I just love it when people without appreciable “cyber skills” urge the cultivation of them on the rest of us. This post by M. Anthony Mills at RealClearPolitics is typical of the genre:
Start with a truism: There is a gap between the demand for technical skills in the modern economy and the supply of workers who possess those skills. Employers cannot find enough qualified applicants to fill a growing number of jobs that require such skills. It has been called the “STEM crisis.”
This is true across domains — from science and engineering to finance and health care — in part because information technology is beginning to infuse all aspects of the economy. One of those domains is cybersecurity.
Which brings us to a second truism: Cybersecurity is among the major challenges facing today’s public and private sectors, and one that will only grow as our economy becomes ever more digital. It is already daunting, given the ubiquitous data-sharing that defines our social-media age. Nearly every person has a computer in his or her pocket — often linked up to the cloud and various social media — making just about every employee a potential cyber target. Cybersecurity is no longer a specialized issue of concern to one’s IT department, but something that impacts nearly everyone. Consider that Facebook has over 2 billion users worldwide.
The problem with his truisms is that they aren’t true. If there were a STEM crisis, you’d expect salaries in science, technology, engineering, and math to be rising. Except in biosciences, which are subsidized ferociously by government at all levels, they aren’t. What’s actually happening is that businesses, naturally enough, want to pay as little as possible for workers with the skills they want, so they complain that there are no workers available as a justification for importing foreign workers, whom they’ll pay less because they can get away with it.
Health care’s a different story. If the number of people in health care is inadequate, it’s because it’s effectively capped.
The reason for the highly publicized security breaches at big companies and the government, e.g., Equifax, is not technical. It’s managerial. Management decisions have been made that security is not worth paying for and enforcing, so the culture of security necessary to preserve it never comes about.
Here’s a sad reality about national cybersecurity. It’s asymmetrical warfare. The advantage is with the attacker. We can digitally cut ourselves off from the rest of the world. We can attack potential cyberadversaries (more malicious traffic comes from China than everywhere else added together; much of the balance comes from Eastern Europe). We can’t really defend ourselves. There are some things we can do to mitigate the risks, but we don’t even do those. That’s not a technological problem. It’s a management and political one.