[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




 
   CHALLENGES OF RECRUITING AND RETAINING A CYBERSECURITY WORK FORCE

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                           CYBERSECURITY AND
                       INFRASTRUCTURE PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 7, 2017

                               __________

                           Serial No. 115-26

                               __________

       Printed for the use of the Committee on Homeland Security
       
                                     


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




                                     

        Available via the World Wide Web: http://www.govinfo.gov
        
        
        
        

                               __________
                               
                               
                  U.S. GOVERNMENT PUBLISHING OFFICE
                   
 28-415 PDF                 WASHINGTON : 2018       
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001                                    
                               
                               
                               

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Lou Barletta, Pennsylvania           William R. Keating, Massachusetts
Scott Perry, Pennsylvania            Donald M. Payne, Jr., New Jersey
John Katko, New York                 Filemon Vela, Texas
Will Hurd, Texas                     Bonnie Watson Coleman, New Jersey
Martha McSally, Arizona              Kathleen M. Rice, New York
John Ratcliffe, Texas                J. Luis Correa, California
Daniel M. Donovan, Jr., New York     Val Butler Demings, Florida
Mike Gallagher, Wisconsin            Nanette Diaz Barragan, California
Clay Higgins, Louisiana
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
                   Brendan P. Shields, Staff Director
                 Steven S. Giaier, Deputy Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Thomas A. Garrett, Jr., Virginia     Val Butler Demings, Florida
Brian K. Fitzpatrick, Pennsylvania   Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
             Kristen M. Duncan, Subcommittee Staff Director
             
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity and Infrastructure Protection:
  Oral Statement.................................................     4
  Prepared Statement.............................................     7
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     8

                               Witnesses

Dr. Frederick R. Chang, Executive Director, Darwin Deason 
  Institute for Cyber Security, Southern Methodist University:
  Oral Statement.................................................     9
  Prepared Statement.............................................    10
Mr. Scott Montgomery, Vice President and Chief Technical 
  Strategist, McAfee:
  Oral Statement.................................................    15
  Prepared Statement.............................................    17
Dr. Michael Papay, Vice President and Chief Information Security 
  Officer, Northrup Grumman:
  Oral Statement.................................................    22
  Prepared Statement.............................................    24
Ms. Juliet ``Jules'' Okafor, Strategic Advisory Board Member, 
  International Consortium of Minority Cybersecurity 
  Professionals:
  Oral Statement.................................................    27
  Prepared Statement.............................................    28

                             For the Record

The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island:
  Statement of Wesley Simpson, CISSP and Chief Operating Officer, 
    (ISC)\2\.....................................................     5
  Letter From Hon. James R. Langevin.............................    35

                                Appendix

Questions From Chairman John Ratcliffe for Frederick R. Chang....    47
Question From Chairman John Ratcliffe for Scott Montgomery.......    49
Questions From Chairman John Ratcliffe for Michael Papay.........    49


   CHALLENGES OF RECRUITING AND RETAINING A CYBERSECURITY WORK FORCE

                              ----------                              


                      Thursday, September 7, 2017

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 3:14 p.m., in 
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe 
(Chairman of the subcommittee) presiding.
    Present: Representatives Ratcliffe, Fitzpatrick, Katko, 
Richmond, Demings, and Langevin.
    Also present: Representative Barragan.
    Mr. Ratcliffe. The Committee on Homeland Security 
Subcommittee on Cybersecurity and Infrastructure Protection 
will come to order.
    The subcommittee is meeting today to receive testimony 
regarding the challenges of recruiting and retaining a 
cybersecurity work force.
    I now recognize myself for an opening statement.
    Good afternoon. I would like to begin by thanking our panel 
for taking the time today to be here to testify. I appreciate 
your patience as we just finished up a vote series. I am glad 
that you waited for us. Your thoughts and your opinions are 
very important to us and will help inform us as we oversee the 
Department of Homeland Security in meeting its cybersecurity 
work force challenges.
    Cybersecurity is one of the most daunting National security 
and economic security challenges of our generation. As our 
adversaries grow in sophistication, so, too, will the 
challenges associated with preventing their attacks.
    My colleagues on this committee have heard me say this 
often, but I will say it again. America will remain the world 
superpower only so long as it remains the world cybersecurity 
superpower.
    As the lead civilian agency for our Federal cybersecurity 
posture, the Department of Homeland Security factors as a 
critical piece of this equation. It is a tremendous privilege 
to chair this subcommittee and I look forward to our continued 
partnership with the private sector and the administration on 
these important cybersecurity issues, because inaction is 
simply not an option.
    In 2014, it was estimated that $1 billion of personally 
identifiable information was stolen from cyber attacks. It is 
also estimated that the average cost of a data breach will be 
$150 million by 2020. Cyber attacks are growing in frequency 
and they are growing in their sophistication, but the 
availability of qualified cybersecurity professionals to deal 
with these challenges is unfortunately not keeping pace.
    There have been several studies over the past few years 
documenting the growing shortage of cybersecurity 
professionals. In this ever-increasingly connected world, the 
problem is only going to get worse. One estimate from the 
consulting firm of Frost & Sullivan is forecasting a shortage 
of a staggering 1.8 million cybersecurity workers world-wide by 
2022, just 5 years from now.
    Some industry estimates are that 53 percent of 
organizations now experience delays of 6 months or longer to 
find qualified cybersecurity candidates. We know that the 
entire industry is facing an unprecedented shortage of 
cybersecurity workers at all levels of competency, from front-
line defenders to CIOs.
    It is against this backdrop that the Department of Homeland 
Security must compete with the private sector to recruit and 
retain the best talent possible in order to carry out its 
cybersecurity mission and to protect our critical 
infrastructure. Unfortunately, DHS's issues are compounded by 
the additional hiring challenges often felt by the Federal 
Government.
    DHS must work to overcome slow hiring processes and work 
force supply and pipeline issues in order to build the 
essential work force required to meet its cyber mission. DHS 
must strategically plan for the training, recruitment, and the 
retention of its cybersecurity work force.
    The Homeland Security Committee passed several pieces of 
legislation that were signed into law to augment the 
cybersecurity work force at DHS, including the Border Patrol 
Agent Pay Reform Act of 2014 that expanded DHS's hiring 
authorities allowing the Department to better recruit and hire 
qualified cyber professionals. Unfortunately, these new 
authorities have not yet been fully implemented.
    This is an area where hearing from the experts before us 
today will provide valuable input as we conduct oversight of 
DHS's responsibilities and ensure that DHS has the human 
capital and resources necessary to carry out its important 
cybersecurity mission.
    The Federal Government supports a number of programs to 
recruit and retain its work force. In particular, the 
CyberCorps Scholarship for Service Program was authorized in 
the National Cybersecurity Enhancement Act of 2014 and focuses 
on recruiting and training the next generation of information 
technology professionals, industry control system security 
professionals, and security managers.
    Working with DHS, the National Science Foundation has 
awarded grants for the CyberCorps Scholarship for Service 
Program since 2011 to increase and strengthen Federal, State, 
local, Tribal, and territorial governments' cyber work force. 
As of January 2017, there were 69 active Scholarship for 
Service institutions, including eight in my home State of 
Texas. CyberCorps has provided scholarships to 2,945 recipients 
with 2,223 graduates serving Federal, State, local, Tribal, and 
territorial governments and 623 students are currently working 
toward that goal.
    The recent interest my office has received from both 2- and 
4-year colleges in my district about participating in the 
CyberCorps program is encouraging. It reinforces that 
stakeholders of all sizes, from all corners of the country want 
to be part of the cybersecurity work force solution.
    I look forward to a robust conversation with our 
distinguished panel of witnesses today that will support our 
efforts in strengthening DHS's effort to recruit and retain 
talented cybersecurity professionals.
    The Chair now recognizes the Ranking Minority Member of the 
subcommittee, the gentleman from Louisiana, Mr. Richmond.
    [The statement of Mr. Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                           September 7, 2017
    Good afternoon.
    I would like begin by thanking our panel for taking the time today 
to testify. Your thoughts and opinions are very important as we oversee 
the Department of Homeland Security in meeting its cybersecurity work 
force challenges.
    Cybersecurity is one of the most daunting challenges of our 
generation, and as our adversaries grow in sophistication, so will the 
challenges associated with preventing their attacks. My colleagues on 
this committee have heard me say this often, but I'll say it again--
America will only remain the world's superpower so long as it remains 
the world's cybersecurity superpower.
    As the lead civilian agency for our Federal cybersecurity posture, 
DHS factors as a critical piece of this equation. It is a great 
privilege to chair this subcommittee, and I look forward to our 
continued partnership with the private sector and the administration on 
these important cybersecurity issues.
    Because inaction is simply not an option.
    According to the Cisco 2017 Annual Cybersecurity Report, ransomware 
is growing at a yearly rate of 350 percent and the firm Cybersecurity 
Ventures predicts cyber crime will cost the world in excess of $6 
trillion annually by 2021, making it more profitable than the global 
trade of all major illegal drugs combined. It is also estimated that 
the average cost of a data breach will be $150 million by 2020. Cyber 
attacks are growing in frequency and sophistication, but the 
availability of qualified cybersecurity professionals to deal with 
these challenges is not keeping pace.
    There have been several studies over the past few years documenting 
the growing shortage of cybersecurity professionals. In this ever-
increasing connected world, the problem is only going to get worse. 
Today, one estimate, from the consulting firm Frost & Sullivan, is 
forecasting a shortage of a staggering 1.8 million cybersecurity 
workers world-wide by 2022. One industry organization estimates that 53 
percent of organizations experience delays of 6 months or longer to 
find qualified cybersecurity candidates.
    We know that the entire industry is facing an unprecedented 
shortage of cybersecurity workers at all levels of competency--from 
front-line defenders to CIOs. Against this backdrop, the Department of 
Homeland Security must compete with the private sector to recruit and 
retain the best talent possible in order to carry out its cybersecurity 
mission and protect our critical infrastructure.
    Unfortunately, DHS's issues are compounded by additional hiring 
challenges often felt by the Federal Government. DHS must work to 
overcome slow hiring processes and work force supply and pipeline 
issues in order to build the essential work force required to meet its 
cyber mission. DHS must strategically plan for the training, 
recruitment, and retention of its cybersecurity work force.
    The Homeland Security Committee passed several pieces of 
legislation that were signed into law to augment the cybersecurity work 
force at DHS, including the Border Patrol Agent Pay Reform Act of 2014 
that expanded DHS's hiring authorities, allowing the Department to 
better recruit and hire qualified cyber professionals. Unfortunately, 
these new authorities have not yet been fully implemented. This is an 
area where hearing from the experts before us today will provide 
valuable input as we conduct oversight of DHS's responsibilities and 
ensure that DHS has the human capital and resources necessary to carry 
out its important cybersecurity mission.
    The Federal Government supports a number of programs to recruit and 
retain its work force. In particular, the CyberCorps: Scholarship-For-
Service Program was authorized in the National Cybersecurity 
Enhancement Act of 2014 and focuses on recruiting and training the next 
generation of information technology professionals, industrial control 
system security professionals, and security managers.
    Working with DHS, the National Science Foundation has awarded 
grants for the CyberCorps: Scholarship-For-Service program since 2011 
to increase and strengthen Federal, State, local, Tribal, and 
territorial governments' cyber work force. As of January 2017, there 
were 69 active Scholarship for Service institutions, including 8 in my 
home State of Texas. CyberCorps has provided scholarships to 2,945 
recipients, with 2,223 graduates serving Federal, State, local, Tribal, 
and territorial governments and 623 students currently working toward 
that goal.
    The recent interest my office has received from 2- and 4-year 
colleges in my district about participating in the CyberCorps program 
is encouraging. It reinforces that stakeholders of all sizes from all 
corners of the country want to be part of the cybersecurity work force 
solution.
    I look forward to a robust conversation with our distinguished 
panel of witnesses that will support our efforts in strengthening DHS's 
efforts to recruit and retain talented cybersecurity professionals.

