There are many problems facing the cybersecurity community today, and they will only get worse before they get better. Despite this bleak view, former Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs reminded the audience at Black Hat USA 2022 to place their hope in people to have a more secure future.
The cybersecurity industry has a problem: In 2021, there were 3.5 million cybersecurity positions left unfilled, and it’s expected that in 2025, there will still be 3.5 million job openings in the industry. This worrisome gap isn’t new. In 2013, there were 1 million open cybersecurity positions. For an industry that is considered durable, well-paid and vital to national security, cybersecurity’s future is looking bleak.
Juxtapose the workforce shortage with an equally concerning problem: the lack of technology-centered education in the United States K-12 system. The 2020 State of Computer Science report, for example, found that only 47% of high schools in the U.S. teach computer science. Going deeper, access to computer science education is lowest for students from marginalized backgrounds, and the actual participation levels in these programs varies. This weakens the younger generation’s ability to aid us in the fight to secure technology.
These people-centric problems impacting cybersecurity are just pieces of the puzzle for why the industry’s future looks so worrisome. Put simply by Krebs during his keynote speech at Black Hat on Wednesday:
“Things are going to get worse before they get better.”
As he reflected on what the future holds for the cybersecurity community, Krebs argued the community needs to analyze these four factors to answer the question of where this industry is going: technology, bad actors, government, and people. He stressed that looking at the past, present and future of these factors can teach key the security community how to reorient their goals in order to prepare for a more secure future.
Here's a breakdown of Krebs' key points.
Technology's part in the problem
Krebs argued that up to this point, we have made the entirety of technology more complex and intertwined than ever before. Looking just five years down the line, more and more objects in our daily lives will become connected to the internet, increasing the threat surface for our adversaries.
If we have any hope in making technology more secure in the future, Krebs believes that any company or organization having some stake in the internet or in software, is undeniably connected to the fate of national security. Therefore, making things better in the future means holding people accountable to better secure the technology we are serving.
Bad actors target the low hanging fruit: the software supply chain
Bad actors impacting the fate of cybersecurity is obvious according to Krebs: “They target the software supply chain because that’s where the access is,” and access for these cybercriminals is where the money is.
Krebs also noted that cybercrime will only get worse, since these criminal organizations are only becoming more complex, and are advancing at a similar pace to technology in general. If the cybersecurity industry does not keep up technologically with these criminals, and we neglect to hold them accountable, the future possibilities for cybercrime will be endless.
Government has a key role to play, but needs to step up
Krebs, being a former high-ranking government official, understands that government is a key factor in determining the state of cybersecurity. He feels that government (localized to the U.S.) “has to clean up its own act,” which means reorganizing the various factions within our bureaucracy to make it more approachable and efficient. Also, Krebs doesn’t see current government regulations giving the outcomes that we need in order to aid the industry.
Government doing better means making “the front door clearly visible” for private-public partnerships, said Krebs. He also feels that government will have to make regulations based on outcomes, rather than on checklists. Taking a hard look at the way our government is organized, and optimizing it to combat the problems our industry is facing, will provide the most hope for the future of cybersecurity.
The people problem — and the hope
People in general play a large role in the state of cybersecurity. Krebs already reminded the audience about worrisome labor shortages and lack of technology-centric education. But looking to the future, he has more hope in people than he does in any of the other factors mentioned. A new generation of smarter, increasingly technology-native minds are stepping into this industry when it needs them the most. Krebs argued that a savvier, quicker to problem-solve workforce is exactly what the future of cybersecurity needs.
The cybersecurity community must go all-in
But it can’t just be left off to the younger generation to tackle the future problems cybersecurity will face. Krebs stressed that it’s going to take the security community as a whole to step up as leaders in reorienting cybersecurity’s path forward. Above all else, Krebs believes that it is the people who drive solid principles, establish key partnerships, make thoughtful plans, and engage with our public that bring hope to the future of cybersecurity.
Featured image source: Bree J. Fowler