The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: There are even fewer women in U.S. government cybersecurity than there are globally

April 10, 2019 at 7:26 a.m. EDT

THE KEY

Cybersecurity is notorious for being a male-dominated field. But the U.S. government has an even smaller percentage of women working in cybersecurity jobs than the global average of women working in the field. 

About 11 percent of U.S. federal, state and local government cybersecurity pros are women, according to data provided to me by (ISC) 2, a nonprofit organization that provides cybersecurity certifications. About 24 percent of cybersecurity pros globally are women, according to the broader (ISC) 2 report that data is drawn from. Those women also tend to be younger and better educated than their male counterparts, the report found.

But the report's findings actually reveal a bigger problem: It's incredibly difficult to answer the question of how many women work in cybersecurity. 

That's because the definition of what counts as a cybersecurity worker can vary greatly from one organization — and one study — to another. All this makes it even trickier to tackle long-standing issues such as low female representation in the workforce, because no one knows just how big the problem is or whether it’s getting better or worse.

“We don’t have a good read on who is actually in the cybersecurity workforce,” Laura Bate, a policy analyst with the New America think tank's Cybersecurity Initiative, told me. “It makes it hard to know what works, to come up with empirical proof of what policies, either by corporate decision-makers or government policymakers, work in increasing the recruitment and retention of women in cybersecurity.”

The ISC (2) report is a good example of this. The organization had previously counted people as cybersecurity workers only if they had specific titles or filled specific roles at an organization, such as chief information security officer.

When using that metric in previous studies, (ISC) 2 found women held only 11 percent of global cybersecurity jobs. This time, the organization asked survey respondents whether they spent more than one-fourth of their time on cybersecurity, and the percentage of women in global cybersecurity jobs more than doubled.

“By broadening the scope of our research to encompass the men and women doing the work in organizations of all sizes across public and private sectors, and around the globe, we found a significant increase in the number of women in the cybersecurity workforce,” the report's authors write.

That shift probably does give a more accurate representation of the percentage of women working in cybersecurity because the field is difficult to narrow down to just particular job titles, said Kiersten Todt, resident scholar at the University of Pittsburgh Institute for Cyber Law, Policy, and Security.

But it also makes it impossible to tell whether more women are actually entering the cybersecurity field or if the increase is just due to methodology changes, Bate said. And that question hasn’t been effectively answered by other studies, Bate told me, despite a heavy focus by the industry on recruiting more women into the field.

When Bate and a co-author, Elizabeth Weingarten, published a New America study in March focused on recruiting more women into cybersecurity, they were hampered by the lack of solid information about how many women were in the field. 

“Most of the growth seems to correlate to methodological shifts,” Bate said. 

It's even tougher to gather solid information about the federal government’s cybersecurity workforce because agencies don’t use consistent definitions for who counts as a cybersecurity worker — a point that the government’s own auditors regularly rail against.

When (ISC) 2 looked specifically at the federal government in a 2017 report, it found that 15 percent of cybersecurity pros were women — but that was using the old definition that the organization has since disavowed.

When I asked the Office of Personnel Management, the agency responsible for tracking federal employee categories, a representative pointed me toward a (pretty clunky) database that was capable of breaking down the percentage of women in government information technology jobs — but not specifically in cybersecurity. As of September 2018, women held 27 percent of those government IT jobs, according to that database.

One thing is clear despite all the differences in figures: The percentage of men in cybersecurity jobs is far greater than women. And that's a major problem given the national shortage of about 300,000 cybersecurity jobs and the rapidly growing capabilities of cyber criminals, Bate told me. 

“We cannot secure our systems if we don’t have people to fill those jobs — and if we’re only tapping half the population, we’re not meeting that need,” she said. 

But the lack of widely accepted, accurate numbers crowds out more elaborate conversations about what sort of work those women are doing in the field and whether they’re getting the right opportunities to advance, said Todt, who was executive director of an Obama-era commission on long-range cybersecurity issues including the cybersecurity workforce.

“I absolutely believe gender diversity is essential, but you’ve got to be thoughtful and deliberate and do it the right way,” she said. “You’re always going to want more than what exists, but if it’s growing that’s encouraging.”

PINGED, PATCHED, PWNED

PINGED: Republican and Democratic senators expressed alarm Tuesday at a Trump administration housecleaning at the Homeland Security Department that included the resignations of Secretary Kirstjen Nielsen, acting deputy secretary Claire Grady and U.S. Secret Service Director Randolph D. “Tex” Alles.

Sen. Tom Carper (D-Del.) said on Twitter that the forced resignations could undermine the department's cybersecurity mission and were creating “turmoil” that was “unacceptable.” 

Sen. Mitt Romney (R-Utah) called the situation “dangerous” given DHS’s many responsibilities.

PATCHED: The voting machine company Election Systems and Software has shared its entire suite of hardware and software for independent cybersecurity vetting by Idaho National Laboratory, the company said Tuesday.

The news came in a letter from ES&S to four Democratic senators who asked what the company was doing to secure the 2020 election. Lawmakers have criticized ES&S and other major election systems manufacturers for being too opaque about their security practices.

The company has also installed new cybersecurity protections on its corporate networks including adding anti-phishing measures to its email systems, the letter states.

PWNED: Equifax and its Canadian division fell short of their privacy obligations, worsening the toll of a 2017 data breach that compromised the personal information of more than 140 million people, Canada’s privacy commissioner said, according to a Reuters report.

Equifax Canada has entered into a compliance agreement to address the concerns, Reuters reported.

“Given the vast amounts of highly sensitive personal information Equifax holds . . . it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” Privacy Commissioner Daniel Therrien said.

PUBLIC KEY

Cybersecurity news from the public sector:

Hackers attacked California DMV voter registration system marred by bugs, glitches (Los Angeles Times)

New Space ISAC plans to elevate the industry's awareness of cyberthreats - CyberScoop (Cyberscoop)

Web’s ‘Dark Patterns’ Targeted as U.S. Senators Take Aim at Tech (Bloomberg)

CIA Considering Cloud Contract Worth ‘Tens of Billions’ (Nextgov)

PRIVATE KEY

Cybersecurity news from the private sector:

Tracking your pregnancy on an app may be more public than you think (Drew Harwell)

New variants of Mirai botnet detected, targeting more IoT devices (Ars Technica)

FireEye says it is responding to a second Triton intrusion - CyberScoop (Cyberscoop)

CHAT ROOM

Have you heard that paranoid tale about how Google, Facebook and other tech giants are actually eavesdropping on you through your phone all the time to deliver targeted ads? It's almost certainly a myth, as a few experts explained on Twitter on Tuesday. 

First, University of Southern California law professor Orin Kerr took the legal angle in a lengthy thread:

Then CATO Institute Senior Fellow Julian Sanchez took the tech angle in another thread:

The bottom line, Sanchez says: It just doesn't make any economic sense for the companies to do it. (Even if it were legal, which it's not).