Cyber warrior shortage hits anti-hacker fightback

LONDON Sun Oct 13, 2013 12:34pm EDT

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture.

Credit: Reuters/Kacper Pempel/Files

LONDON (Reuters) - For the governments and corporations facing increasing computer attacks, the biggest challenge is finding the right cyber warriors to fight back.

Hostile computer activity from spies, saboteurs, competitors and criminals has spawned a growing industry of corporate defenders who can attract the best talent from government cyber units.

The U.S. military's Cyber Command is due to quadruple in size by 2015 with 4,000 new personnel while Britain announced a new Joint Cyber Reserve last month. From Brazil to Indonesia, similar forces have been set up.

But demand for specialists has far outpaced the number of those qualified to do the job, leading to a staffing crunch as talent is poached by competitors offering big salaries.

"As with anything, it really comes down to human capital and there simply isn't enough of it," says Chris Finan, White House director for cyber security from 2011-12, who is now a senior fellow at the Truman National Security Project and working for a start-up in Silicon Valley.

"They will choose where they work based on salary, lifestyle and the lack of an interfering bureaucracy and that makes it particularly hard to get them into government."

Cyber attacks can be expensive: one unidentified London-listed company incurred losses of 800 million pounds ($1.29 billion) in a cyber attack several years ago, according to the British security services.

Global losses are in the range of $80 billion to $400 billion a year, according to research by the Washington-based Center for Strategic and International Studies that was sponsored by Intel Corp's McAfee anti-virus division.

There is a whole range of attacks. Some involve simply transferring money, but more often clients' credit card details are stolen. There is also intellectual property theft or theft of commercially sensitive information for business advantage.

Victims can also suffer a "hacktivist" attack, such as a directed denial of service to bring a website down, which can cost a lot of money to fix.

Quantifying the exact damage is almost impossible, especially when secrets and money are not the only targets.

While no government has taken responsibility for the Stuxnet computer virus that destroyed centrifuges at Iran's Natanz uranium enrichment facility, it was widely reported to have been a U.S.-Israeli project.

Britain says it blocked 400,000 advanced cyber threats to the government's secure intranet last year while a virus unleashed against Saudi Arabia's energy group Aramco, likely to be the world's most valuable company, destroyed data on thousands of computers and put an image of a burning American flag onto screens.

GOING VIRAL?

Most cyber expertise remains in the private sector where companies are seeing an steep increase in spending on security products and services.

Depending on the cyber threat, a variety of firms are bidding for cyber talent. Google is currently advertising 129 IT security jobs, while defense companies such as Lockheed Martin Corp and BAE Systems are looking to hire in this area.

Anti-virus maker Symantec Corp is also doing good business. "The threat environment is exploding," Chief Executive Steve Bennett told Reuters in an interview in July.

The perception of an increased threat, has also led to explosive demand for the best talent.

The U.S. Bureau of Labour Statistics says the number of Information Technology security roles in the U.S. will increase by some 22 percent in the decade to 2020, creating 65,700 new jobs. Experts say it is a similar situation globally, with salaries often rising 5-7 percent a year.

"Recruitment and retention in cyber is a challenge for everybody working in this area," says Mike Bradshaw, head of security and smart systems at Finmeccanica IT unit Selex. "It's an area where demand exceeds supply ... it's going to take a while for supply to catch up."

A growing number of security firms - such as UK-based Protection Group International (PGI) - now also offer cyber services. PGI started out providing armed guards to protect merchant ships against pirates but has now hired former staff from Britain's GCHQ eavesdropping agency.

COUNTRY OR CASH?

A graduate with a good computer studies degree can walk into a $100,000 salary with a similar amount upfront as a golden handshake, several times what the U.S. National Security Agency would be likely to offer.

Western universities turn out far too few graduates with the necessary computer skills while some students complain that many of the courses on offer are too theoretical for the challenges of cyber warfare.

But applicants need not have a computer science degree to get lucrative jobs as long as they can do the hardest-to-fill jobs such as finding bugs in software, identifying elusive infections and reverse engineering computer viruses that are found on computers, said Alan Paller, founder of the non-profit SANS Institute in Washington.

SANS has worked with officials in Illinois, Massachusetts, New Jersey and other states to sponsor hacking contests that test skills in those and other areas. Educational background does not necessarily help in these contests.

Those who have "very good" skills in the most-needed areas can earn $110,000 to $140,000, while the very top get paid as much as $200,000 in private sector jobs, according to Paller.

While the private sector offers big cash, the government is still able to retain some talent by appealing to people's sense of public service and patriotism.

