CSIS Report Reveals Extreme Vulnerability to Cyber Threats

Virtually all aspects of our society, business, and government are dependent our information infrastructure, and yet we, as a nation, are extraordinarily vulnerable to cyber threats, according to a new report from the Center for Strategic and International Studies.

In A Human Capital Crisis in Cybersecurity, CSIS describes a few of the current problems, which seem to portend disastrous consequences if these very real threats are not addressed.

From the report:

Military and nuclear energy systems are under continuous attack, experiencing large losses. For at least the past six years the US Department of Defense, nuclear laboratory sites and other sensitive US civilian government sites have been deeply penetrated, multiple times, by other nation-states. "China has downloaded 10 to 20 terabytes of data from the NIPRNet (the sensitive, but unclassified US military network). There is a nation-state threat by the Chinese." (Maj. Gen. William Lord, Director of Information, Services and Integration in the Air Force's Office of Warfighting Integration and Chief Information Officer, 8/21/06 Government Computer News, "Red Storm Rising")

Terrorists and organized crime groups are actively exploiting weak US security and extorting money used for criminal purposes and to buy terrorist bombs. In October 2008, for example, Express Scripts, one of the nation's largest processors of pharmacy prescriptions, reported extortionists had threatened to disclose personal and medical information on millions of Americans if the company failed to meet payment demands.

One of the fundamental concerns, as CSIS sees it, is that there are simply not enough people in the US who have the specialized training required to combat what have become a constant barrage of cyber threats. The personnel issue is a problem of both quality and quantity, and the report poses an intriguing solution. It calls for a cybersecurity workforce that's professionally certified and accredited, much as physicians are today.

Again, from the report:

In many ways, cybersecurity is similar to like 19th century medicine a growing field dealing with real threats with lots of self-taught practitioners only some of whom know what they are doing. The evolution of the practice of medicine mandated different skills and specialties coupled with qualifications and assessments. In medicine, we now have accreditation standards and professional certifications by specialty. We can afford nothing less in the world of cybersecurity. We need to develop a culture of professionalism and goal orientation for the cybersecurity workforce; doing so will help prevent, detect, and/or respond to intentional or unintentional compromises involving both federal and other critical infrastructure systems.

As I posted about earlier this year, cybersecurity is not just a problem for your IT department. Achieving adequate and ongoing protection for your digital information will require a holistic approach that includes enterprise-wide involvement and based on the results of this report, that all may depend on a shift in workforce priorities and attitudes, as well.