PREMISE ONE: CYBERSECURITY IS A NATIONAL DEFENSE IMPERATIVE
Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in the 1950s, so, too, have recent events made it clear beyond doubt that cyberspace is now a unique domain of warfare.
As such, cybersecurity must be properly understood not just as privacy, consumer, and business issue with an adjunct military aspect, but for what it truly is. The most dominate element of national defense in the 21st century, because all the other domains of warfare are ultimately dependent on cyber technology.
PREMISE TWO: CYBER TECHNOLOGY HAS CHANGED THE NATURE OF NATIONAL DEFENSE WHICH CAN NO LONGER BE CONSIDERED IN MILARY TERMS
The defining characteristic of the Internet is ubiquitous interconnection. In 21st century America, our national defense must be understood as coequally dependent on a cybersecure private sector as a capable cyber ready military force.
In the 1940s, steel plants in Pennsylvania were not expected to erect radar and deploy anti-aircraft weapons to ward off a possible Japanese or German attack on the US critical infrastructure, however we have heretofore taken that posture with respect to cybersecurity.
It is established fact that in present day private institutions are faced increasingly with cyber-attacks often by nation state, state affiliated or state trained assailants. These attacks not only threaten consumer and corporate interests but the overall national interest.
National defense can no longer be thought of in strictly military terms.
PREMISE THREE: CYBERSECURITY IS ABOUT MORE THAN JUST TECHNICAL PROFICENCY
One of the major reasons we have made so little progress in creating a sustainably secure cyber system is that too often the issue is mischaracterized as essentially an “IT” problem.
Cybersecurity obviously has an important IT aspect to it; however, it is a far larger issue than just the IT. In reality, cybersecurity is an enterprise-wide risk management issue. Creating a secure cyber ecosystem requires coordination with IT, finance, HR, audit, and compliance, legal, operations, supply-chain management, logistics, and much more. Sophisticated cyber entities from the National Association of Corporate Directors through major colleges and universities are now appreciating this understanding. National cybersecurity training must similarly include this more comprehensive understanding of the issue.
THE CYBER WORKFORCE ISSUE NEEDS TO BE ADDRESSED IMMEDIATELY AND AT SCALE
Time is quickly running out to train our nation for the required collective defense. Indeed, this issue is miscast as development of a cyber workforce. It should be more accurately understood as national cyber defense mobilization.
Cyber-attack methods and business models are becoming ever more sophisticated and diffused to a growing cyber attack community. Attack methods considered highly advanced and capable only from nation states a few years ago are now widely practices by criminals. Cyber-attacks as a service are growing which will increasingly make sophisticated attack methods available to ever more dangerous and less manageable entities than traditional nation states.
The US is not prepared for this growth.
The federal government has been trying for years to compete with the private sector for scarce cyber resources and has had only marginal success. This situation is unlikely to get appreciably better so long as the demand for adequate personnel out strips supply, and all evidence suggest the trends are moving in the opposite direction.
The situation is far worse at the state and local levels which do not have the economic elasticity of the federal government. Without a dramatic increase in the supply of appropriate personnel it is almost impossible to see how financially strapped states and localities will ever be able to compete in the market for cybersecurity personnel. It bears repeating that due to the extensive interconnection between states and the federal governments not only are the states and their citizens going to continually suffer from attacks they cannot possibly defend themselves from, but they will provide massive pathways to federal systems creating an ever-present systemic risk to the nation.
WE CAN NEVER – EVER – CREATE A SUSTAINABLY SECURE CYBER NATIONAL DEFENSE WITHOUT AN ADEQUATELY TRAINED AND MOBILIZED CYBER WORKFORCE
When the Internet Security Alliance was founded in 2021, ISA campaigned for a cyber workforce development program citing the existence of nearly 100,000 cybersecurity positions. Now 20 years later, and despite numerous government and private workforce training programs the deficiency estimates have risen to about 600,000 vacant positions and climbing rapidly.
It is obvious, based on 20 years of evidence, that the patchwork system of disconnected and idiosyncratic training programs has not, will not and cannot fulfill our national needs.
