A Shortage of Cybersecurity Talent – and a Solution

The global shortage of cybersecurity professionals is nearly 3 million. In other words, we could meet the global cybersecurity workforce shortage if all the people in Arkansas earned their computer science degrees, put on their hacker-hunting hats, and got about the business of protecting our data.

The problem is, we need them right now.

Between September 2017 and August 2018, US firms posted 314,000 positions for cybersecurity professionals, a 40% increase on current staffing levels. For most of these positions, companies sought people with computer science degrees who could write and read code and analyze data to detect and thwart attacks. In 2017, universities in the United States awarded 49,000 degrees in Computer Science, but only a fraction of those graduates specialized in cybersecurity, having focused on software development or networking or data analytics instead. This was the highest number of Computer Science degrees awarded by US universities in a single year since 2003, but it wasn’t nearly sufficient to meet the demand.

Furthermore, although Computer Science departments are expanding at a frenetic rate, most can’t hire professors fast enough. The number of tenure-track faculty in Computer Science departments in the United States grew 17% between 2013 and 2017, while the number of undergraduates majoring in Computer Science doubled to 186,000. If all of those Computer Science majors graduated tomorrow with a specialization in cybersecurity, that would still leave 128,000 positions unfilled.

The numbers don’t tell an encouraging story. And yet, it’s a puzzle we must solve. Cyber attacks continue, and we need qualified people to detect, thwart, and recover from them. How can we narrow the gap so that cybersecurity forces don’t continue to be so short-staffed?

One way is to rely more on artificial intelligence and machine learning. Just as credit card companies use data analytics to detect anomalous purchases and freeze your card before the thief goes on a spending spree, machine learning is used in cyber defense regimens to identify would-be attacks and determine how best to block them. While some short-sighted views tout AI as the eventual replacement for human cyber expertise, whatever advanced analytics the good guys use, the bad guys can, too, leading to an analytics arms race that will require humans to mediate and tweak. Still, in the short term and beyond, it makes sense to use AI and machine learning as a screening mechanism to reduce the human defenders’ workloads.

Another approach is to join forces across industry sectors by federating cyber intelligence. For more than a decade, the Department of Energy has shared threat intelligence among the national labs. Similar approaches have been proposed for other industries, including the electric power grid. These can help organizations with similar missions and, thus, similar attack surfaces to share information about current and emerging threats, limiting the damage to the ones attacked first and preventing a spread that could cripple them all. Unfortunately, competition among such organizations and corporate politics tend to stymie the free and open exchange of cyber threat data, reducing the effectiveness of this approach. Governments can and should provide incentives for companies to share threat intelligence. If incentives alone don’t work, governments should at least require companies that support critical infrastructures to share such data in real time.

Government’s involvement must not end there, however. Instead, it must move boldly to accelerate the training of an adequately sized cyber workforce.

Some politicians have argued for making college tuition free. Others have lambasted the extremely high cost of a college education that saddles young people with mortgage-sized student loan payments that prevent them from participating in the economy beyond paying that incredibly high monthly bill. Why not reduce the cost of college and directly address the cybersecurity workforce shortfall simultaneously?

Here’s the idea. The Federal Government, working with industry experts, academicians, and their own CyberCom would create a year-long bootcamp-style curriculum in cybersecurity. That curriculum would likely cover coding, networking, operating systems, computer organization, penetration testing, encryption, authentication systems, and currently used network monitoring and defense tools. The curriculum would include assessments to test students’ command of the material.

The curriculum and assessments would then be released to universities and community colleges, which would teach the year-long standardized curriculum online, on a non-degree basis, to a population as big as 10% of their current enrollment. With 17 million undergraduates currently studying in the United States, this would end up offering the year-long program to 1.7 million students if all post-secondary institutions participated. Of course, not all institutions will or can participate, so significantly fewer than 1.7 million students would enroll to receive the training. Even if only half of the 1.7 million-student target received training, that would still create a pool of 850,000 new cyber professional candidates.

Students would pay $1,000 for the year-long program, which would cover half their university’s cost of teaching the online coursework. That charge would ensure they have some skin in the game. The Federal Government would pay the other half. At the end of their training, students would take a comprehensive exam. Those who passed would be given a recognized credential that would qualify them to work as a cybersecurity professional who could fill one of the 314,000 unfilled jobs.

Each university would then be paid $10,000 for each successful graduate of the program, which it would be required to use to provide additional financial aid grants to its students. If 500,000 students pass the exam and earn the credential, creating a hard-to-imagine glut of cyber professionals in the marketplace, the federal government would contribute an additional $5 billion to financial aid coffers, plus $850 million in tuition subsidies for the 850,000 students enrolled in the national program.

In other words, for about the price of the proposed US-Mexico border wall, we could solve the cyber workforce problem within one year and help many students pay for college.

Bold? Yes. Expensive? Yes. But there are worse ways to spend $5.9 billion.

We have a tremendous problem that needs solving. This approach would.

About Ray Klump

Professor and Chair of Mathematics and Computer Science; Director, Master of Science in Information Security, Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu
