The latest official plan to follow the National Cybersecurity Strategy represents an unusual mix of the highly general and the very specific in its provisions.
The White House releases the US National Cyber Workforce and Education Strategy.
As expected, the White House, through the Office of the National Cyber Director, released the National Cyber Workforce and Education Strategy early this morning. The plan builds on the National Cybersecurity Strategy, released on March 1st of this year. It's an ambitious, "whole-of-nation" effort. A number of agencies have been given specific roles and missions, and the strategy includes a long and heterogeneous list of private-sector partners.
"Unleashing America’s cyber talent."
The strategy isn't confined to educating Americans for jobs in the cybersecurity workforce. One of its objectives is to raise cybersecurity awareness and basic skills among the population at large. The motivation for this aspect of the strategy is the pervasiveness of activities in cyberspace in commerce and other aspects of daily life. The document "charts a course for preparing Americans for today’s jobs and enable everyone to participate fully in our interconnected society." The strategy, especially as outlined in the accompanying factsheet, represents a mix of the genuinely strategic--large-scale, enduring objectives, with a general approach to achieving them--and the highly specific, low-level tactical work particular agencies will undertake to support the strategy.
"Guiding imperatives" for workforce development and cyber education.
The strategy outlines three "guiding imperatives." The factsheet that accompanied the release of the Strategy listed them:
- "Leverage adaptable ecosystems to effect change at scale: The NCWES represents a whole-of-nation effort to spark, support, and scale local ecosystems for cyber education and workforce development."
- "Enable the lifelong development of cyber skills: All Americans should be equipped with foundational cyber skills that are needed to navigate daily life. Those in every sector of the workforce should be prepared with industry-specific or occupation-specific cyber skills. Further, people who are in the cyber workforce should be equipped with specialized cyber skills that will change over the course of their careers."
- "Grow and enhance the cyber workforce through improving its diversity and inclusion: A diverse workforce is a key strategic advantage. It increases the pool of eligible workers and which provides novel ways to solve problems and develop innovative solutions to our most complex challenges. The NCWES charts a course for providing all Americans with access to the good-paying jobs of the future."
Four "pillars" will sustain work to achieve those imperatives:
- "Equip Every American with Foundational Cyber Skills – enable everyone to enjoy the full benefits of our interconnected society,"
- "Transform Cyber Education – address the immediate demand for a skilled cyber workforce while also preparing learners to meet the future needs of a dynamic technological environment,"
- "Expand and Enhance the National Cyber Workforce – collaborate with a wide range of stakeholders, adopt a skills-based approach to recruitment and development, and increase access to cyber jobs for all Americans, including underserved and underrepresented groups," and, finally,
- "Strengthen the Federal Cyber Workforce – communicate the benefits of careers in public service amongst both job seekers and current employees and lower the barriers associated with hiring and onboarding."
Federal agency roles and missions in the National Cyber Workforce and Education Strategy.
Nine Federal agencies were assigned specific tasks under the strategy. These for the most part represent taskings as opposed to general ongoing missions:
- The National Science Foundation (NSF) will invest more than $24 million in CyberCorps®: Scholarships for Service over the next four years. The awards will go to the University of Alabama at Birmingham, California State University Sacramento, the University of Tennessee Chattanooga, Tuskegee University, the State University of New York at Buffalo, Mississippi State University, and Idaho State University.
- The National Security Agency (NSA), through its National Center of Academic Excellence in Cybersecurity (NCAE-C), will issue four grants to develop four new Cyber Clinics at accredited U.S. colleges and universities in Nevada, Minnesota, Louisiana and Virginia. These clinics will serve as pilots, and will also, the White House says, "support communities and small governments that would otherwise not have access to cyber risk assessment and planning assistance and provide an opportunity for over 200 students to develop competencies while in a supervised learning environment." NSA also assumed a goal of increasing the number of NCAE-C-designated institutions to four hundred sixty by the end of 2024, and of increasing the number of its GenCyber summer camps to at least one hundred.
- The Office of the National Cyber Director (ONCD) will actively pursue greater diversity in its internships, seeking out members of underrepresented communities "such as women, people of color, and people with disabilities."
- The National Institute of Standards and Technology (NIST) "will award up to $3,600,000 for Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects."