    Mr. Richmond. Let me first thank the Chairman for holding 
this hearing because our Nation faces an evolving array of 
cyber threats and it is crucial that we have a robust, talented 
cybersecurity work force.
    For some time now, experts have predicted that the demand 
for cybersecurity professionals was quickly outpacing our 
supply. In 2012, the Bureau of Labor Statistics projected that 
by 2020 there would be 400,000 computer scientists available to 
fill 1.4 million computer science jobs. Recent estimates 
suggest that the deficit is growing instead of shrinking and 
may reach 1.8 million by 2022.
    Let's be clear: This is nothing short of a threat to our 
National security.
    These are the professionals we rely on to help us prepare 
for and respond to the next WannaCry, Mirai, or Fancy Bear. 
These are the people who will prevent State-sponsored hackers 
from taking down our electrical grid or infiltrating our State 
election systems. These are the experts we need to stand on the 
front lines during a major cyber attack and make sure we have 
functioning hospitals, banks, transportation systems, and lines 
of communication.
    We need cybersecurity professionals in the private sector 
protecting our intellectual property and personal data, and we 
need them in the public sector protecting our Nation's most 
sensitive intelligence. Yet we know that the Federal Government 
and DHS in particular is struggling to compete with the private 
sector for cyber talent.
    What is more, this administration has failed to fill even 
the most critical, senior-level, cybersecurity posts, asking 
agencies like DHS's National Programs and Protections 
Directorate to carry out broad, complex cybersecurity missions 
without a permanent under secretary. This lack of leadership 
makes us vulnerable.
    We should be doing everything we can to right-size our 
cybersecurity labor force. There is a lot more we can do. We 
need to introduce students to computers before they get to 
college, even the ones who go to schools that can't afford 
expensive tech programs and specialized instructors. I also 
believe there is untapped potential in vocational schools, 2-
year programs, minority-serving institutions, and our 
historically black colleges and universities.
    Once we have figured out how to get more people to choose 
cybersecurity as a career, we need to convince them to turn 
down a higher-paying job and spend some time in Federal 
service.
    Within the Federal Government, we need to promote 
recruitment and retention programs, particularly at DHS which 
has lagged behind other cyber-focused Federal agencies like the 
NSA or FBI in attracting cyber talent. For its part, DHS needs 
to be more forward-thinking and learn to anticipate the needs 
of an evolving work force that values professional development, 
a flexible work culture, the ability to transition in and out 
of positions or even fields.
    In closing, there is no question that the cyber work force 
challenge is a daunting one, but the stakes are too high for us 
to ignore it. Last year, the global economy lost over $450 
billion to cyber criminals and over 2 billion personal records 
were stolen in the United States alone. Meanwhile, studies show 
that less than half of United States' businesses would say that 
they are prepared for a cyber attack, and that small Main 
Street businesses are struggling the most.
    I look forward to hearing the testimony of our witnesses 
today and hope we can identify innovative ways to work together 
to address cybersecurity work force challenges.
    Mr. Chairman, before I yield back, I would like to submit 
for the record from Wesley Simpson, chief operating officer of 
(ISC)\2\, along with the 2017 Global Information Security 
Workforce Study: Women in Cybersecurity; and the report the 
2017 Global Information Security Workforce Study: U.S. Federal 
Government Results.
    Mr. Ratcliffe. Without objection.
    [The information referred to follows:]
    Statement of Wesley Simpson, CISSP and Chief Operating Officer, 
                                (ISC)\2\
                           September 7, 2017
    Chairman Ratcliffe, Ranking Member Richmond, Members of the 
subcommittee, thank you for the opportunity to provide written 
testimony for today's hearing titled Challenges of Recruiting and 
Retaining a Cyber Workforce. This hearing is an important one as it 
highlights a critical work force and ultimately a critical National 
security challenge that we face: Ensuring that we are training enough 
cybersecurity professionals to address the current and projected work 
force shortage in the public and private sector.
    My name is Wesley Simpson and I am the chief operating officer of 
the International Information System Security Certification Consortium, 
commonly known as (ISC)\2\, the world's leading cybersecurity and IT 
security professional organization. We are an international, non-profit 
membership association for information security leaders. We have 
125,000 members world-wide and continue to grow just as the cyber work 
force needs grow.
    In addition to the training and certification work that we do, 
including the internationally recognized CISSP certification, we are 
also committed to education of the general public through our support 
for the Center for Cyber Safety and Education. We believe it is crucial 
not only to close the current gap in cybersecurity professionals, but 
we must also do so in a diverse way bringing more women and minorities 
into the field of cybersecurity. Information on our work with the 
Center for Cyber Safety and Education can be found at 
www.iamcybersafe.org.
    Earlier this year, (ISC)\2\ in partnership with the Center for 
Cyber Safety and Education, Booz Allen, Frost & Sullivan and Alta 
Associates released the 2017 Global Information Security Workforce 
Study. This is the 8th biennial release of the study and the largest to 
date. We surveyed 19,641 cyber professionals representing 170 
countries. This included 2,620 professionals from the U.S. Federal 
Government.
    According to our survey we are on pace to reach a cyber work force 
gap of 1.8 million jobs by 2022--a stunning 20% increase from our 
forecast made in 2015. As part of our study, we also segmented out the 
data for certain demographic groups and I will provide information 
around the Government work force, and women in the cyber work force 
later in my remarks.
    Globally, our survey found that 66% of information security workers 
said their staffs are short-handed--too few professionals to address 
the threats they encountered. That's an increase of 4 percent from the 
2015 survey. This number jumps to 68% when you consider only 
respondents from North America.
    Workers cite a number of reasons for the current shortage. These 
include: Qualified personnel are difficult to find; work force 
requirements are not understood by leadership; business conditions 
can't support hiring additional personnel; security workers are 
difficult to retain; and a belief that there is no clear information 
security career path.
    On the positive side, 70% of hiring managers surveyed are looking 
to increase their work force. In fact, 30% are planning to increase 
that work force by 20% or more. This is most evident in the fields of 
health care, retail, and manufacturing. So the job opportunities are 
there. In addition, fully 87% of cyber professionals started out in a 
different career. While most came from IT, a number come from other 
career fields. For North America, about 35% started in a different 
field. This indicates that training, retraining programs, and 
certification programs are working and are necessary to help close the 
current work force gap.
    Let me now turn to some of the segments that we examined within the 
larger data set, starting with the Federal Government. Overall there is 
some good news in the Government data. Half of the respondents feel 
that Government security has improved. This is due to improved security 
awareness, improved understanding of risk management and effective 
security standards. Some 36% believe that it the level of Government 
security has stayed the same, and 4% believe that Government security 
has gotten worse. Of those that felt the situation has gotten worse, 
they cited the need for more qualified professionals, adequate funding, 
and better security standards. In addition, respondents felt that the 
most important factor in securing an organization's infrastructure is 
the hiring and retaining of qualified information security 
professionals.
    We also asked about the key factors in retaining Government 
information security professionals. Interestingly, the top two 
responses were not directly related to compensation, but rather focused 
on training and certification. Respondents wanted the Government to 
offer training programs and to pay for cyber certifications. This was 
followed by improving compensation packages, flexible work schedules, 
and supporting remote/flexible working. So you can see that while 
compensation is important, other factors rise to the top in terms of 
retaining talent in the Government work force. When looking at 
incentives for new hires, we see a similar trend, with certification, 
training, and education reimbursement as the most effective recruitment 
tool followed by flexible work schedule.
    Let me close on this segment by providing three additional findings 
that are relevant to the question of attracting and retaining cyber 
professionals. First, 78% of respondents felt that greatest demand for 
new hires is in nonmanagerial staff. Second, the respondents felt that 
the most significant impact of the current work force shortage is on 
the existing information security work force. Finally, the greatest 
area of need for additional training and certification is in cloud 
computing. We need to fill that gap as soon as possible to ensure that 
we don't face burnout and departure from the current work force. And we 
need to get training programs in place in key priority areas like cloud 
security.
    Let me now turn to women in the cyber work force. As stated 
earlier, we strongly support bringing more gender and ethnic diversity 
into the cyber work force. It is a key to helping close the growing gap 
that we face in both the public and private sectors here in the United 
States. For this particular segment we partnered with the Executive 
Women's Forum on Information Security, Risk Management, and Privacy. As 
the overall report shows, the work force gap continues to rise. 
Globally, the number of women professionals in the field remains 
stagnant at 11% (14% for North America). While this is extremely low, 
it is higher than in Europe or Asia, both of which are in single 
digits. The report also shows that women continue to lag behind when it 
comes to pay equity, despite higher levels of education. The report 
found that more than half of women respondents have faced 
discrimination in the workplace. Globally, men are four times more 
likely to attain C-level and Executive-level positions and nine times 
more likely to hold managerial positions in the cybersecurity field. On 
the positive side, women do feel more valued when participating in 
mentorship, sponsorship, and leadership development programs.
    We believe that focusing on fixing the above-mentioned areas--pay 
inequity, creating a more inclusive workplace, valuing education, and 
providing mentorship and development opportunities for women to 
advance--can move the needle in the right direction and help bring more 
women into the cyber work force.
    In conclusion, demand for cyber workers continues to grow. 
Unfortunately, the current work force gap is also growing. We must work 
together--Government, training and certification organizations, 
educational institutions and the private sector--to help close that 
gap.
    Cybersecurity is a critical component of our National security. And 
the key factor to ensuring a more secure IT infrastructure is a skilled 
and trained cyber work force. As I highlighted in the data from the 
2017 Global Information Security Workforce Study, we have many 
challenges ahead of us. However, this study also points us to solutions 
such as training and certification, bringing diversity into the work 
force and through leadership development and mentorship, and finally 
through incentives and pay equity.
    I would like to request that the Global Information Security 
Workforce Study and the accompanying segments on Government and women 
be included in the record. Again, on behalf of (ISC)\2\ and its 125,000 
members, I thank you for the opportunity to provide our input. Thank 
you again for your focus on the cyber work force. We look forward to 
continuing to be a resource to the committee and to working with the 
subcommittee on this critical National security issue.

    Mr. Richmond. I would also ask unanimous consent that Ms. 
Barragan be allowed to participate in today's hearing.
    Mr. Ratcliffe. Welcome.
    Mr. Richmond. Thank you, Mr. Chairman. I yield back.
    [The statement of Mr. Richmond follows:]
             Statement of Ranking Member Cedric L. Richmond
                           September 7, 2017
    For some time now, experts have predicted that the demand for 
cybersecurity professionals was quickly outpacing supply. In 2012, the 
Bureau of Labor Statistics projected that by 2020, there would be 
400,000 computer scientists available to fill 1.4 million computer 
science jobs. Recent estimates suggest the deficit is growing instead 
of shrinking, and may reach 1.8 million by 2022.
    Let's be clear--this is nothing short of a threat to National 
security. These are the professionals we rely on to help us prepare for 
and respond to the next WannaCry, Marai, or Fancy Bear. These are the 
people who will prevent state-sponsored hackers from taking down our 
electrical grid or infiltrating our State election systems.
    And these are the experts we need to stand on the front lines 
during a major cyber attack and make sure we have functioning 
hospitals, banks, transportation systems, and lines of communication.
    We need cybersecurity professionals in the private sector 
protecting our intellectual property and personal data, and we need 
them in the public sector protecting our Nation's most sensitive 
intelligence. Yet, we know that the Federal Government--and DHS in 
particular--is struggling to compete with the private sector for cyber 
talent.
    What's more, this administration has failed to fill even the most 
critical, senior-level cybersecurity posts--asking agencies like DHS's 
National Programs and Protection Directorate to carry out broad, 
complex cybersecurity missions without a permanent under secretary. 
This lack of leadership makes us vulnerable. We should be doing 
everything we can to ``right-size'' our cybersecurity labor force--and 
there's a lot more we can do.
    We need to introduce students to computers before they get to 
college--even the ones who go to schools that can't afford expensive 
tech programs and specialist instructors. I also believe there may be 
untapped potential in vocational schools, 2-year programs, and 
minority-serving institutions.
    And once we've figured out how to get more people to choose 
cybersecurity as a career, we need to convince them to turn down a 
higher-paying job and spend some time in Federal service. Within the 
Federal Government, we need to promote recruitment and retention 
programs, particularly at DHS, which has lagged behind other cyber-
focused Federal agencies like the NSA or FBI in attracting cyber 
talent.
    For its part, DHS needs to be more forward-thinking and learn to 
anticipate the needs of an evolving work force that values professional 
development, a flexible work culture, and the ability to transition in 
and out of positions or even fields.
    In closing, there is no question that the cyber work force 
challenge is a daunting one--but the stakes are too high to ignore it. 
Last year, the global economy lost over $450 billion to cyber 
criminals--and over 2 billion personal records were stolen in the 
United States alone. Meanwhile, studies show that less than half of 
U.S. businesses would say they are prepared for a cyber attack, and 
small ``Main Street'' businesses are struggling the most.
    I look forward to hearing the testimony of our witnesses today, and 
hope we can identify innovative ways to work together to address 
cybersecurity work force challenges.

    Mr. Ratcliffe. Other Members of the committee are reminded 
that opening statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                           September 7, 2017
    Good afternoon. I would like to thank Chairman Ratcliffe and 
Ranking Member Richmond for holding today's hearing to continue the 
work of identifying solutions to an on-going National challenge: The 
cyber work force shortage.
    I want to take this opportunity to express my growing concern about 
the number of cybersecurity leadership vacancies across the Federal 
Government.
    There are numerous vacancies in cybersecurity positions across the 
Executive Branch, and last month, 8 of the 28 members of the National 
Infrastructure Advisory Council resigned in protest of the President's 
failure to prioritize cybersecurity.
    Most dramatically, this administration has chased out the State 
Department's first cybersecurity coordinator and plans to bury the 
State Department's cyber office in the Office of Bureau of Economic and 
Business Affairs.
    And as we speak, there has been no nomination of someone to serve 
as the under secretary of the Department of Homeland Security's 
National Protection and Programs Directorate, which is tasked with 
leading the Federal Government's efforts to secure our Nation's 
critical infrastructure and protect Federal civilian networks from 
malicious cyber activity.
    A strong cybersecurity posture is essential to National security 
and to our ability to compete in the global economy.
    Policies necessary to build a strong cybersecurity posture require 
strong leadership.
    I urge the President to quickly address cybersecurity leadership 
vacancies and organizational issues.
    Turning to the issue at hand, I am eager to learn about innovative 
private-sector approaches to developing and maintaining the 
cybersecurity work force challenges.
    I also hope to hear where the Federal Government can better partner 
with the private sector to cultivate the cybersecurity talent.
    When I am in Mississippi, all too often, I get asked why so much 
focus is placed on importing cybersecurity talent from overseas instead 
of cultivating the talent we have here at home.
    I support tech-visas, but at the same time agree with my 
constituents that we must more aggressively build and recruit a 
domestic cybersecurity work force.
    We also must also do more to develop cybersecurity skills in 
overlooked talent pools.
    Today, African Americans and Hispanics--combined--make up only 12 
percent of the cybersecurity work force.
    We need to do a better job understanding why that is.
    We can and should continue expanding traditional career pathways to 
diverse populations--from building relationships between public and 
private-sector employers and diverse institutions of higher educations 
and implementing mentorship programs.
    But we also have to start thinking ``outside the box''.
    We need to get young people from all backgrounds interested in 
cybersecurity early and we need to figure out how to transition 
displaced employees into the cybersecurity work force.
    According to Juniper Research, the cost of data breaches globally 
will increase to $2.1 trillion dollars by 2019.
    And the State actors have demonstrated a clear interest in hacking 
into our critical infrastructure--from dams and the utility companies--
to our elections.
    We must build the cyber work force necessary to protect our 
National security and our economy.

    Mr. Ratcliffe. As I mentioned before, we are very pleased 
to have this distinguished panel of witnesses before us today 
on this vitally important topic. Dr. Frederick Chang is the 
executive director of the Darwin Deason Institute for Cyber 
Security at Southern Methodist University.
    Dr. Chang, it is great to see you again and have a fellow 
Texan here today. Welcome.
    Mr. Chang. Thank you.
    Mr. Ratcliffe. Mr. Scott Montgomery is the vice president 
and chief technical strategist of McAfee.
    We welcome you back to the subcommittee as well.
    Dr. Michael Papay is the vice president and chief 
information security officer of Northrop Grumman.
    Dr. Papay, it is always good to see you and thank you for 
being here today.
    Finally, Ms. Juliet Okafor is the vice president of global 
business development of Fortress Information Security.
    Ms. Okafor, welcome back to the subcommittee as well to 
you.
    I would now ask all of the witnesses to stand and raise 
your right hand so I can swear you in to testify.
    [Witnesses sworn.]
    Please let the record reflect that each of the witnesses 
has been so sworn. You all may be seated.
    The witnesses' full written statements will appear in the 
record. The Chair is now pleased to recognize Dr. Chang for 5 
minutes for his opening remarks.

