The Biden administration and the Office of the National Cyber Director released the workforce development component of their National Cybersecurity Strategy, casting it as the beginning of a years-long journey to systematically build up the nation's cybersecurity skills and capabilities as digital security becomes an increasingly important part of every working American’s life.
The strategy, released Monday, is broken down into four “pillars” of action that each include numerous lines of effort in education, hiring, career development and federal workforce policies to both train existing workers in cyber skills and encourage new and underrepresented employees to enter the field. Along the way, it promises to tap billions of dollars in federal funding for initiatives that aim to transform the way governments, businesses, schools and other organizations approach their workforce development.
On a call with reporters Monday, Camille Stewart Gloster, deputy national cyber director for technology and ecosystem security, said the release of the strategy marked the “start” of a process and conversation that ONCD expects to go on for years as the federal government and nation look to develop, foster and embed digital security skills into the everyday life of working Americans.
“This strategy articulates a bold vision and we recognize there are tasks in there in the short and long term to accomplish that vision,” said Gloster. “Today is the starting line of a journey towards achieving the strong cyber workforce that we all need and deserve.”
A “chicken in every pot” approach to cyber skills
In line with a message that ONCD and former Director Chris Inglis have preached for years, the strategy makes the case that it will take more than a boost in cyber-specific talent to secure the nation’s private and public technologies.
The first pillar calls for a “skills-based approach” to national workforce development to create a larger pool of digitally savvy Americans, not just in cybersecurity-specific skills but also for IT more generally and emerging technologies like artificial intelligence and quantum computing.
While the nation needs more cyber and IT workers, it also needs the rest of the workforce to learn and retain basic digital and cybersecurity skills as part of their lifelong professional toolset and career development. According to the National Skills Coalition, 92% of jobs in the U.S. require some level of digital literacy, skills that nearly a third of prime-age workers between 16 and 64 lack.
To kickstart this effort, the administration will work with domestic and international partners and tap funding provided through existing legislation, such as the Bipartisan Infrastructure Law passed in 2021 and the CHIPS and Science Act passed in 2022. Those laws set aside tens of billions of dollars to build up internet connectivity across the country, fund semiconductor research and development, and support other efforts the administration believes need a generation of new tech and cyber workers.
The administration will use the National Cyber Workforce Coordination Group, an interagency body stood up in December 2022, and the National Science and Technology Council’s Committee of STEM to coordinate investments from these programs into existing workforce programs, individual federal grant disbursements and other funding vehicles.
On a call with reporters, Gloster told SC Media the process for tapping that funding may differ for each law, but her office is coordinating with stakeholders to ensure cybersecurity activities qualify for grants and other programs.
“We are working closely with the partners leading the implementation of those bills to ensure that cyber is a priority area of focus, so as many of the funding task orders and opportunities to submit grants against those monies are put out into the world, we have worked with partners to prioritize cyber as part of that,” she said.
Taking digital security principles back to school
In the education sector, the strategy outlines a multi-pronged approach to boosting cyber-specific courses and curricula at K-12 schools, colleges and trade schools, while boosting connections and partnerships between the education and working worlds to build better development pipelines for students to pursue digital skills.
It calls for schools to partner with hospitals, businesses, utilities and municipal governments to create realistic and relevant curricula and training programs to teach students how to navigate and defend these systems from cyberattacks and other threats. The administration will work with Congress to ensure every state has a robust cyber training ecosystem in place through the NSF’s Regional Innovation Engines, the National Institute for Cybersecurity Education’s RAMPS and the Department of Education’s CTE CyberNet programs.
Meanwhile, industry and academic institutions are “encouraged” to create publicly available resources on cybersecurity that can be used in classrooms, workplaces and state, local and tribal governments to establish baseline digital and cybersecurity skills within their own workforces. Federal agencies including the National Science Foundation, the Department of Defense and CISA will collaborate to create their own free educational resources that can flow down to states and schools.
ONCD is also working to develop a paid fellowship program for cyber educators and to push schools to allow students to get course credit for outside cybersecurity trainings, and is considering the creation of a “Presidential Cyber Award” to reward students who develop these skills in the classroom, similar to the Presidential Youth Fitness Award.
Lynne Clark, chief of the National Centers of Academic Excellence in Cyber Defense Program Office, a government office that partners with colleges and universities to set standards around cybersecurity curricula and develop competencies for students and faculty, said the center is on track to have 460 partnerships covering 174,000 college students by the end of next year and has added new partnerships in the first half of 2023 alone. Clark cited studies by an outside think tank in 2020 that showed half of all cybersecurity bachelor’s degrees, 30% of associate degrees and 20% of non-degree cyber credentials were done through schools that partner with the center.
Making the cyber workforce look like the rest of the country
It’s no secret that the cybersecurity field is dealing with both a massive shortage of available talent as well as a diversity problem, with women, people of color and veterans drastically underrepresented.
While the industry has made some progress in these areas, the strategy calls for institutions to “address barriers that have prevented underserved and underrepresented populations from joining the cyber workforce.”
That includes building digital security training and education components with employers, labor unions and trade associations, tasking the Departments of Labor and Commerce with developing better metrics and data around the cyber workforce and possibly creating an independent National Center for Cyber Data to act as an authoritative resource for businesses and policymakers.
One important change advocated by ONCD is moving hiring practices away from prioritizing credentials and certifications and towards “skills-based” hiring, which the administration said is more predictive of a candidate’s performance on the job.
Community colleges, where women make up a larger majority of the student body, are seen as a particularly promising pipeline for reaching underrepresented talent, and the Office of Personnel Management will explore ways to “better align scholarship-for-service programs” at community colleges around the country.
Meanwhile, multiple federal agencies, including the NSA, Cyber Command and departments of Labor and Health and Human Services, will work to further boost programs designed to provide trainings, certifications, and up-skilling programs for military veterans to transition into digital security careers.
Bolstering the federal workforce
Finally, the strategy outlines a number of ways the federal government will look to attract and retain its own cybersecurity talent. Federal policymakers have long believed that while they can offer a unique mission that appeals to many cybersecurity workers who want to make a difference, they simply cannot offer salaries and benefits that are comparable to the private sector.
That effort starts with good data, and the federal government has largely operated in the dark thus far, unable to confidently state how many cyber employees it needs, the kind of skillsets they require or which agencies or initiatives those resources should be deployed to.
The strategy calls for working with Congress to expand funding and increase the number of enrollees in existing programs like the Cyber Corps Scholarship for Service and the Cybersecurity Talent Initiative that provide scholarships in return for working for the federal government. Agencies will expand shared hiring actions that make it easier for feds to transfer to other departments and agencies and work to build in better pay and hiring flexibility around cybersecurity jobs.
Much of the work coordinating those pushes will be carried out by the Federal Cyber Workforce Working Group, while agencies like OPM will work to ensure that federal job listings emphasize the need for cybersecurity skills and proficiencies.