- The Department of Labor (DOL) has already announced "a $65 million award in formula and competitive grants to 45 states and territories to develop and scale registered apprenticeship programs in cybersecurity and other critical sectors."
- The Office of Personnel Management (OPM) will host a second Tech to Gov Job Fair by the second quarter of FY 2024. It will also conduct an occupational study of Federal positions in "software development, software engineering, data science, and data management."
- The Department of Veterans Affairs (VA) has announced a Cybersecurity Apprenticeship Program for veterans.
- The Cybersecurity and Infrastructure Security Agency (CISA) will continue to lead Cybersecurity Awareness Month, with special emphasis on encouraging workforce diversity.
- Finally, the Department of Housing and Urban Development (HUD) will cooperate with the Partnership for Public Service "to increase early career talent pipeline and recruitment effort." HUD has committed to at least fifty placements next year.
Private-sector partners in the National Cyber Workforce and Education Strategy.
The private-sector partners named by the White House represent thirty-three for-profit companies, not-for-profit organizations, and educational institutions. These partners have all committed to specific initiatives, either new undertakings or continuations of existing programs that will advance the Strategy's goals. Many of those initiatives are designed to promote opportunities for specific communities, some widely distributed, others locally circumscribed. The organizations listed include craig newmark philanthropies, Women in CyberSecurity (WiCyS), Cybersafe Foundation, the SANS Institute, the Cyber Readiness Institute (CRI) and the Center on Cyber and Technology Innovation (CCTI), Girl Security, Trellix, the Society for Human Resource Management (SHRM), Omidyar Network, NPower, Task Force Movement (TFM), Check Point Software Technologies, Black Tech Street, MassBay Community College, Accenture & Immersive Labs, the National Cybersecurity Alliance (NCA), the Aspen Institute’s Cybersecurity Program, American University, Dakota State University (DSU), the Information Technology Senior Management Forum (ITSMF), Mastercard, iKeepSafe, Lightcast, Google, CrowdStrike, Microsoft, the Last Mile Education Fund, Whatcom Community College, the American Association of Community Colleges, SAP, and ConSol USA.
Implementation, and working with Congress on cyber workforce and education challenges.
The Strategy concludes with an avowal of the importance of cooperation with the Legislative Branch. "The Administration will work with Congress to prioritize cyber workforce and education activities to meet the challenges of today and tomorrow, and equip Americans with the cyber skills necessary to thrive and prosper in our increasingly interconnected society." The document is accompanied by appendices that include relevant definitions, a descriptive account of foundational cyber skill, a list of responses to a Request for Information (RFI), and extensive references in endnotes.
Further reflections on the Strategy, by representative leaders from both government and the private sector.
(Added, 2:30 PM ET, July 31st, 2023.) A panel hosted by the Atlantic Council convened early Monday afternoon, shortly after the Strategy was released. It offered a keynote address by Kemba Walden, Acting National Cyber Director, and opening remarks from Rob Shriver, Deputy Director of the U.S. Office of Personnel Management. Their brief addresses were followed by a panel discussion moderated by Safa Shahwan Edwards, Deputy Director of the Atlantic Council's Cyber Statecraft Initiative. The panelists included Dr. Diana Burley, Vice Provost for Research and Innovation and Professor at American University, Rob Duhart, Vice President, Deputy CISO at Walmart, Dr. Kathi Hiyane-Brown, President of Whatcom Community College, and Camille Stewart Gloster, Deputy National Cyber Director for Technology and Ecosystem Security.
Director Kemba Walden's keynote specified "national security" and "economic prosperity" as the Strategy's intertwined goals, and she saw DEI (diversity, equity, and inclusion) as the keys to achieving them. "Diversity," Director Walden said, is "America's super power."
OPM Deputy Director Rob Shriver suggested skills-based hiring as an important way of avoiding the stultifying effects of a false credentialism. Many good, and important, jobs in cybersecurity don't require a college degree, for example. Why should we insist on one? If skills are well-mapped to requirements, why not simply test for those skills, and remove pointless barriers from jobseekers who could well make an immediate contribution to an organization? Walmart's Rob Duhart agreed that some reflection on qualifications was warranted--traditional qualifications have tended to impede organizational access to people who in fact are capable of solid performance in a cybersecurity role. He also noted the importance of planning for reskilling and lifelong learning in a field that shifts and evolves as quickly as cybersecurity.