  STATEMENT OF FREDERICK R. CHANG, EXECUTIVE DIRECTOR, DARWIN 
    DEASON INSTITUTE FOR CYBER SECURITY, SOUTHERN METHODIST 
                           UNIVERSITY

    Mr. Chang. Thank you. Chairman Ratcliffe, Ranking Member 
Richmond, Members of the subcommittee, thank you for the 
opportunity to appear before you today regarding the challenges 
associated with recruiting and retaining and cybersecurity work 
force.
    My name is Frederick R. Chang and I am the executive 
director of the Darwin Deason Institute for Cyber Security at 
Southern Methodist University in Dallas, Texas. I am also the 
Bobby B. Lyle Centennial Distinguished Chair in Cybersecurity 
and professor in the Department of Computer Science and 
Engineering.
    I don't need to reiterate to this group the nature of 
today's cyber threats and their consequences, so I will simply 
say that today's cyber insecurity is a multifaceted topic 
involving technology, policy, work force, and more. In my brief 
comments now, I will focus on the topic of work force.
    One of the reasons why cyber compromises are so prevalent 
today is that there is a lack of trained and qualified 
personnel to defend the Nation's cyber assets. This lack of a 
trained cybersecurity work force has been referred to as the 
cyber skills gap. The gap is large and growing, as Chairman 
Ratcliffe and Ranking Member Richmond have both mentioned.
    Hiring managers are having a hard time finding the talent 
they need right now and there is a critical need for technical 
talent. Organizations will get creative in their hiring 
practices. I believe the market will work in some very 
innovative ways to adapt to the changing conditions by, for 
example, retraining some workers for roles in cyber and moving 
them around to manage the workload. Talent can and will come 
from some unexpected places. I am sure we will hear some 
creative ideas from the other panelists.
    But the fact that the problem is growing is a serious issue 
because there have been a number of important activities that 
have been on-going for a while now around the country in 
academia, in industry and in Government. I will quickly touch 
on just a few of them now.
    The NSA/DHS centers of academic excellence, the DOD and NSF 
cyber scholarship programs have been good and useful programs 
and have helped to jump-start and bolster university 
cybersecurity programs around the country. As universities grow 
their cyber portfolios to train more students, they will 
benefit from comprehensive curricular guidance and important 
progress is being made on that front.
    Student cyber competitions are becoming increasingly 
popular. As long as we can ensure the right balance between the 
competitions and coursework, I am a supporter of these 
competitions because I think they build depth of knowledge and 
they provide a valuable team experience which will be useful 
when the students enter the work force.
    We are also seeing now more cyber summer camps for both 
middle and high school students. I think these summer camps are 
quite important because they will help us grow a pool of cyber- 
and STEM-, science-, technology-, engineering-, and math-
motivated students. We need a larger pipeline of folks from 
which to recruit into key cyber positions.
    We will also see an increasing effort to advance 
technologies that will help automate different cybersecurity 
tasks and this will assist in giving human cyber experts more 
time to perform other tasks that we will not be able to 
automate at the time.
    Let me close by saying that, in general, the actions that 
are being taken now are important, valuable, and are making a 
difference. But given that these actions are being taken and 
the fact that the cyber skills gap continues to grow tells me 
that we must do more.
    In 1958, science education in America got a shot in the arm 
when the National Defense Education Act was passed the year 
after the Soviet satellite Sputnik was launched into outer 
space. This act helped launch a generation of students who 
would study math and science. So while we need to work very 
hard today to recruit and retain urgent cyber positions today 
and in the near future, I hope we can also consider the future 
of cyber space.
    How secure will it be? How will we defend it? Today's 
students will be responsible for designing, creating, 
operating, maintaining, and defending tomorrow's cyber 
infrastructure. We need a large and capable pool of folks to 
staff these positions for the future.
    Thank you again for allowing me to be here today. I look 
forward to your questions.
    [The prepared statement of Dr. Chang follows:]
                Prepared Statement of Frederick R. Chang
                           September 7, 2017
    Chairman Ratcliffe, Ranking Member Richmond, Members of the 
subcommittee, thank you for the opportunity to testify before you in 
today's hearing regarding the challenges associated with recruiting and 
retaining a cybersecurity work force. My name is Frederick R. Chang and 
I consider it an honor and a privilege to come before this 
subcommittee. I am the executive director of the Darwin Deason 
Institute for Cyber Security at Southern Methodist University (SMU) in 
Dallas, Texas. I am also the Bobby B. Lyle Centennial Distinguished 
Chair in Cyber Security, Professor in the Department of Computer 
Science and Engineering in SMU's Lyle School of Engineering, and a 
senior fellow in SMU's John G. Tower Center for Political Studies. 
Prior to coming to SMU, I have held academic positions at the 
University of Texas at San Antonio and at the University of Texas at 
Austin. I have worked in the private sector and have also served as the 
director of research at the National Security Agency. I would also 
mention that I served as a member of the CSIS Commission on 
Cybersecurity for the 44th Presidency.
    SMU is a Nationally-ranked private university in Dallas founded 
over 100 years ago. The university enrolls more than 11,000 students--
including about 5,200 graduate students--who all benefit from the 
academic opportunities and international reach of seven degree-granting 
schools. The Carnegie Foundation recognizes SMU as a university with 
``high research activity,'' which ranges across disciplines from 
particle physics at the Large Hadron Collider at CERN, to geothermal 
energy, to the science of human speed, to cybersecurity through the 
Bobby B. Lyle School of Engineering. SMU's Lyle School of Engineering, 
founded in 1925, is one of the oldest engineering schools in the 
Southwest. The school offers eight undergraduate and 29 graduate 
programs, including master's and doctoral degrees, through the 
departments of Civil and Environmental Engineering; Computer Science 
and Engineering; Electrical Engineering; Engineering Management, 
Information, and Systems; and Mechanical Engineering. Finally, the 
Darwin Deason Institute for Cyber Security is a research institute with 
the goal of advancing the science, policy, application and education of 
cybersecurity through basic and problem-driven, interdisciplinary 
research.
                             the new normal
    Early computer worms and viruses date back to the 1970's and 80's 
and while they were rare and experimental back then, as we fast forward 
to 2017, terms such as ``malware'', ``data breach'', ``phishing'' and 
``botnets'' are unfortunately all too common today. We are no longer 
surprised to read about the latest data compromise or cyber attack as 
they are sadly a regular occurrence. In fact, not long ago a technology 
company ran a series of television commercials depicting that it is 
newsworthy when there is not a data breach. The internet, high-
performance computing clusters, high-density storage, ultra high-speed 
communication links, the cloud, our laptops, and smart phones are 
technologies that we take for granted today. They are so integral to 
our personal and professional lives that it is hard to remember a time 
when we didn't have these technologies available to us. But in the 
larger scheme of things the technologies that comprise cyber space are 
young and changing at a stunning rate of speed. As we have become 
increasingly dependent on these technologies we have also come to 
understand just how vulnerable these technologies are to malicious 
attackers of many kinds. We have also come to understand the 
consequences of these security vulnerabilities to us personally, 
professionally, and to our National security.
    The source of today's cyber insecurity is multifaceted, involving 
technology, policy, law, economics, work force, and more. In my brief 
comments this afternoon, I will focus on the topic of today's hearing: 
The cybersecurity work force. One of the reasons why cyber intrusions 
are so prevalent today is that there is a lack of trained, qualified 
personnel to defend the Nation's cyber assets. This lack of trained 
personnel has been referred to as the ``cyber skills gap''.
                          the cyber skills gap
    Over the past several years there has been increasing concern about 
the cyber skills gap problem, and the extent to which this gap 
contributes to the Nation's challenge in defending cyber space, today 
and into the future. An image that comes to mind is from the child's 
game of whack-a-mole. Cyber defenders within an enterprise are 
stretched too thin, quickly moving from issue to issue in an effort to 
keep their networks secure. Two natural questions to ask are: How large 
is the problem? Is the problem going to get worse in the future? There 
have been a number of studies and reports on this topic and I have 
listed a few illustrative bullets points below that shed some light on 
these questions. I would hasten to add that perhaps more important than 
the specific numbers that are listed are the trends that they suggest.
   The size of the global cyber skills gap was estimated at 
        about 1 million people in a 2014 report.\1\ \2\
---------------------------------------------------------------------------
    \1\ Cisco 2014 Annual Security Report, Cisco Systems, San Jose, CA, 
2014.
    \2\ Cobb, S. Sizing the Cybersecurity Skills Gap: A White Paper, 
2016. Paper can be found here: http://cisosurvey.org/wp-content/
uploads/2016/10/sizing-cyber-skills-gap-v1a.pdf.
---------------------------------------------------------------------------
   The size of cyber skills gap globally will grow to about 1.8 
        million in 2022. This is 20 percent higher than an estimate 
        made 2 years earlier.\3\
---------------------------------------------------------------------------
    \3\ 2017 Global Information Security Workforce Study: Benchmarking 
Workforce Capacity and Response to Cyber Risk, report can be found 
here: https://iamcybersafe.org/wp-content/uploads/2017/07/N-America-
GISWS-Report.pdf.
---------------------------------------------------------------------------
   The size of the cyber skills gap in the United States was 
        estimated to be over 200,000 in 2015.\4\ The size of the cyber 
        skills gap is estimated to grow to about 265,000 in North 
        America by 2022.\3\
---------------------------------------------------------------------------
    \4\ Setalvad, A. Demand to fill cybersecurity jobs booming, 
Peninsula Press, March 31, 2015, report can be found here: http://
peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/.
---------------------------------------------------------------------------
   In the United States there were nearly 300,000 on-line job 
        listings for cybersecurity-related positions between April 2016 
        through March 2017, and the National average ratio of existing 
        cybersecurity workers to cybersecurity job openings is only 
        2.5, while the National average for all jobs is 5.6 according 
        to the website CyberSeek.\5\
---------------------------------------------------------------------------
    \5\ http://cyberseek.org/heatmap.html.
---------------------------------------------------------------------------
    In addition to the shortfall estimates above, it is instructive to 
look at some illustrative responses sampled from a variety of different 
surveys of different groups of cybersecurity professionals. The goal 
here is not to be exhaustive but rather to provide a perspective on 
some of the challenges facing enterprises as they address the 
challenges associated with hiring qualified cybersecurity workers.
    In one international survey, the North American respondents 
reported that they were not able to fill open cybersecurity positions 
about 26 percent of the time and that for all respondents, over a 
quarter of the time finding an appropriate person for the job can take 
up to 6 months. In the same survey, respondents reported that while 
they do receive quite a few applicants for each job opening, most 
applicants are viewed as unqualified--and this response is reflected by 
the North American respondents to the survey as well.\6\
---------------------------------------------------------------------------
    \6\ State of Cyber Security 2017, Part 1: Current Trends in 
Workforce Development, ISACA, 2017.
---------------------------------------------------------------------------
    In another survey that included only North American respondents 
(Information Technology (IT), and IT security professionals), 35 
percent reported that there is a shortage of IT security professionals 
at most every level, and 37 percent reported that there are lots of 
less experienced/trained people, but it is hard to fill the most-
skilled positions. In the same survey only 33 percent of respondents 
report that they have enough people to meet the threats they will face 
in the coming year and only 23 percent report that their security team 
is well-trained and up-to-date on the latest technologies and 
threats.\7\
---------------------------------------------------------------------------
    \7\ Chickowski, E. Surviving the IT Security Skills Shortage, Dark 
Reading Reports, May 2017.
---------------------------------------------------------------------------
    In a study we conducted at SMU we explored how organizations made 
cybersecurity investment decisions.\8\ We conducted semi-structured 
interviews with cybersecurity executives and managers from primarily 
four vertical sectors: Health care, financial, retail, and Government. 
Over 75 percent of the respondents were from U.S. organizations. 
Consistent with the findings reported above, our respondents reported 
that finding qualified cybersecurity talent was a key challenge. 
Sufficient budgets were often available for a particular cybersecurity 
project but that lack of availability of qualified personnel served as 
a limiting factor in budget requests. Respondents reflected that even 
though they had considerable professional networks from which to draw, 
they had difficulty finding the talent they needed.
---------------------------------------------------------------------------
    \8\ Moore, T., Dynes, S. & Chang, F. Identifying How Firms Manage 
Cybersecurity Investment. Paper presented at the 15th Annual Workshop 
on the Economics of Information Security, June 13-14, 2016 Berkeley, 
California.
---------------------------------------------------------------------------
    Finally, a theme that was highlighted in one of the earlier reports 
on the cyber skills gap emphasized the need for technical talent. 
Indeed this need is reflected in the report title: A Human Capital 
Crisis in Cybersecurity: Technical Proficiency Matters.\9\ A quote from 
the report describes the sentiment well: ``We not only have a shortage 
of the highly technically skilled people required to operate and 
support systems we have already deployed; we also face an even more 
desperate shortage of people who can design secure systems, write safe 
computer code, and create the ever more sophisticated tools needed to 
prevent, detect, mitigate, and reconstitute systems after an attack''.
---------------------------------------------------------------------------
    \9\ A Human Capital Crisis in Cybersecurity: Technical Proficiency 
Matters. A White Paper of the CSIS Commission on Cybersecurity for the 
44th Presidency, July 2010.
---------------------------------------------------------------------------
                        cyber students in demand
    The previous section provided some perspective on the size and 
nature of the cyber skills gap today and into the future and the trends 
are that the gap is large and challenging today and that it will worsen 
in the years ahead. As enterprises think through how they will staff to 
meet their cyber defense needs they will do well to think creatively 
and unconventionally as talent could well come from disciplines that 
are not traditionally associated with cybersecurity. Additionally, as 
cybersecurity becomes a higher priority within an enterprise, talented 
employees from different parts of the enterprise can and are being 
retrained to move into higher-priority cyber positions. In fact, we've 
offered an MS degree in Security Engineering for over a decade at SMU 
and that degree is popular with corporate employees who are interested 
in retraining themselves.
    For an enterprise it is clearly desirable to be able to hire 
highly-experienced professionals who can immediately perform at a high 
level, but due to the talent shortage and associated salary limitations 
that may not always be possible. An alternate strategy may be to 
strategically hire more junior talent and patiently grow the needed 
capability internally. Indeed in our own research \8\ some of our 
respondents expressed this perspective. So, in addition to the natural 
course of hiring college graduates for positions that are appropriate 
for their skill level, there is additional demand for cyber-capable 
college graduates. I am seeing this demand for our students at SMU as 
are my peers around the country for their students at their respective 
universities.
---------------------------------------------------------------------------
    \8\ See note, previous page.
---------------------------------------------------------------------------
    As part of our undergraduate computer science major, we've offered 
a security track for many years now in which students can take elective 
courses in security which allows them to emphasize cybersecurity as 
part of their undergraduate computer science major. We are seeing an 
uptick in the number of students who are pursuing this security track 
and we believe that when students pursue this track they very often go 
on to pursue a cybersecurity-related job upon graduation. In addition, 
anecdotally, we are seeing an uptick in the number of high-school 
seniors who plan to pursue cybersecurity in their undergraduate 
studies.
                           answering the need
    The cyber skills gap has been known about and discussed for many 
years now and over time, I've had my fair share of discussions with 
enterprise managers who are eagerly awaiting the arrival of more 
trained cyber defenders. As mentioned above these students are in high 
demand. While for many hiring managers the supply of students isn't 
arriving fast enough to meet the demand, there are many activities 
underway in the government, the private sector, and academia--often 
working together--that are helping to meet the demand. Let me touch on 
a few such activities below.
    Centers of Academic Excellence and Scholarships.--Historically the 
NSA/DHS Centers of Academic Excellence in Cyber Defense (CAE-CD) 
program (and extensions) have helped to jump start skill building in 
cybersecurity in higher education, by among other things, requiring the 
CAE-CD-designated universities to map their curriculum to specific 
information assurance knowledge units. Additionally the Government has 
funded scholarship programs (the NSF CyberCorps Scholarship for 
Service, and the Department of Defense, Information Assurance 
Scholarship Program) that have provided funding (tuition, books, 
stipend, etc.) for students to complete their cybersecurity education 
in return for service to the Government following graduation.
    Curricular guidance.--As more university capability, capacity, and 
programs are created to answer the need for more cyber defenders it 
will be important to have clear curricular guidelines that will assist 
in building these new programs. Cybersecurity is still a young field 
but is emerging as a distinct discipline. As universities compose new 
cybersecurity academic programs out of elements from computer science, 
computer engineering, information systems and the like, it will be 
extremely valuable to have comprehensive curricular guidance. The ACM 
(Association for Computing Machinery) Joint Task Force on Cybersecurity 
Education is in the process of creating this guidance and it is 
expected to be released later this year.\10\ Importantly it defines 
cybersecurity as an interdisciplinary area of study including elements 
from risk management, policy, human factors, law and more, but that 
fundamentally is a computing-based discipline.
---------------------------------------------------------------------------
    \10\ https://www.csec2017.org/.
---------------------------------------------------------------------------
    Cyber Competitions.--For over a decade now university students have 
been competing in a cybersecurity competition that is now known as the 
National Collegiate Cyber Defense Competition (NCCDC). The competition 
provides a challenging and motivating event in which students must 
defend a simulated small company network while operationally keeping 
services up and running while responding to business requests. 
Depending on how they do, points are scored and teams advance in the 
competition. The competition has grown in popularity over the years and 
now there are 10 regions across the country that compete, and the 
regional winners compete in a National finals event. At the National 
finals event, a National winner is crowned. Cyber competitions in 
general have become very popular, and there are now many in which to 
participate and they focus in different areas (cybersecurity, 
forensics, and capture-the-flag). With the increasing number of cyber 
competitions it is fair to ask about their educational impact.\11\ That 
said, cyber competitions provide a means to increase depth of technical 
knowledge in cybersecurity \12\ and there is some evidence that cyber 
competitions will attract individuals who will stay in the field a long 
time.\13\ At SMU there is a student-run security club where interested 
students meet to learn from each other and practice security concepts. 
A highlight for club members is to participate in cyber competitions 
including the NCCDC. The cyber competitions are popular with the 
students in part because they feel the competitions provide a valuable 
supplement to what they learn in class. Additionally, cyber 
competitions give students experience working as part of a team, and 
this is valuable when they graduate and join the work force. As the 
popularity of cyber competitions has continued to grow, they have moved 
into the K-12 domain as well.
---------------------------------------------------------------------------
    \11\ Fulton, S., Schweitzer, D., and Dressler, J. What Are We 
Teaching In Cyber Competitions? Frontiers in Education Conference 
(FIE), October 3-6, 2012.
    \12\ Manson, D., and Pike, R. The case for depth in cybersecurity 
education. ACM Inroads, Vol. 5, No. 1, pp. 47-52, March 2014.
    \13\ Tobey, D.H., Pusey, P., and Burley, D.L. Engaging learners in 
cybersecurity careers: lessons from the launch of the national cyber 
league, ACM Inroads, Vol. 5, No. 1, pp. 53-56, March 2014.
---------------------------------------------------------------------------
    Cyber summer camps.--Related to, but distinct from cyber 
competitions, are summer cybersecurity camps for K-12 students. For 
example, the GenCyber program, funded by NSA and NSF, offers a summer 
cybersecurity camp experience to middle and high school students, as 
well as teachers, in an effort to increase the pool of students who 
might go on to study cybersecurity in the United States. One of the 
goals of these summer camps is to teach students about cyber safe and 
correct on-line behaviors. Over the last several years, in keeping with 
the effort to get more K-12 students interested in the STEM (Science, 
Technology, Engineering, and Math) fields, among other things, SMU has 
conducted a Crime Scene Investigation (CSI) summer camp for middle 
schoolers. Students are introduced to the science, technology, and math 
behind CSI via expert presentations from real-world professionals and 
hands-on activities. For the past two summers we have added a 
cybersecurity module into the CSI curriculum.
    Augmenting human capability with technology.--Finally, there are 
some important efforts to augment human capability in cybersecurity via 
the use of technology. For example, there is promise in the use of 
advanced reasoning techniques to augment the human cyber expert by 
automating some portions of the cyber defense task (e.g., finding and 
fixing flaws in software). This was the goal of the recent DARPA Cyber 
Grand Challenge in which important advances were made in the ability to 
automate the process of detecting software vulnerabilities, creating an 
appropriate patch, and then applying that patch in real-time.\14\ To 
the extent that these, and other, difficult and time-consuming tasks 
can be automated, this will leave the time-limited human cyber expert 
more time to perform important analytic tasks that are not able to be 
automated at this time.
---------------------------------------------------------------------------
    \14\ https://www.darpa.mil/news-events/2016-08-04.
---------------------------------------------------------------------------
                              conclusions
    Many students I speak with are eager to join this new field and as 
mentioned previously we are seeing an uptick in that interest. I 
occasionally engage students in brief career-oriented discussions and a 
few themes emerge in these discussions as students think about their 
job choices that I thought might be relevant as we discuss recruiting 
and retaining top cyber talent.
    1. The students want challenging work. They are challenged in their 
        coursework to master difficult technical material, but also 
        exercise creativity in using those skills. They want nothing 
        less when they move into the workplace. They want to jump into 
        the game and show that they have what it takes.
    2. The students want to make a difference. As they evaluate 
        positions they will try to determine if the position will allow 
        them to make a difference--they want their efforts to have an 
        impact. Sure, salary will be a factor, but as one student 
        commented, for some they will choose ``mission over money''.
    3. The students want to keep their technical skills sharp. When 
        students graduate their technical skills are sharp and up-to-
        date. They understand that the computing and technological 
        landscape changes rapidly. They will want to work with the most 
        modern tools, with colleagues who they respect and from whom 
        they can learn, and in an environment that gives them 
        opportunities to refresh their technical skills.
    In closing, in my comments earlier I briefly mentioned a number of 
activities that the Nation is undertaking now in an attempt to help 
close the cyber skills gap including: Scholarships, new cybersecurity 
curricular guidance, cyber competitions, cyber summer camps, and 
technological advances that will augment human cyber capability. These 
activities are important, valuable, and are making a difference, but I 
believe we can and should do more. We now have a much better 
understanding of the constantly-changing nature of the cyber threat and 
the consequences of our cyber insecurity. Are there lessons to be 
learned from America's ``Sputnik moment'' nearly 60 years ago? 
Following the launch of the Soviet satellite Sputnik in 1957, science 
education got an infusion of funds of over a billion dollars in 1958 
when the National Defense Education Act was passed, and this helped 
launch a new generation of students who would to be motivated to go on 
to study math and science.\15\ The challenge to make cyber space more 
secure is a long-term, enduring problem. While we urgently need short-
term solutions to make available more cyber-trained workers to fill 
positions now and in the near-term, we also need to ask ourselves what 
will cyber space look like 10, 20, and 30 years from now--and how much 
more dependent will we be on it? Today's students will be responsible 
for designing, creating, operating, maintaining, and defending 
tomorrow's cyber infrastructure.
---------------------------------------------------------------------------
    \15\ Abramson, L. Sputnik Left Legacy for U.S. Science Education, 
All Things Considered, NPR, September 30, 2007. Story can be found 
here: http://www.npr.org/templates/story/story.php?storyId=14829195.

    Mr. Ratcliffe. Thank you, Dr. Chang.
    The Chair now recognizes Mr. Montgomery for his opening 
statement.

    STATEMENT OF SCOTT MONTGOMERY, VICE PRESIDENT AND CHIEF 
                 TECHNICAL STRATEGIST, MC AFEE

    Mr. Montgomery. Good afternoon, Chairman Ratcliffe, Ranking 
Member Richmond, and Members of the subcommittee. Thanks very 
much for the opportunity to testify today.
    I am Scott Montgomery, vice president and chief technical 
strategist of McAfee, one of the world's leading independent 
cybersecurity companies.
    Inspired by the power of working together, McAfee creates 
enterprise, Government, and consumer solutions that make the 
world a safer place.
    As a group, we have studied this well-documented work force 
shortage for several years now and we need to do something 
about it immediately. Following are some recommendations for 
training and incentivizing more people and also using 
technology to help fill the gap.
    First, we should expand programs that are working today, 
such as the NSF CyberCorps Scholarship for Service Program 
which manages to retain an impressive 80 percent of its 
graduates as workers for the Federal Government. We should also 
consider expanding this program to focus on community colleges. 
These institutions tend to attract a diverse variety of 
students, including recent high school grads, but also 
returning veterans and other adult students who might be 
working full or part time.
    I want to recognize full committee Chairman McCaul's Cyber 
Scholarship Opportunities Act and its Senate counterpart that 
was recently voted out of committee. Both require the NSF 
program to include students pursuing an associate's degree in 
cybersecurity without the intent of transferring to a 4-year 
institution.
    The public sector as well as the private sector have thorny 
challenges in attracting and retaining cybersecurity talent. At 
the very high level, there are three categories of Government 
cyber professionals. There are operators, the people who 
implement and keep security technology running, researchers who 
explore the latest in cyber defense, and finally analysts, 
experts that can respond to an event in the first few minutes. 
It is this third area where Government and the private sector 
have the most serious need.
    Congress gave DHS expedited hiring authority for 
cybersecurity 3 years ago, an authority that could address many 
of the suggestions. It is incumbent upon the Department not 
only to move these plans forward, but also to come up with 
creative ways to address the known pay disparity between the 
public sector and the private sector. Whether this is through 
accelerated grades or accelerated retirement packages, there 
has to be some creative way where we can address the pay 
disparity.
    We should also explore creative ways to enable the public 
and private sectors to share talent. Adversaries are constantly 
innovating and changing course. It is unrealistic to think that 
Government cyber practitioners will be able to keep up with a 
rapidly-evolving environment by themselves.
    We should design a mechanism for cyber professionals to 
move back and forth between the public and private sector so 
that the Government organizations would have a continual 
refresh of expertise, much like the National Guard.
    We should work quickly to solve this cyber work force 
challenge. But in the mean time, while we still have this gap, 
we must rely on technology, such as moving to the cloud and 
using automation wisely. We can automate lower-level tasks, 
freeing up personnel to serve in key roles that humans can best 
fill. Those are the analysts who can use creative insight to 
determine why an attacker might have chosen a particular attack 
method or target or how best to respond to an incident.
    When considering the role of security technologies, it is 
important to understand the market-like forces that drive the 
effectiveness of cybersecurity defense. Information 
technologies continuously improve over time.
    Paradoxically, cyber defense do not follow this pattern. 
Their effectiveness peaks shortly after release and degrades 
quickly thereafter. When a new defensive capability is first 
released, adversaries don't take much notice. But once it is 
deployed at scale, they adopt evasion tactics and 
countermeasures causing the effectiveness to degrade 
significantly.
    We also see the current paradigm of constant integration of 
point products as ineffective and unsustainable, particularly 
given the substantial number of cyber professionals needed to 
knit together these disparate systems. Not only are technology 
efficiencies already declining by the time the lengthy 
acquisition and deployment cycles are complete, but 
organizations are unable to deal with the complexity of what 
they have acquired and deployed.
    An approach where technology enabled with strong 
collaboration can be deployed rapidly to security platforms 
using open-source communication means as required. Both the 
public and private-sector organizations need their tools to 
utilize these kinds of open-source communication mechanisms.
    No single industry partner can cover the vast spectrum of 
security and privacy problems or catch every issue every time. 
Only by working collaboratively in the private and public 
sectors can we defeat cyber attackers.
    I look forward to our discussion and would be happy to 
answer any questions. Thank you.
    [The prepared statement of Mr. Montgomery follows:]
                 Prepared Statement of Scott Montgomery
                           September 7, 2017
    Good afternoon, Chairman Ratcliffe, Ranking Member Richmond, and 
Members of the subcommittee. Thank you for the opportunity to testify 
today. I am Scott Montgomery, vice president and chief technical 
strategist of McAfee, LLC.
    I am pleased to address the subcommittee on the challenges of 
recruiting and retaining a cybersecurity work force. My testimony will 
address the broad contours of the cybersecurity skills shortage, both 
in the public and private sectors, and what we can do about it. One 
involves people: Training more, broadening our perception of what 
attributes and skills are needed, and incentivizing Government 
investments in cyber specialists. The other involves technology: Moving 
to the cloud, using automation wisely, and encouraging industry to move 
to interoperable platforms.
    First, I would like to provide some background on my experience and 
McAfee's commitment to cybersecurity. I help drive the company's 
technical innovation, evangelize our expertise, thought leadership, and 
offerings to public and individual audiences; and work to increase the 
public trust by cooperating with law enforcement on cyber criminal 
investigations and disruption. With more than 20 years in content and 
network security, I bring a practitioner's perspective to the art and 
science of cybersecurity. I have designed, built, tested, and certified 
information security and privacy solutions for such companies as 
McAfee, Secure Computing, and on behalf of a wide variety of public-
sector organizations.
                  mcafee's commitment to cybersecurity
    McAfee is one of the world's leading independent cybersecurity 
companies. Inspired by the power of working together, McAfee creates 
business and consumer solutions that make the world a safer place. By 
building solutions that work with other industry products, McAfee helps 
businesses orchestrate cyber environments that are truly integrated, 
where protection, detection, and correction of threats happen 
simultaneously and collaboratively. By protecting consumers across all 
their devices, we secure their digital lifestyle at home and away. By 
working with other security players, we are leading the effort to unite 
against State-sponsored actors, cyber criminals, hacktivists, and other 
disruptors for the benefit of all.
                      the cybersecurity skills gap
    In 2016 the Center for Strategic and International Studies (CSIS) 
and McAfee undertook a study titled Hacking the Skills Shortage based 
on a global survey of IT professionals. Some of the findings about the 
cybersecurity talent gap include:
   82 percent of those surveyed reported a lack of 
        cybersecurity skills within their organization.
   71 percent agreed that the talent shortfall makes 
        organizations more vulnerable to attackers, and 25 percent say 
        that lack of sufficient cybersecurity staff has actually 
        contributed to data loss or theft and reputational damage.
   The most desirable skills cited in all 8 countries surveyed 
        were intrusion detection, secure software development, and 
        attack mitigation.
   76 percent of respondents say their governments are not 
        investing enough in programs to help cultivate cybersecurity 
        talent and believe the laws and regulations for cybersecurity 
        in their country are inadequate.
    Since that July study, the numbers haven't improved any. According 
to a recent Global Information Security Workforce Study, the 
cybersecurity work force shortage is projected to reach 1.8 million by 
2022. The cybersecurity skills shortage is equally troublesome in the 
Federal Government. Tony Scott, the Federal Government's former CIO, 
said in a GovLoop article, ``There are an estimated 10,000 openings in 
the Federal Government for cyber professionals that we would love to 
fill, but there's just not the talent available.'' Given the vital role 
such Government agencies as the Departments of Defense and Homeland 
Security as well as the intelligence agencies play in protecting the 
United States, this skills gap is disquieting and merits attention from 
policy makers.
    None of this is news. We've studied this work force shortage for 
several years now, and if we're serious about its importance we need to 
do something about it immediately. Following are some recommendations 
for training and incentivizing more people and also using technology to 
help fill the gap.
                   train and cross-train more people
Expand the Current CyberCorps Program
    First, we need to focus on expanding existing programs that train 
people in the cybersecurity field. For example, The CyberCorps 
Scholarship for Service (SFS) program is designed to increase and 
strengthen the cadre of Federal information assurance specialists that 
protect Government systems and networks. The program is structured so 
that The National Science Foundation (NSF) provides grants to about 70 
institutions across the country to offer scholarships to 10-12 full-
time students each. With this structure, students get free tuition for 
up to 2 years in addition to annul stipends--$22,500 for undergraduates 
and $34,000 for graduate students. They also get allowances for health 
insurance, textbooks, and professional development. Some universities 
also partner with the Department of Homeland Security (DHS) on these 
programs.
    Generally, students must be juniors or seniors and must qualify for 
the program by attaining a specific GPA, usually at least a 3.0 or 
higher. Upon completing their coursework and a required internship, 
students earn a degree, then go to work as security experts in a 
Government agency for at least the amount of time they have been 
supported by the program. After that, they can apply for jobs in the 
public or private sector.
    With additional funding, the CyberCorps SFS program could be 
expanded to more institutions and more students within each of those 
schools. To date, the Federal Government has made a solid commitment to 
supporting the SFS program, having spent $45 million in 2015, $50 
million in 2016, and the most recent administration's budget requesting 
$70 million. As a baseline, an investment of $40 million pays for 
roughly 1,500+ students to complete the scholarship program.
    With the cyber skills deficit being substantial, policy makers 
should significantly increase the size of the program, possibly 
something in the range of $180 million. If this level of funding were 
appropriated, the program could support roughly 6,400 scholarships. 
This investment would make a dent in the Federal cyber skills deficit, 
estimated to be in the range of 10,000 per year. At the same time, this 
level of investment could help create a new generation of Federal cyber 
professionals who could serve as positive role models for a countless 
number of middle and high school students across the country to 
consider the benefits of a cyber career and Federal service. On a long-
term scale, this positive feedback loop of the SFS program might be its 
biggest contribution.
Create a Community College Program
    While the CyberCorps program serves college juniors and seniors who 
are already well along the learning path, we believe another program, 
or an expansion of the SFS program, could seek to attract high school 
graduates who don't yet have specific career aspirations. Private 
companies could partner with a community college in their area to 
establish a course of study focusing on cybersecurity. The Federal 
Government could fund all or part of the tuition remission for 
students. Interested students would be taught both by college faculty 
and private-sector practitioners. For example, an IT company could 
offer several faculty members/guest lecturers who would participate 
during a semester. Students would receive free tuition--paid by a 
Federal program, perhaps with private-sector contributions--but they 
would not receive a stipend for living arrangements, as 4-year college 
students do in the CyberCorps program. Students would receive a 2-year 
certificate in cybersecurity that would be transferrable to a 4-year 
school. Like the CyberCorps program, graduates would spend the same 
amount of time as their scholarship period, working in a guaranteed 
Government job.
    Community colleges tend to attract a variety of students--including 
recent high school graduates but also returning veterans and other 
adult students who might have pursued other careers or might even be 
working full- or part-time. The community college option could also 
further ethnic and racial diversity in a cyber program--something that 
is badly needed. This diversity would be a plus rather than a minus for 
the cybersecurity profession, as the field requires a diverse set of 
skills and individuals. Not all of these skills are strictly technical, 
and for those that are technical, not all require high levels of formal 
education. You don't need a Ph.D.--or even a bachelor's degree--to work 
in cybersecurity. For instance, a 4-year degree is not necessarily 
required to work in a security operations center (SOC). As pointed out 
earlier, a strong security operation requires various levels of skills, 
and having a flexible scholarship program at a community college could 
benefit a wide variety of applicants while providing the profession 
with other types of necessary skills.
Encourage Cultural Changes to Close the Cyber Skills Gap
    As cybersecurity is one of the greatest technical challenges of our 
time, we need to be creative in attracting more people to the work 
force. One of the ways we can do this is by changing our way of 
thinking about the industry. Cybersecurity professionals can--and do--
have broad and varied backgrounds. Diverse skills and experience can 
enable them to examine problems from a different perspective, bringing 
creativity rather than just linear thinking to cyber problems and 
solutions. The legacy tech innovator Bell Labs proved that diverse 
teams produce more creative, high-quality products. Likewise, a diverse 
incident response team can benefit from look at cyber incidents and 
responses from a multitude of perspectives.
    We must also address the gender and diversity gap, which would help 
alleviate the skills gap. In North America, women constitute only 14 
percent of the information security work force, according to a Women in 
Cybersecurity report by the Executive Women's Forum and (ISC). The 
numbers are even worse for African Americans, who comprise only 3 
percent of information security analysts in the United States, 
according to the Bureau of Labor Statistics figures cited in an article 
in Forbes. Research on large, innovative organizations has shown that 
gender and racial diversity improves the organizations' financial 
performance. The title of this article in Scientific American states 
the case well: How Diversity Makes Us Smarter: Being around people who 
are different from us makes us more creative, more diligent and harder 
working. McAfee believes we need to focus on hiring a diverse work 
force, which will in turn make us an even stronger company.
Pass Legislation like the ``Cyber Scholarship Opportunities Act of 
        2017''
    I'd also like to take a moment to applaud the recently approved 
``Cyber Scholarship Opportunities Act of 2017'' that was passed through 
the Senate Commerce, Science, and Transportation Committee, as well as 
Chairman McCaul's ``Cyber Scholarship Opportunities Act of 2017.'' Both 
bills require the SFS program to include students pursuing an 
associate's degree in a cybersecurity field without the intent of 
transferring to a bachelor's degree program, people who have a 
bachelor's degree already, or people who are veterans of the Armed 
Forces.
    This is encouraging news for closing the skills gap at the operator 
and junior analyst levels. McAfee supports these bills and hopes they 
get signed into law. However, there is still more work to be done. The 
Senate bill directs the NSF to provide awards to improve cybersecurity 
education and increase teacher recruitment. We hope the Senate 
considers those with hands-on cybersecurity experience as potential 
candidates for teaching.
The Thorny Problem of the Government's Gap
    The cybersecurity skills gap also extends to Government. Quite 
simply, the public sector can't keep up with the private sector in 
terms of pay scale and benefits. We have to change that to be able to 
attract and retain excellent cyber professionals in the public sector. 
To date, the SFS program has been particularly effective in adding to 
cybersecurity talent in the Government. While all graduates are 
required to begin their careers by serving in the Government, an 
impressive 70 percent, according to NSF, actually remain in Government 
jobs. I'd like to unpack this issue a bit and distinguish between 
different types of cyber professionals in Government organizations.
    At a very high level, there are three categories of cyber 
professionals. First there are operators--the people who implement the 
security technology and keep it running in systems and networks. You 
don't need a Ph.D. in computer science to fill an operator role, and in 
fact the Government has a good supply of such people either directly or 
through contractors. Then there are researchers, people who explore the 
latest in cyber defense. Again, the Federal Government is well-served 
here by labs in the Department of Defense, DARPA, IARPA, and the 
intelligence community. The third category is analysts--the people who 
can respond to a breach in the first few minutes and conduct the 
necessary analytical work to understand the implications of an attack 
and develop a remediation plan. This is the area where the Government 
has the most serious need and where they need people who are not just 
technically trained but also astute and creative problem solvers.
    In order to attract this kind of talent, the Federal Government 
needs to find ways to incentivize people and reduce obstacles to them 
serving in cybersecurity positions. The salary issue cannot be 
overlooked, as this is a major incentive for most professionals--
especially in the most sought-after areas of IT like cybersecurity. 
Government needs to offer competitive salaries, and if that's not 
possible, Government should offer better retirement packages to be more 
on a par with the private sector. Alternatively, agencies could offer 
cybersecurity personnel the ability to up-level their positions (e.g., 
from a GS12 to a GS13) more quickly than usual.
    Congress gave DHS expedited hiring authority for cybersecurity 3 
years ago--an authority that could address many of these suggestions. 
It's incumbent upon the Department to move these plans forward as soon 
as possible.
    Another impediment to getting cybersecurity personnel where they 
need to be in Government agencies has to do with clearances. Often an 
agency will require an advanced clearance to enter a facility when, in 
fact, many of the systems don't house Classified data. As there's a 
limited number of personnel with high-level security clearances--and as 
it takes a long while to get one--this also contributes to the 
cybersecurity talent shortage in Government. Expediting the vetting 
process and carefully reviewing which clearances are truly necessary to 
work on a system, while still protecting National security, would both 
be steps in the right direction.
    Another topic that deserves attention is the need to review and 
declassify materials over time. This merits a lot more study, and I 
know there are efforts within the Defense Department, in particular, to 
better determine what data actually needs to be Classified and for how 
long. If data were to be declassified more quickly, more cybersecurity 
professionals with lower or no clearances would be able to be of 
service.
                public-private sector cross-pollination
    We must also develop creative approaches to enabling the public and 
private sectors to share talent, particularly during significant 
cybersecurity events. Cybersecurity is a rapidly changing area, and 
what's valid today might well be superseded tomorrow. We know that the 
adversary is constantly innovating and changing course, often reacting 
to new defensive capabilities the private sector develops. It's 
unrealistic to think that Government cyber practitioners would be able 
to keep up with such a rapidly-evolving environment without private-
sector assistance. We should design a mechanism for cyber 
professionals--particularly analysts or those who are training to 
become analysts--to move back and forth between the public and private 
sector so that Government organizations would have a continual refresh 
of expertise.
    One way to accomplish this would be for DHS to partner with 
companies and other organizations such as universities to staff a cadre 
of cybersecurity professionals--operators, analysts, and researchers--
who are credentialed to move freely between public and private-sector 
service. These professionals, particularly those in the private sector, 
could be on call to help an impacted entity and the Government respond 
to a major hack in a timely way. Both Government and private-sector 
cybersecurity professionals would benefit from regular job rotations of 
possibly 2 to 3 weeks each year. This type of cross-pollination would 
help everyone share best practices on technology, business processes, 
and people management. DHS should include a flexible, public-private 
pool of certified professionals in its plan to rewrite its 
cybersecurity hiring and retention plan. If DHS is not ready to act, 
Congress should establish a blue-ribbon panel of public and private-
sector experts to study how a flexible cadre of cybersecurity 
professionals could be started and managed. Much like the National 
Guard, a flexible staffing approach to closing the skills could become 
a model of excellence.
             how technology can help alleviate the problem
    Even though we should work hard and think creatively to fill it, 
the cyber skills gap won't be closed any time soon. In the mean time, 
we must rely technology more and more.
Moving to the Cloud
    Both the Government and industry are moving their IT operations to 
the cloud. Last year, McAfee surveyed over 2,000 professionals for our 
annual cloud security research study, Building Trust in a Cloudy Sky: 
The State of Cloud Adoption and Security. We found that hybrid cloud 
adoption tripled in the last year, increasing from 19 percent to 57 
percent in organizations surveyed. Additionally, IT executives believed 
their IT budget would be 80 percent cloud-based within an average of 13 
months, and 73 percent of companies are planning to move to a fully 
software-defined data center within 2 years.
    Here's the relevance to the work force shortage: As more 
organizations move to the cloud, the cloud providers rather than the 
organizations are delivering a baseline of foundational technology--
hardware, operating systems, and so forth. This reduces the overall 
amount of labor that an organization's IT and information security 
staff needs to exert, leveraging cloud's inherent economies of scale. 
However, the move to the cloud will not, by itself, close the cyber 
skills gap in the short run; there are just too many open slots to 
fill. Indeed, our recent cloud study also found that 49 percent of 
businesses are currently delaying cloud deployment due to a 
cybersecurity skills gap. Nevertheless, the move to the cloud will help 
reduce the labor shortage; it will just take more time to pay off as 
more organizations off-load their IT environments to cloud providers.
Human-Machine Teaming
    One strategy for addressing the cybersecurity skills deficit is to 
use automation--through such solutions as machine learning and 
artificial intelligence. Legacy IT systems, however--like many of those 
in the Federal Government--lack the ability to take advantage of the 
most contemporary security architectures and development techniques. 
While it is possible to isolate or wrap security around a legacy 
system, the approach is far inferior to a well-designed secure 
implementation designed for the security challenges of 2017 and beyond.
    This speaks to the need for investments in IT modernization and 
modern cybersecurity solutions, which the President's Executive Order 
addresses. We support these much-needed policy changes, which will 
allow for better use of automation, or machine learning.
    The ideal situation for now is what McAfee calls human-machine 
teaming. This means taking advantage of the particular strengths of 
each. Machine learning can save security teams both time and energy, as 
it is the fastest way to identify new attacks and push that information 
to endpoint security platforms. Machines are excellent at repetitive 
tasks, such as making calculations across broad swaths of data. That's 
one of the strengths of machine learning: Its ability to crunch big 
data sets and draw statistical inferences based on that data, detecting 
patterns hidden in the data at rapid speed.
    Humans, on the other hand, are best at insight and analysis (the 
cybersecurity analysts referred to earlier). With the assistance of 
machine learning, human analysts can devise new defenses quickly, 
adapting to attackers' automated processes and limiting their 
effectiveness. The human intellect is capable of thinking like an 
adversary and understanding a scenario that might never have been 
executed in any environment previously. Machines can take over some 
simple processes, automating them so the humans can be free to 
understand context and implication, such as why a bad actor might want 
to attack a Government agency.
Fostering Interoperability
    When considering the role of security technologies, it's important 
to understand the market-like forces that drive the effectiveness of 
cybersecurity defense. Most information technologies continuously 
improve over time. Paradoxically, cyber defense technologies do not 
follow this pattern. Their effectiveness peaks shortly after release 
and then degrades. When a new defensive capability is first released, 
bad actors take little notice, but once deployed at scale, they adopt 
evasion tactics and counter-measures, causing the effectiveness to 
significantly degrade.
    Where does that leave us? We see the current paradigm of constant 
integration of point products--individual software applications--as 
ineffective and unsustainable, particularly given the substantial 
number of cyber professionals needed to knit together disparate 
systems. Not only are technology efficiencies already declining by the 
time the lengthy purchase and integration cycles are complete, but 
organizations are unable to deal with the complexity of supporting 
upwards of 30 or 40 independent tools and technologies. That's a losing 
game, but it's the one security practitioners find themselves playing.
    We need a different approach where technology--enabled with strong 
collaboration--can be deployed rapidly to security platforms so they 
can communicate with each other over open communication protocols. 
Organizations in both the public and private sector need security tools 
that are interoperable and interchangeable to protect against existing 
and prospective threats. As cybersecurity solutions become 
interoperable, they become more efficient and cost-effective. They also 
become easier to maintain than a IT environment of disparate systems, 
the classic IT hair ball. Over time, more interoperable cybersecurity 
systems will contribute to closing the skills gap as they get more 
widely deployed. We call on the cybersecurity industry to design 
technology to an open standard, on an open platform, so customers are 
not locked into proprietary technologies that don't work with each 
other or allow for change.
    McAfee has taken a major step toward fostering interoperability by 
opening our Data Exchange Layer (DXL)--a communications fabric that 
enables unprecedented collaboration in an open-source, real-time 
system--to other developers and vendors to use at no expense. OpenDXL--
is at the core of our mission to enable security devices to share 
intelligence and orchestrate security operations at rapid speed. As of 
today, there are 13 companies connected to the DXL ecosystem, 12 others 
in testing or development, and 14 additional companies in the design 
phase.
    OpenDXL is a big part of what we mean by Together Is Power. No 
single industry partner can cover the vast spectrum of security and 
privacy problems. No single industry partner will catch every issue 
every time. Only by working collaboratively in the private and public 
sectors can we defeat cyber attackers. This means bringing the best 
ideas, the best technologies and the best people to bear on our common 
security problem. It means leveraging technologies guided by the 
strategic intellect that only humans can provide. And to ensure that we 
have enough human intellect to work with our continually evolving 
technology, we need to encourage more people from diverse backgrounds 
to enter the cybersecurity field, train them, and--particularly in the 
case of Government--reward them.
    I look forward to our discussion and will be happy to answer any 
questions.

    Mr. Ratcliffe. Thank you, Mr. Montgomery.
    The Chair now recognizes Dr. Papay for 5 minutes for his 
opening remarks.

     STATEMENT OF MICHAEL PAPAY, VICE PRESIDENT AND CHIEF 
         INFORMATION SECURITY OFFICER, NORTHRUP GRUMMAN

    Mr. Papay. Thank you, Chairman Ratcliffe, Ranking Member 
Richmond, and Members of the subcommittee for hosting today's 
important hearing.
    As our Government, military, and society become 
increasingly dependent upon digital technology, it is a 
National and economic security imperative to ensure that we 
have a cyber-trained work force to meet this demand.
    My name is Dr. Michael Papay and I am the vice president of 
cyber initiatives and the chief information security officer 
for Northrop Grumman, the leading cyber provider across the 
Federal Government.
    As critical as technology is, at Northrop Grumman, we 
firmly believe that our employees are the single-most important 
aspect of cybersecurity, and we have made it a top priority to 
not only support the development of a larger cyber-qualified 
work force globally, but also to increase its diversity.
    Like DHS and the Federal Government, Northrop Grumman can 
offer prospective employees something unique, the opportunity 
to do really exciting, cutting-edge work that is vital to our 
National security. For many cyber professionals, it is this 
sense of mission that drives them.
    In 2012, I had the privilege of participating in the 
Homeland Security Advisory Council Task Force on Cyber Skills. 
I applaud DHS for adopting many of the task force 
recommendations, including additional cyber training which 
Northrop Grumman provided to hundreds of DHS employees. 
Northrop Grumman has also incorporated the majority of 
recommendations into our internal cyber work force strategy.
    At Northrop Grumman, we look at the continuum of education 
from elementary school through the professional ranks to build 
a diverse, highly-skilled work force. The Northrop Grumman 
Foundation is honored to be the presenting sponsor of the Air 
Force Association's CyberPatriot Program, a youth, teen cyber 
defense competition which boasted over 4,400 teens from all 50 
States last year. While most STEM programs report a female 
participation rate around 12 percent, I am especially proud 
that CyberPatriot boasts 23 percent female participation.
    Northrop Grumman is actively engaged with universities 
across the country to help to develop curriculum, fund hands-on 
student research and development projects and educate future 
cyber professionals. Because cyber is such a complicated and 
dynamic challenge, we need a work force that brings with it a 
diversity of thought, culture, education, experience, and 
problem solving. Diversity drives innovation and breeds 
success.
    Therefore, in many cases, we are specifically targeting 
investments to increase the participation of women and 
underrepresented groups in the cyber profession. For example, 
cyber scholars at the University of Maryland, Baltimore County, 
and the Cyber Warrior Diversity Program at Morgan State 
University and Coppin State University.
    As part of our retention efforts and to support their 
growth, we rotate cyber professionals around the company to 
keep them engaged and challenged while also offering on-going 
educational and training opportunities. We even developed our 
own in-house cyber academy to provide our employees, customers, 
and even policy makers with the macro understanding and 
technical skills cyber often requires.
    A few final thoughts to leave the committee with. On 
clearances, beyond just a shortage of cyber professionals, 
there is also a lack of cleared cyber professionals. We need to 
figure out ways to improve the clearance process to ensure that 
both the Federal Government and contractors have the cleared 
employees to do all the critical National security work that is 
required.
    More cyber-trained Federal employees. Cyber training across 
the Federal Government is inconsistent. The Federal Government 
as a whole needs to put a greater emphasis on ensuring its 
employees have the cyber understanding and tools to effectively 
and securely do their jobs.
    Increased partnerships and coordination. There is no single 
answer to addressing the shortage of cyber workers. Continuing 
to work across academia, Government, and industry is essential 
to leveraging investments, best practices, and collectively 
working together to ensure that our great Nation continues to 
securely grow and prosper in this increasingly digital age.
    I would be happy to answer any questions. Northrop Grumman 
looks forward to working with the subcommittee on this effort. 
Thank you again.
    [The prepared statement of Dr. Papay follows:]
                  Prepared Statement of Michael Papay
                           September 7, 2017
    Thank you Chairman Ratcliffe, Ranking Member Richmond, and Members 
of the House Homeland Security Subcommittee on Cybersecurity and 
Infrastructure Protection for holding today's hearing on the critical 
topics of attracting, retaining, educating, and training our Nation's 
cyber work force. As our Government, military, and society overall 
become increasingly dependent upon digital technology, it is a National 
AND economic security imperative to ensure that we have the cyber-
trained work force to meet this demand.
    My name is Dr. Michael Papay and I am vice president of cyber 
initiatives and chief information security officer (CISO) for Northrop 
Grumman, a leading cyber provider across the Federal Government and 
producer of innovative solutions from autonomous systems to strike 
platforms to space products. Given the often sensitive and critical 
National security nature of our work; it is absolutely essential for 
resilient cybersecurity to be a key component to all that we do. From 
original code, to hardware, to uninterrupted mission performance while 
enduring cyber threats, our customers trust us to deliver systems that 
enable them to confidently execute the mission in any environment, 
including cyber space. We are proud of our strong reputation earned 
through 70 years of integrity, innovation, dedication to the customer, 
and a proven track record of performance. As important as technology 
is, at Northrop Grumman we firmly believe that our employees are the 
single most important aspect of cybersecurity. Therefore, we have made 
it a top priority to not only support the development of a larger cyber 
qualified work force globally but also to increase its diversity.
    Thank you again for having me here today and I hope that my 
testimony is useful. I look forward to your questions.
                   attracting and retaining employees
    Northrop Grumman is at the forefront of cyber research, 
development, and technology, and it is our people that make this 
possible. While Northrop Grumman, like the DHS and the Federal 
Government, must continue to work to overcome a perception hurdle for 
cyber talent--we can offer prospective employees something unique--the 
opportunity to do really exciting, cutting-edge work that is vital to 
our National security. For many cyber professionals (and employees 
across Northrop Grumman and the Federal Government) it is this sense of 
mission that drives them.
    As part of our effort to ensure that our cyber employees are 
continually challenged and provided opportunities for growth, we move 
them around inside the company from customer to customer, tough problem 
to tough problem. We utilize rotational programs that expose and train 
our cyber work force in defending our network, enabling our customers' 
missions, and supporting full spectrum cyber operations. We work with 
employees to help them create their own growth along the cyber career 
path, give them the time to take the training necessary to maintain 
their certifications, and keep their knowledge and skills fresh. We 
even offer educational assistance in some instances.
    To provide our employees, customers, and even policy makers with 
the macro understanding and technical skills cyber often requires, 
Northrop Grumman created its own, in-house ``Cyber Academy''. We also 
utilize a matrix model for customer mission support and employee 
development--allowing us to hire for critical skills and redeploy our 
talent across programs. We are committed to providing positions that 
work best for our employees by allowing flexible work schedules and 
opening up work locations in customer-approved non-traditional cyber 
hubs throughout the country to broaden our talent pool.
    At Northrop Grumman, we are focused on attracting all those who are 
interested and qualify through a sense of mission, passion for solving 
complex challenges, and desire to work on cutting-edge technologies 
that they are unable to do anywhere else in the world.
     partnering with the federal government and dhs cyber training
    In 2012, I had the privilege of participating in the Homeland 
Security Advisory Council Task Force on CyberSkills, an initiative that 
was launched to help develop a National security work force as well as 
enable DHS to recruit and retain its own cyber talent. I applaud DHS 
for adopting many of the Task Force's recommendations. At Northrop 
Grumman, I am pleased to note that we have incorporated the majority of 
these recommendations as part of our internal cyber work force 
strategy. Members of my team also participated in the DHS Cyber 
Education and Workforce Development Working Group and then the NIST 
National Initiative for Cybersecurity Education (NICE). Northrop 
Grumman representatives are members of both the Collegiate Working 
Group and the K-12 Working Group. Our engagement brings industry 
perspective in full collaboration with Government and academia. We also 
contribute to the NIST NICE Workforce 2.0 model which creates a 
framework for professionalization of the cyber career.
    Partnering with our Federal Government customers on cyber work 
force education and training is critical to supporting a National 
security mission and our mutual success. One of the key findings of the 
CyberSkills Task Force was the need to provide more cyber training to 
DHS employees and I am pleased that Northrop Grumman has helped support 
this initiative. Starting in 2014, as part of our National 
Cybersecurity & Communications Integration Center (NCCIC) contract, we 
began using 39 cyber training courses to help DHS employees increase 
their efficiency and improve retention. Our training program heavily 
leveraged our internal Northrop Grumman Cyber Academy for a large 
portion of the course content and developed a three-level competency 
model. Hundreds of DHS employees received targeted training ranging 
from how to review cyber threat analysis reports to effectively 
coordinating with partners. Northrop Grumman cyber practitioners 
provided advice and guidance on National-level cyber security policy as 
well as implementation and support of new or existing technical 
solutions to enhance the mission. These training plans aligned to Cyber 
Skills and Cyber Pay initiatives, with incentives tied to requisitions 
and future hirings.
              northrop grumman cyber workforce development
    Growing a cyber work force from the ground up begins with inspiring 
youth to pursue this field. At Northrop Grumman and for our customers, 
in working to build a cyber work force, we look at the continuum of 
education--from elementary school through the professional ranks--and 
are collaborating with academia and organizations world-wide to help 
address this issue and build a diverse, highly-skilled work force.
    For more than 7 years--Northrop Grumman has partnered with the Air 
Force Association to present the CyberPatriot National Youth Cyber 
Education Program. CyberPatriot is one of our most successful and 
impactful initiatives and features the wildly popular annual cyber 
defense competition. It started in 2009 with 8 teams and I'm proud to 
say over 4,400 teams participated this past year from all 50 States, 
Canada, and Department of Defense Dependent Schools in the Pacific and 
Europe. Given the fact that teams average about 5 students, we are 
reaching tens of thousands of youth each year who are learning how to 
harden and protect computers and networks. A full 87 percent of 
CyberPatriot participants go on to pursue STEM degrees in college. In 
addition to deep technical skills, the students, through the program 
structure, their mentors and hands-on experience, also develop their 
talents in cyber ethics, collaboration, communication, and leadership--
all life skills that enhance their career readiness. Northrop Grumman 
has awarded more than $350,000 in scholarships to winning teams. Like 
others in industry and Government, the company has employed these high 
school students as paid summer interns, more than 300 to date, working 
side-by-side with our cyber professionals. Many of these interns have 
stayed with Northrop Grumman, returning summer after summer for paid 
internships through high school and then college. While most STEM 
programs report a female participation rate around 12 percent, I am 
especially proud that CyberPatriot boasts 23 percent female 
participation! None of this could be accomplished without the academic 
partner of the program, the University of Texas San Antonio's Center 
for Infrastructure Assurance and Security. To that end, we have found 
that you cannot only focus on higher education or at the high school 
level. In many cases, students have already decided upon their desired 
field by the 5th or 6th grade. Therefore, the earlier you can expose 
students to STEM topics in an engaging and exciting way as we do with 
the CyberPatriot Elementary School Cyber Education Initiative, the 
greater likelihood they will pursue a STEM path.
                        university partnerships
    Northrop Grumman is actively engaged with universities across the 
country to provide an industry perspective on cyber curriculum and 
degree programs to prepare students for real-world challenges. We 
helped launch the Nation's first cyber honors program at the University 
of Maryland--College Park called ACES, the Advanced Cybersecurity 
Experience for Students. ACES is a living learning community for 
exceptional students from a variety of majors to enhance their cyber 
studies. We've also assisted in creating the Nation's first 
undergraduate Cybersecurity Engineering degree at George Mason 
University in Fairfax, Virginia. Further, at the University of 
Maryland--Baltimore County (UMBC), we are providing grants to students 
from diverse academic and socio-economic backgrounds to pursue 
cybersecurity education. At great schools ranging from Cal Poly Pomona 
to the University of Cincinnati and dozens of others across the country 
our employees are actively engaged in helping to develop curriculum, 
fund hands-on student projects, and educate future cyber professionals.
                               diversity
    Because cyber is such a complicated and dynamic challenge, we need 
a work force that brings with it diversity of thought, culture, 
education, experience, and problem solving--diversity drives innovation 
and breeds success. Diversity is truly a strategic asset. Working with 
university and professional organizations that cater to diverse 
populations is a great way to attract cyber employees and build a 
stronger, ethnically and racially diverse work force. We partner with 
the Society of Hispanic Professional Engineers, Women in Technology, 
Women in Cyber Security, and Society of Women Engineers to name just a 
few organizations. We need to ensure that young girls, minorities, and 
other underrepresented populations recognize that they are welcome and 
can succeed in the cyber work force. This past year working with a 
small, disadvantaged business located in Baltimore, Maryland we 
developed the Cyber Warrior Diversity Program at Morgan State 
University and Coppin State University, two Historically Black Colleges 
and Universities (HBCU). This training is designed to prepare 
individuals to defend information systems and networks by training, 
testing, and providing certifications in accordance with the DoD 
Information Assurance Workforce Improvement Program. Additionally, the 
Northrop Grumman Foundation is funding a 3-year, $2 million program 
with the National Society of Black Engineer's (NSBE) designed to expand 
the Nation's engineering work force through a partnership with 
Historically Black Colleges and Universities (HBCUs). The Northrop 
Grumman Corporation/NSBE Integrated Pipeline Program will provide 72 
engineering students with $8,000 scholarship grants, internships with 
Northrop Grumman and year-round academic and professional development 
support. The program's three HBCU partners--Florida A&M University, 
Howard University, and North Carolina A&T State University--will 
receive grants, technical assistance, and a package of programs 
researched and managed by NSBE.
    Expanding the diversity of the cyber work force is critical to not 
only ensuring that we have a sufficient number of cyber professionals 
but also the range of perspectives and backgrounds necessary to counter 
a constantly-evolving threat.
                           breaking barriers
    I am honored to be here today representing Northrop Grumman and 
proud of our company's efforts to help develop a robust pipeline of 
innovative thinkers, engineers, and passionate professionals who will 
secure our Nation's cyber future. A few final thoughts to leave the 
committee with:
   Clearances.--Beyond just a shortage of cyber professionals, 
        there is also a lack of cleared cyber professionals. We need to 
        figure out ways to improve the clearance process to ensure that 
        both the Federal Government and contractors have the cleared 
        employees to do all the critical National security work that is 
        required.
   More Cyber-Trained Federal Employees.--Cyber training across 
        the Federal Government is inconsistent. The Federal Governments 
        as a whole needs to put a greater emphasis on ensuring its 
        employees have the cyber understanding and tools to effectively 
        and securely do their jobs.
   Increased Partnerships and Coordination.--There is no single 
        answer to addressing the shortage of cyber workers. Continuing 
        to work across academia, Government, and industry is essential 
        to leveraging investments, best practices, and collectively 
        working together to ensure that our great Nation continues to 
        securely grow and prosper in this increasingly digital age.
    I would be happy to answer any questions and Northrop Grumman looks 
forward to working with the committee on this effort.
    Thank you again.

