Cybersecurity training: The battle over mandates

 

Connecting state and local government leaders

A debate rages over a Senate proposal to require certification or licensing for all cybersecurity professionals who work on government information systems.

Few people would advocate putting cops on the street or soldiers into battle without first giving them proper training. Yet there is no standard governmentwide preparation program required for those who protect the government’s information systems and computer-controlled infrastructure from bad guys intent on mischief or harm.

Whether an obligatory return to the classroom will make a difference in countering those threats is at the heart of a debate spurred by a proposal to license cybersecurity professionals that work for or contract with the government. The mandate is part of an ambitious cybersecurity measure the Senate initiated, and it would affect tens of thousands of information technology workers.

Proponents see the measure as money well spent to improve information security through a more professional, better-trained cybersecurity workforce. But opponents believe mandatory licensing will tie up the industry in red tape and hinder its ability to keep training up-to-date with rapidly changing technology.

The measure, sponsored by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), would direct the Commerce Department to develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals.

It would then become unlawful for a person lacking the proper license and certification to provide cybersecurity services to an agency or for an information system or network designated as critical infrastructure.

Opinions about the proposal’s potential impact vary, but the different camps agree on one point: There are still many unanswered questions. For example, people wonder how “cybersecurity services” would be defined. They also speculate on which skills would need certification or licensing and whether using company-based certifications would be the right approach.

There are also questions about enforcement, legal liability, the value of certification versus licensing, and how federal requirements would impact states' rights and their traditional role in licensing various professions.

The Senate measure would apply to all federal IT systems and any others the president deems critical infrastructure, which could include privately owned assets such as the electric grid.

It wouldn’t be the federal government’s first attempt at demanding proof of training for cybersecurity professionals. The Defense Department has had a mandatory certification — but not licensing — requirement for its information assurance workforce since 2004. The program has certified only one-third of the department’s information assurance workforce so far, and though officials have yet to complete an extensive assessment of the program’s performance, they see signs that it is having a positive impact.

Licenses vs. certifications

The new proposal would affect the entire federal IT industry — from contractors to government employees and the many companies that provide information assurance certification and training.

The use of certification as a tool for hiring, placing and promoting employees is certainly nothing new. However, a mandatory licensing program would be unprecedented, and that proposal has proven particularly contentious.

“A lot of people have problems with where do you draw the line: Who has to get a license, who doesn’t, who would be the licensing authority, what would be the extra cost, what are the liability issues?” said Lynn McNulty, director of government affairs at (ISC)² and a former federal information security program manager. (ISC)² is one of numerous organizations that constitute an expansive training and certification industry.

McNulty said he’s not hearing a lot of complaints about the certification requirement, but many people have a problem with the licensing requirement.

During a roundtable discussion on certifications (ISC)² hosted in early June, several participants said the licensing requirement would represent a departure from the state-based approach to validating the qualifications of professionals such as doctors and lawyers.

Federal licensing of cybersecurity professionals “would fly against that principle, and it just doesn’t make a lot of good sense in my opinion,” said John Lainhart, public-sector service area leader for security, privacy, wireless and IT governance at IBM’s Global Business Services. He participated in the (ISC)2 roundtable discussion as a representative of the Information Systems Audit and Control Association, which provides cybersecurity training and certifications.

Critics say another problem with licensure and its added layers of federal oversight is that the government’s training and testing programs would not evolve as quickly as industry-driven certification programs.

That would be a significant slowdown for an industry that changes as rapidly as IT does, and could dampen rather than boost the growth of a newly trained cybersecurity workforce, said Dan Liutikas, another roundtable participant and senior vice president, chief legal officer and corporate secretary at CompTIA, an IT industry and training association.

Yet another issue with licensing is what form the testing should take. Alan Paller, director of research at the SANS Institute, a cybersecurity training, certification and research organization, supports the idea of evaluating security professionals’ skills in operational situations, as airplane pilots are tested.

He added that if the government establishes a licensing program for IT security professionals, it shouldn’t belong to the commercial world. “It should be owned by a completely independent organization that isn’t trying to sell something already, and they should not be able to do any training at all — none,” Paller said.

The current state of play

Establishing certification or licensing requirements would force the government to define skill sets and career paths for cybersecurity professionals. Such tracks are common for other government jobs but nonexistent for IT security.

“Everything always points back to the fact that we are calling things apples and oranges and grapes,” said Brenda Oldfield, director of cyber education and workforce development in the Homeland Security Department’s National Cybersecurity Division. “We do not have common terminology across the mission areas. Everything that we attempt to do in developing any plans for training and education of the civilian workforce or of the federal workforce depends upon this common lexicon.”

On that issue, the legislation might be getting ahead of itself, said Patricia Titus, former chief information security officer at the Transportation Security Administration and currently CISO at Unisys Federal Systems.

