Section Four: What is the Role of Government in Cyber Workforce Development?

This section explores three aspects of governments’ role in cybersecurity workforce development:

1. The extent to which addressing the workforce shortage is the responsibility of the U.S. government,
2. The policy options available to the U.S. government, and
3. The lessons that the U.S. can take from cybersecurity workforce development abroad.

Finally, it will look at the responsibility of the larger cybersecurity ecosystem to consider how other stakeholders can and should engage with government efforts.

The U.S. government has a unique responsibility for enabling and incentivizing growth in the cybersecurity workforce because an inadequate workforce exposes the nation to serious consequences for economic and national security.

There are policy tools available to the U.S. government that could help drive the development of the cybersecurity workforce, but how these tools are implementable on a practical level depends heavily on how stakeholders in the U.S. cybersecurity community interpret the government’s role—and obligation—to invest in the cybersecurity workforce. On one end of the spectrum of opinions are proponents for a heavily market-driven solution.

Researchers at the RAND Corporation determined in a 2014 report that “the difficulty in finding qualified cybersecurity candidates is likely to solve itself, as the supply of cyber professionals currently in the educational pipeline increases, and the market reaches a stable, long-run equilibrium… It is unlikely that major new initiatives are needed to help the market stabilize in the long run.”¹ This perspective assumes that the financial incentives to provide strong cybersecurity are sufficient to drive improvement in the hiring market over time.

The challenge with this fundamentally laissez faire approach to cybersecurity workforce development is that the costs of flawed or inadequate cybersecurity practices—failures indirectly driven by unfilled cybersecurity positions—continue to stack up while the market meanders towards presumably more efficient workforce development systems. Estimations of global losses to cybercrime range from $600 billion² per year to some $6 trillion per year by 2021.³

The costs of bad cybersecurity extend beyond dollar figures. The U.S. government is obligated to protect the nation, but government is not solely responsible for providing for national cybersecurity. The discussion below also describes the role that other stakeholders play. Nonetheless, the expectations for government in cybersecurity are different because of its fundamental mandate to protect critical national interests. To give a prominent example, providing for secure and fair elections is largely dependent on ensuring that all actors across companies, state and local governments, and other institutions have the resources and capacity needed to protect their own networks, which is predicated on having knowledgeable experts on staff (or at least on call). To borrow a quote from former Homeland Security Secretary Jeh Johnson, “the American people have a right to know from our leaders: What are you doing about it?”⁴ Because the U.S. government holds an outsized responsibility for driving better cybersecurity, it also owns a large share of the responsibility (and practical necessity) to build the workforce that will provide that cybersecurity.

The costs of flawed or inadequate cybersecurity practices continue to stack up while the market meanders towards presumably more efficient workforce development systems.

Unsurprisingly in the face of rising costs of cybersecurity failures—financial and otherwise—many stakeholders argue that a more proactive stance in cybersecurity workforce development is warranted. But even here, there is a diversity of opinion on where the onus for intervention sits within the cybersecurity ecosystem. For example, the Business-Higher Education Forum makes a business case for investments from across the community that incentivize collaborative efforts of businesses and academic institutions.⁵ Others—this author included—have argued that an inadequate cybersecurity workforce is a national security liability,⁶ and therefore the U.S. government is obligated more than other stakeholders to support community-wide workforce development efforts as part of its responsibility to provide for the national defense. While experts can debate where the U.S. government’s responsibility falls on the spectrum from market-driven solutions to extensive federal investment, current and growing threats to U.S. interests clearly warrant some degree of involvement.

Policymakers—at a variety of levels of government—can fund the development of research and programs, set their own spending priorities to support particular pathways, facilitate and incentivize opportunities for collaboration among stakeholders, and lead by their own example. This is not an exhaustive list; many more options exist.

While the U.S. government holds a share of the responsibility for building a more robust national cybersecurity workforce, public policy is only one of the drivers of change in the workforce. Government cannot simply will (or legislate, regulate, or fund) a stronger workforce into existence. Government can, however, can set spending priorities, support development of certain pathways through their own workforce, and incentivize collaboration between stakeholders, all of which have the potential to contribute to overall progress.

In practice, these sorts of policy options can take several forms. To take one category of potential policy levers—setting spending priorities—federal, state, and local governments have a number of tools at their disposal. One would be to fund research. This could take place on several levels.

Government cannot simply will (or legislate, regulate, or fund) a stronger workforce into existence.

The first potential level of research would be to better understand the current state of the workforce and its drivers, including compiling better data and statistics for a baseline to evaluate future progress. Some examples of government funding for cybersecurity workforce development exist, but these funding opportunities more frequently tend to focus on launching specific programs,⁷ developing new teaching methodologies or curriculums,⁸ or providing scholarships for individual students⁹ rather than developing foundational research. The CyberSeek website is a good beginning, but there is much more work to be done (and funded) in order to get an adequate picture of the current workforce.

