Since Joe Biden took office in January, the White House has made cybersecurity one of its main policy concerns, and with good reason.
Just before Biden took office, security firm FireEye revealed a large-scale supply chain attack involving SolarWinds and its Orion network monitoring tool. The White House tied the incident to Russia’s Foreign Intelligence Service, or SVR. After that, a series of alarming ransomware attacks hit businesses and government agencies across the country, including a May 2021 attack involving Colonial Pipeline Co., which affected fuel and gas deliveries across portions of the Eastern U.S.
The Biden administration, in turn, has responded in multiple ways. The first was the president’s executive order, published in May, which seeks to reinvent how the federal government approaches cybersecurity in the wake of these incidents, including how departments and agencies buy and evaluate software and how they deploy modern security tools such as multifactor authentication.
In June, Biden made cybersecurity one of the main issues he raised with Russian President Vladimir Putin during a face-to-face meeting, including how cybercriminal gangs allegedly operate freely within the country’s borders. In August, the Biden administration took the issue one step further by inviting technology, banking, insurance and education executives and leaders to the White House to discuss cybersecurity issues, especially around supply chain and critical infrastructure threats.
The big news at that meeting came from Microsoft, with the software giant promising an investment of $20 billion over five years to “accelerate efforts to integrate cyber security by design and deliver advanced security solutions,” according to a White House fact sheet. Google also promised $10 billion over five years to expand zero trust initiatives, while Apple said it will work with its third-party suppliers to deploy multifactor authentication protections across the iPhone maker’s supply chain.
The meeting also produced several promises by tech and other private firms to expand the hiring and training of the country’s cybersecurity workforce. These agreements included:
IBM agreeing to train 150,000 people in cybersecurity skills over the next three years. Big Blue will also partner with more than 20 Historically Black Colleges and Universities to establish cybersecurity leadership centers to grow a more diverse cyber workforce.
Amazon saying it would make the same security awareness training the company offers to its employees available to the public. In addition, Amazon Web Services account holders will gain access to a multifactor authentication device to protect against threats.
Code.org announcing that it will teach cybersecurity concepts to over 3 million students across 35,000 classrooms over three years.
The University of Texas System noting that it will expand existing and develop new short-term credentials in cyber-related fields to strengthen America’s cybersecurity workforce.
Whatcom Community College announcing that it has been designated the new NSF Advanced Technological Education National Cybersecurity Center, and will provide cybersecurity education and training to faculty and support program development for colleges to “fast-track” students from college to career.
“These recent developments underscore the importance of public and private sector collaboration when it comes to fighting cybercrime and keeping the increasingly digital economy safe,” said Kevin Dunne, president of security firm Pathlock. “Countries and companies will need to put aside their competitive differences and work together to have a fighting chance in thwarting the ever-evolving attacks from these criminals.”
Cyber Skills in Demand
The latest White House announcement comes as the need for those with cybersecurity skills at all levels continues to grow.
Cyber Seek, a job-tracking database developed by the Department of Commerce and CompTIA, estimates there are 465,000 open cyber positions nationwide, with about 36,000 of those across federal, state and local government agencies.
At the Black Hat conference in Las Vegas, Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, and Alejandro Mayorkas, the secretary of Homeland Security, each appealed to white hat hackers and security researchers, saying the federal government is in need of their talents.
One of the unique challenges facing the federal government is that much of the nation’s critical infrastructure—water treatment facilities, power plants, portions of the electrical grid—is operated by private companies, which makes the type of collaboration models that the Biden administration is trying to create crucial to the nation’s security, said John Bambenek, a threat intelligence advisor at security firm Netenrich.
“One of the unique challenges here in this country is that the overwhelming majority of critical infrastructure is owned and operated by private industry. This has routinely been a stumbling block to effective coordination, however, both the private and public sectors need to make changes in order to truly protect the nation,” Bambenek told Dice. “The barrier of entry into cybersecurity jobs is far too high. In my opinion, the entry degree for cybersecurity should be at the associates’ level. The government should also use its resources to build a talent pipeline.”
In other words, educational programs are key. “Whatcom Community College specifically looking at creating a community college program could greatly lower the bar for talented individuals to enter the field,” Bambenek said. “This means that the other organizations who are also employers need to drop the ‘must have a bachelor’s degree’ requirement. If those two things happen, it will have both a great impact on the job market and the nation’s cybersecurity.”
While experts applauded what the White House, private companies, and educational institutions have put together to improve cybersecurity opportunities, these gestures are also viewed as a down payment, as it might take years to grow a full-blown cyber workforce.
“As these resources cannot be created overnight, it is important to build the pipeline in advance. This initiative to ramp up efforts against cybercriminals will likely take two to three years before it bears fruit, but it is better to start late than never,” Dunne told Dice. “In the short term, we will likely see a continued increase in the pace of cybercriminal activity, but hopefully these measures will help things to get under control in the near future.”
Joseph Carson, chief security scientist and advisory CISO at security firm ThycoticCentrify, agrees that any initiatives started now to improve cybersecurity and hire and train more security professionals will take years to play out. At the same time, the attackers will grow more sophisticated.
“The initiatives, including commitments to providing more training and more cybersecurity jobs, are great. But we must prioritize what we can do now and what we must do in the future,” Carson told Dice. “We must look to accelerate the need for skilled workers in cybersecurity and fast track them into the industry as the skills shortage is only getting larger. Cybersecurity is no longer just an industry issue. It is one that can impact all of society and that means cybersecurity training is needed for everyone to reduce the risks from cyberattacks. Cybersecurity is no longer just a career path. It is an essential skill in today’s digital society.”