Closeness to the community and a willingness to serve the underserved are, Dr. Hiyane-Brown said, distinctive contributions community colleges can make to the development of cybersecurity education. Dr. Burley saw exercises as a valuable tool for teaching non-technical people the "rules of the road" in cybersecurity, and discussed the role that four-year universities can play not only in research, but in reaching the life-long learners Duhart mentioned. Institutions like hers can contribute problem-solving and critical thinking skills to those lifelong learners.
Camille Stewart Gloster reviewed some of the grants available for workforce development, and described some of the ways in which the Administration had worked to "leverage" Congressional action in its Strategy.
Industry comment on the National Cybersecurity Workforce and Education Strategy.
Eduardo Azanza, CEO and Co-founder at Veridas, gave full-throated approval to the new Strategy. "The White House’s strategy lays a solid groundwork for a safer and more innovative digital landscape. With technology constantly evolving, cybersecurity challenges are bound to change, and professionals are instrumental in maintaining the integrity of the cyber world. Specifically, as AI becomes more integrated into our daily lives, it’s essential that the workforce is equipped to navigate the complexities that come with its use," Azanza wrote. "This strategy has not come at a more critical time. As cyber threats surge and AI technologies advance at an unprecedented rate, concerns about privacy and data safety have sparked public discourse. The emphasis on cyber education and training in this initiative holds the promise of equipping companies with the knowledge and skills to effectively safeguard their data and adhere to privacy laws and guidelines – this could improve the public attitude and trust in AI, while ensuring businesses avoid potential lawsuits. The White House's forward-thinking approach to addressing the nation’s workforce will hopefully help guide the U.S. while it keeps up with the ever-evolving challenges of cybersecurity."
The Society for Human Resource Management (SHRM) wrote to say that, in support of the Strategy, they've made their human resources cybersecurity kit, HR + Cybersecurity, available without charge to HR organizations.
(Added, 10:30 PM ET, July 31st, 2023.) Industry reaction has remained broadly favorable to the Strategy. Debbie Gordon, Founder and CEO of Cloud Range, approves of the document, but would like to have seen the Strategy be a bit more tactical, especially with respect to developing training that will fill workforce gaps. "We are excited to see the Biden Administration addressing the critical cyber workforce needs," she said. "While this is a significant step forward in direction, there are some areas where 'the how' or more guidance could be beneficial."
As several of the panelists at the Atlantic Council event earlier today did, she called out the importance of competency-based as opposed to credentialed qualification. "For example, in section 2, under Transform Cyber Education, it mentions 'expand competency-based cyber education.' Expanding competency-based cyber education is only attainable by utilizing simulation-based training to overcome the age-old conundrum of you can't get experience without a job and you can't get a job without experience. The only way to do this is to incorporate experiential learning in the form of advanced simulation into cyber education programs. Too many people are coming out of universities and community colleges with degrees or certifications that they still can't get a job because they have no practical experience. Utilizing simulation based training to augment traditional cybersecurity training will enable students to be prepared to be productive on the job from day one, and will give employers the confidence that they have experienced candidates at the ready."
Sherron Burgess, VP Strategy at Cyversity, liked the way the Strategy seeks to shape an ecosystem. "The National Cyber Workforce and Education Strategy sets a direction for both workforce and education, while taking an ecosystem-focused approach. This strategy builds on previous efforts from the administration—holistically approaching the gap—engaging stakeholders across education, industry, research, etc. and spanning federal and industry workforces," Burgess wrote. "The Biden Administration’s strategy also represents an innovation in transforming cyber education, which is absolutely necessary in engaging underrepresented groups through new and existing initiatives. Finally, we commend the strong focus of the strategy on lifelong skills—and removing some of the conventional barriers to entry to cybersecurity. And, importantly, the strategy follows the newly released GAO Cybersecurity Workforce report, 'National Initiative Needs to Better Assess Its Performance' on NIST's NICE program, highlighting its strengths and the shortcomings."
And Candy Alexander, President of ISSA, approves of the Strategy's timing. "The cyber skills shortage has been an ongoing issue for more than 20 years and with the digital footprint encompassing all areas of our lives this comes at a great time. Current education does not provide hands on skills-based readiness to bring entry level and those changing careers to a real work situation. With the combination of skills needed in the industry and communities of individuals in need of skills and career paths, the National Cyber Workforce and Education Strategy couldn’t be timelier."
Alexander added that ISSA has been watching the workforce for years, and has seen scant progress. Perhaps the Strategy will change this for the better. "ISSA has long been studying the life and times of the cybersecurity professional for the past 7 years and has seen little change in the skills gap. In fact, it is widening. The Biden Administration's strategy is exactly what the industry needs and addresses what we have been advocating for: the collaboration of education institutions, government programs, corporate organizations, and the cyber association communities to build pathways to bridge the gap between pure education and employment."
(Added, 9:00 AM ET, August 1st, 2023.) Laurie Salvail, Executive Director of CYBER.ORG, wrote to describe her own organization's contribution to K-12 education in cybersecurity. "The release of the National Cyber Workforce and Education Strategy illustrates the Biden-Harris Administration’s commitment to cultivating the next generation of cybersecurity professionals needed to secure cyberspace. CYBER.ORG, in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) through the Cybersecurity Education and Training Assistance Program (CETAP) grant, is proud to provide no-cost K-12 cybersecurity curriculum to students, educators, and organizations nationwide to ensure all students have access to cybersecurity careers. This is more critical than ever as the nation faces a growing cybersecurity workforce shortage and seeks to improve diversity in the cybersecurity field. CYBER.ORG is proud to be part of the solution by empowering all students nationwide with access to cybersecurity education regardless of background through its programming, including Project REACH."
(Added, 12:00 noon ET, August 1st, 2023, with the quotation emended at 8:45 AM, August 2nd, 2023.) Bruce Byrd, general counsel of Palo Alto Networks, wrote with approval of the flexibility the Strategy seems to embody. "As the world’s cybersecurity leader, Palo Alto Networks prioritizes cybersecurity awareness and education to allow individuals of all ages and backgrounds to stay safe online. We commend the release of the National Cyber Workforce and Education Strategy and welcome the opportunity to work with the Office of the National Cyber Director to implement its vision. The Strategy recognizes the dynamic nature of cybersecurity, the need for a flexible and scalable approach to meet the workforce demands, and the importance of fostering diversity, equity, inclusion, and accessibility in the talent pipeline. Cybersecurity is for everyone."
(Added, 1:45 PM ET, August 1st, 2023.) Dr. José-Marie Griffiths, President of Dakota State University, one of the institutions mentioned as a partner in the factsheet that accompanied the release of the Strategy, commented on the essentially collaborative nature of the goals defined by the Strategy. "The National Cybersecurity Strategy published today reinforces the idea that no single entity can address the digital security issues faced in workforce and education. It truly is an ecosystem, as there is not a single pathway to solving these challenges. Addressing cybersecurity issues requires multiple institutions and organizations to work together to protect the United States and its population from harm," Dr. Griffiths wrote. "Dakota State University is leading this effort by extending beyond our traditional academic role and engaging on multiple fronts, through non-traditional educational programs and unique partnerships and research. Examples of our distinctive programs are listed in the report -- our Governors Cyber Academy, and CyberSafeSD and CyberSkills2Work programs. We’re pleased to be part of the solution as we work closely with industry and the federal government to address the cybersecurity challenges of tomorrow."
(Added, 4:45 PM ET, August 1st, 2023.) Emily Phelps, Director at Cyware, wrote, "We're encouraged to see the Biden-Harris Administration recognize and take action to address the cybersecurity skills and diversity gaps that have continued to impact organizations and individuals. Improving diversity among cybersecurity professionals will not only help increase the volume of cybersecurity experts, but diversity of perspectives and backgrounds will make the industry more effective overall." She added, "In cybersecurity, we must think about our work as the industry vs. the adversary. Improving accessibility to cyber education, diversifying the cyber workforce, bolstering cybersecurity understanding, and increasing collaborative partnerships will help establish a strong foundation to close the skills gap and support resiliency."