The Defense Digital Service’s mission to “drive a giant leap forward in the way the Department of Defense builds and deploys technology and digital services” is something we can all get behind. As citizens we commend the work they have done as well as their plans to expand on these efforts — we are thrilled to work with them to help further this vision and mission. In light of this week’s report, the work the DDS is doing is more important than ever.
This week, the Pentagon’s combat testing office released initial findings from a report on the Pentagon’s cybersecurity capabilities. The full report, which will likely be released this week, paints a bleak picture of the military’s cybersecurity posture.
This is not the first report highlighting the Pentagon’s cybersecurity challenges. In October the Government Accountability Office issued a report that found the U.S. military had failed to make cybersecurity a major focus until recently, despite years of warnings. The report said that Federal information security had been at the top of the list of “High Risk” issues since 1997.
The test office’s findings report that the Pentagon’s cyber testing is “handicapped by lack of expertise” and tools to assess software-intensive weapons systems. While “weapons systems” are not the norm for most of our customers, a handicap of expertise is something we see across industries and in companies of all sizes – as are concerns over sensitive systems. In today’s landscape, and with 3.5 million unfilled cybersecurity jobs expected by 2021, it’s nearly impossible to stay ahead of cyber attackers.
A growing attack surface, economically incentivized adversaries, and a growing cybersecurity skills gap have made it more difficult than ever for organizations to shore up their defenses. Despite growing concerns about breaches all the way up to the board (and even the White House), many find themselves using the same “tried and true” approaches to security. And yet we’ve seen that these approaches are more tried and less true as they fail to prevent attacks. The answer is a break from the status quo.
The Pentagon has already begun this process by implementing crowdsourced security, adding to their defenses by proactively engaging with security experts from around the world to identify vulnerabilities before adversaries do. Late last year the DoD announced they were expanding these efforts. At the time of the announcement, the Director of the Defense Digital Service, Chris Lynch, said:
“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important. When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We’re excited to see the program continue to grow and deliver value across the Department.”
Another key takeaway in this week’s report was that most Pentagon cybersecurity jobs “are not compensated commensurate with the position’s required time and expertise.”
This is not just an issue facing the public sector. Cybersecurity professionals are in high demand, which means they can command higher paychecks. It also means they have more opportunities and choices when it comes to how, when and where they work. The globalization of our workforce means more flexibility about where and when professionals work – including those in cybersecurity. We work with ethical hackers around the world – in nearly every country. Nearly a quarter of these hackers earn a living through crowdsourced security, working full time as “bug hunters”. Moreover, more than 80 percent have landed jobs in cybersecurity via bug hunting.
Cyber attacks are not abating, and the risk of breach is not decreasing. In a recent report 71% of cyber criminals said they could breach the perimeter of a target within 10 hours. With high-profile breaches now the norm, adoption of crowdsourced security will only increase. So while this Pentagon report highlights that we have a long way to go, there is good news too. As more organizations take on a proactive approach, embrace the ethical hacking community, and find and fix the vulnerabilities found, we’ll start to see a shift. It won’t happen overnight, but the change is coming. Stay tuned.