The White House recently issued an Executive Order on America’s Cybersecurity Workforce in an effort to put a renewed focus on the federal government’s deficit of some 300,000 cybersecurity practitioners.
The EO directs federal agencies, including the Department of Homeland Security, the Department of Defense, the White House Office of Science and Technology, the Office of Management and Budget, the Department of Commerce and others, to bolster both the size and skill of the workforce through a series of initiatives that include:
- The creation of a Federal Cybersecurity Rotational Program that allows federal cybersecurity workers to serve in a series of temporary assignments within different federal agencies.
- The further development of aptitude assessments that can be used to identify employees who exhibit IT skills and encourage them to apply for IT and cybersecurity positions. This would build on the current Federal Cyber Reskilling Academy.
- The creation of the President’s Cup Cybersecurity Competition to identify and reward federal and military cybersecurity employees who excel in particular areas of need.
- The creation of a National Cybersecurity Workforce Consultative Process that will lean on experts from both the public and private sectors to make assessments of the overall federal cybersecurity workforce and then provide recommendations on how to strengthen it.
- Continued work with the National Initiative for Cybersecurity Education to support its ongoing workforce development training.
The Cipher Brief tapped a range of cyber experts with both public and private sector cyber experience to offer their thoughts on what the EO gets right and what more needs to be done.
Tom Bossert, Former Homeland Security Advisor to President Trump
"I commend the President and his team for laying out a plan to expand and improve our Executive Branch’s cyber workforce. It has parts that mirror the National Security Professional Development Executive Order that I drafted under President George W. Bush and parts that streamline recruitment. Both are critical. Implementation will be the key."
Stewart Baker, Former General Counsel, National Security Agency
"This is a surprisingly good set of ideas, and I’m not grading on a curve for the Trump administration. It would have been a surprisingly good set of ideas for the Obama administration. It starts from the core insight that cybersecurity is not a credentials business. It’s a field that has always rewarded self-starters, autodidacts, and talent rather than postgraduate degrees. If so, the way to find talent is to test for it, hold contests, and give people a chance to show what they can do. That’s the heart of the order, and it makes sense."
"I don’t see anything novel by way of private sector engagement," says Baker. "The private sector needs less help because it has the funds to hire away a good deal of the cybersecurity talent that the federal government discovers and trains."
Joel Brenner, Senior Research Fellow at the Massachusetts Institute of Technology, says "There are two useful and well understood propositions to keep in mind when thinking about cyber workforce training, which are:
- The U.S. does not have enough skilled cyber defense operatives, while the Chinese are turning them out at a rapid rate (in part simply because there are so many more Chinese people than Americans). This is the challenge at the national, not merely the federal level. The E.O. understands and addresses this challenge in section 3. Commissioning a report on gaps in private sector skills in critical infrastructure is a good idea. Let’s wait to see the follow-on. As for a President’s Cup competition, I’m not impressed. What would have to happen to make the follow-on stronger? Money in the form of grants and scholarships for high-level training. If one wants to move the needle, one puts money on the table.
- Skill levels within the federal government are extremely uneven. Section 2 of the E.O. is strong and clear on this point. Its emphasis on what the military calls joint service – that is, spending time on a qualified assignment in another branch of the military, or in this case, another government agency through rotational assignments – is excellent and should be applauded. The plan to standardize training and vocabulary is similarly to be welcomed."
"There is also a third proposition that is not well understood and that the E.O. does not address, to wit: The need for cyber operators is not merely at the journeyman level but is chiefly at the cyber warrior level – that is, the NSA level. DHS, which the E.O. places at the pinnacle of expertise, has nowhere near the capacity or know-how of NSA when it comes to cyber defense (though among non-Defense and non-Intelligence agencies it is probably the best)."
"There are two reasons for that," according to Brenner. "First, the U.S. doesn’t have enough talent at that level to duplicate NSA’s expertise within DHS. Second, the way we develop the best cyber defenders is by converting cyber offensive specialists to the defense. This is a new version of the old story: If you want to keep your bank secure, engage a bank robber to advise you. That is largely why NSA reorganized to eliminate the division between offense and defense; it now integrates them better. But of course DHS has no offensive mission. That means the pool of offensive warriors from which to draw for the defense is very small, consisting of NSA’s workforce, former NSA types who are now making much more money in the private sector, and cyber criminals. The E.O. does not address this deep problem, and I’m not sure it could."
Randy V. Sabett, Special Counsel of the Cyber/Data/Privacy practice at Cooley, LLP says "Overall, President Trump's EO from Thursday, May 2, contains a number of very promising elements. On balance, I think it clearly identifies a skilled cyber workforce “as a goal and priority for resources” and the EO has the potential to strengthen gaps in the current cybersecurity workforce. From a broad brushstroke perspective, I think the components likely to be most useful involve one (or both) of two characteristics: (a) financial benefit for the individual and (b) cross functional and practical training. From an individual perspective, cyber workforce concerns often arise from the inability of government or private sector to maintain a stable base of employees."
"Demand is much greater than supply, so cyber professionals are very mobile. The components of the EO around a cyber rotational assignment program; providing bonuses, advancements, and meritorious recognition for service members who win the annual cybersecurity competition; and elevation of the cyber learning environment are all intended to lead to individual growth in their cyber careers. This will translate directly to financial gain for those individuals, establishing an incentive for others to follow and should result in an improved cyber workforce."
"From a cross functional and practical training perspective," says Sabett, "cybersecurity (more so than many other disciplines) requires the gaining of knowledge and skills from more than just book knowledge of the topic. Many, if not most, successful cybersecurity efforts are led by people who developed skills by being “in the trenches” or “on the front lines”, as those phrases often get used to describe cyber experience. Efforts such as the cyber rotational assignment program, the usage (and flow down to the private sector) of the NICE Framework, and the annual cybersecurity competition will all lead to opportunities for cyber professionals to gain real cyber world cyber skills that can be applied to real world problems. Each of these will necessarily involve practical, “on-the-job” style training that is a necessary supplement to traditional classroom education in the cybersecurity area."