Table of Contents
- Key Points
- Summary and Introduction
- Section One: What are Cybersecurity Jobs?
- Section Two: How Do We Teach Cybersecurity?
- Section Three: How is Competence Measured and Communicated?
- Section Four: What is the Role of Government in Cyber Workforce Development?
- Conclusions
- Appendix: Unanswered Questions in Cybersecurity Workforce Empirics
Summary and Introduction
This report unpacks the many issues and questions that collectively make up “the cybersecurity workforce development challenge” in the United States. Our aim is to inform the discussion, make the case that the challenge warrants policy intervention, and highlight areas ripe for further research. We argue that filling cybersecurity jobs is critical for improving U.S. cybersecurity, but that no single action, effort, or theory will address the pervasive difficulties of filling cybersecurity jobs. Instead, lasting solutions will require a network of connected policies and community-wide efforts. Accordingly, the goal of the report is to expand the range of policy options available rather than to advocate for any one solution. However, the discussion does consider the relative merits of different policies and endorses those that offer particular promise.
Introduction
On March 7, 2017, a group of open-source designers called the Apache Software Foundation released an update fixing a dangerous flaw in Struts, one of their widely-used products. Within 24 hours, servers that had not yet been updated were already under attack.1 As far as security updates go, this was a tricky one. Experts warned that “patching the security hole was labor-intensive and difficult” because Struts was so frequently and deeply integrated into websites.2
On March 9, credit reporting agency Equifax disseminated the official notification of the vulnerability to its internal teams, triggering the company’s policy of required patching within 48 hours.3 The patch was not installed. Equifax’s systems—and the deeply sensitive data they held—were left vulnerable. On September 7, Equifax announced that it had been the victim of one of the internet’s largest data breaches, exposing personal information on roughly half of the U.S. population.4 Over the next two weeks, the company’s stock plummeted.5 Three weeks after the breach, the company’s CEO resigned.6
Certainly, there was a mix of worrisome factors at play throughout this situation. Among those factors, the Equifax breach shows the critical importance of maintaining a cybersecurity team ready to tackle whatever the internet can throw at an organization’s systems. Currently, U.S. cybersecurity jobs are sitting unfilled by the hundreds of thousands. That is a lot of breaches—and worse—waiting to happen.
At industry conferences and in the halls of government, discussions on cybersecurity workforce development are increasingly prominent. However, stakeholders across the cybersecurity community tend to see “workforce development” not as a single problem to address, but rather as shorthand for a broad range of issues and subtopics, which makes it especially difficult to evaluate and mitigate the root causes of the preponderance of unfilled cybersecurity jobs.
Lasting solutions will require a network of connected policies and community-wide efforts.
In many spheres, and perhaps reflecting the more conventional narrative, the overwhelming number of unfilled jobs in cybersecurity is seen as a function of simply not having enough people in the education pipeline. Under this model, policy solutions include programs encouraging more middle school students—and especially girls—to pursue studies in science, technology, engineering, and mathematics (STEM); expanding computer science programs at four-year universities; and funding initiatives like CyberCorps7 that are designed to attract students to cybersecurity and government service.
An alternative school of thought argues that the underlying cause of the seemingly unfillable jobs is not an inadequate supply of talent in the labor market, but rather that the cybersecurity community lacks effective mechanisms to match job seekers with job providers. Possible policy solutions under this second model hinge on better alignment between education and industry and include exploring new ways to measure and communicate workers’ competence, greater educational focus on applied skills, and building opportunities for collaboration between educators and employers.
A third set of opinions holds that the constrained hiring environment incentivizes industry leaders to develop their own solutions to fill jobs or reduce the number of employees needed to meet critical functions. For example, increased use of managed service providers could allow employers to outsource their cybersecurity functions to specialized companies that can protect systems and resolve problems more efficiently—and with fewer workers—than each client company could on their own. Meanwhile, technological advancements may reduce the number of employees needed for certain functions like monitoring security logs. According to this logic, the constrained hiring environment itself could drive efficiency and innovation.
For better or worse, all three schools of thought are correct. With the estimated global shortfall of cybersecurity workers close to 3 million,8 the scale of the problem is great enough that there are plenty of root causes for each narrative to be accurate in its diagnosis. Beyond simply the size of the workforce, its demographic composition raises serious red flags. Women make up only 24 percent9 of the cybersecurity workforce, and people of color continue to be markedly underrepresented at senior levels,10 suggesting serious lost opportunities for the cybersecurity industry. Given the need to diversify, expand, and realign, no single approach can address the various problems and incongruities that cause the unfilled jobs. The cybersecurity community needs solutions from a multitude of schools of thought, each of which can ameliorate some part of the larger issue.
Diversity in Cybersecurity
Lack of diversity is a particularly weighty topic when it comes to cybersecurity workforce development. New America runs a project dedicated to this issue called Humans of Cybersecurity, which we encourage readers to visit at newamerica.org/cybersecurity-initiative/humans-of-cybersecurity. However important, gender and racial diversity in the workforce is not explicitly discussed at length in this report. The topic warrants a report unto itself.
Increasing diversity in the cybersecurity workforce is a fundamental and cross-cutting goal in all aspects of cybersecurity workforce development. Accepting that conventional hiring practices and educational pathways have led the community to its current homogeneous state, we conclude that creating alternative educational opportunities and entry points into the field serves to incorporate greater diversity, particularly when carried out in conjunction with efforts specifically targeted at increasing diversity in the workforce. Current talent pools—largely university computer science and engineering programs and the existing cybersecurity workforce—are overwhelmingly white and male. By finding different pools of talent and means for drawing them into the cybersecurity workforce, the community can not only grow more rapidly, but can also incorporate a broader demographic range (not to mention a broader range of work experience and neurodiversity). By seeking alternative pathways to cybersecurity education, this report endeavors to serve both ends, making the workforce not only larger, but also stronger.
