The cybersecurity workforce shortage is undermining the ability of the United States to defend its people, infrastructures, and intellectual property. A 2016 study by the Center for Strategic and International Studies (CSIS) and McAfee, "Hacking the Skills Shortage," found that the cyber shortage is not just a regional or even a national problem; it is global. Around the world, 82 percent of respondents reported a lack of cybersecurity skills within their organization and 71 percent acknowledged that the talent shortfall makes organizations more vulnerable to attackers.
As we enter 2022, the shortage of cybersecurity professionals and operators has not gotten better. In fact, it has gotten worse. According to Cyber Seek, a tech job tracking database from the Commerce Department and the trade group CompTIA, there are currently about 435,000 cybersecurity job openings available in the United States, up from approximately 314,000 in 2019. The move to remote work in response to the COVID-19 pandemic increased the workloads of skilled IT professionals, and, combined with the rising rate of ransomware attacks, has left many security professionals suffering from burnout. With all that going on, the need for experienced cybersecurity staff has not dwindled, causing recruiters and government officials alike to search for solutions to the skills shortage.
The cybersecurity skills shortage is particularly acute within the U.S. federal government. There are an estimated 35,000 openings in the federal government for cyber professionals, but there are not enough qualified people to fill them. Given the vital role such government agencies as the U.S. Department of Defense (DoD), the Department of Homeland Security (DHS) and the intelligence agencies play in protecting the United States, this skills gap is disquieting and merits attention from policymakers.
The U.S. is at a competitive disadvantage in developing the substantial number of cybersecurity skills needed to compete against such countries as Russia and Israel that use a “whole of government” approach to training the next generation of cyber-skilled practitioners and professionals. Both Israel and Russia use compulsory service to build their cyber skills at scale. To compete, U.S. policymakers should consider creating a cybersecurity version of AmeriCorps, with the same type of national commitment we once made to the Space Program.
Such a large-scale, voluntary program could combine service opportunities with skills training to drive change at scale. Ensuring a whole-of-government approach, with the right level of funding, as suggested by the NSTAC Moonshot report, would help ensure its success. Both the public and private sectors could partner to create training and internship opportunities for participants in the program. After serving in a Cyber AmeriCorps-type program, participants could be incentivized to stay in public sector roles over the long run with training, college debt forgiveness, and priority access to federal and state cybersecurity positions.
To grow the talent pipeline and close the cyber workforce gap, policymakers should focus on expanding existing programs that train students in the fields valued by the cybersecurity industry. The CyberCorps Scholarship for Service (SFS) program is designed to increase and strengthen the cadre of federal information assurance specialists who protect government systems and networks. The program, administered through the National Science Foundation (NSF), provides grants to about 70 institutions across the country, each of which offers scholarships to 10-12 full-time junior and senior college students. With this structure, students are awarded free tuition for up to two years in addition to annual stipends – $22,500 for undergraduates and $34,000 for graduate students. There are also allowances for health insurance, textbooks, and professional development. Upon completing their coursework in areas relevant to cybersecurity and a required internship, students earn their degrees and go on to work as security experts in a government agency for at least as long as they were supported by the program. After that, they can apply for jobs in the public or private sector, though according to the NSF, 70 percent of these graduates stay in federal service.
To date, the federal government has made a solid commitment to supporting the SFS program. The program is funded at the level of $55 million per year. At a baseline, an investment of $50 million pays for roughly 2,000+ students to complete the scholarship program. Given the substantial cyber skills deficit, policymakers should significantly increase the size of the program to the range of $200 million. If this level of funding were appropriated, the program could support roughly 6,400 scholarships.
At the same time, this level of investment could help create a new generation of federal cyber professionals who could serve as positive role models for middle and high school students across the country to consider the benefits of a cyber career and federal service. On a long-term scale, this positive feedback loop of the SFS program might be its biggest contribution.
While the CyberCorps SFS program is laudable, it is currently available only to 70 institutions – and all are land-grant colleges. Current law limits SFS scholarships to research universities. This policy needlessly limits access to scholarships for qualified students from hundreds of universities and colleges around the country. In addition to expanding the funding, the scholarship program should be expanded to include other learning institutions, given the large number of talented and deserving students in our country.
Policymakers should consider expanding the program to community colleges, or creating a similar program for them. If we are going to close the cybersecurity talent gap across the country, we should focus resources on students pursuing associate degrees, which are valued in an industry that does not necessarily require a PhD or a four-year computer science degree. A strong cybersecurity operation requires various levels of skills, and a flexible scholarship program at a community college could benefit a wide variety of applicants while providing the profession with other types of necessary skills.
Community colleges also attract a wider range of students than four-year institutions. Some community college students are recent high school graduates, but many more are working adults and returning students looking for a career change or valuable skills training.
Recruiting from community colleges also supports the creation of a diverse workforce. Data show that 57% of community college students are women and 41% are minorities. Additionally, community college tuition is more economical than that of a four-year university. In-state community college tuition is about one third the cost of in-state four-year colleges, meaning the scholarship funds would go further with a program focused here.
Such an expanded program, through a public-private partnership, could attract high school graduates who do not yet have specific career aspirations into focusing on cybersecurity. The federal government could fund all or part of the tuition remission for students, while private companies could help develop coursework in cybersecurity. Interested students would have the opportunity to learn from college faculty and private sector practitioners.
For example, an IT company could offer several faculty members or guest lecturers to participate during a semester. Students would receive free tuition – paid by a federal program, perhaps with private sector contributions – but would not receive a stipend for living expenses, as four-year college students do in the CyberCorps program. Students would receive a two-year certificate in cybersecurity that would be transferable to a four-year school. Like the CyberCorps program, graduates would spend the same amount of time as their scholarship period working in a guaranteed government job.
