What would federal IT security leaders do if they had unlimited sums of money to throw around? Invest in cybersecurity education and training.
That was a clear theme from recent comments by federal CISOs. Greater training will make cybersecurity incident response more effective, according to federal officials.
Department of Homeland Security CISO Jeffrey Eisensmith said he would put a “significant investment in workforce both in training and retention” via performance-based training and testing, according to FCW.
Invest in Cybersecurity Training
Eisensmith and other federal IT leaders spoke at the recent Billington Cybersecurity Summit in Washington, D.C. Essye Miller, the CISO and deputy CIO for cybersecurity at the Defense Department, said agencies need to take a “holistic” approach to education and training that includes both contractors and government workers.
“The investment piece in this is very important but it has to be holistic,” Miller said, according to FCW. The training needs to encompass all who work on cybersecurity so that they develop the right posture to respond to incidents, she said.
The panelists, who represented the departments of Treasury, Defense, Homeland Security, and Health and Human Services, as well as industry, said that President Donald Trump’s cybersecurity executive order gives agencies guidance on how to invest in cybersecurity resources.
“The executive order gave us specific direction to make those investments,” and encouraged agency leaders to identify their biggest cybersecurity vulnerabilities so they could be addressed, said Jack Donnelly, the Treasury Department’s CISO and associate cybersecurity CIO. “Find your greatest risk and then systematically address them.”
Acting DHS Secretary Elaine Duke, speaking at the Oct. 4 U.S. Chamber of Commerce Cybersecurity Summit that kicked off National Cyber Security Awareness Month, said the government needs to “establish measures to demonstrate the effectiveness of our cybersecurity workforce and investments related to that workforce,” FCW separately reports. Those metrics can help agencies establish their cybersecurity needs, align them with the right levels of education and training, and then compare the country with global competitors.
“Effectiveness measures may not bear fruit for years to come,” she said, “but that doesn’t mean we shouldn’t be making the effort.”
Under the executive order, secretaries of Commerce and Homeland Security, in consultation with other cabinet secretaries, are supposed to “jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education.”
Give Federal Cybersecurity Workers More Real-World Training
Federal officials have been harping on the need for more cybersecurity training for some time. Earlier this year, during a cybersecurity panel at the GITEC conference, Brian Varine, chief of the Justice Security Operations Center at the Justice Department, said the people agencies wind up hiring for cybersecurity jobs are “kind of green.”
A key reason, he said, is that most cyberdefenders “have never actually seen a real cyberattack,” an advanced persistent threat that tears apart a network and forces them to respond.
What should agencies do about this? Varine noted that in the 1950s and 1960s, the armed forces sent out young pilots in multimillion-dollar aircraft, and many of them would get shot down early in their deployments. “Eventually, the Navy figured out, when they invented Top Gun, ‘Hey, most of our guys are getting shot down in their first 10 missions because that’s where they’re making all of their mistakes.’ Once they got past 10, they got pretty good.”
The government needs to give cyberdefenders those 10 missions, either with training on government networks or before they set foot inside agencies, Varine said. Entire agencies also need to go through training for real-world cyberattacks, he added.
“When was the last time their enterprise really went through a live-fire cyberdefense exercise? Well, I can tell you: never,” Varine said. “Because what organization is going to say, ‘Hey, come in here, take my entire IT operation out of commission for three days while we simulate an attack’?”
The military decided to send their best pilots for real-world fighter pilot training. “We kind of need that, minus the shades, for cyber,” Varine said.
When those workers come back to agencies, they can then train their colleagues, he said. “Unfortunately, what we do is, the guys that do see those incidents and they get the experience, they go off to the private sector to go work for the same person you’re going to pay $600 an hour to come and help you out with the next incident,” he noted.
Many agencies are reluctant to turn their networks into battlefields, Varine said. “Well, that’s OK. The adversary is real cool with that,” he added sarcastically.