In a recent blog on cybersecurity, we discussed the widespread labor shortage in the cybersecurity workforce. We believe that it's not just a labor shortage but a skills shortage, and with the number of threats increasing daily, the way we train and vet cybersecurity analysts must change.
More training and practice in live, virtual environments, more coaching and mentorship and more peer review are all critical to identifying the best cybersecurity analysts. We believe a way to provide that real-world training is through the use of a federal governmentwide cyber range — a virtualized system that simulates a real-world environment and allows the safe use of cyber weapons and techniques.
For example, the Department of Homeland Security offers a Federal Virtual Training Environment (FedVTE) with free training to the federal workforce and veterans on subjects as diverse as Network Layer 1&2 Troubleshooting and Offensive and Defensive Network Operations. However, the training focuses on familiarization with the terms, techniques and requirements and on a generalized understanding of the subject matter, rather than on in-depth technical knowledge transfer.
FedVTE is successful at providing introductory mass online training, but the government needs to take the next logical step in training: developing a federal cyber range used exclusively for training personnel on offensive and defensive tactics, techniques and tools in real-world conditions.
A governmentwide cyber range capability could be used to facilitate massive open online courses coupled with hands-on technical training in cyber disciplines such as Blue/Red Teaming or Cyber Protection. DHS has successfully implemented this type of training program for Industrial Control Systems (ICS) out of the ICS-CERT National Laboratory. The government could focus on common security tool suites such as DHS's Continuous Diagnostics and Mitigation (CDM) and programs focused on security engineering, security architecture, audit, hunt, fusion and risk management.
Developing and establishing a federal cyber range would allow the government to realize significant improvements — not just in the training of both civilian and contractor staff with real-world skills, but also in the retention of those qualified staff members, as they'd be receiving technical training they wouldn't be able to find in the commercial market. Furthermore, the government would gain an enhanced ability to identify problems and react appropriately in a timely manner.
Beyond the dedicated training aspect that a cyber range could provide, the government could use the facility as a proving ground for the testing of new products and technologies. Adverse conditions could be established to check, test and assess product capabilities against baselines established by government-customer agencies.
Customer agencies could also procure space in the range to test new configurations or build out a security stack to demonstrate simulated damage and recovery efforts during an attack. For example, the Marine Corps Cyber Range, which is slated for future use pending curriculum development, will serve as both a cyber training ground for Marines and a proving ground for their accreditation testing efforts.
A federal cyber range capability that provides advanced and thorough training in technical disciplines would be a sound and forward-thinking long-term investment for the government. Not only would a governmentwide cyber range allow personnel from across the federal domain to be trained to a specific standard on the tools that make up the CDM suite, but the government could also teach, demonstrate and test best practices and tactics in offensive and defensive cyber. Real-world skills could quickly be transferred, lessons learned at the federal level could be shared at an agency level, and the quality and skills of personnel would increase without reliance on outside vendor training and certification programs that only operate at the theory or knowledge level as opposed to the practitioner level.
The funding needed to establish a federal range would be more than repaid in the increased number of newly trained or cross-trained cybersecurity specialists the government would gain. This would help not only the government but all the entities it serves.
Marvin Marin is a technical program manager at NetCentrics and was recognized as a 2016 Finalist for the EC-Council Foundation's Chief Information Security Officer of the year. Marvin currently supports the U.S. Coast Guard Cyber Command as a Computer Network Defense Manager.