The U.S. Department of Defense (DoD) just released its new cybersecurity strategy report for 2015. This strategy sets five strategic goals:
1. Build and maintain ready forces and capabilities to conduct cyberspace operations;
2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages; and
5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.
While all of these strategic goals are obviously important and are not given with any preference in order, it is interesting to note that the first strategic goal listed involves the workforce. That’s where (ISC)2 would start the conversation as well.
According to the 2015 (ISC)² Global Information Security Workforce Study (GISWS), 60 percent of the over 1,800 U.S. federal government respondents say that they do not have enough information security personnel to meet the demands of their mission; a 2 percent increase over the 2013 survey findings.
This personnel shortage is especially alarming considering the daily barrage of attacks against DoD networks. Eric Rosenbach, who serves as the Principal Cyber Advisor to the Secretary of Defense, recently testified before the U.S. Senate Committee on Armed Services on this topic.
“External actors probe and scan DoD networks for vulnerabilities millions of times each day, and over one hundred foreign intelligence agencies continually attempt to infiltrate DoD networks. Unfortunately, some incursions – by both state and non-state entities – have succeeded,” said Rosenbach.
To help reduce the risk of attacks, the Pentagon is building what they refer to as a Cyber Mission Force (CMF). The goal is to have the CMF fully staffed by 2018 under U.S. Cyber Command, with 133 teams and nearly 6,200 military and civilian personnel. But as of today, the CMF is only half staffed.
Part of the challenge has been matching up the qualifications of cybersecurity candidates with the actual job requirements. That’s why programs such as the National Initiative for Cybersecurity Education (NICE) and its National Cybersecurity Workforce Framework offer such promise. NICE even gets a mention within the implementation objectives listed underneath the workforce strategic goal in the report:
“DoD will develop policies to support the National Initiative for Cybersecurity Education. Working with interagency partners, one or more educational institutions, as well as state and private sector partners, DoD will continue to support innovative workforce development partnerships focused on both the technical and policy dimensions of cybersecurity and cyber defense.”
Historically, DoD has used 8570.01 as its Information Assurance Workforce Improvement Program manual (Note that we’re starting to see a shift away from the term “Information Assurance” in DoD, replacing it with “Cybersecurity”). This manual was created in 2005 and while it was last updated in 2012, another refresh is required. That’s where the upcoming DoD Directive 8140, Cyberspace Workforce Management Policy, comes into play. 8140 is currently in draft mode, and will eventually be the DoD policy that supports NICE and the workforce framework. At a recent Armed Forces Communications and Electronics Association (AFCEA) Washington, D.C. chapter event, Stephanie Keith, who heads up the Cyberspace Workforce Division under the DoD CIO, said that 8140 will not replace 8570 – rather, it will reference a revised 8570.
In closing, we’ve all seen this topic mentioned in report after report, year after year. So why should we be encouraged this time around that the dam will break and we’ll actually see some positive results on the DoD cyber workforce issue? Well, we saw one symbolic gesture in March. Where did Ashton Carter choose to hold his first troop event in the United States as the new Defense Secretary?
The U.S. Cyber Command Headquarters in Maryland.
We’ll be watching.
-Dan Waddell, CISSP, CAP, Director of Government Affairs for the National Capital Region, (ISC)²