The Office of Personnel Management still hasn’t designated a job series for IT security professionals, she said. Right now, such workers are categorized as IT specialists, managers or program analysts.

“I think OPM needs to develop an IT security job series, and part of that series then would be the requirements of what the individuals have to do,” Titus said. Those might include certification, appropriate training and relevant job responsibilities, she added.

Oldfield has been working for years to establish a common set of skills for information security professionals in the government. Most recently, that effort has been folded into the education component of the Comprehensive National Cybersecurity Initiative, the multiyear, multibillion-dollar program launched by the Bush administration. Oldfield co-leads the education initiative for DHS in cooperation with DOD.

“We have to be able to validate that cyber professionals have the skills needed, but we have to identify what those skills are uniformly,” she said.

Officials have identified numerous federal documents that specify different IT security competencies that workers should possess. The challenge is to bring them all together. That’s the job of an interagency work group being established to identify critical roles and unify agencies’ training efforts. Such consolidation will also likely produce cost savings by eliminating duplicative efforts.

“Many times there are high-end training classes and laboratory experiences conducted that have empty seats, and they could offer those seats to other agencies if we were comparing apples to apples,” Oldfield said.

DOD’s experience

As experts weigh the potential value of a governmentwide cybersecurity certification or licensing requirement, they are turning to DOD for lessons about how its program has fared.

DOD’s certification requirements cover a spectrum of management and technical information assurance roles for some 90,000 military, civilian and contract employees. Officials created the program in 2004 in response to departmental Directive 8570, released a manual of instructions in 2005 and updated that manual in 2008. Under the program, they identified commercially available, accredited certifications that information assurance employees and contractors need to have to work on DOD systems.

“The idea of a common lexicon that’s provided by these certifications is something that was lacking before,” said George Bieber, director of DOD’s Information Assurance Workforce Improvement Program.

At the launch of the program, Pentagon officials created a working group with representatives from the military services to define the functions or skills the certifications would cover. Then they examined which existing certifications aligned most closely with the desired skills.

DOD’s legal representative originally said they needed to use certifications rather than licensure because the latter is not a federal or DOD function, Bieber said. Officials also decided to take advantage of existing commercial certifications rather than develop custom programs so that employees would have skills they could use in the private sector or at other agencies.

DOD’s program hasn’t moved as quickly as officials had hoped. Their goal was to have about 40 percent of targeted workers certified by now, but only about 30 percent have been. Bieber blamed the shortfall on an aggressive schedule, funding constraints, changing culture and the extra work needed to make changes in supporting systems, such as personnel databases. However, DOD officials still hope to have all 90,000 certifications done by 2011.

Studies conducted by a couple of DOD offices have shown that security seems to improve as more employees are certified. DOD officials are in the process of collecting data to assess the program more broadly.

Bieber said he has heard that certifications help increase a cybersecurity staff’s problem-solving abilities by providing them with a common lexicon when addressing incidents.

“It’s really enabled the security issues to be handled at a lower level, whereas before it was going up,” he said.

The DOD model expanded?

It’s uncertain whether the requirements outlined in the Rockefeller-Snowe bill would expand the DOD model of using commercial certifications or prompt the development of new standards. And experts disagree on which approach is best.

Paller said the way DOD developed its program by surveying commercial certifications was a huge error. He believes a certification program should measure specific skills that people use in specific jobs — something he said DOD’s approach doesn’t do. Rather, it found a lowest common denominator, he said.

“My sense is if we care about this enough to make it a national law, we ought to make it much more technical and much more sophisticated,” Paller said.

However, others see expanding DOD’s approach as the way to go.

Lainhart said DOD’s program, which is based on U.S. and internationally recognized certifications, is preferable.

“Let’s not reinvent the wheel,” Lainhart said. “We’ll achieve a global standard that way by using the certifications that are out there, and I think that’s again consistent with [President Barack Obama’s] cybersecurity policy review.”

Indeed, what will follow from the administration’s recently completed 60-day review of cybersecurity policy could be a big factor in determining the new proposal’s fate.

The reviewers’ report recommends that the federal government initiate a national public awareness and education campaign. It adds that shared training and rotational assignments across agencies — and potentially with the private sector — would be efficient and beneficial. However, the administration hasn’t said whether it favors mandatory certifications and licenses for cybersecurity professionals.

Even with all the unanswered questions, some experts are happy just to be having the conversation. Bieber said he thinks all the focus on cybersecurity will turn more attention on training and certification efforts.

“One of the things I love about the Rockefeller-Snowe bill is it's provocative, and it’s creating these discussions,” said Mason Brown, director of the SANS Institute and a participant in the (ISC)2 roundtable discussion. “If we expect something in draft format and out of committee or out of the gates to be perfect, we’re a little bit nutty.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.