There are over half a million cybersecurity job openings across the United States, including more than 30,000 cybersecurity positions left unfilled in the public sector. The problem is far from new, and while much concern about the gap has been expressed by members of Congress, the shortfall remains. What will it take to not only fill the need, but to meet the challenge in a way that is fair and inclusive?
Looking at this challenge from a number of perspectives – starting in the schools and pulling insights from across the globe – how can legislators address the cyber needs of government, industry, and democracy; and, where are solutions emerging across the Federal government?
An Education Problem
When schools transitioned to online learning during the coronavirus pandemic, more than half of educators said their students are not learning about cybersecurity, a nationwide survey revealed. It was not because of a lack of interest on the students’ part.
Seventy-five percent of the more than 900 K-12 educators said their students had a “medium or high” level of interest in learning about cybersecurity career paths, but more than two-thirds (67 percent) said their students have a low level of awareness of steps needed to obtain a cybersecurity job. In other words, students are being forced to connect the dots on their own without instruction.
“It really has to be a partnership across industry, government, and the school system because schools often can’t do it on their own,” said Pamela McComas, program manager and solutions architect at General Dynamics Information Technology (GDIT).
Over the past four years, the Department of Homeland Security (DHS) has partnered with the nonprofit National Integrated Cyber Education Research Center (NICERC) – now CYBER.ORG – to provide free K-12 cybersecurity curricula and hands-on professional development for teachers. According to the DHS website, the partnership has helped get cybersecurity curricula into the hands of over 15,000 teachers impacting 820,000 students in 42 states.
The decision to implement the curriculum is held at the state level, with DHS and NICERC offering support. To date, CYBER.ORG’s program aligns with state standards in only half of states. There is no Federal requirement for cyber education like the Common Core Standards Initiative provides for math and English language arts.
McComas also mentioned the nonprofit Girls Who Code as an example of an organization that has been successful in bringing cyber and IT security to the younger generation. Other nonprofits like the Baltimore-based Digital Harbor Foundation and the Cyber Peace Corps are also working to educate and elevate the cyber abilities of the next generation with a focus on equity.
And while nonprofits and schools work to provide cyber education for a better tomorrow, the cyber workforce needs are ever-pressing as attacks continue today.
“This is something that we have to attend to,” said Sen. Angus King Jr., I-Maine, of the cybersecurity threat, in a speech on the Senate floor last month. “This is not something that may happen. This is something that is happening now.”
Cybersecurity Commission’s Recommendations
Fortunately, there is no shortage of individuals who have been tasked with addressing the cyber workforce gaps. Three congressionally-mandated commissions have all made recommendations on how to address the issue.
The Cyberspace Solarium Commission – tasked with devising a strategy for defending the nation in cyberspace and on which Sen. King serves as a co-chair – released its report in March, days before the pandemic prompted mass telework across the Federal government. The report includes three pages of recommendations for Congress on the strategic objective to “recruit, develop, and retain” a stronger Federal cyber workforce. The commission urges Congress to expand funding for the CyberCorps: Scholarship for Service, a National Science Foundation (NSF) program started in 2001 that has enjoyed bipartisan support in Congress.
The National Commission on Military, National, and Public Service also released its report in March and recommended the creation of a civilian cybersecurity reserve to provide support for the cybersecurity needs of Federal agencies.
With the Solarium and Service commissions scheduled to complete their work this year, a third commission – the National Security Commission on Artificial Intelligence –is scheduled to submit its final report to Congress in March 2021. That commission’s chair and vice chair, a former Google CEO and Deputy Secretary of Defense, respectively, pitched their ideas for a U.S. Digital Service Academy and a National Reserve Digital Corps last month.
All three commissions were created by acts of Congress, but the primary question remains – will Congress act on the recommendations to close the cyber workforce gap?
Last year, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee held a hearing on “Growing and Diversifying the Cyber Talent Pipeline.”
Rep. Cedric Richmond, D-La., who chairs the subcommittee, cited research showing that nine percent of the U.S. cybersecurity workforce is African American, and four percent of cybersecurity workforce is Hispanic. He said that only 11 percent of the cybersecurity workforce are women.
“We have to start younger, show that there is a place for women in cyber, and change the perception,” said GDIT’s McComas, who started in the field about a decade ago as one of only a few women brought on to work on a large cyber contract.
“We still are not tapping into diverse talent streams,” said Rep. Richmond, at last year’s hearing. “If we are serious about fixing this problem, we need to put our money where our mouth is.”
Both Rep. Richmond and Rep. John Katko, R-N.Y., the subcommittee’s ranking member, expressed support at the hearing for the NSF’s CyberCorps Scholarship for Service program.
“There is no silver bullet to solve the problem,” said Rep. Katko, of cyber workforce issues. But this has not stopped legislators from putting forth ideas.
Rep. Sheila Jackson Lee, D-Texas, introduced the Cyber Security Education and Federal Workforce Enhancement Act in the last session of Congress to create an office of Cybersecurity Education within the DHS to oversee the cyber workforce and education effort in K–12 and post-secondary settings, as well as career development. The bill, H.R. 1981, has not been reintroduced this session of Congress.
The Cyber Ready Workforce Act, introduced by Sen. Jacky Rosen, D-Nev., to create a Department of Labor-sponsored grant program to increase cybersecurity apprenticeship programs has not gotten out of committee. Matching legislation introduced in the House also remains stuck in neutral.
Federal Reskilling Efforts
With the legislative branch deliberating on cyber workforce bills, other parts of the government have continued to act to address the issue.
The Cyber Threat Intelligence Integration Center (CTIIC) in the Office of the Director of National Intelligence (ODNI) offers a rotational, joint duty program for Federal employees.
“There are so many foundational and advanced skillsets that people can build upon when they are entering cyber from a different career path,” GDIT’s McComas said. “We often see that people who have data or trend analysis skills easily translate to cyber.”
CTIIC’s partnership program allows for cybersecurity knowledge to be spread across various agencies, and gives CTIIC a clearer view into agency leadership, the center’s director Erin Joe said.
Another initiative to reskill the Federal workforce is the Federal Cyber Reskilling Academy backed by the Office of Management and Budget (OMB), which trains Federal employees from outside of IT fields to become cyber defense analysts.
“By continuing to invest and support reskilling programs, coupled with hands-on opportunities to apply those skills, the Federal government is positioning itself to strengthen our cybersecurity workforce capabilities,” then-Federal CIO Suzette Kent said. “We cannot overcome the shortage in the Federal cybersecurity workforce overnight.”
DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has worked to solve the issue in part through its National Initiative for Cybersecurity Careers and Studies.
CISA recently released its Cyber Career Pathways Tool to help individuals navigate career options in the field. The interactive tool shows a total of 52 positions across five “skill communities” of IT, cybersecurity, cyber effects, intel (cyber), and intelligence. For each position, the knowledge, skills, and abilities required are listed.
“Growing and strengthening the pipeline of cyber talent is a top priority for CISA,” the agency’s Assistant Director for Cybersecurity Bryan Ware said.
The tool was created by the Interagency Federal Cyber Career Pathways Working Group, led by CISA, the Department of Defense, and the Department of Veterans Affairs. CISA advertises the tool for use by both teenagers and adults.
“We need to attract new talent,” Ware said. “It is more important than ever in this digital age for government and industry to invest in supporting the development of our cyber workforce.”