As the community learns which pathways and tools provide the best return on investment, government at all levels can drive growth in those areas. State governments in particular have room to shape these options. For example, the California Apprenticeship Initiative,¹⁰ offered through the California Community College Chancellor’s Office, gave local educators the opportunity to start development on cybersecurity apprenticeship programs.¹¹ At the federal level, a recent Department of Labor notice of funding opportunity for apprenticeship expansion is in the same spirit, albeit with significantly different requirements for program scale.¹² When crafted carefully to align with industry and education requirements and capabilities, strategic efforts to drive program development go a long way to creating alternative pathways into cybersecurity jobs.

Beyond grant writing and other forms of direct support, governments can also drive change by being strategic about spending on their own efforts. For example, when evaluating proposals for work on government contracts, agencies could give a degree of preference to proposals that hire staff trained through apprenticeships or to firms that utilize the NICE Workforce Framework. Similarly, future contracts might relax requirements for specific degrees to allow greater flexibility for innovative education and hiring pathways.

Because change in the cybersecurity ecosystem is so dependent on a wide network of stakeholders, some of policymakers’ influential options come from more indirect forms of support. Given their position and authority, government actors are often ideally placed to facilitate opportunities for collaboration among other stakeholder. For example, the National Initiative on Cybersecurity Education (NICE) supports two annual conferences¹³ designed to bring stakeholders together to discuss workforce development and educational efforts. This government support creates a rich environment for industry, academia, and the public sector to compare requirements and capabilities, and to engage a diverse community in generating and evaluating strategies for workforce growth. Similarly, platforms like the NICE Working Group¹⁴ that enable community-based resource sharing and ongoing dialogue between stakeholders are a low-cost way to indirectly support workforce growth by facilitating opportunities for collaboration. However, they are limited by the degree of engagement and support they receive from the wider community. Facilitating dialogue among stakeholders is a tool best used in conjunction with a suite of other efforts.

When crafted carefully to align with industry and education requirements and capabilities, strategic efforts to drive program development go a long way to creating alternative pathways into cybersecurity jobs.

An easily-overlooked—but remarkably powerful—tool for governments seeking to support cybersecurity workforce development is simply to lead by example. The state government of North Carolina, for example, places disabled veterans as apprentices in cybersecurity roles in their Department of Information Technology and other state agencies¹⁵ through a collaboration with the Innovative Systems Group, a contractor and apprenticeship program sponsor, and local educational institutions.¹⁶ As private sector employers evaluate the business case for implementing unconventional hiring practices, this model sets a valuable precedent. However, not all good ideas are completely novel. Government can continue to build and support offices like the National Initiative on Cybersecurity Education that have a proven track record of good work in establishing standards and building collaboration for the community of stakeholders in the field.

Policymakers can look to other governments for examples of varying solutions to the cybersecurity workforce challenge, but they must recognize that many of these solutions cannot function properly in a U.S. context without significant adaptations.

The cybersecurity workforce shortage is by no means a uniquely American phenomenon. There are some differences in the perceived causes of the shortage, but the shortage itself remains essentially the same. For example, survey respondents in Latin America and the Middle East and North Africa are more inclined to cite business conditions that do not support additional personnel as the reason for the shortage, whereas in North America and Europe, respondents were more inclined to say that qualified personnel were difficult to find. Globally, 66 percent of respondents still felt that too few information security professionals worked in their department.¹⁷

National governments have many strategies for developing their cybersecurity workforce, but a common thread is recognition that private sector engagement will play a key role bringing about future success. One difference of note, particularly in the United Kingdom and Europe, is that this public-private collaboration is often the basis for apprenticeship programs. For example, the United Kingdom’s Department of Digital, Culture, Media, and Sport (DCMS) sponsored a program that placed apprentices in cybersecurity roles across a range of employers responsible for critical national infrastructure,¹⁸ a promising program for employers who need the skills and talent pipeline, and for government policymakers looking to improve security in critical infrastructure. Especially in Germany, Austria, and Switzerland, apprenticeships across all industries are a key feature of strong national traditions in career and technical education.¹⁹ Companies based in those countries that maintain a workforce in the United States have been eager to encourage the United States to adopt similar practices.²⁰

Globally, 66 percent of respondents still felt that too few information security professionals worked in their department.

