Introduction by ISA President Larry Clinton
The federal government spends roughly $70 billion a year on our cybersecurity. The very first billion ought to go to funding a virtual cybersecurity academy.
The reason, as we outlined in our previous post (read here), is that we are wasting much of the current $70 billion spent because we don’t have nearly enough adequately trained people to implement our cybersecurity standards, frameworks, regulations, or technologies. Nothing can work without adequate people to implement these techniques. Nation-wide we have 750,000 cybersecurity positions we can’t fill – 35,000 in the federal government alone. The workforce gap is currently growing at about 10% a year with estimates that the rate of the increase in the gap could soon approach 30%. This is one of the major reasons why our current cybersecurity defenses are not protecting us – things are getting worse, not better.
Ironically, this is one of the very few aspects of the complex cybersecurity problem that we actually know how to solve. In truth, while there are theories, we really don’t know how to secure AI, or prosecute the vast numbers of cyber criminals, or sustainably fund critical infrastructure against nation-state cyber-attacks (all issues we will discuss in later posts). However, we do know how to train a workforce. We just haven’t done it.
THE ESSENCE OF THE CYBER WORKFORCE SHORTAGE
The great Cesar/Philosopher Marques Aralias counseled of all things seek their essence. The essence of our cyber workforce issue is – economics. This is a simple problem of supply and demand. The vast and growing demand for adequately trained cybersecurity professionals has, and is continuing, to outstrip the supply. Therefore, the solution to this problem is to stimulate the supply.
The way to stimulate the required supply is, again, economics. However, the key is to apply the economic stimulus at the proper place. The economic compensation for trained cyber professionals is actually quite good. One of the great ironies (perhaps market failures) is that we can’t fill tens of thousands of high-paying high-status jobs. The problem is at the entry level. We need to provide stimulus to get people into the supply chain.
CAN WE FIND THE STUDENTS TO POPULATE THE ACADEMY?
As a baseline, the ISA proposal is to recruit a class of 10,000 students a year. At that scale, we would be able to fill all the 35,000 federal cyber openings in 4 years. As graduates complete their government service (say 4 years) they would likely continue their careers in the government or perhaps in the states localities or private sector – all continuing to defend our nation from cyber-attacks.
As it happens, we also have a major issue in the US regarding the cost of higher education. All across America there are families who are desperately looking for ways they can send their children to college without bankrupting the parents or the kids. Free tuition, just as provided by the traditional service academies, is an enormous lure for thousands of young people and families.
Last year 40,000 students applied for entrance to service academies and were denied entry. It is extremely likely that many of these students would opt for the cyber academy if that option was presented. Even if only a minority, say 25%, were interested that would be an annual class of 10,000 new cybersecurity trainees. Moreover, the cyber academy could forgo the significant physical requirements of the service academies. Thousands of physically disabled candidates might very well be interested and eligible. That doesn’t even begin to tap the literally millions of young people fascinated by e-sports and computer games who might be excellent candidates for the cyber academy.
HOW A VIRTUAL CYBER ACADEMY WOULD WORK
The ISA proposal differs from earlier cyber academy proposals in that we believe building an actual campus would be both economically unreasonable and politically unfeasible. Instead, we propose utilizing the multiple cyber training programs at numerous colleges, universities and community colleges that op-in to the program and link them using digital and distance learning technologies. This will dramatically allow for the fairly limited qualified faculty to reach thousands more students.
The federal government would bring together a group of cybersecurity experts from industry, academia and government agencies who would determine an appropriate curriculum. Participating entities would agree to offer the curriculum as the academy program. Students would attend the participating colleges of theory choice, similar to ROTC. The federal government would pay the students tuition and in return the student would be obliged to perfume a specified term of government service.
In our next post we will discuss the multiple advantages of this proposal including the fact that running the academy as we have outlined it would be cost neutral to the federal government.
FOR GREATER DETAIL ON THE ISSUES DISCUSSED IN “TWENTY-FIVE STEPS TO IMPROVING SECURITY WITHOUT NEW REGULATIONS” SEE FIXING AMERICAN CYBERSECURITY: CREATING A STRATEGIC PUBLIC-PRIVATE PARTNERSHIP (GEORGETOWN UNIVERISTY PRESS 2023)