"I want to serve my country. What I am doing is important," one hacker who conducts classified research for the U.S. military told Reuters at the Def Con hacking conference in July. He declined to provide his name because he was not authorized to speak to the press.

There is also an expectation that government workers can move to more lucrative jobs in the private sector after several years in public service.

But some senior officers in Western militaries still fear they may struggle to attract the requisite talent, citing both cultural and administrative problems.

General Keith Alexander, head of both the NSA and Cyber Command, told Reuters earlier this year finding the right talent was a priority. He has attended events such as the Def Con hacker conference, trading his uniform for a black T-shirt.

Hiring outsiders has long been thought to be a tactic employed by the United States as well as China and Russia.

Western security officials believe Russia, China and other emerging cyber powers such as Iran and North Korea have cut deals with their own criminal hacker community to borrow their expertise to assist with attacks.

Russia and China, which have been accused by the West of mounting repeated attacks on government and commercial interests, deny direct involvement in hacking.

"We are at the very beginning of this process and we are building it brick by brick," says Colonel Gregory Conti, head of the cyber Security Department at the U.S. Military Academy, West Point. "It's going to be like the creation of the air force - a process of several decades getting the right people and structures." ($1 = 0.6209 British pounds)

(Additional reporting by Jim Finkle in Boston; Editing by Guy Faulconbridge and Giles Elgood)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (17)
nose2066 wrote:
Isn’t it great that a whole security industry has been created – mainly because the code in operating systems like Windows and Android is so badly written?

Oct 13, 2013 9:08am EDT  --  Report as abuse
AdamSmith wrote:
Cyber Command?

Why does America even have a military? America has abandoned its own duty to even maintain its own borders at its airports.

Why have an American military when every day thousands of software engineer graduates on H1B visa, from India, China, and many other countries, fly right into our main airports, and take American jobs in American facilities of the high-tech sector?

Rarely mentioned in the press is the fact that the number of foreigners allowed to immigrate LEGALLY into the US this year has exploded. Approximately 1.2 million foreigners were issued American citizenship papers last year. And that number is set to continue to increase rapidly. Add to that the foreign high-tech workers on H1B visas, currently arriving at over 85,000 per year. The immigration reform bill recently passed by the Senate raises that to 420,000 new foreign engineer H1B visas per year.

Immigration is driving down wage rates, destroying the American middle class.

Immigration over the past 12 years caused more destruction of the American middle class than ten nuclear bombs. Why does America even have a military if they are going to abandon their duty to protect the American people?

And now this gigantic ongoing immigration is going to cause America to lose the cyber warfare competition because it allows the enemy open, free access to the inner sanctums of American tech companies, to come and go as they wish.

The militaries of other nations in the world protect their borders and airports. Their borders mean something. The most advanced countries, Germany, Japan, Israel, China, France, South Korea, Switzerland – they all guard their borders and airports carefully. They all prohibit immigration. Only America has been so thoroughly corrupted by big money. Only America is so utterly defenseless.

All other nations COMBINED, do not allow the levels of immigration that America is experiencing. It is the largest movement of human beings in the history of the world.

Millions of foreigners, fully LOYAL to their home countries, have been coming to America as students: Chinese, Indians, Mexicans, Brazilians, Pakistanis, Russians, Koreans, Iraqis, Iranians and other foreigners coming to sit in American class rooms. They then take that knowledge back to their home countries and work for companies or militaries competing against America.

It is asymmetric warfare and America is utterly defenseless.

Why does America even have a military? We are being literally invaded by immigration, and we do nothing.

Cyber warriors? Its just another channel for profits by the military. What America needs is a military that protects the American people from the massive immigration invasion that has already taken place, and destroyed our middle class.

Oct 13, 2013 9:32am EDT  --  Report as abuse
usagadfly wrote:
The primary problem in the USA is incompetent management, not a lack of technical talent.

American managers generally treat computer scientists who were born here in the USA with about as much respect as janitors. Somehow the notion that, since people are “a dime a dozen”, managers’ taste in receiving frequent written reports and mewling subordinates is unrelated to educated, experienced and intelligent computer professionals not wanting to suffer such treatment. Why spend years and decades honing intellectual skills to put up with poor treatment and overwhelming office politics?

Generally American managers prefer mainland Chinese Government agents who bow and scrape and send plenty of information to their true home to native born Americans. In this environment, why should a talented American care about what happens to such a system? Generally technical employment opportunities for Americans are greater outside the USA than within. The USA gets what it seeks, and home grown technical talent is not on the list.

Oct 13, 2013 10:58am EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.