The federal cybersecurity budget will hold steady next year, even with tighter federal budgets. But the sequestration problem is reminding federal leaders about the importance of planning.
Alan Paller, the director of research at the SANS Institute, says the most important priority for technology managers this year should be balancing the government’s cybersecurity pay scales.
Alan Paller’s Top 3 for 2013
Inverting the pay scales for cybersecurity consultants serving government. Salaries for certification and accreditation report writers will drop as salaries for people with more technical skills rise sharply. Supply and demand controls salaries in cybersecurity just as it does in other career tracks, and the demand for people with technical skills is rising sharply. The president of one of the three firms authorized to test security of federal cloud providers called in December asking for help finding people to eliminate the backlog in FedRAMP reviews. “There are hundreds of people who can write certification reports on the market, but I cannot find anyone who can do the log analysis and application security testing and other tasks that are required.” No cloud provider one can get through the new FedRAMP security approval process without passing a deeply technical cybersecurity review and internal federal system reviews will soon be similarly rigorous. The cybersecurity program manager for one midsized professional services and IT consulting firms in the federal space described the problem to a group of federal policy makers as follows: “Eighty percent of my people (then 206 consultants doing federal C&A work) have soft skills; if we don’t reverse that ratio in the next 24 months, we will be out of business.” The 2012 DHS Task Force on Cyberskills defined the specific technical skills that are needed, calling them “mission critical jobs in cybersecurity.” And at a meeting in the White House of presidents of consulting firms the consensus among them was that the government would need to fund training for their consultants because the people they could find on the market simply did not have the needed skills. They said contracting officers had been willing to accept people who didn’t have the needed skills for years, but when the government starts demanding that contractors have technical skills, “someone” will have to pay for the training.
The shift from information theft to actual destruction will raise the priority of cybersecurity and technical controls even higher. At the 2012 Australian national government cybersecurity, one of the U.S. NSA division chiefs presented a new slide in which the cyber threat had a new dimension: destruction. No longer do attackers have only financial and espionage goals. Now they are bent on destroying the capacity of organizations and countries to operate. The remote cyber destruction of more than 30,000 computers at Aramco in Saudi Arabia RasGas in Qatar were merely data points. Ever since a remote cyber attack caused 1,000 Iranian centrifuges to blow apart, the world has been awakening to the direct military effect (the cyber take over of control of a U.S. intelligence drone to make it land in Iran and the act of forcing satellites to do what they were not intended to do) and to the active disruptive power of cyber attacks (the Wells Fargo melt down in September and again in December). When the threat was just loss of money and information, senior managers considered it important but not top of mind. As it moves to destruction and disruption, its priority rises.
CEOs and agency heads will get direct access to data showing the cybersecurity status of their systems and networks and comparing their status with other agencies and companies and use it to provide incentives for rapid improvement. Deputy Secretaries have long been pressed to improve cybersecurity by OMB, but they had no visibility into the actual status of cybersecurity. At the same time they could find no one they could trust to provide definitive answers to their often-asked questions of “what needed to be done first to secure systems and how much was enough?” Without that information, they had no option other than to delegate security to CISOs who spent much of their budget on tasks that had little or no impact on reducing the risk of cyber destruction. During 2013, the DepSecs will have joint access to direct information on how well their components have implemented the most critical security controls. The breakthrough is less about the new tools that vendors will deliver to provide reliable visibility into the security status, and much more about global consensus on which things need to be done first – immediately – to protect systems against the most virulent attacks.