For months it has been abundantly clear that cybersecurity will be a key area of concern for the new administration, but the headlines only tell a fragment of a much larger story. Undoubtedly countering specific threats from state-based actors and individual hackers alike will continue to be a major challenge for the new administration; however, three systemic issues will emerge as critical considerations for policymakers trying to gain a sense of the cybersecurity landscape, and success or failure in these areas will have a lasting and outsized effect on long-term national security.
A New Twist on Information Operations
Amid reports of fake news, vulnerable voting machines, and doctored data dumps, the 2016 election season has shown how vitally important information integrity is to the democratic process. From a cybersecurity standpoint, it is critical to secure U.S. networks in order to ensure that exfiltrated data is not used to give credibility to larger campaigns of information manipulation. However, networks outside .mil and .gov addresses are not secured by the federal government, so government organizations operating in this space must work through outside partners to enable better cybersecurity practices. This massive undertaking involves a broad range of actors not traditionally considered to be part of the national security infrastructure. In order to truly meet this innovative twist to the old threat of information operations, both the U.S. Government and the American population generally need to reconceptualize how they think of national security and cybersecurity; maintaining data integrity has become a nationwide responsibility.
Engaging State and Local Governments
Many of the policy tools to encourage best practices and positive change in cybersecurity are determined outside the federal government. For example, the education policies that could encourage students to track into computer science are determined by county governments. Similarly, state governments dictate regulations that could shape cybersecurity insurance regimes, which can be used to encourage best practices in the private sector, while local law enforcement officers are often the first to receive and act on reports of cybercrime.
Whether through ransomware attacks on a local hospital, internet outages because of a widespread distributed denial of service (DDoS) attack, or even just garden-variety credit card information theft, cybersecurity is increasingly impacting average citizens’ daily lives, and so cybersecurity defense must also become a part of daily life rather than a matter of great power politics and international conflict. As the entire nation’s digital infrastructure becomes a target for adversaries, the entire nation must be engaged in providing for its own security. Accordingly, the federal government’s ability to enable successful cybersecurity policies at state and local levels will increasingly become a matter of national security.
Limitations on the Most In-Demand Workforce
The numbers detailing shortfalls in the cybersecurity workforce are staggering. According to a 2015 report, 49,493 jobs are posted in the U.S. that require a CISSP (a primary cybersecurity certification), yet only 65,362 individuals– including those currently employed– in the U.S. hold that certification. Meanwhile, of the top 50 computer science programs in the U.S., only three require a cybersecurity course to graduate. These numbers become even more troubling given the projected growth of the cybersecurity industry, leading to an estimated global worker shortfall of 1.5 million by 2019.
The cybersecurity workforce clearly has a pipeline problem, but despite that, the industry is not making best use of the human resources available. Only 10% of the information security workforce is female, and people of color are similarly underrepresented. There is no one silver bullet to change this trend; meaningful improvement will require changes in education, hiring, certification, vocational and “boot camp” programs, and very fundamental changes in how society envisions a “cybersecurity worker” (or even just a “tech worker” in general). Making progress across all these areas will require deliberate effort from the new administration and other national leaders, but tapping into these additional talent pools will be critically important if the U.S. is going to meet the cybersecurity need.
These three trends have a commonality—they stand to build or undermine the long-term health of national cybersecurity. While day-to-day priorities for the incoming administration will undoubtedly be determined by specific emerging threats, their ability to protect against internet-enabled information operations, to engage partners in state and local government, and to dramatically grow the cybersecurity workforce may be their greatest challenges in—and potential contributions to―national cybersecurity.