US bill seeks cybersecurity scholarships
Send your kid to hacker school
The US House of Representatives has overwhelmingly passed a bill that would direct almost $400m toward research designed to shore up the nation's cybersecurity defenses.
The Cybersecurity Enhancement Act would approve $108.7m over five years to establish or continue a cybersecurity scholarship program. In return, students would serve in federal government posts upon graduation.
This is precisely the kind of thing computer security supporters have advocated for years. Citing studies that suggest the US is woefully behind other nations in its supply of skilled cybersecurity personnel to secure critical networks, they argue the federal government needs to do more to attract and train new talent.
The bill, which was passed 422 to 5, would also require the White House to conduct an agency-by-agency assessment of cybersecurity workforce skills. It now heads to the Senate for consideration. Further coverage is available from The New York Times and IDG News.
It's about time...
I was wondering, what with practically outlawing creative hacking with the DMCA/PatriotAct nonsense, when they would wake up and realise that the best person to have on your security detail is Somebody Who Can instead of somebody who just thinks they can.
Why did those 5 Repuglicants vote no?
perpetuating the fundamental error
This initiative is likely to do little more than perpetuate the error of considering "cyber security" as a technological issue. It isn't - it's a conceptual issue. Its current state of weakness is a function of the same appalling quality of risk judgement that is increasingly evident in national policy decision-making (Katrina, Homeland Security, banking &c.). We have become so dependent on rule-based systems (both technological and social/legislative) that we have effectively ceased to be able to think flexibly and holistically. As a result we race behind the bad guys fixing a cascade of symptoms, unable to recognise, let alone address, the fundamental disease.
Contrary to popular opinion, software development is not such an overwhelmingly complex activity that it's impossible to create error-free code. You just have to pay attention, really understand what you're doing, and, most importantly, actually care about what you're delivering. It seems the majority of developers/programmers don't, don't and don't - not because they use abstracted high-level development tools but because they rely on such tools to absolve them from taking the personal responsibility for getting it right. It's an attitude problem before all, and is no different from the almost universal desire of our student population to get the degree without having to make the effort required to actually learn the subject.
We need people in charge of our security (and that includes not only "security specialists" but also application and service designers, programmers, testers, deployers, service managers and users) who actively seek to bear the requisite responsibility for fulfilling that task. Such people will make sure of their own accord that they are sufficiently competent to do so. Absent that attitude, no training programme will help.