What is the single most important public policy issue in cybersecurity?
Hint: the answer is the same as if we asked what is the single greatest vulnerability to our cyber systems?
It’s people.
We don’t have nearly enough properly trained cybersecurity professionals. Current estimates are that we have 700,000 cybersecurity jobs we can’t fill (worldwide the number is 4.5 million). This includes a shortage of 35,000 open positions in the US federal government alone. And despite a spate of new programs being announced in recent years, the gap continues to grow – currently at about 10% a year.
The reason this is the most important issue is that it is axiomatic that none of our cybersecurity initiatives – not the regulations, not the standards, frameworks or technologies – nothing can work as well as we need it to work without adequately trained people to implement these techniques. We don’t have these people and the current efforts to attract them are failing.
The number one priority in the new national cybersecurity strategy ought to be to resolve the workforce gap, but it is not. Workforce development is buried as level 4.6.1 in the new implementation plan, which states simply that ONCD is to “develop and publish a workforce development strategy” (due date Q2 of 2024).
To be fair, the ONCD has done this. But this document is largely a repetition of pretty much the same platitudes that we have been hearing for the past 20 years while the workforce gap has grown from 100,000 to 700,000. There is no denying that the rhetoric is well said, but we are long past the time for broad strokes; we need action.
We can begin by recasting the issue to give it its true importance in terms of our national defense. US cyber systems are under constant attack, all day every day by aggressive elements often tied to, if not sponsored by, adversarial nation states. Our nation is under attack, and we do not have enough cyber soldiers. This is more of an issue of national defense mobilization than workforce development.
Appreciating the priority of the issue as well as its expanse, we need to address it in a risk management framework. We need to quickly create a system that will guarantee our priority defense systems will have enough well-trained people to properly defend us. Hence our federal government needs to be our top priority.
We might well fault ourselves in the cyber community for not pressing this issue more fervently earlier. In truth this is reminiscent of the lack of vision the US had before World War II when we didn’t yet appreciate that the skies were actually a domain of battle, and as a result were woefully undermanned when the Japanese Air Force bombed Pearl Harbor. One of the first things we did after WWII was to create the Air Force Academy so we would never be caught off guard like that again. That is, until now when we are making the same mistake by not understanding the extent of the cyber battlefield and again lacking an adequate defensive force.
We need to follow the example the “greatest generation” set with the establishment of the Air Force Academy. We need to create a national, virtual, cybersecurity academy that uses the same incentives to attract people to sign up – free college tuition in return for government service.
There isn’t a family in the country with children between the ages of 5 and 15 that is not apoplectic about how they can afford to send their children to college. Ironically, we can leverage the crisis we face with the cost of higher education to help address an urgent national defense gap.
Last year there were 40,000 students who applied to the traditional service academies and were turned down. If we simply offered them the option of instead attending the cybersecurity academy – and a mere 25% agreed to do so – we could enroll 10,000 new cybersecurity trainees right now and do so on an annual basis – creating a reliable supply chain of well-trained cyber defenders for our government. At that rate we could solve – solve is a word we rarely use in terms of cybersecurity – we could solve the federal government’s cyber workforce gap in less than 4 years.
In our next post we will lay out some particulars of the national cybersecurity academy proposal and detail some of the many advantages this initiative would generate.
FOR GREATER DETAIL ON THE ISSUES DISCUSSED IN “TWENTY-FIVE STEPS TO IMPROVING SECURITY WITHOUT NEW REGULATIONS” SEE FIXING AMERICAN CYBERSECURITY: CREATING A STRATEGIC PUBLIC-PRIVATE PARTNERSHIP (GEORGETOWN UNIVERSITY PRESS 2023).