It is further axiomatic that we cannot defend our nation without enough trained people to defend it. That is why in earlier eras the federal government created the service academies.
We now need a national, virtual, cybersecurity service academy.
PROPOSAL: A NATIONAL VIRTUAL CYBERSECURITY ACADEMY FUNDED BY THE FEDERAL GOVERNMENT SIMILAR TO THE EXISTING MILITARY ACADEMIES
Its important to understand first what ISA is not proposing ISA not proposing a physical academy. The ISA is also not proposing a military academy. The ISA is not proposing funding only technical cyber education.
ISA is proposing that a virtual national academy for cybersecurity. The model ISA is suggesting is the same as for the current service academies. Free college education in return for 5 years government service in cybersecurity. The academy would provide a full education, just as the military academies do, the emphasis on cybersecurity would be equivalent to the degree of direct military training currently provided at West Point Annapolis, etc. Graduates would be placed, similarly to the military service academies, in state, local, and federal government institutions, working in cybersecurity for 5 years.
ADVANTAGES TO CREATING A NATIONAL, VIRTUAL CYBER SERVICE ACADEMY
1. Recruitment. The service academy provides compelling incentives to join the government cyber work force. As Clarks and Knake wisely noted in their landmark book, The Fifth Domain, the major issues with cybersecurity are not technical but economic. The real key to future cybersecurity is properly aligning economic incentives with national needs. The national cyber service academy. This proposal addresses one of the most vexing issues facing American families – especially working class and economically impacted families – college tuition. Parents all over the country will urge their children to investigate the cyber academy not only as a pathway to college but to a professional career with substantial economic upward mobility. Students themselves will be attracted to the opportunity to go to college and not be forever burdened with college loan debt. This proposal would vastly expand the talent pool beyond the traditional techie geek population to the hundreds of thousands of computer game players who would not normally think of going into cybersecurity.
2. Speed. A national cyber service academy can be initiated fairly quickly. There are already numerous cybersecurity programs, including ones that go beyond just technical aspects of cybersecurity, already operating. Designing an appropriate curriculum – essentially choosing from what is already available – is not difficult.
3. Size. This proposal offers perhaps the. Only practical way to attract the numbers of candidates needed to address the scale of the workforce problem. Within a few years the federal government would have an adequate cyber workforce trained specifically to address cyber issues from a government perspective, State and local governments would also for the first time have access to a well-trained pool of cyber workers. This is probably the only way states and localities will ever be able to have such an urgently need filled as they will never be able to compete in the market. As currently established — and they would have them for a minimum of 5 years. Moreover, the supply would keep coming with a new class every year. The government could manage the size of the workforce depending on need and cost. State and local access to the pool will also dramatically enhance the political attractiveness of the proposal.
4. Cost-Effectiveness. Since there is not a physical campus, the major direct costs are for curriculum development and personnel. Since the academy is virtual modern digital teaching techniques cold be utilized providing for uniformity for the instruction. In addition, many startup costs (such as curriculum) will moderate over time The virtual nature of the program will also allow for maximum usage of top teaching personnel. No doubt industry contributions will likely be able to supplement the comparatively modest costs. Moreover, government will pay the graduates standard government salaries – not the constantly inflated salaries currently needed to compete for the scarce cyber workers. Over 5 years of service much of the program will pay for itself.
5. Additional benefits. Most obviously our national defense will be almost immediately enhanced at a comparatively low cost. In addition, when graduates complete their government 5-year hitch they will likely go into cybersecurity positions in the private sector – which due to the vast interconnection – also strengthens our nation’s defense. In addition, as alluded to above this program opens a potentially wide door to currently underserved student populations who would not under current circumstances attend college and provides long-term economic advantages to their communities. Additional benefits come from the renewal of the value of government service as an esprit de corps may well emerge.
In short, we can never hope to secure our nation without a cybersecurity workforce. The national virtual cyber academy is the only practical approach that can address this issue with the speed and scale it requires. Compared to many other necessary cybersecurity initiatives it is inexpensive and “do-able” and generates multiple benefits beyond the core workforce development goal.