A program like this has the benefit of bringing in private sector experts, attracting younger students who have not yet made a career commitment, engaging veterans, drawing a diverse range of students, and likely costing the government less – once the start-up costs are accounted for. Such a program should not substitute for, but complement, the existing, highly valued CyberCorps SFS program.
Furthermore, a candidate should not need to have a degree or certificate from a college to be a well-trained cybersecurity professional. Certificate programs provide valuable training, and there are more of them every year. To take advantage of these individuals, however, governments and businesses would have to change their hiring requirements. It is not necessary to have a college degree to work in cybersecurity, and requirements should be updated to reflect this reality. Employers ultimately value concrete skills that deliver value on the job, not just degrees.
We must develop creative approaches to enabling the public and private sectors to share talent, particularly during significant cybersecurity events. Cybersecurity is a rapidly changing area -- what is valid today will become obsolete tomorrow. We know that the adversary is constantly innovating and changing course, often reacting to new defensive capabilities the private sector develops. It is unrealistic to think that government cyber practitioners would be able to keep up with such a rapidly evolving environment without private sector assistance. We should design a mechanism for cyber professionals – particularly analysts or those who are training to become analysts – to move back and forth between the public and private sector so that government organizations would have a continual refresh of expertise.
One way to accomplish this would be for CISA to partner with companies and other organizations such as universities to staff a cadre of cybersecurity professionals – operators, analysts, and researchers – who are credentialed to move freely between public and private sector service. These professionals, particularly those in the private sector, could be on call to help an impacted entity and the government respond in a timely way to a major cyber event of national significance. Both government and private sector cybersecurity professionals would benefit from regular job rotations of possibly two to three weeks each year. This type of cross-pollination would help everyone share best practices on technology, business processes, and people management. CISA should include a flexible, public-private pool of certified professionals in its rewrite of its cybersecurity hiring and retention plan. Much like the National Guard, a flexible staffing approach to closing the skills gap could become a model of excellence.
The cybersecurity profession stands to benefit from diversity across many sectors. The number of women in the field is only 11% globally, according to the Women in Cybersecurity report by The Center for Cyber Safety and Education and Executive Women’s Forum on Information Security, Risk Management and Privacy. In North America, women constitute only 14% of cybersecurity professionals. The percentage is even lower for African Americans, who comprise only three percent of information security analysts in the U.S., per the Bureau of Labor Statistics figures. Clearly, training and recruiting more women and minorities could help alleviate the skills gap. Interestingly, many of what society traditionally considers “feminine” traits are highly valuable in cyber—collaboration, teamwork, creativity, and consensus-building, to name a few.
Additionally, we can both appeal to more women and woo more philanthropy-minded individuals by better explaining how cybersecurity work helps people. For example, among women engineering graduates, the numbers are highest in biomedical engineering and environmental engineering—fields where students can draw a direct correlation to helping humanity. Cyber is clearly a field that helps protect and empower people. If we brand the domain effectively, there is a target-rich environment of highly capable girls and women who could be joining the ranks to fill the current cyber skills talent gap.
Cybersecurity and advanced technology training should not be limited to universities and community college programs. Additional attention should be given to getting K-12 students interested in pursuing STEM-related careers.
The NSTAC Moonshot report makes this point: “Addressing this need will require an increase in the breadth and depth of K-12 Science, Technology, Engineering, and Math (STEM) programs that feed Cybersecurity Moonshot Initiative aligned strategic focus areas.” It further states, “Robust STEM education at all ages will also be a foundational element to cybersecurity education and workforce development initiatives. Innovative cloud-based technology must be leveraged to improve the speed and quality of STEM education. For example, AI, big data, and augmented reality offer the potential to help address roadblocks in K–12 and higher education. Such programs can leverage gamification, media, and distributed platforms for learning.”
Working to create a consistent nationally focused, age-appropriate cybersecurity curriculum for K-12 will assist in breaking down social and diversity barriers, as younger students understand that they are capable of succeeding in cyber and advanced technology fields.
While American universities are global leaders in engineering, even our best schools have gaps, particularly in cybersecurity training and education. The 2021 NSTAC report, Software Assurance in the Information and Communications Technology and Service Supply Chain, addressed this challenge and urged policymakers to restructure computer science programs on a national basis.
According to the study, “The curricula of many universities have not effectively integrated secure development practices, the rationale for security to be part of design, development, and delivery, or the security ethos that it is every developer’s job to understand and embed security throughout system design, development, deployment, and maintenance.”
The report recommendation states, “After the Soviets launched Sputnik, the U.S. educational system saw a revolution emphasizing science and math, and Congress responded a year later with the National Defense Education Act, which increased funding for scientific and technical education. The U.S. Government should consider launching a similar ‘revolution’ to emphasize skills development and prevention as the best solution to many cyber problems. This revolution could start with increased investments in programs operating under the Elementary and Secondary Education Act (K–12 programs), the Vocational Education Act (with a focus on community college curricula), and the Higher Education Act.”
We encourage policymakers to revisit the 2021 NSTAC report and implement its recommendations.
While not everyone in the U.S. needs to be a trained cybersecurity professional, cybersecurity touches everyone, and citizens need to have a fundamental understanding of how to protect themselves from cyber crooks and identity theft.
Public service announcements (PSAs) have been successful in the past in raising the level of the public’s understanding of smoking and forest fires. “Only you can prevent forest fires” still conjures up an image of Smokey the Bear or the Native American’s tears for many, 30 years later.
Policymakers should consider making further investments in public service announcements to promote broad-based cybersecurity literacy. These programs can be started up quickly and sustained over extended periods of time.