The Cyber Czar Has No Clothes
Imagine that instead of aggressively working to appoint nominee Brett Kavanaugh for the Supreme Court, President Trump chose to not refill the position. Seems crazy, right? How can an important federal position suddenly fail to be worthy of a replacement?
In May 2018, the current administration eliminated the top cybersecurity position in the White House, the cybersecurity coordinator to the National Security Council. The administration defended its decision to terminate the position by arguing that addressing cyber threats was already a “core function” within the national security team. Yet this explanation has not satisfied many cybersecurity experts (Bruce Schneier called it a “spectacularly bad idea”), who say this move signals that the United States is not taking cyber risks seriously.
Beyond concerns over where this leaves cybersecurity as a national security issue, the removal of a top cyber leadership position in the White House could indicate that other recent initiatives related to the cyber workforce are equally empty suits. By choosing not to backfill such a critical job, the White House demonstrated just how little importance it placed on addressing the acute shortage in our nation’s cyber workforce. Though the administration did release an Executive Order (EO 13800) and an official Request for Information (RFI) on Growing and Sustaining the Cybersecurity Workforce last year, they were surprisingly similar in focus and directive to those issued under the previous administration. And the most recent publications that resulted from EO 13800 all demonstrate a general policy continuity between the Obama and Trump administrations as well.
So why could this be a bad signal if it’s just more of the same?
1. More of the same won’t help solve the cybersecurity workforce issue.
The focus on private-public partnerships as a way to address cybersecurity education, training, and workforce development programs does not address the problem at scale. The status quo is flawed. Creating robust training programs, internships, externships, apprentice programs, and investing in cybersecurity staff development takes time and is costly. The continued policy of asking an industry to step up without any federal support is simply unsustainable.
2. It perpetuates the lack of a comprehensive national strategy on cybersecurity training and education.
Existing initiatives like the National Initiative for Cybersecurity Education and the National Cybersecurity Workforce Framework have been tackling this issue for some time. Although these programs have made progress, they are still relatively small initiatives when compared to federal spending on other low-priority areas for the administration, like the EPA.
Overall, government spending on cybersecurity is significant, but efforts to fund training, education, and workforce development have emerged as a series of fragmented programs across a variety of agencies. Though some of this disorder is necessary to test hypotheses and identify initiatives that work, there has been very little consolidated follow-up to really scale any programs deemed effective.
3. It forces the industry to rely on more costly and niche-developed solutions.
Employers (and individuals) bear the majority of the cost to obtain the necessary cybersecurity education and training to fill critical jobs. However, the fact remains that the cost of developing innovative and comprehensive cybersecurity curricula and programs is significant. Though many of us in the training industry recognize the need to integrate skill requirements with assessments and with knowledge-based and hands-on experiential learning, the requirements are so vast that the level of investment required to integrate all of those components is often beyond what any one organization can deliver.
The result is that universities, educational institutions, and training providers are forced to sell programs at a price point that becomes cost prohibitive for individuals and their employers. Even organizations that provide a portion of their training budget to their staff are unable to fund the full suite of knowledge training a worker might need over the course of their career.
One Step Back, Two Steps Forward
As we’ve said before, the United States responded to the space race with the Soviet Union by investing $1 billion in science and technology education programs across the country. A cybersecurity “moonshot” would provide the United States with the opportunity to invest in cybersecurity in the same way it did during the space race. By creating, funding, and prioritizing both defensive and offensive cybersecurity programs, the U.S. can not only position itself as the most secure nation in the world, but also actively create hundreds of thousands of jobs that prepare people to succeed in the 21st-century economy.