May 31, 2022

            We need to stop talking about the issue of cybersecurity workforce development.  We need to properly frame the issue an imperative for national defense digital mobilization.

Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in the 1950s, so too have recent events made it clear beyond doubt that cyberspace is now a unique domain of warfare.

As such, cybersecurity must be properly understood not just as privacy, consumer, and business issue with an adjunct military aspect, but for what it truly is.  The most dominate element of national defense in the 21st century, because all the other domains of warfare are ultimately dependent on cyber technology.

It is axiomatic that it is impossible to have an effective national defense without properly trained personnel to implement that defense.  The Russian army’s failure in Ukraine is a stunning example of how even a massive superpower can have its apparent strength undermined by poor training and strategy.

The US should take a lesson from the current Russian experience, albeit in a differing context.  However, a major part of the Russian failure has been a mischaracterization of modern conflict and an inadequately trained army. Considering these concepts from a US cybersecurity perspective we may have very similar issues we are not addressing.

To begin with, cyber technology has changed the nature of national defense which can no longer be considered in strictly military terms

The defining characteristic of the Internet is ubiquitous interconnection.  In 21st century America our national defense must be understood as coequally dependent on a cybersecure private sector as a capable cyber ready military force. Although there are rhetorical allusions to this fact, our public policy has not been redirected to this modern reality.

In the 1940s steel plants in Pennsylvania were not expected to erect radar and deploy anti-aircraft weapons to ward off a possible Japanese or German attack on the US critical infrastructure, however we have heretofore taken that posture with respect to cybersecurity.

It is established fact that in present day private institutions are faced increasingly with cyber-attacks often by nation state, state affiliated or state trained assailants.  These attacks not only threaten consumer and corporate interests but the overall national interest.

It is also widely accepted fact that neither the US government nor the private sector has adequately trained personnel to defend itself against cyber-attacks. The estimates vary somewhat but there is virtual unanimity in the cybersecurity community that the adequately cyber-trained personnel shortage is hundreds and hundreds of thousands and growing rapidly.

The federal government has been trying for years to compete with the private sector for scarce cyber resources and has had only marginal success.  This situation is unlikely to get appreciably better so long as the demand for adequate personnel out strips supply, and all evidence suggest the trends are moving in the opposite direction. 

The situation is far worse at the state and local levels which do not have the economic elasticity of the federal government.  Without a dramatic increase in the supply of appropriate personnel it is almost impossible to see how financially strapped states and localities will ever be able to compete in the market for cybersecurity personnel. It bears repeating that due to the extensive interconnection between states and the federal governments not only are the states and their citizens going to continually suffer from attacks they cannot possibly defend themselves from, but they will provide massive pathways to federal systems creating an ever-present systemic risk to the nation. 

 To be fair, the USA is not alone in this personnel shortage. In the rest of the world the need for appropriately trained personnel is even greater. However, that fact is of little solace when the US is being attacked. And we are already under constant attack. Time is not running out to build an adequately mobilized and trained cyber community.  It has run out.  We have massive ground to make up and we need to start making it up fast.

Cyber-attack methods and business models are becoming ever more sophisticated and diffused to a growing cyber-attack community.  Attack methods considered highly advanced and capable only from nation states a few years ago are now widely practices by criminals.  Cyber-attacks as a service are growing which will increasingly make sophisticated attack methods available to ever more dangerous and less manageable entities than traditional nation states.

It is true that we have not yet faced “the big one.” Fears that Russia may attack US critical infrastructure have not materialized – or at least not yet.  However, I suspect there may have been an element of invincibility in the Russian command before Ukraine, we would do well not to underestimate our vulnerability and at the very least develop train and mobilize our defenses against cyber-attacks.

In part two of this series, we will consider possibly the only practical way to address this problem in a proficient, speedy, and cost-effective fashion – a national, virtual cybersecurity academy.