Given cybersecurity’s inclination towards on-the-job learning, importing apprenticeship models for cybersecurity in the United States is an interesting proposition, but the difference in context between the United States and Europe means that many aspects of these programs would need to be adjusted for a U.S. environment. Implementation would require major adaptations in funding sources and shifts in philosophies about how such programs might work.²¹ However, workforce development experts are willing to take on the challenge. For example, 3aaa—a U.K-based apprenticeship development company—is working with TranZed Apprenticeship Services in Baltimore, Md. to implement cybersecurity (and other) apprenticeships in the area.²² But not all efforts in this vein originate from abroad. Similar homegrown efforts have taken shape in Illinois,²³ Virginia,²⁴ and New Mexico²⁵. Further research could help illuminate how this workforce development solution, so successful internationally, can be adapted to help fill the U.S. workforce shortage in cybersecurity.

The United Kingdom and Europe are certainly not alone in presenting useful workforce development lessons in cybersecurity; other case studies have much to offer. Israel, for example, is home to a remarkably robust cybersecurity community.²⁶ Israel benefits from a combination of mandatory conscription and military expertise in cybersecurity.²⁷ The result is a steady supply of practitioners emerging from cybersecurity units that go on to establish and staff private-sector technology firms.²⁸ While this model may not be especially viable in other contexts (particularly in countries without such high levels of military participation), Israel’s focus on the military as a tool to shape its cybersecurity workforce warrants closer study. The cybersecurity workforce development systems in states like Russia, China, and North Korea are somewhat more opaque, but further open-source (and unclassified) research into these workforce training systems would very likely add significantly to the cybersecurity workforce conversation in the United States.

Whether from the private sector, higher education, the military, or any one of dozens of categories of stakeholders, there are plenty of opportunities to collaborate and invest. However, cybersecurity has particularly significant implications for national security and economic stability, which means that the U.S. government has particular incentive to initiate and coordinate such community-wide collaborations and investments. Significant workforce development efforts are not likely to succeed without buy-in from this all stakeholders; but the market alone is not likely to start these efforts before the costs of inadequate cybersecurity become intolerably high. Therein lies the central challenge—and opportunity—for policymakers in cybersecurity workforce development: initiating collaborative solutions that engage the wide array of stakeholders in cybersecurity workforce development.

Businesses and other actors across the cybersecurity community can and should recognize the benefits for their own long-term success in improving the overall state of the workforce, though it is unreasonable to expect them to act out of altruism alone to improve the alignment between cybersecurity education and jobs. Here too, policymakers can incentivize and educate to reduce friction in implementation of novel solutions.

U.S. government decision-makers have the responsibility and many of the the tools to shoulder outsized responsibility for investment in U.S. cybersecurity workforce development, but they are not alone. The cybersecurity workforce is an ecosystem with many inputs, influencers, and interlocking parts. There is no central authority, and for all its ability to influence that ecosystem, U.S. federal, state, and local governments can only incentivize, facilitate, and model improvement in cybersecurity development. The federal government cannot create that improvement on its own but must work with outside partners in the private sector, higher education, nonprofits, state and local government. That can include C-suite officers in industry, hiring managers at firms, faculty and administrators at colleges and universities, state and local workforce development agencies, parents and students, subject matter experts employed in the field and in adjacent areas of study, and many, many others. All these stakeholders have a role in driving improvements in the workforce.

Government policymakers cannot and should not expect any of these stakeholders to act outside of their perception of their own best interests. The opportunity, then, is to align incentives, lower the costs of collaboration and innovation, and educate stakeholders on the long-term collective and individual benefits of investment in the workforce. It is still incumbent on stakeholders outside of government to critically assessing their policies and ensuring they fit with cybersecurity's relatively unique realities. The rapid growth of the field and the limited existing infrastructure and resources to adapt mean that doing business in cybersecurity is different than in other industries, and prudent employers will benefit from regularly evaluating the need for agility and innovation in their cybersecurity workforce development strategy.

The scale of the challenge in cybersecurity workforce development is large enough to provide plenty of room for stakeholders to develop solutions. Regardless of who carries the responsibility of investing funding and attention into the problem, the entire cybersecurity community has an interest in improvement. Apart from the “rising tide lifts all boats” nature of investment in workforce development, the interconnectedness of the inputs and influencers in the workforce—from schools to startups to government intelligence agencies—creates an ideal (and unavoidable) opportunity for cooperation between public and private sectors.²⁹

A stronger cybersecurity workforce offers outsized benefits all stakeholders (and, conversely, outsized costs of an inadequate workforce), therefore supporting that development warrants greater-than-normal investment from all stakeholders. Employers that, in other sectors, might be able to wait for trained talent to come knocking must implement more robust training programs.³⁰ Educators who have relied on conventional systems for teaching technology fundamentals must consider means for exposing their students to more applied learning opportunities. Policymakers, for their part, can help stakeholders reach these ends by shining a light on the compelling economic benefits of collaboration and innovation and by carefully aligning stakeholder incentives wherever possible.