Ideas for Filling the Cybersecurity Skills Gap
Testimony Given to Presidential Commission on Enhancing National Cybersecurity
A group of cybersecurity policymakers recommends a series of steps the U.S. federal government and the private sector should take to ensure that the nation will have enough cybersecurity specialists in the coming decade.
Among those steps are providing student debt forgiveness for those studying cybersecurity, creating internships and mentorship programs as well as moving to centralized recruiting and training for the federal government.
In testimony given Sept. 19 before the presidential Commission on Enhancing National Cybersecurity, witness after witness stated the need for government-backed initiatives to enhance the IT security workforce in government and the private sector.
"This shortage is reflected at every level, from basic entry-level network managers to senior researchers," says Neal Ziring, technical director for capabilities at the National Security Agency. "The technologies of cyberspace will continue to grow and change, and attackers will continue to develop new tradecraft. Without a solid workforce, we will not be able to maintain or improve security in the long term. ... The shortage will continue indefinitely unless we take action to alleviate it."
200,000 Shortfall in Cybersecurity Specialists
The situation is acute in the federal government.
Commerce Secretary Penny Pritzker, in her prepared remarks, points out that the nation faces a shortfall of 200,000 cybersecurity specialists. That gap hits government particularly hard. "Since arriving at Commerce, I have faced a chronic shortage both in quantity and quality of cybersecurity personnel," she says. "Yet I do not have the authority, flexibility or resources to do enough about it. ... The federal government's challenges are compounded by a smaller talent pool, uncompetitive salaries and a cumbersome hiring process."
But even when qualified personnel are identified, getting them on board remains a challenge. "As many of you know, Washington is not Silicon Valley; hiring takes months, not minutes," Pritzker laments. "In all honesty, I feel like Sisyphus here. I meet biweekly with my CIO and often find out that by the time we bring someone new on board, someone else has been lured away by private sector perks or poached by an agency that offers hiring bonuses or higher pay."
Gregory Wilshusen, director of information security issues at the Government Accountability Office, says he doesn't expect the situation in the federal government to improve soon. "Ensuring that the government has a sufficient number of cybersecurity professionals with the right skills and that its overall workforce is aware of information security responsibilities remains an ongoing challenge," Wilshusen says in written testimony.
Studies over the years show the struggle in building an IT security staff. For example, a GAO survey earlier this year of federal agencies' CISOs reveals their difficulties in recruiting, hiring and retaining security personnel. Wilshusen says the problem of maintaining a sufficient security staff makes it more challenging for agencies to effectively carry out their responsibilities.
In building the federal government's cybersecurity workforce, Pritzker suggests the commission consider recommending a centralized system to recruit, train and place federal cybersecurity personnel as well as creating specialized pay scales to compete with the private sector.
"We need to rethink recruitment with bold ideas like debt forgiveness for graduates of certified programs, tuition-free community college in return for federal service and cybersecurity apprenticeships within civilian agencies," the Commerce secretary says.
NSA's Ziring offers similar suggestions for building the IT security workforce, including supporting students pursuing cybersecurity degrees and certificates directly through scholarships and indirectly through internship programs and industry incentives. Ziring cites as an example the National Science Foundation Cybercorps Scholarship for Service Program, which he contends has been successful in drawing talented undergraduate and graduate students into cybersecurity and then placing them in government positions at the start of their careers.
Teaching the Teachers About Cybersecurity
"High schools and universities are being challenged to introduce cybersecurity to the nation's next generation in order to create a substantial pipeline of inspired cyber students," says Rick Geritz, CEO of the online learning platform LifeJourney. "The reality is that high schools and teachers lack cybersecurity skills and training."
Geritz suggests in his testimony that mentoring by cybersecurity specialists can play a role in addressing the shortage of qualified educators.
"Evidence informs us that mentoring is critical - to both students and teachers - to imparting up-to-date knowledge about the field, the marketplace needs and career opportunities," Geritz says. Mentoring programs "must be designed to facilitate the spirit of collaboration among all participants committed to the universal goal - to optimize the national - and ultimately the planetary - human capital base."
In his testimony, Geritz cites studies that show significant mentoring relationships help drive individuals into specific careers.
Geritz also recommends offering cybersecurity training for all teachers, irrespective of their background or current assignments. Such training, he says, would enable more educators to inspire students to become part of America's digital economy. He also suggests a "day of cyber," which would expose all students to cybersecurity skills so they'd understand the career opportunities in the field.
Seeking Well-Rounded CIOs
Karen Evans, a former federal CIO who heads the U.S. Cyber Challenge, a program of competitions and encampments aimed at attracting young people to the cybersecurity workforce, testified about the skills federal agencies' CIOs are lacking.
"Many CIOs argue they don't 'have a seat at the table,'" Evans says. "I would argue that a seat at the table is earned by having the skills and abilities to contribute to the agency's mission - including protecting the agency from threats."
Federal law assigns responsibility for agencies' IT security to their CIOs. Evans points out that CIOs serve as strategic advisers to the heads of federal agencies regarding the use and management of information while managing the risk associated with use of technology to provide the mission services.
Evans says the commission in its findings should urge rigorous enforcement of federal rules that CIOs possess the technical and policy skills needed to serve their agencies.
"The skills set needed by the CIOs includes more than just understanding policy," she says. "CIOs who have technical skills and understanding combined with the good communications and interpersonal skills will be successful."
President Obama, in an executive order issued in February, created the Commission on Enhancing National Cybersecurity, requiring it to submit a final report by Dec. 1 with recommendations for how the government and private sector can strengthen cybersecurity over the next decade while protecting privacy, ensuring public safety and economic and national security (see Cybersecurity Commission Includes Former Heads of NSA, NIST).
Exploring ways to strengthen the cybersecurity workforce is only one component of the commission's charter. In developing its recommendations, the commission will identify and study advances in technology, management and IT service delivery that should be developed, widely adopted or further tested throughout the government and private sector.