Experts say DoD cyber workers undertrained

From: Army Times

By Zachary Fryer-Biggs

WASHINGTON — The Defense Department wants to hire thousands of new cyber experts to create a large force of skilled cyber warriors. But first, it has to address concerns about the experts the agency already has.

Many of those tasked with protecting networks — key cogs in the U.S. national security infrastructure — are undertrained and unqualified, creating dangerous vulnerabilities, experts both in and out of government are saying.

Agency officials said they were aware of the concerns and are rewriting all policy related to qualifications and certifications to make sure that the impending boom in cyber hiring puts capable experts in critical positions.

The concerns center on a series of requirements, many of which were put in place in August 2004 under DoD Directive 8570. The directive mandates that information assurance (IA) experts — those in a variety of primarily cyber defense positions — receive specific certifications. Those certifications, created by organizations outside DoD, are coming under fire as failing to test the capability of defenders.

One source indicated that when the directive was being finalized, an earlier, more difficult certification that required hands-on instruction was considered and then rejected in favor of certifications that wouldn’t require the training.

And because limitations in funding mean resources are allocated almost exclusively toward academic-based certifications, experts said that critical members of the cybersecurity work force are being put in important positions unprepared to do their jobs because money is not being spent on hands-on training.

“The current requirements aren’t turning out people who are prepared,” said Jeff Moulton, a senior cyber researcher at the Georgia Tech Research Institute. “The school of hard knocks can teach quite a few lessons, but at DoD that can cost people’s lives. Book training is simply not enough.”

In a memorandum sent to Deputy Defense Secretary Ashton Carter in late 2012, two dozen experts, including uniformed members of all three major branches of the military, expressed concern that DoD 8570 was hampering the agency. The names of the experts were not included in the memo, sent by an outside organization, because of concerns that they might suffer retribution for going around the chain of command and speaking out in a document sent directly to Carter.

“One of the biggest threats to the DoD networks is the inability of DoD security professionals to secure the networks,” a U.S. Army chief warrant officer assigned to U.S. Army Cyber was quoted as saying. “Many of these security professionals have the required certifications but no understanding how to truly secure the DoD networks and make poor decisions resulting in vulnerable networks.”

Others focused on the lack of hands-on training required, resulting in broad certifications that are required for many jobs but are not specific to any of them.

“How on earth can anyone truly believe that one certification can ensure that you have mastered the deep technical skills to be an intrusion analyst, infrastructure support, incident responder, auditor and manager?” the memorandum quoted a U.S. Army major. “Those are 5 different technical jobs and should require 5 different certifications.”

In a joint interview with Deputy Chief Information Officer for Cybersecurity Richard Hale, DoD Chief Information Officer Teri Takai said the agency is aware of the concerns.

“We have never said that our policies and procedures, as it relates to IA certification and qualification, are completely up to date,” she said. “One of our challenges is that it takes a while for us to update our policies.”

Although Takai and Hale were not in their current positions when the original 8570 was issued, Takai said disagreement over the merit of certain external certifications is common.
