In our last post we made the case for a national, virtual, cybersecurity academy. In this post we will discuss the key points of our proposal and in our next post we will discuss the advantages of our proposal which we suggest as the only practical way for the USA to quickly, comprehensively, sustainably, and cost effectively address cyber workforce the persistent cybersecurity workforce issue.
In brief, it is important to understand first what ISA is not proposing. ISA is not proposing a physical academy. The ISA is also not proposing a military academy. The ISA is not proposing funding only technical cyber education.
ISA is proposing that the federal government create a virtual national academy for cybersecurity. The model ISA is suggesting is the same as for the current service academies. Cadets would receive a free college education in return for 5 years government service in cybersecurity. The academy would provide a full education, just as the military academies do. The emphasis on cybersecurity would be equivalent of a major course of study. Their home college/university /community college would provide the rest of the coursework. Graduates would be placed in government jobs similar to the process as our military service academies are placed, however, they would not be in the military (the military academies already have their own specialized programs). Cyber academy graduates would go in state, local, and federal government institutions, working in cybersecurity for 5 years. After their five-year hitch with the government, graduates likely would take cybersecurity jobs in the private sector where, due to the interconnected nature of the internet, they would continue to be assisting in our national defense.
UNDERSTANDING THE NATURE OF THE CYBERSECURITY WORKFORCE ISSUE
When the Internet Security Alliance was founded in 2001, we campaigned for an aggressive cyber workforce development program because there were 100,000 vacant cybersecurity positions that could not be filled.
The most recent estimates are that – twenty years later – we have at least 600,000 vacant cybersecurity jobs on the US – and the gap is growing rapidly.
One of the major reasons we are not making progress in closing the cyber workforce need (we prefer the term national defense mobilization need) is that, for the most part, the issue has been addressed in a too narrow context – primarily an issue of technical proficiency. The focus has been on getting a range of technical training programs out there – and in that we have largely succeeded in doing that. Virtually every college/university and many community colleges have one.
In reality, however, cybersecurity is a much broader issue than technology. Cybersecurity is best understood as a three-legged stool that is roughly equal parts technology, economics, and public policy. Solving the cyber defense national mobilization issue will require looking at the issue in economics terms.
In short. the issue is a simply one of supply and demand. The demand for skilled cybersecurity personnel is outstripping the available supply. Since its unlikely that we are going to diminish the need for trained personnel the only answer is to stimulate the supply. The way we need to do this is by rebalancing the economics.
Virtually every family in the USA with children between the ages of 8 and 18 are worried sick about how they can possibly send their children to college because the costs of even public universities is, literally, frighteningly high. Obviously, this issue is even more acute for the less financially well-off elements of our nation. The children are worried, too, because they have gotten the message that they could take out student loans – and have these loans burden them until they are near retirement.
The allure of free tuition is a powerful driver to vastly expand the cyber workforce pool beyond what we are currently training which are people for the most part who are techies at heart. But frankly, there simply are not enough of them. We need to get parents all over the country to say to their kids – such as the hundreds of thousands of who love playing video games – that they actually can go to college free of charge and be guaranteed a great job when they get out – doing much of what they are doing in their games – solving problems with computers and technologies. It’s called cybersecurity.
By providing a strong economic incentive to consider going into cybersecurity – one that currently doesn’t exist – we have our best chance to quickly and dramatically increase the supply of people who we will train for cyber defense.
HOW WOULD THE VIRTUAL CYBERSECURITY ACADEMY WORK?
When we needed to respond to the previous new domain of warfare – air warfare – we established the Air Force Academy. Essentially, the Air Force received the same deal as Annapolis and West Point – free college tuition in return for 5 years government service. That is exactly the deal we should be offering candidates for the national cybersecurity service academy
Providing an economic incentive is the first step in building a national cybersecurity service academy. However, since we are already behind by literally hundreds of thousands of jobs while attack methods are getting more sophisticated, we don’t have the time, or money, to build an elite physical, service academy.
We need a 21st century solution to this 21st century issue. We need to make the cyber service academy a virtual service academy using digital technology and remote learning. This virtual solution is much faster and much more economical than a physical academy and also opens up availably to “attend” to everyone in the country. We already know that we have a sizable number of trained instructors with operational curricula in these numerous programs at our colleges and universities.
We obviously would need a process to certify the curriculum, but that process is routine in most academic disciplines. If we want to jump start the program, we could grandfather in a set of sites (e.g., the national cyber centers of excellence) while other institutions could adapt their curriculum as needed to eligible to apply for the program.
However, for the allure of free college tuition to be powerful enough to expand out talent pool, the grant needs to be not just for the cyber academy program. The cyber academy program would be analogous to a major course of study. Just as a student needs to take a range of courses, including their major, to graduate the same would be true with the academy. Students would select their colleges/universities/community colleges as they do now, but the cyber academy would be their “major.” They would take the rest of their course work at the college they chose and admitted them – similar to the current ROTC program except for non-military service. The government would pay the college, the full tuition, at regular rates for the academy students. Thus, the students would get the full college experience they want, but with free tuition and the government gets a continual supply of trained personnel.
The final core element of the proposal is that just as graduates from military academies get placed, so too would the graduates of the cyber academy. However, placement would not be simply in the military. Cybersecurity has a military aspect, but it is not strictly a military issue (and the military academies already have their own excellent programs tailored to the specifics of military cybersecurity).
Graduates of the cybersecurity academy would go to all levels of government. While the federal government has its own shortages of adequately trained cybersecurity personnel the shortages at the state and local governments are far more sever because the states and localities have far less resources to compete for the current limited pool of talent. In fact, it’s virtually inconceivable that the states and localities will ever be able to adequately compete with the federal government and private sector for cyber talent without a massive increase in the trained labor pool who would be made available to them via the academy program.
Another feature of the ISA proposal is that graduates, once they enter their government services will be paid at standard government rates – not the inflated levels government now must pay. In this process the government essentially recovers a good portion of the investment they made by paying for tuition. Thus, the program is a cost-effective solution.
However, that point strays into the description of the advantages of the virtual cybersecurity academy proposal, which is the subject of the next post.