Cyber warrior shortage hits anti-hacker fightback


* Governments, companies struggle with recruitment

* Cyber attacks could cost up to $400 billion globally

* Salaries rise as cyber security demand outpaces supply

By Peter Apps and Brenda Goh

LONDON, Oct 13 (Reuters) - For the governments andcorporations facing increasing computer attacks, the biggestchallenge is finding the right cyber warriors to fight back.

Hostile computer activity from spies, saboteurs, competitorsand criminals has spawned a growing industry of corporatedefenders who can attract the best talent from government cyberunits.

The U.S. military's Cyber Command is due to quadruple insize by 2015 with 4,000 new personnel while Britain announced anew Joint Cyber Reserve last month. From Brazil to Indonesia,similar forces have been set up.

But demand for specialists has far outpaced the number ofthose qualified to do the job, leading to a staffing crunch astalent is poached by competitors offering big salaries.

"As with anything, it really comes down to human capital andthere simply isn't enough of it," says Chris Finan, White Housedirector for cyber security from 2011-12, who is now a seniorfellow at the Truman National Security Project and working for astart-up in Silicon Valley.

"They will choose where they work based on salary, lifestyleand the lack of an interfering bureaucracy and that makes itparticularly hard to get them into government."

Cyber attacks can be expensive: one unidentifiedLondon-listed company incurred losses of 800 million pounds($1.29 billion) in a cyber attack several years ago, accordingto the British security services.

Global losses are in the range of $80 billion to $400billion a year, according to research by the Washington-basedCenter for Strategic and International Studies that wassponsored by Intel Corp's McAfee anti-virus division.

There is a whole range of attacks. Some involve simplytransferring money, but more often clients' credit card detailsare stolen. There is also intellectual property theft or theftof commercially sensitive information for business advantage.

Victims can also suffer a "hacktivist" attack, such as adirected denial of service to bring a website down, which cancost a lot of money to fix.

Quantifying the exact damage is almost impossible,especially when secrets and money are not the only targets.

While no government has taken responsibility for the Stuxnetcomputer virus that destroyed centrifuges at Iran's Natanzuranium enrichment facility, it was widely reported to have beena U.S.-Israeli project.

Britain says it blocked 400,000 advanced cyber threats tothe government's secure intranet last year while a virusunleashed against Saudi Arabia's energy group Aramco, likely tobe the world's most valuable company, destroyed data onthousands of computers and put an image of a burning Americanflag onto screens.


Most cyber expertise remains in the private sector wherecompanies are seeing an steep increase in spending on securityproducts and services.

Depending on the cyber threat, a variety of firms arebidding for cyber talent. Google is currentlyadvertising 129 IT security jobs, while defence companies suchas Lockheed Martin Corp and BAE Systems arelooking to hire in this area.

Anti-virus maker Symantec Corp is also doing goodbusiness. "The threat environment is exploding," Chief ExecutiveSteve Bennett told Reuters in an interview in July.

The perception of an increased threat, has also led toexplosive demand for the best talent.

The U.S. Bureau of Labour Statistics says the number ofInformation Technology security roles in the U.S. will increaseby some 22 percent in the decade to 2020, creating 65,700 newjobs. Experts say it is a similar situation globally, withsalaries often rising 5-7 percent a year.

"Recruitment and retention in cyber is a challenge foreverybody working in this area," says Mike Bradshaw, head ofsecurity and smart systems at Finmeccanica IT unitSelex. "It's an area where demand exceeds supply ... it's goingto take a while for supply to catch up."

A growing number of security firms - such as UK-basedProtection Group International (PGI) - now also offer cyberservices. PGI started out providing armed guards to protectmerchant ships against pirates but has now hired former stafffrom Britain's GCHQ eavesdropping agency.


A graduate with a good computer studies degree can walk intoa $100,000 salary with a similar amount upfront as a goldenhandshake, several times what the U.S. National Security Agencywould be likely to offer.

Western universities turn out far too few graduates with thenecessary computer skills while some students complain that manyof the courses on offer are too theoretical for the challengesof cyber warfare.

But applicants need not have a computer science degree toget lucrative jobs as long as they can do the hardest-to-filljobs such as finding bugs in software, identifying elusiveinfections and reverse engineering computer viruses that arefound on computers, said Alan Paller, founder of the non-profitSANS Institute in Washington.

SANS has worked with officials in Illinois, Massachusetts,New Jersey and other states to sponsor hacking contests thattest skills in those and other areas. Educational backgrounddoes not necessarily help in these contests.

Those who have "very good" skills in the most-needed areascan earn $110,000 to $140,000, while the very top get paid asmuch as $200,000 in private sector jobs, according to Paller.

While the private sector offers big cash, the government isstill able to retain some talent by appealing to people's senseof public service and patriotism.

"I want to serve my country. What I am doing is important,"one hacker who conducts classified research for the U.S.military told Reuters at the Def Con hacking conference in July.He declined to provide his name because he was not authorized tospeak to the press.

There is also an expectation that government workers canmove to more lucrative jobs in the private sector after severalyears in public service.

But some senior officers in Western militaries still fearthey may struggle to attract the requisite talent, citing bothcultural and administrative problems.

General Keith Alexander, head of both the NSA and CyberCommand, told Reuters earlier this year finding the right talentwas a priority. He has attended events such as the Def Conhacker conference, trading his uniform for a black T-shirt.

Hiring outsiders has long been thought to be a tacticemployed by the United States as well as China and Russia.

Western security officials believe Russia, China and otheremerging cyber powers such as Iran and North Korea have cutdeals with their own criminal hacker community to borrow theirexpertise to assist with attacks.

Russia and China, which have been accused by the West ofmounting repeated attacks on government and commercialinterests, deny direct involvement in hacking.

"We are at the very beginning of this process and we arebuilding it brick by brick," says Colonel Gregory Conti, head ofthe cyber Security Department at the U.S. Military Academy, WestPoint. "It's going to be like the creation of the air force - aprocess of several decades getting the right people andstructures."

View Comments (6)