Sunday, June 12, 2011

S 1159 Introduced – Cybersecurity Workforce

Last week Sen. Gillibrand (D, NY) introduced S 1159, the Cyberspace Warriors Act of 2011. As the name would suggest, this bill addresses cybersecurity personnel issues in the Department of Defense. Increasing the size of the cyber security workforce in the Active, Reserve, and civilian components of the Defense Department will have inevitable short term and long term effects on the cybersecurity workforce working on industrial control system issues.

Cyber Security Workforce Study

This bill would require the Secretary of Defense to hire an outside entity to review the cybersecurity workforce situation in DOD, specifically concentrating on the recruitment, retention and development of ‘cyberspace experts’. An important component of the study would be the production of a “statement of capabilities and number of cyberspace operations personnel required to meet the defensive and offensive cyberspace operation requirements of the Department of Defense” {§2(b)(2)(A)}.

Along with the statement of personnel requirements for DOD’s cybersecurity workforce the study would be required to assess “the sufficiency of the numbers and types of personnel available for cyberspace operations, including an assessment of the balance of military personnel, Department of Defense civilian employees, and contractor positions” {§2(b)(2)(B)}.

The study would also look at the variety of “recruiting, training, and affiliation mechanisms” the Department could use “to address challenges to recruitment, retention, and training” {§2(b)(2)(D)} along with the identification of the types of incentives that DOD could use to overcome those challenges.

Finally, the study would look at the “legal, policy, or administrative impediments to attracting and retaining cyberspace operations personnel” {§2(b)(2)(F)} and make recommendations “for legislative or policy changes necessary to increase the availability of cyberspace operations personnel” {§2(b)(2)(G)}.

Potential Effects on ICS Security

Not addressed in the current language of this bill would be the potential effects on the civilian cybersecurity situation caused by this increase in cybersecurity staffing at DOD. In the short term one would expect, because of the general shortage of cyber security personnel, particularly in the industrial control system realm, that any increase in the recruitment of personnel with current expertise for the DOD program would have a negative effect on the availability of personnel for civilian cybersecurity work.

Over the longer term, as DOD training and incentives for college training in cyber security increase, the overall size of the cybersecurity workforce would be expected to increase. Since military personnel with high-value skill sets have relatively low retention rates due to compensation (both base pay and bonuses) limits imposed by Congress, there would be an expected long-term increase in the availability of experienced cybersecurity personnel in the civilian sector.

It would be interesting to see if this study identifies industrial control system security as one of the specific skill sets necessary for the DOD cybersecurity program. I would expect that any offensive cyber operations would need the capability to affect industrial control systems of various sorts. Defensive cyber operations conducted by DOD could also require protection of a variety of industrial control systems.

I would expect that there would be much more focus on information technology systems, but this study could have a long-term effect on the industrial control system security personnel situation.
