Cyber-security arms race is a gold rush for hackers

The next arms race is on and the governments involved are speeding to amass the expensive weaponry of 21st century battle -- hackers.

The next arms race is on and the governments involved are speeding to amass the expensive weaponry of 21st century battle -- hackers.

No one, it seems, has enough and acquiring the cyber-security talent capable to conduct offensive and defensive operations is sending salaries for hackers through the roof, according to recent reports.

The most frequently quoted accounts of the shortfall come from Jim Gosler, a veteran cyber-security specialist and former official of the CIA, the National Security Agency and the Department of Energy. In 2008 Gosler estimated that the United States needed between 20,000 and 30,000 technicians with the requisite skills to defend cyberspace. At the time, he said there were about 1,000. Most security experts say the number still holds at about 1,000, a 97 percent shortfall.

John Bassett, associate fellow at the Royal United Services Institute in London and a former senior official at Britain's Government Communications Headquarters (GCHQ), told Reuters yesterday "There is absolutely not enough of them, you need an order of magnitude... more than we have at the moment."

The same 1,000 hackers are just recruited and poached from one agency or contractor to another, Allan Paller, Research Director of the SysAdmin, Audit, Network, Security (SANS) Institute, told NPR for a story on the topic last year.

"You go looking for those people, but everybody else is looking for the same thousand people," says SANS Research Director Alan Paller. "So they're just being pushed around from NSA to CIA to DHS to Boeing. It's a mess."

The shortage of skills has made the U.S.'s critical infrastructure vulnerable to cyber attack, Kevin Gronberg, Senior Counsel, Committee on Homeland Security, U.S. House of Representatives, said Tuesday during a penal discussion on cyber security at critical infrastructure facilities in the U.S. and 13 other countries.

For hackers, it's a sellers market that is unlikely to dissipate.

NextGov compiled some stats on security salaries across government agencies:

  • certified information systems auditors -- $100,855
  • certified security administrators -- $99,512
  • operators and testers, who monitor log files, manage system configurations and hack networks to identify weaknesses -- $76,000
  • Operators and testers with more technical skills, such as computer forensics -- $88,000
  • private sector operators and tester -- $175,000
  • information assurance personnel with master's degree GS-15 level -- up to $130,000
  • Chief Information Security Officers (CISOs) -- up to $180,000, plus premiums up to $220,000
  • Pentagon personnel reported the highest average annual salary -- $103,330

Those salaries are only likely to increase as the governments and contractors struggle to recruit and retain the necessary talent. Basset told Reuters the personalities of hackers makes retention more difficult than other engineering skills.

"Given the nature of hackers, it's going to be like herding cats," said Bassett. "You might be able to give them some money or tools which they would find interesting and keep them pointing in a certain direction for a certain period of time. But whether that would then give them any residual loyalty is a very open question."

The scarcity of security skills is a national security crisis, but for the engineers who have the skills to do perform a patriotic duty -- and for those with the aptitude and willing to change career course -- the current arms race is a gold rush.

Related Content: