For the governments and corporations facing increasing computer attacks, the biggest challenge is finding the right cyber warriors to fight back.
Hostile computer activity from spies, saboteurs, competitors and criminals has spawned a growing industry of corporate defenders who can attract the best talent from government cyber units.
The U.S. military’s Cyber Command is due to quadruple in size by 2015 with 4,000 new personnel while Britain announced a new Joint Cyber Reserve last month. From Brazil to Indonesia, similar forces have been set up.
But demand for specialists has far outpaced the number of those qualified to do the job, leading to a staffing crunch as talent is poached by competitors offering big salaries.
“As with anything, it really comes down to human capital and there simply isn’t enough of it,” says Chris Finan, White House director for cyber security from 2011-12, who is now a senior fellow at the Truman National Security Project and working for a start-up in Silicon Valley.
“They will choose where they work based on salary, lifestyle and the lack of an interfering bureaucracy and that makes it particularly hard to get them into government.”
Cyber attacks can be expensive: one unidentified London-listed company incurred losses of 800 million pounds ($1.29 billion) in a cyber attack several years ago, according to the British security services.
Global losses are in the range of $80 billion to $400 billion a year, according to research by the Washington-based Center for Strategic and International Studies that was sponsored by Intel Corp’s McAfee anti-virus division.
There is a whole range of attacks. Some involve simply transferring money, but more often clients’ credit card details are stolen. There is also intellectual property theft or theft of commercially sensitive information for business advantage.
Victims can also suffer a “hacktivist” attack, such as a directed denial of service to bring a website down, which can cost a lot of money to fix.
Quantifying the exact damage is almost impossible, especially when secrets and money are not the only targets.
While no government has taken responsibility for the Stuxnet computer virus that destroyed centrifuges at Iran’s Natanz uranium enrichment facility, it was widely reported to have been a U.S.-Israeli project.
Britain says it blocked 400,000 advanced cyber threats to the government’s secure intranet last year while a virus unleashed against Saudi Arabia’s energy group Aramco, likely to be the world’s most valuable company, destroyed data on thousands of computers and put an image of a burning American flag onto screens.
Most cyber expertise remains in the private sector where companies are seeing an steep increase in spending on security products and services.
Depending on the cyber threat, a variety of firms are bidding for cyber talent. Google is currently advertising 129 IT security jobs, while defense companies such as Lockheed Martin Corp and BAE Systems are looking to hire in this area.
Anti-virus maker Symantec Corp is also doing good business. “The threat environment is exploding,” Chief Executive Steve Bennett told Reuters in an interview in July.
The perception of an increased threat, has also led to explosive demand for the best talent.
The U.S. Bureau of Labour Statistics says the number of Information Technology security roles in the U.S. will increase by some 22 percent in the decade to 2020, creating 65,700 new jobs. Experts say it is a similar situation globally, with salaries often rising 5-7 percent a year.
“Recruitment and retention in cyber is a challenge for everybody working in this area,” says Mike Bradshaw, head of security and smart systems at Finmeccanica IT unit Selex. “It’s an area where demand exceeds supply … it’s going to take a while for supply to catch up.”
A growing number of security firms – such as UK-based Protection Group International (PGI) – now also offer cyber services. PGI started out providing armed guards to protect merchant ships against pirates but has now hired former staff from Britain’s GCHQ eavesdropping agency.
Country or cash?
A graduate with a good computer studies degree can walk into a $100,000 salary with a similar amount upfront as a golden handshake, several times what the U.S. National Security Agency would be likely to offer.
Western universities turn out far too few graduates with the necessary computer skills while some students complain that many of the courses on offer are too theoretical for the challenges of cyber warfare.
But applicants need not have a computer science degree to get lucrative jobs as long as they can do the hardest-to-fill jobs such as finding bugs in software, identifying elusive infections and reverse engineering computer viruses that are found on computers, said Alan Paller, founder of the non-profit SANS Institute in Washington.
SANS has worked with officials in Illinois, Massachusetts, New Jersey and other states to sponsor hacking contests that test skills in those and other areas. Educational background does not necessarily help in these contests.
Those who have “very good” skills in the most-needed areas can earn $110,000 to $140,000, while the very top get paid as much as $200,000 in private sector jobs, according to Paller.
While the private sector offers big cash, the government is still able to retain some talent by appealing to people’s sense of public service and patriotism.
“I want to serve my country. What I am doing is important,” one hacker who conducts classified research for the U.S. military told Reuters at the Def Con hacking conference in July. He declined to provide his name because he was not authorized to speak to the press.
There is also an expectation that government workers can move to more lucrative jobs in the private sector after several years in public service.
But some senior officers in Western militaries still fear they may struggle to attract the requisite talent, citing both cultural and administrative problems.
General Keith Alexander, head of both the NSA and Cyber Command, told Reuters earlier this year finding the right talent was a priority. He has attended events such as the Def Con hacker conference, trading his uniform for a black T-shirt.
Hiring outsiders has long been thought to be a tactic employed by the United States as well as China and Russia.
Western security officials believe Russia, China and other emerging cyber powers such as Iran and North Korea have cut deals with their own criminal hacker community to borrow their expertise to assist with attacks.
Russia and China, which have been accused by the West of mounting repeated attacks on government and commercial interests, deny direct involvement in hacking.
“We are at the very beginning of this process and we are building it brick by brick,” says Colonel Gregory Conti, head of the cyber Security Department at the U.S. Military Academy, West Point. “It’s going to be like the creation of the air force – a process of several decades getting the right people and structures.” ($1 = 0.6209 British pounds)