EXCLUSIVE Q&A – White House National Cyber Director Harry Coker, Jr. warned Sunday of a nationwide shortage in cybersecurity talent, issuing a plea for help in filling nearly 500,000 open positions in a critical field.
“The workforce is a significant challenge,” Coker told The Cipher Brief’s 2024 Threat Conference. “We have nearly 500,000 open cyber jobs and it's not because we don't have more than 500,000 talented people. We have the talent, so we can get there and we need to get there.”
Coker called for the elimination of what he called “this bogus four-year degree requirement for cybersecurity jobs,” in favor of a specific skills-based approach to hiring.
Coker, who was confirmed in December 2023 as the second National Cyber Director on the White House staff, serves as President Biden’s principal advisor on cybersecurity strategy and policy, and is responsible for determining the National Cybersecurity Strategy. He spoke Sunday with Vice Admiral Mike LeFever (Ret.), former Director of Strategic Operational Planning, at the National Counterterrorism Center, during the Cipher Brief 2024 Threat Conference at Sea Island, Georgia.
The following excerpts of the interview have been edited for length and clarity.
The Cipher Brief: Can you define your role in the federal cyber structure?
Harry Coker: My role is to be the president's principal advisor when it comes to cybersecurity strategy and policy, that's number one. And then to bring coherence to the federal cybersecurity ecosystem, that's number two. And those are vitally important. The president has plenty of advisors on cybersecurity and that's fine. Diversity of perspective is important, and that's one of the things that again makes our nation great, the diversity of perspectives and ways of doing business. But in Congress's wisdom, they recognized that we have a lot of strong players in the federal cybersecurity ecosystem, but we needed to have that coherence, bring entities together, which is a remit that we take very seriously and put the utmost importance on.
The big thing from my perspective is there may be some ambiguity and roles and responsibilities, but there is no ambiguity on what the nation needs to be doing to secure cyberspace.
The Cipher Brief: The cybersecurity strategy issued by your predecessor Chris Inglis, is now about 18 months old. How do you evaluate how it is going and the principles behind it?
Coker: Chris and the team had two major shifts in that National Cybersecurity Strategy. The first was to rebalance the responsibility for defending cyberspace from those that are least capable to those that are most capable. I said rebalance, not totally shift. We are not absolving any entity, individual or collective from their responsibility to defend cyberspace, but we are rebalancing it. Those that are least capable includes individuals, it includes our schools, our hospitals, our houses of faith. They are target-rich and cyber-poor and we want to rebalance that, not absolve responsibility.
The second big shift in that National Cybersecurity Strategy is to re-incentivize long-term investment in our nation's cybersecurity. There is merit in being first to market, but we need to look at the total cost of ownership of things, the long-term impact. So we want to invest not just to be first out there, but to be secure when we get there. That's a long-term investment that we all need to make. So those are the two big shifts in that National Cybersecurity Strategy.
The Cipher Brief: How does your office view private-public partnerships – a theme mentioned by many other federal agencies with leadership roles in cybersecurity?
Coker: The public-private partnership gets thrown around a lot and sometimes it is forgotten that the last “p” is partnership. I am heartened, having been in this job for roughly 10 months. From day one, it was clear that the federal cybersecurity team across the multiple departments and agencies realizes that we will not be successful in cybersecurity without our private sector partners. And that is totally different from when you and I grew up in uniform, way back when national defense was the area of those in uniform or civil servants. We protected the nation against these nation-state threats and the private sector developed capabilities and handed them off to us and we operated them. Cybersecurity does not allow for that approach.
The private sector is on the front line, every moment of every day taking on the same types of nation-state actors that the federal government takes on. So they are true partners and frankly, the private sector becomes aware of some of these threats before the federal government might. So that partnership is in effect out of necessity. It's been a necessity for a long time. It has not always been realized like it is right now.
So that's encouraging, and that's not to say it's perfect. Information-sharing is an area where we need to continue to improve. We need to continue to push that forward.
The U.S. government has made the conscious decision to declassify some information to make the American public and the world aware of the threats and intentions. A number of years ago that would not have happened, but the importance of information-sharing is there, and part of the shift that I see is that there's recognition that what needs to be protected are sources and methods, not necessarily the information itself.
It is a true partnership now — imperfect, but we are moving in the right direction.
The Cipher Brief: The requirements that cybersecurity demands revolve around a trained workforce. Where are we going to find the people? How do we groom the talent?
Coker: The workforce is a significant challenge. We have nearly 500,000 open cyber jobs and it's not because we don't have more than 500,000 talented people. We have the talent, so we can get there and we need to get there. The question is, will we get there and how? We're focused on a number of fronts with these 500,000 open cyber jobs. In our partnership with the Office of Personnel Management (OPM) and Office of Management and Budget and other departments and agencies, we are working towards getting rid of this bogus four-year degree requirement for cybersecurity jobs. It's a legacy bad practice that we're working to correct, and the federal government is actually leading on this one. OPM has taken on the huge lift of going towards a skills-based approach to hiring.
We actually kicked off a campaign with our partners in Service for America, and I mentioned that because the name says it all. Oftentimes, individuals working in cybersecurity or those who are considering it don't realize that jobs in cybersecurity really are serving this nation.
The Cipher Brief: How do you view the global threat landscape in terms of cybersecurity?
Coker: It's complex, it's interconnected, and it's competitive. That's the top level, and those words are obvious. The threats we laid out involve five disturbing trends.
The first one involves the increasing attacks on America's critical infrastructure. Cyberattacks on critical infrastructure are not for espionage purposes, it's not for financial gain. It is to disrupt and destroy America's ability to mobilize in case of crisis and/or conflict. So in this competition phase that we're in — and we want to stay in competition, as opposed to crisis and conflict — we need to manage it so that we don't go into crisis and into conflict but cannot lose sight of the fact that critical infrastructure is under steady attack.
The second disturbing trend in the threat landscape is cybercrime – in particular, ransomware, which doubled last year. That impacts all of us as individuals, and collectively. It hits our loved ones. We need to continue to work together to minimize that, but that has been going in the wrong direction.
The third disturbing trend on this threat landscape was the increasingly complex supply chain. It's a tough area, and I had the opportunity a few weeks ago to talk to the National Governors Association CISOs, the day after there was a supply chain challenge in the Middle East.
Although that was kinetic-based, I was able to analogize that to the CISOs, on what it could look like in cyberspace. That got their attention. So that complex supply chain is a challenge for us.
The fourth disturbing trend was increasing availability of commercial spyware. Again, that used to be the domain of the intelligence community. Now individuals can have their own spyware and do as they please. That's a challenge area that we need to mobilize around.
The fifth area disturbing trend is artificial intelligence. I agree that there are great opportunities in artificial intelligence, but this is, I believe, the first technology of that power that can be in the hands of individuals. We just need to continue to work with our partners around the globe on how to harness it for the positive aspects and how to mitigate the risk of the more challenging aspects.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
