* Governments, companies struggle with recruitment
* Cyber attacks could cost up to $400 billion globally
* Salaries rise as cyber security demand outpaces supply
By Peter Apps and Brenda Goh
LONDON, Oct 13 (Reuters) – For the governments and
corporations facing increasing computer attacks, the biggest
challenge is finding the right cyber warriors to fight back.
Hostile computer activity from spies, saboteurs, competitors
and criminals has spawned a growing industry of corporate
defenders who can attract the best talent from government cyber
units.
The U.S. military’s Cyber Command is due to quadruple in
size by 2015 with 4,000 new personnel while Britain announced a
new Joint Cyber Reserve last month. From Brazil to Indonesia,
similar forces have been set up.
But demand for specialists has far outpaced the number of
those qualified to do the job, leading to a staffing crunch as
talent is poached by competitors offering big salaries.
“As with anything, it really comes down to human capital and
there simply isn’t enough of it,” says Chris Finan, White House
director for cyber security from 2011-12, who is now a senior
fellow at the Truman National Security Project and working for a
start-up in Silicon Valley.
“They will choose where they work based on salary, lifestyle
and the lack of an interfering bureaucracy and that makes it
particularly hard to get them into government.”
Cyber attacks can be expensive: one unidentified
London-listed company incurred losses of 800 million pounds
($1.29 billion) in a cyber attack several years ago, according
to the British security services.
Global losses are in the range of $80 billion to $400
billion a year, according to research by the Washington-based
Center for Strategic and International Studies that was
sponsored by Intel Corp’s McAfee anti-virus division.
There is a whole range of attacks. Some involve simply
transferring money, but more often clients’ credit card details
are stolen. There is also intellectual property theft or theft
of commercially sensitive information for business advantage.
Victims can also suffer a “hacktivist” attack, such as a
directed denial of service to bring a website down, which can
cost a lot of money to fix.
Quantifying the exact damage is almost impossible,
especially when secrets and money are not the only targets.
While no government has taken responsibility for the Stuxnet
computer virus that destroyed centrifuges at Iran’s Natanz
uranium enrichment facility, it was widely reported to have been
a U.S.-Israeli project.
Britain says it blocked 400,000 advanced cyber threats to
the government’s secure intranet last year while a virus
unleashed against Saudi Arabia’s energy group Aramco, likely to
be the world’s most valuable company, destroyed data on
thousands of computers and put an image of a burning American
flag onto screens.
GOING VIRAL?
Most cyber expertise remains in the private sector where
companies are seeing an steep increase in spending on security
products and services.
Depending on the cyber threat, a variety of firms are
bidding for cyber talent. Google is currently
advertising 129 IT security jobs, while defence companies such
as Lockheed Martin Corp and BAE Systems are
looking to hire in this area.
Anti-virus maker Symantec Corp is also doing good
business. “The threat environment is exploding,” Chief Executive
Steve Bennett told Reuters in an interview in July.
The perception of an increased threat, has also led to
explosive demand for the best talent.
The U.S. Bureau of Labour Statistics says the number of
Information Technology security roles in the U.S. will increase
by some 22 percent in the decade to 2020, creating 65,700 new
jobs. Experts say it is a similar situation globally, with
salaries often rising 5-7 percent a year.
“Recruitment and retention in cyber is a challenge for
everybody working in this area,” says Mike Bradshaw, head of
security and smart systems at Finmeccanica IT unit
Selex. “It’s an area where demand exceeds supply … it’s going
to take a while for supply to catch up.”
A growing number of security firms – such as UK-based
Protection Group International (PGI) – now also offer cyber
services. PGI started out providing armed guards to protect
merchant ships against pirates but has now hired former staff
from Britain’s GCHQ eavesdropping agency.
COUNTRY OR CASH?
A graduate with a good computer studies degree can walk into
a $100,000 salary with a similar amount upfront as a golden
handshake, several times what the U.S. National Security Agency
would be likely to offer.
Western universities turn out far too few graduates with the
necessary computer skills while some students complain that many
of the courses on offer are too theoretical for the challenges
of cyber warfare.
But applicants need not have a computer science degree to
get lucrative jobs as long as they can do the hardest-to-fill
jobs such as finding bugs in software, identifying elusive
infections and reverse engineering computer viruses that are
found on computers, said Alan Paller, founder of the non-profit
SANS Institute in Washington.
SANS has worked with officials in Illinois, Massachusetts,
New Jersey and other states to sponsor hacking contests that
test skills in those and other areas. Educational background
does not necessarily help in these contests.
Those who have “very good” skills in the most-needed areas
can earn $110,000 to $140,000, while the very top get paid as
much as $200,000 in private sector jobs, according to Paller.
While the private sector offers big cash, the government is
still able to retain some talent by appealing to people’s sense
of public service and patriotism.
“I want to serve my country. What I am doing is important,”
one hacker who conducts classified research for the U.S.
military told Reuters at the Def Con hacking conference in July.
He declined to provide his name because he was not authorized to
speak to the press.
There is also an expectation that government workers can
move to more lucrative jobs in the private sector after several
years in public service.
But some senior officers in Western militaries still fear
they may struggle to attract the requisite talent, citing both
cultural and administrative problems.
General Keith Alexander, head of both the NSA and Cyber
Command, told Reuters earlier this year finding the right talent
was a priority. He has attended events such as the Def Con
hacker conference, trading his uniform for a black T-shirt.
Hiring outsiders has long been thought to be a tactic
employed by the United States as well as China and Russia.
Western security officials believe Russia, China and other
emerging cyber powers such as Iran and North Korea have cut
deals with their own criminal hacker community to borrow their
expertise to assist with attacks.
Russia and China, which have been accused by the West of
mounting repeated attacks on government and commercial
interests, deny direct involvement in hacking.
“We are at the very beginning of this process and we are
building it brick by brick,” says Colonel Gregory Conti, head of
the cyber Security Department at the U.S. Military Academy, West
Point. “It’s going to be like the creation of the air force – a
process of several decades getting the right people and
structures.”




