In a series of recent posts, we have noted the time has come for us to create a national virtual cyber service academy, modeled on our traditional military academies, but updated for the digital age (link). We subsequently detailed the public policy argument for this academy (link) and outlined a governance model for it (link). In this post we will summarize some of the many advantages for creating this national, virtual cybersecurity service academy – it will take multiple posts to cover them all, but we will start with these.
ADVANTAGE ONE: WE WILL, FINALLY, CREATE A PATHWAY TO NATIONAL CYBERSECURITY
It is axiomatic that none of the technologies, frameworks, coalitions, or strategies to enhance our cybersecurity can ever succeed without sufficient adequately trained personnel to implement these tools.
There are literally hundreds of thousands of high-paying cybersecurity jobs we don’t have the people to fill just in the US. World-wide, there are millions of these jobs vacant – many dealing with networks we are interconnected with in the US. Despite recent spending increases and the existence of a number of very good training programs, the gap is continuing to grow with estimates of increases of as much as 30% in the next few years. Things are especially bad in the critical government sector. A recent CSIS study showed that the federal cyber workforce is near 35,000 and the gap has increased by 25% in the past 3 years. The future for the federal sector is even bleaker as natural attrition is going to make things worse. There are 16 times more federal “IT” workers over 50 years old than under 30 years old.
The piecemeal efforts we have tried over the past 20 years are clearly not sufficient. By creating a national cybersecurity academy, we can efficiently and effectively, and permanently, solve this fundamental problem. The academy is the only practical path to do solve this problem quickly and at marginal cost.
As policy makers debate the cost of establishing a national cybersecurity academy, they would do well to remember that the tens of billions we are already spending on various cybersecurity initiatives are all inherently undermined by the lack of trained personnel. Solving the cybersecurity personnel shortage needs to be cybersecurity priority number one.
ADVANTAGE TWO: CREATING AN ACADEMY PLACES CYBERSECURITY IN ITS PROPER, NATIONAL SECURITY CONTEXT
We need to stop using the antiquated term “cybersecurity workforce development.” What we really are talking about is national security mobilization.
It wasn’t until after WWII that we realized that the skies were a unique domain of warfare. And that our lack of preparation for this new domain of conflict contributed to things like the Japanese successful bombing of Pearl Harbor. If the constant stream of successful cyber-attacks our government has experienced, over the past few years didn’t convince us that this is a national security issue, the events in Ukraine should. Hopefully, we won’t need a cyber–Pearl Harbor before we decide to prepare our defense with trained personnel.
The reality is we are already under attack. We are under attack all day, every day, thousands of times a day, including from nation-states and state-affiliated attackers. Things are getting worse – much worse – and we don’t have nearly enough trained people to defend ourselves. Much like modern aircraft fundamentally changed the nature of international conflict, so too has digitalization altered the nature of conflict and hence the nature of effective defense. Our cybersecurity requires a very different set of skills than the traditional military. Cybersecurity training requires not only technical training in the technology itself but a wide range of associated skills, such as, strategic thinking, probability estimation, human resources (people are our greatest vulnerability), as well as supply chain management, auditing, and strategy.
We can’t solve our cybersecurity problems without understanding them. This begins with thinking about and talking about this issue using the proper terminology. We need national defense mobilization effort, and we need it soon. At the very least our government agencies need adequate personnel.
There is another sense in which the national cyber academy would place the cybersecurity issue in its correct context – as an economics issue. Our personnel shortage is a classic economics problem – supply and demand. We simply do not have an adequate supply of trained people to meet the ever-growing demand. The answer to this economic problem is to use economic stimulus to generate an adequate supply of trained people. That economic stimulus is the same one we use for our traditional military defenders — free college tuition to students who will repay the nation by devoting 5 years of government service in our national defense.
ADVANTAGE THREE: THE CYBERSECURITY ACADEMY IS COST-EFFECTIVE
One characteristic of this program is that its cost can be largely managed on a year-to-year basis simply by increasing or lowering the number of applicants allowed into the program. For illustrative purposes we will assume that policy makers would want to solve the federal cyber mobilization shortage in 4 years.
While there are hundreds of thousands of cybersecurity jobs vacant in the country there are “only” about 36,000 vacant at the federal level and a roughly equal number of vacancies at state and local government levels. That’s roughly 70,000 jobs we need to fill at all three levels combined. Postulating classes of 10,000 students at the current average cost of tuition and fees at a 4-year public college (roughly $20,000) a hybrid virtual-physical cyber academy operating in concert with our existing educational structures– roughly equivalent to ROTC –would cost the federal government about $800,000. If we add a very generous 20% on top for administration and we have a $1billion dollar a year program.
A program of that size would solve our federal cybersecurity personel shortage in 4 years. At this funding level, in eight years, the entire government – including state and local shortage — would be solved. A program twice the size would resolve all our government’s cybersecurity cyber personnel issues in four years.
Keeping in mind that the tens of billions we are already spending on government cybersecurity is being undermined by the lack of trained personnel, this is a modest and very cost-effective step. Moreover, when these students get out, they would be paid at normal GS levels – not the vastly inflated process government is currently paying as they try to keep up with industry (which frankly they can never do successfully) – and government would have a permanent supply of adequately trained people at modest cost, while also re-couping some of their investment through lower salaries.
ADVANTAGE FOUR: THE ACADEMY ADDRESSES OUR CYBERSECURITY ISSUE AT ITS PROPER SCALE
The data shows us clearly that the current piecemeal system of acquiring sufficient cyber personnel is not working. We need a dramatic increase in trained personnel, and we need them fast. One might wonder if it’s feasible to recruit thousands of students into these programs. As a point of reference, last year there were 41,000 applicants to the five current service academies and only about 4,000 received appointments. So, just from that population there are about 38,000 students interested in national service and while they all probably wouldn’t want the cyber service academy presumably many might be interested – and that population alone is 4x the size we would need to populate a 10,000 a year class of cyber cadets to apply for the national cybersecurity academy.
In addition, there is barely a family with children between the ages of 7 and 17 in our country that is not apoplectic over how to send their child – or heaven knows multiple children – to college because of the cost. The prospect of enabling a child to go to college free of charge would no doubt motivate parents all across the country to encourage their young children to look into this cybersecurity field.
But could we actually motivate the required number of students? The students are apoplectic too. They are fully aware that in the 21st century a college degree is the union card to a middle-class lifestyle. And they also know paying for college with loans generally means they will be paying for college almost until they retire.
In addition, there are millions of young people immersed in computer games and e-sports. The stars of the e-sports teams could be recruited to urge applying for the academy in a targeted marketing plan.
The bottom line is that creating a national, virtual cybersecurity academy is immensely “do-able” and would solve one of our most fundamental cybersecurity challenges in a comparatively short amount of time at a very affordable price which would generate substantial return on investment.
The biggest challenge is just committing to do it.
Next: Even more reasons for creating a national cybersecurity academy.