In 2016, security researchers presented attendees of DEFCON, the annual Las Vegas hacker convention, with some unnerving findings about internet-connected smart locks: After testing over a dozen varieties of the devices across multiple manufacturers, the researchers found that 75 percent of them had major security vulnerabilities that left them exposed to hackers, who could unlock them from a quarter of a mile away.
For Steven Weber, a political science professor at The University of California Berkeley and the director of The Center for Long-Term Cybersecurity, the security challenges facing smart locks epitomize a larger reality: When it comes to security, seemingly intangible digital vulnerabilities are increasingly having real-world practical consequences. This is a trend that will only increase as technology’s influence over everyday life continues to expand.
“The notion that there’s this thing called “cybersecurity” that’s distinct from this other thing called “security” — that’s an idea that is disappearing,” Weber said. “This change is going to have some significant implications for all of us over the next 10 years.”
Of these implications, many of the most important ones will affect the cybersecurity workforce. To meet the cybersecurity challenges of the future, companies and governments will need a new kind of cybersecurity worker.
The cybersecurity workforce gap is real: By 2022, the projected shortage of cybersecurity workers will reach 1.8 million, according to the Center for Cyber Safety and Education. This challenge extends beyond technology companies to those in healthcare, finance, and manufacturing. It’s also vexing the United States government, which has found that its own cybersecurity hiring has been hindered by “persistent recruiting, hiring, and retention challenges,” according to a June 2018 report from The Office of Management and Budget.
“Right now, there’s a real and significant shortage of people with the technical skills,” said Weber. “Everyone everywhere is struggling to fill these jobs.”
But simply filling the ranks of the cybersecurity workforce is only part of the long-term challenge facing the industry. As the idea of cybersecurity expands, companies and government groups are increasingly looking for workers whose expertise spans multiple disciplines. Financial services companies, for example, need cybersecurity workers who have accounting backgrounds and an understanding of financial regulations. Healthcare companies also need workers with similarly multi-disciplinary backgrounds.
Likewise, in the public policy sector there’s an increased demand for what University of California Berkeley law professor Chris Hoofnagle calls “public interest technologists.” Hoofnagle, who teaches a course that puts cybersecurity in the context of society, politics, and economics, said that these are people who “know enough about the technology but can also interact with the language of policymakers.”
He cited Dr. Danah Boyd, a trained computer scientist and academic whose research examines the intersection between the internet and modern society. (She is currently a researcher at Microsoft Research, and founder of Data & Society.) Another example is Ashkan Soltani, a privacy and security technologist who worked as the Federal Trade Commission’s chief technologist and in the White House as senior advisor on big data and privacy issues. “When used properly, these kinds of people can really be game-changers,” said Hoofnagle.
While having a broad understanding of cybersecurity in multiple contexts is a valuable skill, having a strong technical understanding of core cybersecurity concepts is also essential to climbing the ranks of the field, argued Weber. “If you’re going to be arguing policy on encryption and you don’t understand how cybersecurity works, then you’re not going to be able to make good smart decisions,” he said. But few university cybersecurity programs today teach those technical skills and instead lean almost exclusively on big policy questions. “Too many of these programs are training people who don’t really understand enough about the technology to be completely informed about the decisions they have to make,” said Weber.
But developing a technical understanding does not have to mean learning how to code, which is a common misunderstanding among those turned off from venturing into the field. Project management and incident response jobs, for example, rarely require technical expertise. Other roles, such as those in compliance and cyber threat intelligence, require a more big-picture view of cybersecurity, including where threats are coming from and how to prevent them. Indeed, in this approach understanding human behavior is particularly important. Cybersecurity workers need to be able to design systems within the context of how people are likely to use them. Cybersecurity, in other words, is as much of a human challenge as it is a technical one.
That kind of interdisciplinary, holistic understanding of the industry has become increasingly vital, argued Hoofnagle. Because the various stakeholders in the cybersecurity industry have isolated themselves from each other, they’ve often developed dramatically different ways of talking about similar issues, and in some cases, how they define certain words. A tech company’s definition of “privacy,” for example, is likely to be very different from that of the average user, a difference that makes it harder to have meaningful debates in moments of crisis.
Hoofnagle sees these kinds of differences in the classroom, where students across multiple fields often approach course topics such as privacy from vastly different perspectives. “Highly technical students will often interpret ‘privacy’ as relating to the collection of data or secrecy, but what they learn in reading the theory is that other people think of it more in terms of how data is used,” Hoofnagle said. “And other students will have this almost inscrutable position where a company has collected all of your data, yet they say, ‘Well, there is no privacy problem because it’s only disclosed to our service providers.'” For these students, education has been essential to closing this gap in understanding.
All of this is why the industry needs more people who can understand and speak the language of all cybersecurity stakeholders, and translate between them accordingly. This kind of holistic understanding will be essential to the industry over the next five to ten years. Professor Weber compared this vital shift to the philosophy behind community policing.
“In the same way that a really effective police force requires so much more than having people who can operate guns,” said Weber, “a cybersecurity workforce has to be broadly trained in the overall ecosystem dynamics of what they’re trying to protect.”