Many industry and government insiders have stressed what they say is an urgent need to add more cyber warriors to protect the digital infrastructure. But some experts are now taking an opposite view, claiming additional resources funneled into cybersecurity won’t begin to solve some of the significant problems the United States has in securing cyberspace, unless those resources are used wisely.
“In far too many historical circumstances, when you don’t know exactly how to fix a problem, the common answer ends up being to apply more resources,” Aaron Barr, CEO of HBGary Federal, writes on the company’s website. “I believe we are precisely at that point in cybersecurity. We have been struggling for years to get a handle on cybersecurity and we are honestly only slightly better off. While overall any problem is solvable with some mixture of people, process, and technology, in this case we are far too lacking in process and technology for more people to really help.”
The current “fundamentally broken” situation is not because the United States lacks cybersecurity personnel, Barr said, but instead the problem lies within the low-paying cybersecurity positions, which fail to attract skilled and trained talent.
“Training more people doesn’t solve that problem, paying more for those positions does,” Barr wrote.
In addition to cybersecurity’s often insufficient pay, Barr notes there is still not a common means to discuss, identify and classify threats.
“As a Navy cryptologist, I remember sitting in amazement at the detailed information we had on Soviet order of battle, the specifications,” he writes. “Now I know cyber is different, but we don’t even have a common taxonomy or methodology much less the data to fill in.”
As a last point, Barr highlights the problem security clearances present. Many qualified CERT/SOC personnel face difficulties with getting in or bidding on existing contracts as many of those positions require a TS/SCI clearance. This requirement, he said, drastically limits the resource pool.
“Do they really require TS/SCI? Isn’t adding more people just going to further bog down this process?” he asked.
After getting a handle on these issues, more trained people will be able to help and fill new positions created by a more mature capability, but until then, “more people are just going to put more people working with the same inefficiencies,” Barr concluded.