November 14, 2018

The Atlantic Council’s Cyber Statecraft Initiative hosted a public panel on November 14, 2018, to discuss the human element of cybersecurity. The panel, underwritten by Raytheon, was comprised of Mr. Sean Berg, Senior Vice President and General Manager of Global Governments and Critical Infrastructure at Forcepoint; Ms. Amy Chang, Senior Threat Intelligence Analyst for Cybersecurity Operations at JPMorgan Chase; Dr. Andrea Little Limbago, Chief Social Scientist at Virtru; and Mr. Eric Welling, Deputy Assistant Director, Cyber Division at the Federal Bureau of Investigation. Atlantic Council Board Director Gen. James E. Cartwright USMC (Ret.) delivered opening remarks, and nonresident senior fellow at the Cyber Statecraft Initiative, Mr. Pete Cooper, moderated the discussion.

The panel emphasized that, as cyberattacks continue to grow more widespread, more damaging, and more costly, it is easy to forget that behind every breach is a person—that no matter how advanced a piece of malware or how large a botnet, the adversary is always human. It is also just as easy to forget that cyber defense starts with people. Mr. Berg cited that $98 billion was spent on cybersecurity measures in 2018, but that the number of attacks and breaches is still climbing. He also emphasized that while most cybersecurity approaches focus outward on threats, boundaries and network protection, the security industry needs to remember to look inward at what it is protecting: people and data. Dr. Limbago and Ms. Chang explained that organizational-level changes need to occur for private or public entities to improve their security. When it comes to human adversaries, Mr. Welling emphasized that law enforcement and other organizations need to develop ways to remove incentives for malicious behavior. Cyber criminals, like the rest of us, respond to costs and benefits. If we can remove the benefits and raise the costs of cybercrime, we will start to see progress.

All the panelists agreed that although serious steps have been taken by many organizations to address the human vulnerabilities within organizations and in business, a comprehensive solution has yet to be identified, let alone implemented. As the criminal world becomes more experienced and more specialized, we must adapt so that we can respond accordingly. It has become a whole of government, whole of nation problem that we must work together to address.

Compounding this problem is that fact that the cybersecurity industry is experiencing a massive skills shortage. One way to remedy this problem is to diversify the candidate pool when filling entry-level security positions. By opening positions to non-technical individuals, companies will attract candidates with different skills—such as individuals with advance degrees in foreign languages, business, law, history and international relations. A more diverse workforce will provide the diversity of thought needed to tackle security issues that span countries and disciplines. However, the panel noted that opening the cybersecurity pipeline to non-technical applicants requires a rethink of how companies incentivize and attract new talent. Non-technical applicants will obviously require training for technical literacy as well as opportunities to be mentored by and connected with experts in the field.

The Atlantic Council itself offers one such opportunity through its Cyber 9/12 Strategy Challenge, a series of competitions around the world that provide students across academic disciplines with a deeper understanding of the policy challenges associated with cyber crisis and conflict. Part interactive learning experience and part competitive scenario exercise, it challenges teams to respond to a realistic, evolving cyberattack and analyze the threat it poses to national, international, and private sector interests. The Council has held several Strategy Challenges already this year, with competitions having taken place in London, UK; Lille, France; Austin, Texas; and Washington, DC, in the first few months of 2019. Upcoming Challenges in Geneva, Switzerland, on April 25 and 26 and Sydney, Australia, in October will continue to diversify and strengthen the talent pool across the globe.