Amazon’s Cybersecurity Investigators Step Into the Spotlight
Amazon’s Chief Security Officer, Steve Schmidt, recently highlighted pressing issues in cybersecurity during an exclusive interview, addressing the current workforce crisis, regulatory challenges, and threats facing elections in the upcoming months.
Short Summary:
- Steve Schmidt emphasizes the significant gap in the cybersecurity workforce, estimating over half a million positions are unfilled.
- The need for harmonized cybersecurity regulations is critical to reduce compliance costs and enhance operational efficiency.
- Amazon is committed to bolstering educational pathways in cybersecurity, with initiatives like free training and partnerships with CISA.
In a recent conversation with Nextgov/FCW, Steve Schmidt, the Chief Security Officer of Amazon, delved into various aspects of national cybersecurity policy following a significant session at AWS’s flagship summit in Washington, D.C. The dialog covered a spectrum of topics, particularly the acute shortage in the cybersecurity workforce, the ramifications of inconsistent cyber regulations, and the state of election security in November 2024.
“The most important thing to look at is the supply of people with expertise as a pipeline,” Schmidt remarked, referring to the ongoing workforce crisis in cybersecurity. He outlined the need to nurture interest in this field early on.
During his interview, Schmidt spoke candidly about the pressing issue of the cybersecurity labor gap, with industry reports indicating that more than half a million positions remain vacant across the United States. Schmidt suggested that to ameliorate this situation, educational initiatives must begin in middle and high schools to inspire students to pursue careers in cybersecurity.
He argued that the skill sets required for a successful career in this industry often center on reasoning and problem-solving rather than purely technical knowledge. Schmidt reflected:
“A lot of those skills people think about as particular technical things. They’re actually more around logic, reasoning and understanding cause and effect analysis.”
Moreover, Schmidt noted that not every cybersecurity expert needs to possess a traditional four-year degree. He argued that practical experience in reputable companies should also be valued in the hiring process. Schmidt believes that requiring a degree can inadvertently limit the pool of talent, as many capable candidates may not fit this conventional mold. He explained:
“If somebody’s got a lot of experience in this space in a reputable company already, a four-year degree or the absence thereof shouldn’t hold them back.”
As the cybersecurity landscape becomes more intricate, Schmidt emphasized that the inconsistency in regulatory frameworks poses significant challenges for companies like Amazon. Speaking on the federal government’s efforts toward cybersecurity regulatory harmonization, he expressed concern about the additional costs and confusion stemming from competing requirements from different agencies like FedRAMP and CISA.
“Inconsistent regulation means that we’re not really sure what to do in each jurisdiction at what point in time,” Schmidt said, highlighting the struggles tech companies face under such fragmented regulations.
He further commented on the SEC’s new cyber reporting rule, which requires publicly traded companies to disclose cybersecurity incidents within four business days. Schmidt questioned whether this timeframe is sufficient:
“What are you going to get in four days? Forensics takes time,” he explained, questioning the effectiveness of such an arbitrary reporting window.
As for education, Amazon has made strides to address the cybersecurity workforce issue by launching various training programs and collaborating directly with the Cybersecurity and Infrastructure Security Agency (CISA). Schmidt reiterated Amazon’s commitment to enhancing the U.S. cybersecurity workforce during discussions with CISA Director Jen Easterly.
“We’re investing more than $1.2 billion in education and skills training for over 300,000 employees,” Schmidt declared, highlighting Amazon’s broad educational initiatives designed to build a more skilled cybersecurity workforce.
In conjunction with these efforts, Amazon offers a suite of free online courses, including a significant number focused on cybersecurity skills, reflecting an ongoing commitment to bolster the sector’s workforce. Schmidt pointed out:
“We provide tactical and strategic lessons on how to keep systems and tools protected, and ways to accelerate the pace of innovation while staying secure.”
Another focus of the conversation was the intersection of artificial intelligence (AI) and cybersecurity. Schmidt said that AI could serve both offensive and defensive roles in cyber operations, depending on its application. He noted:
“The way that adversaries are using AI tools tends to be to make less sophisticated adversaries more effective.”
When discussing the current threat landscape, Schmidt acknowledged the significance of collaboration among organizations to combat sophisticated nation-state threats effectively, mentioning “Volt Typhoon” as one notable example of advanced persistent threats that require a collective approach to cybersecurity.
He emphasized how the vulnerabilities exploited by cybercriminals are often due to a lack of resources to strengthen defenses, particularly in the education sector, where institutions face budget constraints that hinder investment in cybersecurity personnel.
“School systems have the same problems that everybody else does: They don’t have enough cybersecurity talent,” Schmidt noted, asserting the importance of equitable funding to safeguard educational institutions.
As the U.S. heads into a critical election season, election security remains paramount. Schmidt raised concerns regarding the threat of disinformation campaigns and the overall resilience of election infrastructure amidst evolving cyber threats. He indicated that vigilance and preparedness are key to ensuring secure elections, despite ongoing concerns that foreign interference could disrupt democratic processes.
“We hear frequently that election infrastructure will be secure this year, but that disinformation could have a significant impact,” Schmidt remarked, underscoring the complexities of safeguarding the electoral process.
In the wake of these pressing challenges, Schmidt’s insights bring clarity to the need for cohesive strategies in cybersecurity—highlighting the intersections of workforce development, regulatory harmonization, and the evolving threat landscape as critical areas for attention and policy advancement.
As Amazon positions itself at the forefront of these debates, it continues to enhance its commitment not only to its cybersecurity infrastructure but also to the broader community’s security across sectors. The industry’s focus on nurturing a capable workforce, bridging regulatory divides, and achieving operational resilience is pivotal in confronting likely future threats.
Schmidt concluded the interview by reiterating the necessity for ongoing engagement between public and private sectors to develop robust cybersecurity strategies that can adapt to the rapidly changing landscape. “Stepping into the spotlight means not just reacting, but proactively shaping the cybersecurity future.”