The Biden administration has already hosted expansive summits on ransomware and open-source software security. Now it’s taking a similar approach in an attempt to tackle problems in the cybersecurity workforce.
On Tuesday, the White House will bring experts, private sector companies and federal agencies together to brainstorm around one of the most pressing challenges in cybersecurity: people or, more accurately, the lack of them.
The meeting will be led by National Cyber Director Chris Inglis and includes leadership from the Departments of Homeland Security, Commerce and Labor, as well as Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency; Anne Neuberger, White House deputy national security advisor for cyber and emerging technology; Susan Rice, director of the Domestic Policy Council; and James Kvaal, undersecretary of education.
While the total number varies depending on the source, most estimates peg the shortage of qualified cybersecurity workers in the hundreds of thousands. CyberSeek, a non-profit organization backed by the National Institute for Cybersecurity Education that maps job openings, currently flags more than 714,000 open or unfilled cybersecurity positions around the country. It’s a problem that impacts both governments and businesses alike and is happening as both sectors are attempting to coalesce around ambitious long-term plans to increase the resiliency of systems and data against nation-state and criminal hackers alike.
“With approximately 700,000 cybersecurity positions open, America faces a national security challenge that must be tackled aggressive. During the summit, participants will help chart a path toward a more secure future in which all Americans have the opportunity to raise the bar on cybersecurity through greater awareness, education, and training,” the White House said in the announcement. “The summit will also serve as a call to action — to ensure that all Americans can capitalize on the benefits of the digital domain and to ensure that our nation carries through on the positive opportunities ahead of us.”
They will be joined by executives from the private sector and experts from academia and the cyber community, though the White House says more announcements on that front are forthcoming. Thus far, SC Media has confirmed that Barbara Massa, executive vice president of business operations at Mandiant, will be in attendance, as will Heather Adkins, vice president of security engineering at Google. A Microsoft spokesperson declined to comment and directed SC Media to the White House.
The summit will focus on three core challenges that have kept the supply of cybersecurity talent from keeping up with demand. One is finding a way to better utilize trade schools, apprenticeships, community colleges and other non-traditional educational institutions to create new skill-based pathways into a cybersecurity career. Another will look at tapping into underserved and diverse communities, including women and people of color, who have long been underrepresented in the field and industry leaders are working to make the field more welcoming to other backgrounds.
Finally, the meeting will look at how to invest wisely in educational initiatives to ensure American workers are trained to succeed and stay secure in a digital economy, regardless of whether they work directly in cybersecurity or other fields. While more cyber practitioners are badly needed, a massive part of any organization’s attack surface comes from the actions and decisions of their non-cyber employees, who can often upend millions of dollars in security spending by clicking on a malicious link.
As Inglis put it earlier this year when discussing the need for fundamental skills up and down the workforce: “We don't necessarily need to make [everyone] a python programmer — but that we make them cyber aware."
Boosting the national cyber workforce has been a long-held goal for the Biden administration as well as its predecessor, the Trump administration. There are few, if any, straightforward solutions to the problem, at least in the short-term. More and more of our national infrastructure is being put under the control or direction of potentially vulnerable software, or connected to the internet, where it's within reach for state-backed or criminal hacking groups. But the often highly technical work needed to secure those systems is being carried out by an increasingly smaller proportion of the workforce.
There is no easy method to quickly teach or acclimate new workers the fundamentals of cybersecurity or the IT and networking principles that underpin them. That means that even as companies and agencies are desperate to fill open roles, they’re often not willing to put the security of their organization or its customers in the hands of a novice.
Some have questioned whether untrained or undertrained cybersecurity workers would ultimately be a net boon or drag on companies remains an active debate.
Jake Williams, a former hacker at the National Security Agency and current executive director of threat intelligence at Scythe, has argued that putting untrained or lightly trained cybersecurity workers on the job is irresponsible and wouldn’t be accepted in other fields where safety and competence are considered core priorities.
"Your airline pilot started in a single engine Cessna. Nobody called it gatekeeping. And before that, they learned lots of ‘mostly irrelevant’ facts in ground training,” Williams remarked last week on Twitter. “Cyber is one of the only fields where we pretend that skipping the basics is okay to put butts in seats.”
In an email, Williams told SC Media he thinks the government and military actually do a very good job of recruiting and training cyber employees but "for the commercial workforce, the situation is a bit more bleak." That's in part due to what Williams, who is also a senior instructor in digital forensics at the SANS Institute, characterized as the poor state of many commercial cybersecurity training programs that churn out degrees without ensuring that graduates are being properly schooled on the fundamentals of IT security that they require before they can be trusted with protecting an organization's sensitive data.
"Those trying to break into the cybersecurity field, often lament that employers need to 'be realistic about skills' and 'take a chance on someone with passion to learn.' The unfortunate reality is that [small and medium-sized businesses], many of which are making their first security hire, simply cannot afford to hire people without a broader cross section of security knowledge and/or experience. This leaves a disconnect between expectations and reality for many cybersecurity bootcamp graduates.
Others have called for the country to respond with a mass mobilization effort to train a generation of cybersecurity workers and put them in a position to gain experience as they work. James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies, said last month that the U.S. is not “serious” about solving the cyber workforce shortage and won’t get anywhere near closing the gap by relying on slower, more traditional means of education or training.
He drew a comparison to efforts by the U.S. military during World War II to train an entire generation of pilots to compete with Germany, Japan and others for dominance of the skies. There is no initiative on the part of policymakers to do something similar with cybersecurity, while shortages and competition with the private sector for qualified workers only continues to grow.
“You need to create a pipeline, you need to put untrained bodies at the front, and you need to have pilots come out the other end, and you need to do that at scale and we’re not doing that,” Lewis said.