    Mr. Ratcliffe. Thank you, Dr. Papay.
    The Chair now recognizes Ms. Okafor for 5 minutes.

STATEMENT OF JULIET ``JULES'' OKAFOR, STRATEGIC ADVISORY BOARD 
  MEMBER, INTERNATIONAL CONSORTIUM OF MINORITY CYBERSECURITY 
                         PROFESSIONALS

    Ms. Okafor. Thank you, Chairman Ratcliffe, Ranking Member 
Richmond, and Members of the House Homeland Security 
Subcommittee on Cybersecurity Infrastructure Protection.
    I am pleased to appear before you today to discuss the 
challenges of addressing the severe people problem that hinders 
our ability to address the advancing threat against our 
Nation's critical infrastructure.
    Technology alone cannot bridge the increasing skills gap 
our Federal Government continues to face in recruiting and 
retaining highly skilled cybersecurity talent. Similar to the 
private sector, it is our belief that the Federal Government 
must take a more innovative approach to the recruitment and 
retention of our future cyber work force.
    My name is Juliet Okafor, J.D., vice president of business 
development for Fortress Information Security and Strategic 
Advisory Board member for the ICMCP, the International 
Consortium of Minority Cybersecurity Professionals. I am the 
first black and female employee of Fortress Information 
Security, a minority-owned cyber risk, intelligence, and 
management start-up based in Orlando, Florida.
    Fortress was founded in 2015 by two entrepreneurs who 
thought to apply practical business intelligence to address the 
most complex and emerging challenges across IT, OT, and third-
party risk management facing the global critical 
infrastructure. Our approach for the market, bundling 
analytics-enabled security-risk orchestration technology, risk 
governance, and the people. It stemmed from the constant 
concern reported by CISOs of the world's largest organizations 
about their ability to hire skilled security staff to fill 
critical technical security roles.
    In May 2016, I joined the International Consortium of 
Minority Cybersecurity Professionals as the first female co-
chairwoman of the Strategic Advisory Board. I lead strategic 
planning and roadmap development for strategic initiatives, 
partnerships, and community outreach.
    In this role, spend much of my time listening to the 
efforts taken by the largest global corporations, small 
businesses, and educational institutions regarding building a 
talented, diverse, highly diverse, and innovative cyber work 
force, and then identifying opportunities, programs, tools, and 
processes that we can implement with these enterprises to 
leverage and expand diversity-inclusion programs.
    The key organizational objectives of ICMCP are, No. 1, to 
increase the number of female and minority students pursuing 
cybersecurity-related disciplines at both the undergraduate and 
post-graduate levels by funding scholarship opportunities; 
facilitate the career advancement of existing member 
cybersecurity practitioners through mentoring and grants 
leading to advanced degrees and/or professional certifications 
in the field of cybersecurity; promote public awareness of 
cybersecurity and the opportunities for minorities and 
underrepresented groups in the profession; No. 4, function as a 
representative body on issues and developments that affect the 
careers of minority and women cybersecurity professionals; No. 
5, establish a mechanism for gathering and disseminating 
information toward minorities and underrepresented groups.
    In my testimony today, I will highlight the challenges 
being faced across the public and private sectors in 
recruitment and retention of cybersecurity talent. These 
challenges are compounded for diverse populations which face 
issues with career investment for existing diverse 
practitioners and retention challenges that also exist in 
keeping diverse talent once they are recruited.
    I will also discuss the efforts and progress made by large 
and small enterprises, grassroots and nonprofits, like the 
organizations I represent today, and the efforts that they are 
making to address the cybersecurity industry's largest and most 
critical vulnerability, the human factor.
    Our research shows that these challenges extend across 
Government and private sector with scarce talent in high 
demand, making it even more critical to focus efforts on 
increasing capacity.
    As noted in the Cybersecurity National Action Plan and 2017 
budget, the goal remains to identify, recruit, develop, retain, 
and expand the pipeline of the best, brightest, and most 
diverse cybersecurity talent for Federal service and for our 
Nation.
    Additionally, a 2014 CIA Diversity in Leadership Study 
commissioned by the director of the CIA, one of the Nation's 
largest intelligence and security agencies, said that the lack 
of diversity in its leadership ranks is of great concern and 
that diversity is critical to the mission.
    The agency further stated that a lack of diversity of 
thought and experience was identified by Congressional 
committees and independent commissions as a contributing factor 
to past intelligence failures and that diversity is mission 
critical is no longer a debatable proposition, if it ever was.
    I thank you for allowing me to speak with you today.
    [The prepared statement of Ms. Okafor follows:]
             Prepared Statement of Juliet ``Jules'' Okafor
                           September 7, 2017
    Thank you Chairman Ratcliffe, Ranking Member Richmond, and Members 
of the House Homeland Security Subcommittee on Cybersecurity and 
Infrastructure Protection. I am pleased to appear before you today to 
discuss the challenges of addressing the severe ``people problem'' in 
addressing the advancing threat to our Nation's critical 
infrastructure. Technology alone cannot bridge the increasing skills 
gap our Federal Government continues to face in recruiting and 
retaining highly-skilled cybersecurity talent. Similar to the private 
sector, it is our belief that the Federal Government must take a more 
innovative approach to the recruitment and retention of our future 
cyber work force.
    My name is Juliet Okafor, JD, vice president of business 
development for Fortress Information Security and strategic advisory 
board member for the International Consortium of Minority Cybersecurity 
Professionals (ICMCP). I am the first black and female employee of 
Fortress Information Security, a minority-owned, cyber risk 
intelligence and management start-up based in Orlando, Florida. 
Fortress was founded in 2015 by two serial entrepreneurs, who sought to 
apply practical business intelligence to address the most complex and 
emerging challenges across IT, OT, and Third-Party Risk Management, 
facing the global critical infrastructure. Our approach to the market--
bundling analytics-enabled security risk orchestration technology, risk 
governance, and people stemmed from the constant concern reported by 
CISO's of the world's largest organizations about their ability to hire 
skilled security staff to fill critical technical security roles.
    In May 2016, I joined the International Consortium of Cybersecurity 
Professionals as the first female co-chairwoman of the Strategic 
Advisory Board and chair of the fundraising committee for ICMCP. I lead 
strategic planning and roadmap development for strategic initiatives, 
partnerships, and community outreach. In this role, I spend much of my 
time listening to the efforts experienced by the largest global 
corporations, small businesses, and educational institutions regarding 
building a talented, diverse, and innovative cyber work force. Then 
identifying opportunities, programs, tools, and processes that 
enterprises can leverage to expand diversity and inclusion programs.
    ICMCP's the key organizational objectives are to:
    1. Increase the number of female and minority students pursuing 
        cybersecurity-related disciplines at both the undergraduate and 
        post-graduate levels by funding scholarships opportunities.
    2. Facilitate the career advancement of existing member 
        cybersecurity practitioners through mentoring and grants 
        leading to advanced degrees and/or professional certifications 
        in the field of cybersecurity.
    3. Promote public awareness of cybersecurity and the opportunities 
        for minorities in the profession.
    4. Function as a representative body on issues and developments 
        that affect the careers of minority cybersecurity 
        professionals.
    5. Establish a mechanism for gathering and disseminating 
        information for minority cybersecurity professionals.
    In my testimony today, I will highlight the challenges being faced 
across the public and private sectors in recruitment and retention of 
cybersecurity talent. These challenges are compounded for diverse 
populations, which faces issues with career advancements for existing 
diverse practitioners and retention challenges that also exist in 
keeping diverse talent once they are recruited. We will also discuss 
the efforts and progress made by large and small enterprises, and 
grassroots non-profits like the organizations I represent today, 
Fortress Information Security and ICMCP, have made in addressing the 
cybersecurity industry's largest and critical vulnerability--the human 
factor.
    Our research shows that these challenges extend across Government 
and private sector, with scarce talent and high demand, making it even 
more critical to focus efforts on increasing capacity. As noted in the 
Cybersecurity National Action Plan and 2017 Budget, the goal remains `` 
. . . to identify, recruit, develop, retain, and expand the pipeline of 
the best, brightest, and most diverse cybersecurity talent for Federal 
service and for our Nation.'' Additionally, a 2014 CIA Diversity in 
Leadership study commissioned by the director of the CIA, one of the 
Nation highest intelligence and security agency cited that the lack of 
diversity in its leadership ranks is of great concern as diversity is 
``critical to the mission''. The agency further stated that ``a lack of 
diversity of thought and experience was identified by Congressional 
committees and independent commissions as a contributing to past 
intelligence failures . . . that diversity is mission-critical is no 
longer a debatable proposition--if it ever was''.
        the shortages in the cybersecurity work force diversity
    According to Frost & Sullivan's 2017 International Information 
Systems Security Certification Consortium (ISC) Global Information 
Security Workforce Study (GISWS) of over 19,000 information security 
professionals globally, across 170 countries, women represent only 11 
percent of the total cybersecurity work force despite a projected work 
force shortfall of 1.5 million people during the next 5 years due to a 
lack of trained professionals. The percentage representation of African 
Americans and Hispanics in cybersecurity has been reported at 
approximately 12 percent combined, for both these groups. This data 
takes on added meaning when we consider the projected growth in the 
U.S. minority population over the next few decades where the Hispanic 
population is expected to grow to 28.8 percent of the U.S. population 
and the African American population is expected to climb to almost 20 
percent according to Census data reflecting population growth 2014-
2060.
    In a recent USEOC Report, projections for selected STEM occupations 
with fast employment growth, projected 2012-22, Information Security 
Analysts have a 37 percent projected growth rate (currently 75,100 jobs 
annually and 102,500 jobs created annually by 2022), with a Median 
Annual Wage in 2013 of $88,590.00. Global Information Security 
Workforce Sub-Reports issued by various industry groups (to include 
(ISC)2) cite the consistent underrepresentation of African Americans 
and Hispanics in STEM careers. Only some 6 percent of STEM workers are 
African American compared to an overall 10 percent of the U.S. work 
force. Similarly, Hispanics comprise only 7 percent of the STEM work 
force while making up 15 percent of the U.S. work force. In the past, 
human bias was understood to be largely a conscious and intentional 
reason for such gross underrepresentation. New research from the fields 
of neuroscience and sociology now suggest that human biases are largely 
unconscious and unintentional.
    As the demographics of the U.S. population continue to become more 
diversified, the importance of increasing the participation of women 
and minorities in the work force becomes of paramount concern. Ashley 
Tolbert, a recent Information Security graduate from Carnegie Mellon 
now working in the Bay Area in Cyber Security Operations, writes of her 
experiences as a student, intern, and professional in the cybersecurity 
field that ``a lack of diversity and inclusion in the information 
security field is one of the foremost impediments to attracting and 
retaining diverse talent, which the industry sorely needs. Since 
cybersecurity is one of the biggest challenges to our Nation's National 
and economic security and we're facing a major talent shortfall in the 
industry, strategies to ensure all capable talent regardless of race, 
ethnicity, or sexual orientation feel welcome and included is 
important.''
    This work force shortfall should be of much consternation given 
that cyber crime and information theft, to include cyber espionage, 
remain the most serious economic and National security challenges that 
our country faces. It has also been reported that this under-
participation by large segments of our society represents a loss of 
opportunity for individuals, a loss of talent in the work force, and a 
loss of creativity in shaping the future of cybersecurity. Not only is 
it a basic issue of digital diversity and equality, but it threatens 
our global economic viability as a Nation.
  the roots of the cybersecurity workforce diversity goes back to our 
                    middle schools and high schools
    The work force shortfall and the growing diversity gap in the 
cybersecurity industry in the United States also reflects the broader 
challenge that the USA faces in science, technology, engineering, and 
mathematics, or STEM, programs in our schools. Until we can get more 
students matriculating with STEM-related degrees, these challenges 
faced within the cybersecurity industry and overall information 
technology industry will persist. According to the PEW Research ``Fact 
Tank'' Report of International Students in Math and Science, American 
15-year-olds were ranked 38th out of the 71 countries included in the 
report. The results were only slightly more encouraging for our 8-year-
olds, who were ranked 11th out of the 38 countries included. As a 
country, we have to be laser-focused on quality and retention in middle 
and high school STEM programs, as these formative years determine the 
future talent pipeline for the cybersecurity work force. Strategies and 
programs are needed to provide significantly more apprenticeship 
opportunities as well as opportunities in colleges and universities, to 
include an infusion of Federal resources to support everything from 
curriculum and faculty development to tuition support.
    Chairman Ratcliffe, our STEM imperative cannot be more urgent for 
minority students when we consider the projected growth of minority 
populations according to the census data and the reported labor trends 
citing the fact that over 90 percent of all jobs by 2030 will require 
information technology skills.
  the imperatives for grassroots organizations and private enterprises
    Nonprofits and educations institutions are tackling the cyber 
divide by creating academic scholarship opportunities to attract more 
females and students of color into the career field. For existing 
minority cybersecurity practitioners, ICMCP is deploying strategic 
mentoring programs geared toward fostering the career growth of junior 
and mid-level practitioners into becoming the next generation of 
executive decision makers. Studies by various groups, have underscored 
the importance of work-based learning programs, mentorship, 
apprenticeship, sponsorship, and employee affinity groups as key 
strategic components of successful diversity and inclusion programs and 
employee retention initiatives.
    Toward fulfilling these five key organizational objectives, last 
year ICMCP was able to accomplish the following thanks to the 
generosity of our sponsors,
   Awarded 10 Academic Scholarships @$5K
   Awarded 5 Certification (average $3K)
   Awarded 1 Executive Development ($16K)
   Placed 12 interns in cybersecurity positions
   Matched 17 Proteges to Mutually-Matched Mentors
   Assisted and facilitated the job placements of over one 
        dozen minority cybersecurity professionals at various levels in 
        several industries
   Implemented the first operational Security Operations Center 
        (SOC) at an academic institution toward ensuring students 
        graduate with hands-on skills to augment their classroom 
        learning.
    So far in 2017, ICMCP has already accomplished the following:
   Awarded over $100K in academic scholarships,
   Awarded at least 10 certification vouchers (ISC2, CompTIA, 
        SANS, ISACA, IAPP),
   Coordinated the placement of 15 interns and 20 job-seekers.
    We should also mention our participation in note-worthy and 
Government-led initiatives diversity underpinnings also tackling the 
``Great Minority Cybersecurity Divide'' which include:
                                gencyber
    The National Security Agency's GenCyber program, co-sponsored by 
the National Science Foundation, sponsors cybersecurity summer camps 
for students and teachers at the K-12 level. The goals of the GenCyber 
program are to help increase in cybersecurity and diversity in the 
cybersecurity career field; help students understand correct and safe 
on-line behavior and to improve the teaching methods for delivering 
cybersecurity content in the K-12 curricula. This year the program 
sponsored 130 GenCyber camps and reached nearly 5,000 students and 
1,000 teachers across the Nation.
   the consortium enabling cybersecurity opportunities and research 
                                (cecor)
    The Consortium Enabling Cybersecurity Opportunities and Research 
(CECOR) funded by the Department of Energy is a collaborative effort 
among 13 colleges and universities and 2 National laboratories to 
develop a K-12 pipeline for the cybersecurity work force.
            cybercorps scholarship for service (sfs) program
    SFS is a program designed to increase and strengthen the cadre of 
Federal information assurance professionals that protect the 
Government's critical information infrastructure. This program provides 
scholarships that may fully fund the typical costs incurred by full-
time students while attending a participating institution, including 
tuition and education and related fees. The scholarships are funded 
through grants awarded by the National Science Foundation, NSF.
    But this is clearly not enough. To make significant progress in 
developing and employing the cybersecurity capacity our Nation needs, 
we need to be filling over 200,000 cybersecurity jobs annually 
according to the Frost and Sullivan ISC2 GISWS Report and to be filling 
these jobs with diverse candidates.
                             diversity wins
    Chairman Ratcliffe, several studies have proven that diverse teams 
wins and specifically in the private sector, diversity has been shown 
to positively impact bottom-line revenues. In fact recent reports are 
showing that every incremental percentage point in African American and 
Hispanic representation at NASDAQ-listed tech companies is linked with 
a 3 percentage point increase in revenues. If the racial/ethnic 
diversity of tech companies' work forces reflected that of the 
engineering talent pool, the sector at large could generate a 20-22 
percent increase in revenue--an additional $300-$370 billion each year. 
Companies with above-median Hispanic representation (currently standing 
at roughly 5-6 percent of the technical work force) are linked with 
annual revenues that are 40 percent higher than companies that fall 
below the median in Hispanic representation. The links between African 
American representation and revenues were also positive, yet did not 
show statistical significance.
    There is also a linkage between racial/ethnic diversity and 
operating margins--every 1 percentage point increase in racial/ethnic 
diversity at a tech company is linked with 0.3--0.4 percentage point 
increase in operating margins. Extrapolating to the tech sector 
achieving levels of racial/ethnic diversity that reflect the talent 
marketplace would be linked with $6-7 billion in additional operating 
earnings industry-wide, or roughly a 2-3 percent increase in total 
industry earnings.
    These links between diversity and financial performance are not 
unique to the tech industry--a range of studies conducted in other 
industries support them. For instance, research published in the 
American Sociological Review found that firms with high levels of 
racial/ethnic diversity have more than 98 percent higher sales revenue, 
serve over 54 percent more customers, are roughly 33 percent more 
likely to have above-average market share, and are nearly 30 percent.
    Our analysis is supported from the commercial sector, by the well-
known consulting firm of McKinsey & Company, who conducted a 2015 study 
of 366 public companies across a range of industries in the United 
Kingdom, Canada, the United States, and Latin America. The resulting 
analysis of the 366 companies revealed a statistically significant 
connection between diversity and financial performance. The companies 
with the highest gender diversity were 15 percent more likely to have 
financial returns that were above their National industry median, and 
the companies with the highest racial/ethnic diversity were 35 percent 
more likely to have financial returns above their National industry 
median. The correlation does not prove that greater gender and ethnic 
diversity in corporate leadership automatically translates into more 
profit--but rather indicates that companies that commit to diverse 
leadership are more successful.
                               conclusion
    Mr. Chairman, in closing, there are lots of vital efforts underway 
to tackle the problem we have titled the ``The Great Diversity Divide'' 
and progress is being made. Sadly however, with over 250,000 unfilled 
jobs in cyber each year, with the average representation of women in 
the cybersecurity industry averaging barely 10 percent for the past few 
years, same with the combined representation of African Americans and 
Hispanics with 1 or 2 percentage points, there is much more that can be 
done and that must be done when we consider the projected minority 
population growth and trends in the labor market.
    Thank you for the opportunity to testify before you today, and I 
look forward to any questions that you have.

