“It is one of the most difficult national security issues that I’ve seen during the time I’ve been working on this.” The it that Eric Rosenbach, co-director of Harvard Kennedy School’s Belfer Center for Science and International Affairs, is talking about is digital interference in democratic election processes through hacking and social media influence.
“I worry that it’s one of the biggest threats to not only the United States but all democracies right now.” And that makes the demand for cybersecurity experts even more urgent. “The more people who are working in cybersecurity, the safer the country’s going to be,” he told me in an interview following his appearance at the Code Conference, gathering of top technology and entertainment companies.
Russia’s interference in the November 2016 election is well-documented. In a report released in January of last year, the CIA, FBI, and National Security Agency jointly stated with “high confidence” that the Russian government conducted a campaign to influence that election. Russian agents are believed to have hacked into computers connected to the Democratic and Republican parties, then leaked thousands of documents from the Democrats ahead of the election.
A cyber expert with the Department of Homeland Security testified before Congress that Russian hackers also scanned official election-related computers in 21 U.S. states looking for system weaknesses, but there is no evidence that the cyber-invaders altered any vote totals.
I asked Rosenbach if he thought the Russians were better at this kind of cyberattack, or if our systems are just more vulnerable than others. “I do think that the Russians are very capable and they’re very sophisticated in the way that they think about information operations. But, it’s not so difficult now that the blueprint is out there for others to do it, to know that you can hack people, then release the information, manipulate social media, and influence things,” according to Rosenbach.
“The other bad guy actors, the Iranians, the North Koreans, maybe the Chinese, will see what the Russians did during the 2016 election and see that it’s something that they want to do as well,” he told me. “We are vulnerable, and it’s very difficult to defend against.”
As part of the effort to protect our election systems from another attack, Rosenbach is leading a project through the Kennedy School called Defending Digital Democracy.
“What I’ve tried to do is bring in the tech sector, political operatives and cybersecurity wonks like me, to work on this in a collaborative way, with the states, with the federal government, and with others to try to make some difference,” Rosenbach said.
There are not enough boots-on-the-ground cybersecurity experts to go around. A much-cited report from ISACA says that 40,000 information security jobs are already going unfilled in the public and private sectors each year — at least 10,000 of those are government jobs — and the number will grow to 3.5 million by 2021. More than 69 percent of government and corporate security information leaders and contractors surveyed in 2016 said they couldn’t find enough experts with the right skills to address current cyber threats.
Interestingly, that same report showed that “87% of cybersecurity workers globally did not start in cybersecurity, yet 94% of hiring managers indicate that existing experience in the field is an important consideration.” The report calls for all employers to think outside the box when looking to fill the worker gap, including internal training of current employees and working with outside training programs to recruit nascent talent.
The Departments of Homeland Security and Commerce have called on the White House and Congress to work together to launch a high-profile national Call to Action “to draw attention to and mobilize the public and private sector resources to address cybersecurity workforce needs.”
Additionally, the report said it is crucial for the government to increase funding for cybersecurity programs, noting that, in addition to workers, there is a “shortage of knowledgeable and skilled cybersecurity teachers at the primary and secondary levels, faculty in higher education and training instructors.”
High education institutions, including Harvard, have been developing curricula to attract new talent to the cybersecurity field. “For example, I teach this online class that gets you a certificate and that doesn’t make you an expert. But it’s that type of distance education and EdTech and modern education system I think can really help get more cybersecurity people, in force,” said Rosenbach. “I think it’s a great space for people to reinvent themselves.”
Another hurdle in the government’s efforts to attract talent is geography. The majority of the government’s cybersecurity work is done in Washington, DC, while California, Texas, and Massachusetts are the centers of cutting-edge technology. Rosenbach spends a lot of time in Silicon Valley and told me that cybersecurity is not always top-of-mind. “Just look at this conference. It’s really great people. It’s interesting. They’re talking about their leadership challenges, but I only heard cybersecurity mentioned maybe once. It’s not on their radar, it seems.”
“I’ve always found that the tech sector will want to help, but they don’t always know exactly what the challenge is, and so they go back into their normal operating environment.” Rosenbach served in the Obama Administration under Defense Secretary Ash Carter and was part of recent efforts to engage the private sector in national security conversation.
“We need to build a bridge. When I was working with Secretary Carter, one of the things we did is open this little outpost in Silicon Valley called Defense Innovation Unit Experimental and we’re trying to rebuild those bridges so there would be more trust and that the government could work with the private sector on things related to defense and cybersecurity.”
Rosenbach said he recognizes that it can be difficult for private tech businesses to partner with the Defense Department. “You can understand the tension. That’s hard from a commercial perspective in the optics. But, I think it needs to happen.”
Just last week, Google CEO Sundar Pinchai vowed that the company would not design or deploy artificial intelligence as weapons or to gather surveillance violating internationally-accepted norms. The new set of guidelines came in response to backlash from employees against Google’s Project Maven contract with the Pentagon, which included using AI to interpret drone videos. “We want to be clear that while we are not developing AI for use in weapons, we will continue our work with governments and the military in many other areas,” said Pinchai.
“It’s the information age and the obvious fact is that during the information age, people are going to use and manipulate information to try to attack our way of life and so, simple things like being skeptical of information that doesn’t seem quite right are important,” he told me. “Protecting your own information and demanding that big tech firms and the government protect your information, are really important.”
WorkingNation is highlighting the talent gap in cybersecurity ahead of our Town Hall event: Cracking the Code: Bridging the Cybersecurity Skills Gap on June 26. RSVP today to attend this informative discussion featuring leading cybersecurity experts.