Skip Links

Pentagon hiring binge won't guarantee more security

Hiring 4,000 cybersecurity pros welcomed, but experts warn that without the right skill mix the nation's cyber defenses may not be much better

By Taylor Armerding, CSO
January 29, 2013 07:32 AM ET

CSO - A Pentagon plan to hire another 4,000 cybersecurity professionals, for both defense and offense, will improve the employment and salary prospects of those with the right skills.

On that much, most cybersecurity experts agree. They are less confident, however, that it will significantly improve the nation's security from catastrophic cyberattacks.

[TECH SKILLS in low demand]

The plan, leaked last week to the Washington Post prior to a formal announcement, would expand the Pentagon's cybersecurity force within the next several years by 500%, from 900 to 4,900 military and civilian personnel.

At the request of the Defense Department's Cyber Command, it would also expand the focus of the force from largely defensive to offensive as well -- a move that is highly controversial among cybersecurity experts.

Both outgoing Defense Secretary Leon Panetta and Homeland Security Secretary Janet Napolitano have warned several times in recent months of the increasing threat of a "cyber Pearl Harbor" or "cyber 9/11" from hostile nation states.

"The only question is whether we're going to take the necessary steps like this one to deflect the impact of the attack in advance or ... read about the steps we should have taken in some post-attack commission report," William J. Lynn III, a former deputy defense secretary who has worked with the Pentagon to develop its cybersecurity strategy, told the Post.

Gary McGraw, CTO of Cigital, who has been a vocal opponent of taking the offense in cybersecurity conflicts, said neither the hiring nor its purpose is a surprise. "The Cyber Command is not new, and we knew they were doing offense. What do you think Stuxnet was?" he said, in reference to the computer worm used to attack Iranian nuclear facilities, generally acknowledged to have been launched by the U.S. and Israeli governments.

"This is just about staffing up," he said.

The Pentagon plan is focused on having the new staff address three major vulnerabilities in the U.S., the report said. "'National mission forces,' to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; 'combat mission forces' to help commanders abroad plan and execute attacks or other offensive operations; and 'cyber protection forces' to fortify the Defense Department's networks."

All of which are admirable goals, said Joe Weiss, managing partner of Applied Control Solutions, but without the right mix of skills, he said it may not improve security no matter how many people are hired or how much money is spent.

[See also: U.S. rattles preemptive cyberattack saber]

"I'm an engineer, so I understand how industrial control systems (ICS) work. Unfortunately, many IT people don't," he said. "Given the state of ICS technology, there probably will be a cyber Pearl Harbor, but we might not know it. There are minimal cyber forensics for control systems."

Weiss added: "If a plant shuts down or blows up, you can't hide that, but you may or may not know if cyber had anything to do with it."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News