Welcome to Codebook, the only newsletter with a wrestling finishing move (the StuxNeckbreaker).
Feel free to reply to this email with tips, comments or Survivor Series challenges.
The cybersecurity skills shortage is dire — one commonly cited estimate predicts 3.5 million unfilled jobs worldwide by 2021. Kevin Simzer, chief operating officer of cybersecurity firm Trend Micro, believes the most economical solution might be to train way more employees than his company needs — knowing that most will go to competitors.
The lack of available talent leaves security companies recruiting employees from rivals and offering them huge raises. "That's not sustainable," Simzer said.
The big picture: The skills shortage is not hypothetical. Cybersecurity is a field of growing demand, yet it hit 0% unemployment in 2016. And while most of the new jobs will not be the highest-skilled positions — the type that cybersecurity specialists, like Trend Micro, will be concerned about filling — the demand for lower-skilled posts will inflate salaries and deplete talent pools.
Solution — train everybody: To fill its roster, Trend Micro offers a fully paid three-month bootcamp to 200 20-somethings with no cybersecurity experience. By design, only one in five will win a role in the company. The rest leave with a certificate that has proven to be a boon to employment elsewhere.
According to Simzer, it's cheaper, over time, for Trend Micro to train all those extra people and then cherry-pick its hires than to poach talent or compete for recent grads.
Who to target: A lot of people with no cybersecurity background join the program. Simzer says that the company targets people who've had some other great success in life, academic or otherwise — they're likely to be self-motivated: "We had an Olympic swimmer who was really successful. He won a bronze."
Exportable solution: Simzer argues the train-everyone approach could remedy cybersecurity shortages even outside specialist firms. "We don't have a patent on it. And it could definitely work for Acme Corp," he says.
Ray Ozzie created Lotus Notes. He is a well-known technologist, former Microsoft CTO, and an all-around accomplished person. He has also just proposed a solution to the encryption debate that doesn’t address any of the issues currently being debated.
The encryption debate in brief:
Ozzie’s solution: As detailed in Wired, Ozzie proposes a system he calls Clear, in which tech companies hold individualized keys to unlock devices.
The problems Ozzie doesn't address:
Go deeper: Cryptographer Matthew Green discusses his issues with Ozzie's plan.
Go deeperer: Errata Security's Rob Graham goes over even more problems with it.
The FISA court denied more requests for top-secret surveillance warrants during President Trump's first year in office than in the rest of its history combined, according to ZDNet.
Why it matters: The court handles national security cases so secretive that they cannot be addressed in traditional court. It existed a hair shy of four decades before Trump took office, in which time it rejected only 21 applications. During Trump's first year, it rejected 26.
What it means: The secrecy of the court makes the numbers as hard to parse as they are startling. But the easiest explanation — and certainly the most attractive for Trump's critics — is that Trump appointees have taken more chances with applications.
Tomi Tuominen and Timo Hirvonen, researchers at cybersecurity firm F-Secure, have discovered a security flaw in the most popular line of digital hotel locks. The manufacturer was notified and has patched the problem — although with 40,000 hotels using the locks, not all of them may have updated yet.
The details: "It started at a hacker conference in Berlin in 2003," said Tuominen. "We came back to our room and found that our friend's laptop had been stolen. But the locks didn't show any signs of being broken into. The hotel didn't take us seriously because, I think, they thought we were hippies in black t-shirts."
How it works: They began by taking any key from a target hotel, even an expired one. That key gives them location-specific information to be used in the attack.
Go deeper in our full story.
Christopher Krebs cleared his Senate Homeland Security Committee hearing Wednesday to head the National Protection and Programs Directorate, the cybersecurity and critical infrastructure wing of the Department of Homeland Security.
Why it matters: To the Senate, it was largely a chance to emphasize the importance of election security issues. Sen. Claire McCaskill (D-Missouri) said that keeping a full-time staff of only a dozen assigned to the election was "woefully inadequate." Krebs said he'd make elections a "top priority."
Why he'll be confirmed for the role: Krebs is a well-respected official who was already the acting head of NPPD. Forty-eight former national security officials — including former DHS Secretary Michael Chertoff — sent a letter to committee leadership backing the nomination earlier this week.
The best title in the business: Until he is confirmed, Krebs has the most delightfully incomprehensible title in the government: He is (ahem) the Senior Official Performing the Duties of the Undersecretary for the National Protection and Programs Directorate.
Codebook will be back on Tuesday. Please water our plants while we're gone.