Even as the Defense Departments plans to beef up its cybersecurity staff, critics say those already on board are undertrained and unqualified, reports Federal Times.
Staff at the Defense Department’s Cyber Command is expected to grow from about 900 troops and civilians to about 4,900 over the next few years – that is if the budget allows.
The Federal Times story reports disagreement over requirements put in place in 2004 under DoD Directive 8570 that require specific certifications for information assurance experts. The article doesn’t specify which certifications are being referred to, only that they’re created and administered by the private sector. According to the article:
… because limitations in funding mean resources are allocated almost exclusively toward academic-based certifications, experts said that critical members of the cyber security work force are being put in important positions unprepared to do their jobs because money is not being spent on hands-on training.
It quotes Jeff Moulton, a senior cyber researcher at the Georgia Tech Research Institute, saying the current requirements are turning out people unprepared: “Book training is simply not enough.”
It quotes a U.S. Army chief warrant officer assigned to U.S. Army Cyber on a memorandum sent to Deputy Defense Secretary Ashton Carter in late 2012 as saying:
“One of the biggest threats to the DoD networks is the inability of DoD security professionals to secure the networks. Many of these security professionals have the required certifications but no understanding how to truly secure the DoD networks and make poor decisions resulting in vulnerable networks.”
Others criticized the training as too broad to relate specifically to any of the required jobs.
The DoD, however, is in the midst of redesigning its certification policy, creating job-specific requirements. Its goal is to have the new policy in place by the end of the fiscal year (Oct. 1.), though there’s a push to apply new specific job requirements in the meantime.
The federal government overall has been working for quite some time on defining cybersecurity skills and roles.
Meanwhile, federal agencies such as the Commerce, Homeland Security and Treasury departments will take a bigger role in ensuring the nation’s most critical assets, such as the electrical grid and water systems, are secure from cyber intrusions, according to a second Federal Times article.
Under a White House executive order, the agencies will work with the private sector to develop voluntary security standards for agencies with that authority, to make voluntary standards mandatory, the article says.
And there’s always a story to illustrate how this all needs to happen sooner than later:
The Alexandria, Va.-based Mandiant security firm has tied more than 100 cyber attacks on private U.S. corporations to the Chinese military, The Washington Post reports.