In a remarkable confluence of events, the White House released their much-awaited cybersecurity executive order less than a day before the outbreak of a massive global ransomware attack. Amidst the quickly moving news, even experts may be forgiven for missing Section 3 (d) of the executive order — the final paragraphs before the document gives way to definitions and formalities. This section calls for an interagency report due to the White House within 120 days with findings and recommendations for developing the cybersecurity workforce. The topic may seem like an unsexy afterthought, but is poised to become one of cybersecurity’s most critical challenges.
Current data shows a talent shortfall of 40,000 unfilled cybersecurity jobs per year in the United States, with a growing international talent gap to match. When taken in the context of national security, this skills gap has some very unsettling real-world consequences. As high private-sector salaries and enticing intelligence community job descriptions draw in the limited population of trained workers, other employers are pushed out of the hiring market. This is especially true for small businesses and state governments, many of whom control very valuable and sensitive data sets and systems (for example, drivers’ license and voter registration databases).
Meanwhile, employers in specialty areas like industrial control systems security — the experts responsible for protecting power grids and water systems — will either pay exorbitant premiums for limited talent or be forced to operate shorthanded as they protect potentially threatened critical systems. And these are just some of the many pain points that are on track to become much worse as the labor gap grows.
A Broken Workforce Pipeline
Given this rather grim picture of cybersecurity’s labor shortfall, what bottlenecks and leaks in the workforce pipeline are likely to emerge in the executive order-mandated interagency report on the state of the cybersecurity workforce? One answer is obvious: the higher education system as it stands currently cannot produce the number of trained workers the industry needs. U.S. universities confer an estimated 60,000 degrees per year in computer and information science, and many of those graduates will have taken few, if any, courses in cybersecurity. Even among those who are educated in the subject, recent graduates may have an excellent understanding of the overarching theoretical issues involved, but — with a few notable exceptions — university courses are unlikely to teach the practical, applied skills and tools needed to hit the ground running in a cybersecurity job.
“While our colleges and universities are standing up programs as fast as they can, it’s clearly not fast enough,” wrote Mary Alice McCarthy in an email on the emergence of cybersecurity programs in higher education. McCarthy, the director of New America’s Center on Education and Skills, continued:
“Some of that has to do with the culture and organization of higher education, and some of it has to do with legal requirements of the Higher Education Act on how certificate and degree programs are accredited.”
Simply put, for scalable solutions to the cybersecurity workforce shortage, the U.S. government will need to look beyond just higher education.
More Than One Way to Build a Workforce
Because universities alone cannot bridge the workforce gap, there are a number of other solutions that the interagency report could recommend. Expect to see recommendations on cybersecurity bootcamps: accelerated, typically for-profit training programs that focus on the concrete skills and tools needed for cybersecurity jobs. These programs are an evolution of the model of the immersive coding bootcamps of prior years. With carefully considered interventions from government and industry groups to help avoid the pitfalls and challenges the coding bootcamps are working to overcome, these cybersecurity training programs could become an important part of the cybersecurity workforce ecosystem.
Community colleges are also rising to the challenge, and a growing list of two-year programs are now designated by the Department of Homeland Security and the National Security Agency as Centers of Academic Excellence in teaching cybersecurity and information assurance. Options for teaching cybersecurity are beginning to emerge below the postsecondary level as well, as K-12 educational programs take root. By way of example, the Air Force Association’s CyberPatriot program organizes cybersecurity competitions and camps for students, while providing ready-made curriculum modules to teachers.
Unsurprisingly, the military struggles with the same shortage of cybersecurity experts the civilian workforce faces and, there too, creative solutions are beginning to emerge. One proposal is to exempt incoming cyber-skilled soldiers from certain training requirements, allowing them to transfer in “laterally.” Another is to lean on the Reserve and National Guard to supply extra talent. Others suggest developing a new service academy, akin to West Point, the Air Force Academy, and the Naval Academy, dedicated solely to teaching cybersecurity. Notably, these options are likely to have follow-on benefits as the cybersecurity industry begins to appreciate the value of pulling veterans into cybersecurity jobs. By building a pool of cyber expertise in the services, military leaders are indirectly benefiting the private sector that will employ veterans who choose to enter the civilian workforce.
One key hurdle in both civilian and military workplaces will be expanding cybersecurity’s demographics. Cybersecurity today faces a particularly homogenous workforce. The industry is spectacularly lacking in women and minorities, which means the growth of the U.S. cybersecurity workforce is hobbled until recruiting efforts can find a way to tap into the whole of the American population. As a simple matter of numbers, a larger talent pool allows recruiters to pull in more people, and the United States needs as many minds as it can muster on this challenge. But perhaps more significantly, research shows that diverse teams produce better results, and when the product is ensuring the security and resilience of U.S. networks, results matter. As organizations begin to take notice — and action — on the disparity, the workforce may see accelerated growth.
The executive order itself specifically points to perhaps one of the most promising approaches to bridging the workforce gap: cybersecurity apprenticeship training. While historically associated with the construction trades, this hybrid system of classroom and applied learning is quickly demonstrating its utility for cybersecurity, and employers across the country have been quick to create registered apprenticeship programs.
Under a registered apprenticeship model, employers develop a training program, typically in conjunction with a local university, community college, or specialized firm, which couples rigorous, supervised on-the-job learning with a required number of classroom hours. This training program is registered with either the state or federal Department of Labor to ensure that the program meets baseline standards. Once established, apprenticeships provide learners with an opportunity to make money — rather than spend it — on a training program, often while working towards valuable industry certifications. Meanwhile, employers can ensure a steady pipeline of talent guaranteed to be familiar with their particular tools and methods.
While the idea of apprenticeship programs in the technology sector may still be quite new in the United States, the model is more common overseas. In particular, the United Kingdom has developed a government-led apprenticeship program that funnels talent directly into jobs protecting critical infrastructure, thus supporting a crucial national security priority. Certainly such a model would need to be adapted for implementation in the United States, but apprenticeship systems currently enjoy political support from both sides of the aisle, making this a particularly politically viable moment to push for policies that support and incentivize the growth of cybersecurity apprenticeships.
Last week’s executive order laid out some remarkably tall orders, but mundane though it may seem, addressing the workforce shortage may be one of the most intractable and important challenges. The cybersecurity training environment is genuinely a complex ecosystem, and no single solution will work in isolation. Given the scale of the problem and the long time horizons involved in making meaningful change in the workforce pipeline, observers should not expect the interagency report to outline anything more than a basic starting point. With that said, many good options and strategies are already in development. If agency heads are able to craft suggestions that support good work and incentivize effective and scalable solutions, the order-mandated report could chart the beginnings of a path toward the strong cybersecurity workforce the United States desperately needs.
Laura K. Bate is a Senior Program Associate with New America’s Cybersecurity Initiative and a WiSe Fellow with the American Security Project. A graduate of Georgetown University’s Security Studies Program, she writes on cyber policy, intelligence, and security issues.
Image: U.S. Navy photo by Mass Communication Specialist 3rd Class Michael A. Lantron