There may be no country on the planet more vulnerable to a massive cyberattack than the United States, where financial, transportation, telecommunications and even military operations are now deeply dependent on data networking.
U.S. industry, government and military operations are all at risk of an attack on complex computer systems, analysts warn.
U.S. industry, government and military operations are all at risk of an attack on complex computer systems, analysts warn. iStockphoto.com
What's worse: U.S. security officials say the country's cyberdefenses are not up to the challenge. In part, it's due to a severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries. The protection of U.S. computer systems essentially requires an army of cyberwarriors, but the recruitment of that force is suffering.
"We don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time," says James Gosler, a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency and the Energy Department.
If U.S. cyberdefenses are to be improved, more people like Gosler will be needed on the front lines. Gosler, 58, works at the Energy Department's Sandia National Laboratory in Albuquerque, N.M., where he focuses on ways to counter efforts to penetrate U.S. data networks. It's an ever-increasing challenge.
"You can have vulnerabilities in the fundamentals of the technology, you can have vulnerabilities introduced based on how that technology is implemented, and you can have vulnerabilities introduced through the artificial applications that are built on that fundamental technology," Gosler says. "It takes a very skilled person to operate at that level, and we don't have enough of them."
Gosler estimates there are now only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyberdefense tasks. To meet the computer security needs of U.S. government agencies and large corporations, he says, a force of 20,000 to 30,000 similarly skilled specialists is needed.
Some are currently being trained at the nonprofit SANS (SysAdmin, Audit, Network, Security) Institute outside Washington, D.C., but the demand for qualified cybersecurity specialists far exceeds the supply.
"You go looking for those people, but everybody else is looking for the same thousand people," says SANS Research Director Alan Paller. "So they're just being pushed around from NSA to CIA to DHS to Boeing. It's a mess."
The Center for Strategic and International Studies highlights the problem in a forthcoming report, "A Human Capital Crisis in Cybersecurity."
According to the report, a key element of a "robust" cybersecurity strategy is "having the right people at every level to identify, build and staff the defenses and responses."
The CSIS report highlights a "desperate shortage" of people with the skills to "design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts."
Win McNamee/Getty Images
The U.S. Computer Emergency Readiness Team/National Cybersecurity and Communications Integration Center is designed to help protect the technical infrastructure of the United States.
The U.S. Computer Emergency Readiness Team/National Cybersecurity and Communications Integration Center is designed to help protect the technical infrastructure of the United States. Win McNamee/Getty Images
The cyber manpower crisis in the United States stands in sharp contrast to the situation in China, where the training of computer experts is a top national priority. In the most recent round of the International Collegiate Programming Contest, co-sponsored by IBM and the Association for Computing Machinery, Chinese universities took four of the top 10 places. No U.S. university made the list.
The Chinese government, in fact, appears to be systematically building a cyberwarrior force.
"Every military district of the Peoples' Liberation Army runs a competition every spring," says Alan Paller of SANS, "and they search for kids who might have gotten caught hacking."
One of the Chinese youths who won that competition had earlier been caught hacking into a Japanese computer, according to Paller, only to be rewarded with extra training.
"Later that year, we found him hacking into the Pentagon," Paller says. "So they find them, they train them, and they get them into operation very, very fast."
Some members of Congress, eager to follow China's example, are now promoting a U.S. Cyber Challenge, a national talent search at the high school level. The aim is to find up to 10,000 potential cyberwarriors, ready to play both offense and defense.
"The idea is for schools around the country to field teams, and the teams would compete against one another," says Sen. Thomas Carper, a Delaware Democrat who is one of the backers of the effort. He sees the challenge as an opportunity "not only for them to hone their skills on being able to hack into other systems, particularly those of folks we may not be fond of, but also to use what they learn to strengthen our defenses."
In order to protect a computer system, one needs to know how someone might attack it. Last year's preliminary Cyber Challenge game was won by a 17-year-old from Connecticut — Michael Coppola — who was smart enough to hack into the game computer and add points to his own score.
"There's actually a flaw within that Web application," Coppola says. "Using that, I was able to execute commands on the computer running the scoring software, and I was able to add points and basically do whatever I wanted."
It was certainly an unconventional approach, but the competition judges were so impressed by Coppola's ability to hack into the computer game that they actually rewarded him for changing his score.
"It's cheating," Michael says, "but it's like the entire game is cheating."
Indeed. People who know how to cheat will soon be on the front lines of cyber defense, because the best way to defend a computer system from attack is to figure out how an adversary would be able to hack into it.
Now 18, Coppola is himself looking to a career in cybersecurity.