Sep 29, 2020

Analysis | The Cybersecurity 202: DHS is highlighting diversity as a key cybersecurity goal

Joseph Marks


It follows a number of private-sector efforts to highlight the work of minority and female cybersecurity pros this year, prompted partly by widespread protests over racism and police violence. 

“The industry is reacting to this broader moment we’ve been having around systemic racism and so folk are prioritizing and pushing for these discussions,” Camille Stewart, a cybersecurity executive at Google who’s led or participated in several efforts to diversify the cybersecurity field, told me. 

“But I don’t want it to stop at conversation. There needs to be action,” said Stewart, who will give an address at Wednesday's conference. “I’m interested to see how this translates into changing CISA’s workforce and how bias is dealt with in technology.”

The dearth of female and minority cybersecurity pros is also contributing to an overall shortage of such workers that is making the nation’s companies more vulnerable to cyberattacks. 

There are more than 500,000 unfilled cybersecurity jobs in the United States, according to a tracker developed by the Commerce Department’s National Initiative for Cybersecurity Education. That’s compared to an employed cybersecurity workforce of just about 922,000, according to the tracker. 

Meanwhile, only about 24 percent of cybersecurity pros are women, according to a study by (ISC)², a nonprofit organization that provides cybersecurity certifications. About 26 percent of cybersecurity pros are non-White, and their salaries lag their White counterparts, the organization found.

“It was important for us this year to include diversity because we have a workforce shortage across the cybersecurity community. We really need to be thoughtful and intentional about what that community looks like in the future,” Toni Benson, CISA’s deputy associate director for cybersecurity defense education and training, told me. 

Benson is moderating a panel on “Diversifying Our Talent Pipeline” during the summit. One big thing that would help make the industry more diverse, she said, would be for government and cybersecurity companies to be less stringent about education requirements for new employees. That could include accepting work and internship experience in lieu of specific degrees. 

“When you open the aperture and you open up the way to get into the space, that helps build out the opportunity to reach more people,” she said.

CISA Director Chris Krebs praised diversity as a key advantage the United States has against adversaries in cyberspace such as Russia and China in remarks during an earlier portion of the summit. 

“This is our advantage here in the United States of America, that we have a wealth of experiences, a wealth of backgrounds, a wealth of perspectives, when our adversaries tend to be monocultural or homogeneous. We can bring the fight back here and take it to them,” he said. 

But the government has also faced serious criticism for not doing enough to encourage diversity in cybersecurity. 

A prime example: President Trump signed an executive order aimed at improving government cybersecurity last year that urged companies and government agencies to “grow a dynamic and diverse cybersecurity workforce through retraining, hands-on, experiential and work-based learning approaches, including apprenticeships [and] research experiences,” among other methods.

But the order didn’t create any government programs to support that effort or to hold the industry accountable for it.

During a press call introducing the order, a senior government official speculated that increased diversity would be a “natural byproduct” of the order.

But until there are specific government measures aimed at recruiting women and minorities into cybersecurity jobs, the government will keep falling short, Stewart told me. 

“The government has been focusing on getting more workers in cybersecurity, but there’s a lot of talent that already exists that’s struggling to be seen,” she said.

Stewart wrote in a June blog post for the Council on Foreign Relations that, “Technical and policy mitigations to cybersecurity challenges will never reach their full potential until systemic racism is addressed and diverse voices are reflected among our ranks at all levels.” 

Other parts of Wednesday’s event will focus on expanding the pool of cybersecurity pros in other ways. 

That includes recruiting people with liberal arts degrees in addition to computer science majors and people with work experience outside of technology. 

Those non-technology skills can often be more useful than traditional tech training for complex jobs such as determining when online speech amounts to disinformation and sorting out the motives of government-backed hacking groups, Laura Galante, a cybersecurity consultant and former executive at the cybersecurity company FireEye, told me. Galante is also speaking on a panel at the event, titled “Forging a Cyber Career.”

“Having read Cervantes or Shakespeare can help you understand and grapple with really tough and disparate fact patterns," she said. “That’s something cybersecurity is definitely dealing with now.” 

The keys

Democrats are scoring key legal victories to protect voting by mail. 

