May 31, 2022

Our service academies – West Point, Annapolis the Airforce and Merchant Marine Academies are the ultimate public private partnership.

Government offers private citizens high quality education at no cost, and in return the graduates are obliged to provide three years of service to the government, and many stay on well-past that obligation. The system has a proven track record of providing the USA with the world’s best defenders and virtually no one argues that the price is not worth the benefit to either the students or the nation. This is a system that works.

Of course, we have expanded this system over time as the threat environment changed, first with West Pont, followed by Annapolis and so forth. Although the military use of the air existed in the mid-19th century with reconnaissance balloons even during the US Civil War, it wasn’t until however, until World War II demonstrated that air superiority became a full-fledged domain of warfare that the US finally established the Air Force Academy in the early 1950s.

It is now obvious that cyber weaponry has created a unique 21st century domain of warfare and much like, modern air technology fundamentally changed many notions of war so too does cyber technology. There is, in fact, an unresolved and important debate as to what counts as cyber warfare. Is it just when nation state military agents engage in a defined conflict such as in Ukraine? Or are the attacks by nation-state actors on private entities a modern version of warfare? Indeed, is warfare confined to identified nation state action, or is spate supported action, such as the Ransomware attack on Colonial Pipeline a version of warfare? And where does responsibility for defense transfer from law enforcement personnel to the military?

Although these complicated issues will need to be unpacked, its best to start with what we do actually know and take steps to address the very threating position we know we are facing

We do know we are under attack. We are under attack all day every day – thousands of times a day in varying cyber ways. And the “we” here is everyone. Citizens are losing their personal data; corporations are losing their intellectual property and the government is losing critical national security information. We absolutely know all this.

We also know we don’t have nearly enough personnel to address these ongoing attacks. Not only do we know we have a workforce shortage we have known it for decades. We also know, there is no way for us to finally establish a sustainably secure cyber system if we don’t have enough properly trained people to manage it.

When I started at the Internet Security Alliance in 2002, I recall our campaigning for an increased focus on cyber workforce development since there were over 100,000 cyber jobs unfilled. Twenty years after that gap has increased sixfold. Of course, we are training far more people than in 2002, but it’s not nearly enough. If over 20 years a problem we have been trying to resolve, and despite some very fine work, is growing far worse than we would be insane not to try something different.

According to the most recent research there are now nearly 600,000 unfilled positions, in cybersecurity. In the last 12 months, job openings have increased 29%, more than double the rate of growth between 2018 and 2019, according to Gartner TalentNeuron, which tracks labor market trends. According to the Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly “if we don’t do something about this there will be 3.5 million unfilled cybersecurity jobs by 2025.”

It is apparent that the fractured workforce development programs we have today is not addressing the growing need. With cyber becoming an increasing aspect of international conflict, and private sector loss we need an accelerated and, consolidated strategy.

We need a National Service Academy for Cybersecurity. This would mean that, just like our existing service academies, students would receive a free college education — focused on cybersecurity to the same degree the Air Force Academy focuses on air warfare — and in return graduates would be assigned to three years of government cybersecurity service.

There are two important distinctions to make about this proposal. First, we are proposing a service academy, not necessarily a military academy. This is because cyber conflict is not confined to traditional military domains. Graduates of the Cyberservice Academy would be placed in all manner of government structures, military, civilian and even state and local government because the workforce shortage, if anything, even more dire there than in the military cyber domain.

Moreover, once their government service requirement is fulfilled many might well choose to stay with their government employment, as is the case with the military, or move to the private sector. However, even when these service academy graduates move to the private sector, they would still be preforming a form of national service since US cybersecurity depends not just on the government’s cybersecurity but the interconnected private networks many of which serve our national critical industry.

A second important distinction is that the national cyber-services academy should be a virtual academy. Any college or university should, upon accreditation, be able to participate in the program with the same requirements as if they were in a physical location. By adopting this distributed model utilizing modern remote learning capabilities curriculum, materials and instructors could reach vastly larger groups of candidates thus dramatically increasing the talent pool and turbo-charging the process to get more trained personnel into the cyber world.

An added benefit of creating a national cyber service academy with a coordinated link to government service is that we will likely develop a version of the esprit de corps that the traditional service academies have. Obviously, this may not be as strong as with the physical military academies, however there would be a sense of joint mission and common ground that might well help establish the culture of security in both government and industry that will be required to have a more secure system.

With a perineal cyber workforce gap of over 600,000 growing at nearly 30% a year we obviously need to take immediate action. This proposal integrates the economic incentive of free tuition with utilizing modern educational technology and the commitment to government service in a critical – perhaps the most critical – aspect of national defense in the current time. It offers an accelerated pathway to filling the cyber workforce gap and offers the government a reliable and affordable stream of trained personnel which is essential to solving our cybersecurity problem and does so with comparatively little government expenditure.

There are some aspects of our cybersecurity problems that are incredibly challenging. Figuring out how to secure AI or the vastly expanding vulnerabilities that 5 G and enhanced cloud utility are extremely challenging problems. At a different level rebalancing the overall economics of private sectors defending critical infrastructure from nation sate attacks with only commercial financing is difficult. How do we deal with China’s Digital Silk Road – a toughie.

But we actually do know how to train a work force. We have done it multiple times in this country. We had to vastly increase military forces in WW II and train Rosie the Riveter to run the factories – we did it. In the 1990s “computer literacy” was considered a major problem. No one even talks about that anymore. We can do this. We even have a cadre of excellent trainers available; we just need to access modern technology to best leverage them. We just need a creative solution and commit to it. A national cyber service academy is perhaps just such a “doable” solution to one of our major cybersecurity problems.