November 11, 2012:
Despite the growing threat of attacks, and thefts via the Internet, corporate and government Internet security managers are reluctant to confront the reality of how difficult it is to hire the most competent Internet security experts. The problem is that many of the most capable Internet security people are self-taught or the product of informal training programs. These experts rarely have college degrees and sometimes have a police record (for hacking, drugs, or other offenses). The lack of a college degree often keeps many good people out of corporate jobs while any hint of past legal problems will prevent you from getting a security clearance (essential for many government Internet security jobs).
These self-taught slightly dirty Internet security aces do not go without work. Some firms, mainly smaller ones, do hire the “irregulars” and then send them out to work as consultants for corporations and, for those who can get a security clearance, government and military organizations. The much higher cost of consultants, and the requirement of a security clearance for military and many government jobs, means that a lot of the best people simply cannot work on government projects. That’s one reason commercial organizations have much better security. A related reason is that commercial firms can pay for much more competent managers, who are quicker to spot Internet security problems and implement effective solutions.
Meanwhile, the U.S. government has quietly gone ahead and done what governments usually do in these situations: form several special security organizations for policing the internet. Because there is such a (trained, not to mention talented) manpower shortage right now (and in the foreseeable future), this was done on the cheap. This has not helped.
But there is hope, in the form a solution that was suggested even before September 11, 2001, to organize and reward the pro bono cybersecurity efforts that have been going on for some time. A lot of talented white hats (good hackers) just get pissed off and go after bad guys on their own nickel. An example is HoneyNet. This is a pro bono network of honeypots set up to attract, analyze, and document black hat (evil hackers) activities and techniques. One suggestion that did not fly was setting up a "Cyber Corps" as a separate corporation, with a few really good people to run it, and enough budget to pay market rate for the right people and still have a close working relationship with government agencies and commercial firms that spend a lot on net security (banks and brokerages for example).
Instead, a "Cyber Corps" program gives tuition assistance to college students studying computer security, in order to increase the number of qualified experts in this area. Meanwhile, the Department of Homeland Security established working relationships with existing computer security groups, while the Department of Defense encouraged the services to set up computer security operations. The air force established the Cyber Command, a major operation that, it is hoped, will give the air force the lead (and most of the budget) for defense related Internet security operations.
The U.S. Army sought to make something of the original Cyber Corps concept, by recruiting existing army reservists with computer security experience and organizing them into the Reserve Information Operations Command. These reservists have civilian jobs in computer and Internet security, and most make more than the government could afford to pay them. But in the event of an Internet "battle", the Reserve Information Operations Command would quickly provide the army with a collection of expert operators to analyze, and deal with, the threat. The army is still recruiting for this duty and will probably continue to, in order to expand this force as much as possible.
The U.S. government continues to set up more programs to harness and coordinate the efforts of white hat hacker volunteers who are willing to help out if the country finds itself in a Cyber War and is in need of all the help it can get. Other countries, especially China, have done the same.