A review of nearly 90 state and federal lawsuits found that judges have been largely skeptical of Republican allegations that mail voting leads to fraud, Elise Viebeck reports. Not a single judge has backed Trump's claims that mail ballot fraud is so substantial it could sway the election, a position that experts have almost uniformly refuted.

“When actual judges are reviewing cases, they demand — whether you’re progressive or conservative — actual facts,” Justin Levitt, a professor at Loyola Law School, told Elise. “And the courts have not been kind to the unsupported claims of, ‘There’s going to be fraud,’ all-caps, exclamation points everywhere.”

Still, some of the victories have been preliminary. Others have been split, failing to grant Democrats new changes while maintaining the status quo sought by the GOP. Republicans have also scored wins such as placing limitations on third-party groups collecting and returning ballots on voters' behalf in Florida, Minnesota and Michigan. 

“I would actually say it’s a mixed bag, and that’s the reflection of the decentralization of our election system,” said Sylvia Albert, director of Common Cause’s voting and elections program. “So while state judges have actually found generally more in favor of expanding voting rights, federal courts have generally deferred to the wants of the local election officials.”

Hackers locked up online systems at one of the United States' largest health-care providers. 

The apparent ransomware attack made it impossible for medical providers to use computer and phone systems at several of Universal Health Services' facilities across the country.

The attack didn't appear to compromise any patient or employee data, the company said in a statement to Raphael Satter at Reuters. The company attributed the issues to an unspecified “IT security issue.”

It's unclear how badly the attack has disrupted medical services. One Arizona nurse told Kevin Collier at NBC News that her location's medication system was knocked offline and the facility had to move to hand-labeling medication.

The attack reflects a recent surge in ransomware attacks, including during the pandemic.

A hacker published Social Security numbers of students stolen from a Las Vegas school district.

The hacker spilled the data after the Clark County School District refused to pay a ransom in exchange for unlocking its systems, Tawnell D. Hobbs at the Wall Street Journal reports. The breach highlights how ransomware attacks against schools are becoming more aggressive as schools become more reliant on online learning during the pandemic.

“The value of doing this has gone up,” Evan Kohlmann, chief innovation officer at the cybersecurity firm Flashpoint, told the Journal. “You have all remote employees, all remote students. How do you educate people entirely remotely if your whole system is down? The impact of these attacks have significantly increased.”

The FBI discourages ransomware victims from paying hackers. But for some victims who don’t have backups, paying the ransom may be cheaper and less risky than rebuilding their entire networks. 

The Clark County district, which has more than 300,000 students, said it would notify those affected immediately. It's working with law enforcement to investigate the incident.

Securing the ballot

Foreign actors may try to trick voters into believing they hacked U.S. voter registration data, the FBI warns.

The FBI and CISA have found no evidence of cyberattacks that tampered with voter registration information. And most voter registration data is already publicly available. 

The alert follows a warning last week that foreign actors could exploit the time needed to declare a winner of November’s election to spread disinformation, including false claims of voter suppression.


Industry report

Trump’s proposed TikTok ban probably exceeds his authority, a judge says. 

Judge Carl Nichols ordered a delay in implementing that ban Sunday but only released his reasoning yesterday. 

He said it was clear from the government’s argument that China presents “a significant national security threat,” Rachel Lerman reports. But he was not convinced that TikTok specifically is a threat or that banning the app is the only way to address concerns that China could access U.S. user data.


On the move

  • Twitter appointed Rinki Sethi as its new chief information security officer. Sethi previously worked as chief information security officer at Rubrik and as vice president of information security at IBM and Palo Alto Networks.

Chat room

With the first presidential debate later today, here's a timely thread from Harvard disinformation expert Joan Donovan on “pre-bunking" phony and misleading claims. 


Daybook

  • The Senate Armed Services Committee will hold a hearing on supply chain integrity on Thursday at 9:15 a.m.
  • New America’s Open Technology Institute will hold a virtual panel exploring how Internet platforms are addressing the spread of election-related misinformation on Thursday at 1:30 p.m.

Secure log off

The Washington Post’s Jonathan O’Connell and David A. Fahrenthold explain the legal troubles Trump could face after a New York Times investigation revealed his tax returns show years of tax avoidance.
