Cybersecurity needs to be fundamental infrastructure, but we don’t treat it that way.
The opinions stated here are my own, not those of my company.
One of the major US events of the 1970s was the oil embargo. Historical documents about the embargo include photos of long lines for gas and countless shortages. Rationing policies had to be implemented to ensure that there was enough for everyone.
This was not the case last week, when our supply was not actually limited. The supply chains we’ve built were hijacked, preventing our ample supply from getting to the right places. That didn’t stop hoarding, price gouging, and panic.
The panic was ultimately silly and certainly exacerbated a temporary issue. The systems are back online now and the supply chain will likely get back to normal in a few days. But it was an attack on critical infrastructure, essentially an attack on the country. We cannot keep letting this happen, and it requires a wartime mindset to build an adequate defense.
Ransomware is a good business, with Darkside netting $5 million for the Colonial Pipeline attack alone. Colonial Pipeline, for its part, didn’t get anything out of the deal.
Economically, Darkside has all the power. Their ransomware attacked and damaged critical infrastructure, but they have no incentive to actually make their decryption tools any good. The transaction is already complete.
Ultimately whack-a-mole is not good enough.
Cyberwarfare was once the stuff of hardcore 90s science-fiction, but it is our real present. Last year I read Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. I recommend it. It includes stories of the kinds of attacks that Russian-linked groups have conducted, and is a warning sign for what our future might be: a society of unfreedom, under the tyranny of anarchist attacks to paralyze infrastructure and government.
President Biden has just signed an executive order that aims to take cyber seriously. There are a lot of essential changes that need to be made to government IT systems, and also in the private sector. Efforts like migration to multi-factor authentication, employing zero-trust architectures, an “energy star type of label” for IoT security, a Cyber Security Review Board, a standard incident playbook, and improved intrusion detection are all very good policies that are needed. I hope this will transform our cyber policy from reactive to proactive.
Unfortunately a number of these policies are only applicable to government systems and not the private sector. While the government can serve as a positive model, it may not be able to mandate these changes nor affect cybersecurity in other countries.
Companies neither put enough money into their cybersecurity efforts nor have enough people working on them. However, that may not be for a lack of trying. Unemployment in the cybersecurity field is at 0%. This means everyone in the cybersecurity field has a job, and every recent graduate is hired immediately. It means there is far more demand than supply.
In normal economics, this would be a simple market issue. Raising wages, giving incentives, and improving benefits would lure potential workers to your job postings. I think this is what is needed in the service & restaurant industries today.
However, I do not believe we should treat cybersecurity as a normal field where we should just let the market play out. Not filling those jobs doesn’t just make the firm less efficient. It has fundamental consequences for our society, as we’ve already seen.
Three months ago Colonial Pipeline posted a cybersecurity manager job position that they haven’t filled. They should probably pick one of the dozens of applicants soon, but we should also look at policies to make this job pipeline larger.
There has been debate in politics for several months regarding student debt cancellation. I’m going to take the position that we should not do this, at least not across the board. Rather, government policy should incentivize people graduating with particular credentials like cybersecurity in order to generate a larger labor pool in critical fields.
It’s a common meme that theater majors deliver coffee orders to engineering majors. While oversimplified, underemployment is a real problem that is the result of mismatching people’s majors with available jobs.
The Federal Reserve Bank of New York has compiled statistics on recent college graduate outcomes. The majority of people with a criminal justice or performing arts degree are not using it. This is a significant allocation failure that gives these students a lot of debt with very little to show for it. We need fewer people studying liberal arts and more studying cybersecurity. I would like our student debt policy to reflect this need as well. In fact, our need for cybersecurity is more existentially necessary than performing arts.
I will note that their statistics do not include cybersecurity as a separate field, but the related computer science and computer engineering fields have underemployment rates in the low twenties, in percent.
I understand that liberal arts are important. The humanities are important. I absolutely agree. At the same time, a degree in the humanities doesn’t benefit students. I reject the notion that college should be a job-training program, and people should get more from their education, but underemployment is not the right outcome.
Humanities should not be ignored. We should not train people in IT systems and just pretend that they’ll be good members of society. When I studied engineering in college, I had to take several general education classes. These included instruction on writing and public speaking. I took a course on the intersection of music and technology. I found my class on literature from Barcelona, depicting the fascism of Francisco Franco, to be very influential.
Literature, art, and theater are important parts of our society that make up our culture. Yet do we need so many people studying these full-time? The data says no. But we also shouldn’t ignore these fields. I hope we can have cybersecurity employees that engage in community theater programs, host book clubs, and engage in local politics outside of their full-time job.
I also believe that the United Nations should get involved by instituting higher order standards for cybersecurity in our software and hardware. The US is not alone in dealing with these issues. Healthcare systems in Ireland and the UK have been targeted in the past. Ukraine has experienced infrastructure shutdowns due to attacks.
The UN really doesn’t have a lot of easily available information on this matter. They look at it from a governance perspective, protecting the organization’s data and the data of member nations. However, what are they doing to protect vulnerable people and infrastructure? Where is the ‘Cybersecurity without Borders’ and global standards?
I’m glad we are starting to take cybersecurity seriously. But we are still looking at it from the perspective of changes popping up here and there rather than spending more effort on the long tail. Much like COVID-19, if we don’t ensure security end-to-end, we aren’t setting ourselves up for success.