Herein lies the challenge of U.S. cybersecurity workforce development: There is no single underlying problem, but rather an interconnected and multifaceted array of issues that ties together K-12 education, diversity and inclusion, higher education, industry certifications and competencies, military and intelligence recruitment, apprenticeship and work-based learning, veterans’ employment, federal hiring practices, and much more. There are substantial and complex discussions to be explored in each and every one of these areas. The “cybersecurity workforce development conversation” is really a network of conversations. There is no one policy change that will resolve the issue. Solutions must rely on input from stakeholders across the whole economy, and will involve interconnected efforts across the entirety of the cybersecurity ecosystem.
Virtually the entire global economy has a stake in building a stronger cybersecurity workforce. Why then should policymakers make it their job to address this issue particularly? Amidst competing priorities and limited resources, what sets the cybersecurity workforce apart as a policy issue? The answer lies in national security and economic stability. Because different states, cultures, and government structures have different expectations and means for providing security and stability, the answer will vary across national contexts. This report focuses on the United States; however, many lessons will translate to other contexts, and there is much the United States can learn by observing other governments.
There is no doubt that many cybersecurity roles are intended to “provide for the common defence,”11 though it is true that the national security implications of cybersecurity work vary across roles inside and outside of government. There is no official count of the number of cybersecurity workers employed by the federal government,12 much less by state and local governments. However, it is clear that the government is naturally positioned as a major consumer of cybersecurity talent because it must field the workers needed to serve not just the military and the intelligence community, but also the individual information security needs of each of the federal departments and of state and local governments. Strong national security relies on a ready supply of cybersecurity talent to fulfill missions like securing command and control systems in the military’s theaters of operations, monitoring communication networks for violent extremism, protecting our democratic institutions, informing a robust conversation on internet security and privacy, and securing citizens’ sensitive data.
A strong cybersecurity workforce is also critical to economic stability. Economic growth and innovation depend on fundamentals like secure financial transactions and reliable intellectual property rights. Banks must ensure they can safely hold and move financial assets, and inventors must protect their new designs to reap economic returns on their work. Data breaches and other cyberattacks are driving up the costs of doing business in an interconnected world. In a report examining possible economic futures, researchers outlined the problem rather starkly, saying that “annual cybersecurity costs in high-income economies like the U.S. have already begun to outweigh the annual economic benefits arising from global connectivity.”13 Future economic prosperity depends on curbing the growing costs of cybersecurity, which in turn depends on having the workforce needed to prevent costly attacks. Because of the exigency of both the economic and the national security cases for a strong cybersecurity workforce, developing that workforce is more than just an industry-wide challenge; it is grounds for policy intervention.
Developing the cybersecurity workforce is more than just an industry-wide challenge; it is grounds for policy intervention.
This report will explore critical questions in designing policy to enable and incentivize changes to spur growth in the cybersecurity workforce.
- What are cybersecurity jobs? Section One outlines different taxonomies and frameworks for understanding the diverse work lumped into the category of “cybersecurity.” It also describes patterns in cybersecurity hiring and considers whether these patterns are effective for workforce development.
- How do we teach cybersecurity? Section Two will detail challenges in teaching cybersecurity in a conventional classroom environment and explore alternatives that may help address those challenges.
- How do we measure and communicate competence in cybersecurity hiring? Section Three explores this question.
- What is the role of government in cybersecurity workforce development? Section Four explores the U.S. government’s obligation to build the cybersecurity workforce.
Finally, the report will conclude by outlining opportunities for further research.
This report presents a range of views on the topics above in order to best illustrate the state of these critical and complex debates. While there are no easy answers, some options are certainly better than others, and this report does take positions on which are the best options.
Citations
- “Experts Urge Rapid Patching of ‘Struts’ Bug,” Krebs on Security, August 23, 2018, source.
- Dan Goodin, “Failure to patch two-month-old bug led to massive Equifax breach,” Ars Technica, September 13, 2017, source.
- Prepared Testimony of Richard F. Smith before the Committee on Energy and Commerce, Subcommittee on Digital Commerce and Consumer Protection, House of Representatives, 115th Cong. (2017), source.
- Alfred Ng, “Equifax CEO steps down in wake of massive data breach,” CNET, September 26, 2017, source.
- Ken Kam, “After Falling 33%, Equifax Is Still Overvalued,” Forbes, September 21, 2017, source.
- Alfred Ng, “Equifax CEO steps down in wake of massive data breach,” CNET, September 26, 2017, source.
- CyberCorps is a Scholarship for Service program. Students receive government grants to fund bachelor’s or postgraduate studies in cybersecurity, and then are expected to fill a government cybersecurity job for a defined period of time. For more information, see source.
- (ISC)2 Cybersecurity Workforce Study, 2018: Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens, (ISC)2, 2018, source.
- (ISC)2 Cybersecurity Workforce Study, 2018: Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens, (ISC)2, 2018, source.
- Jason Reed and Jonathan Acosta-Rubio, Innovation Through Inclusion: The Multicultural Cybersecurity Workforce, Center for Cyber Safety and Education, (ISC)2, International Consortium of Minority Cybersecurity Professionals, and Frost and Sullivan, March 2018, 7, source.
- U.S. Const., art. 1 § 8. source.
- Though work on this is underway. See: Mark D. Reinhold, “Requirements of the Federal Cybersecurity Workforce Assessment Act,” (official memorandum, Washington, D.C.: United States Office of Personnel Management), source.
- Risk Nexus: Overcome by Cyber Risk? Economic benefits and costs of alternate cyber futures, Atlantic Council, Zurich Insurance Group, and the Pardee Center on International Futures, September 10, 2015, 4, source.