Last May, President Trump signed a long-anticipated Executive Order on “Strengthening Our Nation’s Cybersecurity” (Executive Order 13800). In that order, he asked various federal agencies for a comprehensive report card on the ‘state’ of our country’s cybersecurity — albeit with a focus principally on the federal government — and we are just a few days away from seeing their grades.
One of those report cards will deal with the nation’s cyber talent gap, and the EO asks a task force of agencies led by the Departments of Homeland Security and Commerce (and its National Institute of Standards and Technology) a series of largely rhetorical questions about whether and how it’s being closed.
Why rhetorical? Because we already pretty much know the answers. Precise estimates on the size of the gap may vary, but every bit of empirical evidence indicates that it’s a ‘hugely’ one. For example, a survey released earlier this year by the Information Security Certification Consortium (ISC2), sponsored in part by my former employer, projects that gap to be as much as 1.8 million worldwide by 2022. Given our country’s digital dependence, much of that gap is likely to be found within our own virtual borders. And more importantly, there’s no evidence that our nation’s education system is going to make a dent in the gap anytime soon.
In my view, cyber talent — the ‘wetware’ in our networks — is perhaps the most critical element of our cyber infrastructure … not just in the federal government but in the U.S. overall, and as the gap grows, so too does our vulnerability.
A Great and Growing Gap, and What to Do About It
That’s a problem, yet all we’ve done as a nation — at least to date — is to admire it. To be sure, individual organizations and institutions, even some states (like Florida, which established an innovative Center for Cybersecurity to integrate the cyber workforce development efforts of all of its state universities) are doing their part to close that gap, but the U.S. has never treated this as a national problem, one that requires a national solution.
The good news is that the Trump EO has at least started that conversation. To be sure, it began as almost an afterthought. Early drafts of the order neglected the subject altogether, focusing instead on the technical aspects of cyber, but thanks to the efforts of a committed few working behind the scenes, the talent gap was added to the order’s various taskings. However, if the report concludes what we already know — that the gap exists, and current efforts to close it remain inadequate — that does us little good. So, what can we do to rectify all that rhetoric? Here are some ideas, some incremental, some a bit more ambitious:
• Expand cyber ‘scholarships for service.’ One of the easiest and quickest fixes would be to expand the size and scope of the National Science Foundation’s Cyber Scholarship for Service program. Right now, NSF’s relatively meager budget limits its size to just a few hundred cyber students a year, all with a rather loose post-graduate federal service commitment. That’s not nearly enough to satisfy the government’s needs, much less the nation’s. Let federal agencies put their own money into the program, and let them pick the recipients up front, when they’re sophomores or juniors, so that they can give them internships — and security clearances — that will make them job-ready on day one. I’d also give the private sector access to the program, with their own money of course, but with the graduates they hire subject to a national service commitment (see my previous blog).
• Establish tougher cyber academic standards. Today, NSA and DHS jointly manage something called the Centers for Academic Excellence (CAE), which sets academic standards for cyber and information security degree programs. That program is fine as far as it goes, but it needs to be put on steroids. At present, CAE certification remains largely a paperwork exercise, and everyone in the cyber education business knows that it tells you little about the quality of a cyber degree or graduate. That’s not intended as a backhanded critique of the CAE program; it was never designed nor funded to do more than it has, but it’s time to raise the bar. Make cyber accreditation — and I use that term deliberately — as rigorous as it is for any law, medical, engineering or business school. And get the nation’s colleges and universities, under the leadership of the Department of Education, to adopt them, just as they have with other accreditation standards.
• Tap new sources of potential cyber talent … like women, minorities and vets. Many have commented on the need to attract more women and minorities to the cybersecurity field, and there are plenty of pilot programs that have attempted to do so. Let’s identify those that have worked and fund them with cyber education grants — to states, public and private universities, community colleges, even school districts — that prove that they can do so successfully. Veterans also offer a relatively untapped source of raw cyber talent. And I’m not talking about cyber-trained vets … they typically have their pick of cyber jobs. Rather, I’m suggesting something like the old ‘troops to teachers’ program that was created at the end of the Cold War; it provided post-service opportunities for downsized servicemen and women to become educators … and in so doing, help address a national teacher shortage. So, a model exists, and the funding may already be there in the form of the new GI Bill — but the training programs necessary to turn a vet with aptitude into a cyber ninja are in short supply.
• Drive cyber apprenticeship and two-year degree programs. We can’t just limit our focus to undergraduate and graduate degrees in cyber … the gap is too big, and the skills required too varied. Not all cyber work requires a fancy diploma. We need to expand the cyber talent pipeline to include the 21st century version of the apprenticeship programs that have served our nation so well in the past, as well as two-year degree programs from our country’s community colleges. Undergraduate and graduate-level accreditation standards would have to be modified, of course — not compromised, but modified — but that can be done with a little leadership from the Departments of Education and Labor. Bottom line: If apprentice programs can train ‘blue collar’ workers (and I use that term very respectfully) to build airplanes, satellites and nuclear submarines, then we can do the same to add more cyber talent to the pipeline.
• Increase the supply of cyber teachers, especially in K-12. New, tougher two-year, undergraduate and graduate accreditation standards will incentivize colleges and universities to strengthen their cybersecurity degree programs. However, they depend on a K-12 pipeline of STEM and related students that historically has never produced more than a trickle … especially when it comes to women and minorities. The shortfall isn’t helped by declining school district budgets, as well as declining student interest, but it starts with teachers. There just aren’t enough of them who know enough about cyber to ignite the interest of their students. NSA has already laid the groundwork for addressing this shortfall, piloting a short ‘summer camp’ for current K-12 cyber teachers, but much more is needed. This oft-neglected area is ripe for national investment … in this case, perhaps with additional competitive grants to states, school districts, colleges, and universities to develop innovative programs that increase the pipeline of cyber-skilled teachers.
A National Problem That Demands Federal Leadership
These are just a few of the initiatives that I hope to see in the Executive Order’s cyber workforce report. There are lots of other ideas floating around out there, but the key will be to take the best of them, weld them into a national cyber workforce development strategy, and put some money where our mouth is! Other nations — ranging from the United Kingdom to the United Arab Emirates — have already done so, and we should humbly follow their lead.
Note that this does not require the federal government to do this all by itself. To the contrary, that’s the job of colleges and universities, community and junior colleges, states and school districts. But it will require the federal government to provide leadership in this area … not more rhetoric, but real leadership. The invisible hand of the market just can’t keep pace with the demand for cyber professionals, nor with the cyber threats that drive that demand.
Given our reliance on all things cyber, this is a national problem, and it demands a national solution that only the federal government can drive.
A retired career federal executive with almost 40 years of public service, Ron Sanders was recently named director of the University of South Florida’s School of Public Affairs. Ron has been contributing to Federal Times since 2013 and will continue to do so in his new capacity.