    Mr. Ratcliffe. Thank you, Ms. Okafor.
    I now recognize myself for 5 minutes for questions.
    I want to start out by thanking you all again for your very 
thoughtful opening statements.
    Dr. Chang, I want to start with you because I know in 
addition to your prior Federal experience at NSA you are now 
essentially on the front lines teaching and educating our 
future cyber work force. Therefore so I would like your 
perspective on whether working for a larger purpose factors 
into whether students will choose to serve the Government. In 
other words, does the potential of protecting our homeland and 
working at a Classified level, incentivize students and young 
people?
    Mr. Chang. Yes, I believe it is. I on occasion have the 
opportunity to chat with students about career choices, about, 
you know, individual opportunities they may seek. It would be 
fair to say that for a number of the students they believe that 
there is potentially something larger than just salary. Now, 
clearly salary will have a bearing, but I did have one 
particular student, who, by the way, is a veteran, a former 
Marine, the guy is a rock star. He is a terrific cyber 
performer. Any company represented here I think would really 
enjoy having him. He specifically made the point that for him 
and many people that he knows would basically choose mission 
over money.
    They want to have an impact, they want to make a 
difference. They are trained, they are ready, they want to get 
in the game. To the extent that they understand that, whatever 
organization will allow them and their skills to make a 
difference, they would absolutely raise the hand.
    Mr. Ratcliffe. Terrific, thank you.
    Mr. Montgomery, with so much focus in recent years about 
expanding cyber educational opportunities, like we have talked 
about and in your opening statement as well, why do you think 
the cyber skills gap is getting worse?
    Mr. Montgomery. Well, demand. Think about what is under 
control of most organizations. They control the number of 
people that they can hire. They control the budget for 
technology. Another static factor is the number of hours in the 
day, that doesn't change. But think about what does change 
dynamically. The number of systems that you use in your own 
household, for example, rages beyond control.
    I remarked to a reporter today I have five more IP-enabled 
devices in my book bag today than I did 5 years ago. I don't 
see that trend diminishing. So demand, and I don't mean demand 
for the skills of the personnel, I mean the demand upon those 
personnel themselves.
    So if you have these dynamic factors, the number of 
systems, the attacks against those systems, the lucrative 
nature of cyber crime, the interconnectivity of devices to just 
about everything these days, it creates an untenable math 
problem that the practitioner can't solve by himself.
    So we don't have enough kids coming in, we all know that, 
but we are also making the existing problem of the existing 
practitioner worse because of the raw demand of computer power.
    Mr. Ratcliffe. Terrific, thank you.
    Dr. Papay, what programs have you found to be most 
effective for your company's recruiting and retention efforts? 
Are there metrics at Northrop Grumman that are used to judge 
the success and failure of recruitment and retention programs?
    Obviously, one of the purposes of this is that we are 
trying to learn from some of the private-sector best practices 
and whether or not those can apply or should apply in the 
Federal sector.
    Mr. Papay. Thank you, Mr. Chairman. So we approach the 
problem just like any other business would. Where do you want 
to spend your money? Where do you want to invest your time and 
energy in looking at, first of all, the recruiting side and 
then on the retention side. So let me just give you a few 
numbers, like, some metrics that we look at for Cyber Patriot, 
for instance.
    If we look at the Cyber Patriot participation of the 
students that are coming in there in the middle schools and 
high schools, about 87 percent of the kids that are in that 
program go on to pursue a STEM degree in college. That is a 
pretty good number.
    Then you look at how many of those kids go on and get a 
college degree and come to work at big companies or go work for 
the Government, then how long can you keep them with the 
company? So we look at numbers, like, something like a 92 
percent of those kids that come out of the Cyber Patriot 
Program and then come in to work for Northrop Grumman as an 
intern or as a summer hire, about 92 percent of them come back 
again and stay and either continue their education or continue 
their career with us or both.
    So you have got to think about where you want to invest 
your money and where you want to spend the time. I think the 
Federal Government can look at that like a business.
    Mr. Ratcliffe. Terrific.
    My time is expired.
    The Chair now recognizes the Ranking Minority Member for 
his questions.
    Mr. Richmond. Sure.
    Dr. Chang, I will just start with a comment where you are. 
So if you look at SMU, whose tuition is, give or take, 
somewhere around $45,000 a year, not including room and board, 
the demand upon students as they come out of college now, the 
financial demand is a serious obstacle as we talk about--maybe 
somebody has a solution for it. Who knows?
    So the question becomes, and I think that you are right 
when you start talking about supply and demand and you start 
talking about the overall good of the country, demand is so 
high right now, whether you are talking about Samsung and a 
refrigerator that hooks up to the internet of things or you are 
talking about my sous vide device where I can cook over wifi in 
my home while I am here in the District of Columbia and it is 
in New Orleans.
    So the demand is very extraordinary, which then the supply 
is still limited and it is going to be limited for a while. So 
the question I have is, as Government, how do we think outside 
the box? How do we do things in a creative manner to create 
some capacity? How do we compete for those students who have a 
number of challenges that they have to deal with?
    Just as a side, do you know any State or local governments 
that are doing a good job at retention or recruitment?
    Mr. Chang. I will offer a couple of thoughts. So I think 
there is sort-of this notion of top-down and bottom-up. So the 
bottom-up perspective basically says when students graduate 
they kind-of know and follow where the other students go. So if 
they join a company or an organization and the students say, 
hey, that is a really great place, come join me, they sort-of 
keep track of each other. So there is this sort-of bottom-up 
perspective that if you get some number of students, they may 
attract some others.
    I think there is also sort-of a top-down perspective as 
well that says if DHS, for example, were able to recruit a 
really big-name cyber professional, that would be a little bit 
of a magnet for some other students. So I think maybe some 
Fortune 500 CISO or something like that or some big name out of 
Government, I do think the students would say, gosh, that is 
somebody I admire, that is somebody I respect, somebody I can 
learn from, might be an interesting strategy as well.
    Mr. Richmond. Anyone else?
    Ms. Okafor.
    Ms. Okafor. Thank you. I believe that cybersecurity has a 
branding problem. One of the biggest inhibitors in my 
conversations with students and practitioners looking to enter 
the field from non-IT-related industries is that it is mostly 
military or it is seen as highly technical with penetration 
testing. It sort-of in some situations lacks the kind of cool 
that I think a lot of millennials are looking toward when they 
are looking to build out their career.
    Then when you talk about the Federal Government and you 
think about some of the issues that we are facing in society 
today, some people are reticent to enter something that both 
seems very, you know, sort-of situated around military and then 
institutionally-based.
    So one of the things that I noticed is, a number of years 
ago when I, and I won't share my age, but when I was growing 
up, I saw a number of commercials as a young black woman who 
grew up in Brooklyn about the military and the benefits the 
military had very early on. For a commitment up front, you got 
a lot on the back end. I think cybersecurity needs to really 
start to broaden its awareness of the opportunities in it and 
get people to invest in the mission very early on.
    That will then allow them to, as they are being sort-of 
approached by other industries, it is not just the money 
because they are aware of what the benefits are and they also 
understand what the task is that they would be a part of. So I 
think that would be much more helpful with regards to the 
branding issue I see.
    Mr. Richmond. Thank you. I guess just from my perspective, 
and you all can just tell me if you agree, part of it is just 
that when you work for Government it is so rigid. When you are 
in the cybersecurity space or really coding space or whatever 
you want to call it, you know, the days of wearing a suit, the 
days of all of this structure are really going away because 
people have the ability to work anywhere and work in any kind 
of environment.
    Are we perpetuating our own barrier by our traditional 
means of how we think about the workplace as opposed to what 
technology offers?
    With that, Mr. Chairman, I will yield back.
    But, you know, a yes or a no or a sentence would help.
    Mr. Papay. Yes. I will expand a little bit. One of the 
things that I think, and to Ms. Okafor's point, cyber doesn't 
know boundaries, it doesn't know buildings, it doesn't know 
facilities, it doesn't know data centers, it doesn't know 
anything. It knows where the demand is. So the notion of going 
to this same cube to work on something that affects someone in 
Ohio versus Montana versus Texas, it is a little bit at cross 
purposes, absolutely.
    Mr. Ratcliffe. All right.
    The Chair now recognizes the gentleman from Rhode Island, 
Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank you 
for holding this hearing.
    I want to thank our distinguished panel for being here. I 
appreciate the contributions that each of you have made in your 
own right to advancing the field of cybersecurity.
    So, Mr. Chairman, in March, NICE, National Initiative for 
Cybersecurity Education, issued a request for information on 
scope and sufficiency of efforts to educate and train the 
Nation's cybersecurity work force. I responded to highlight 
several areas that I hope that they will focus on.
    I ask unanimous consent, Mr. Chairman, if I could, that the 
letter that I sent to be included in the record as context for 
my questions for this distinguished panel.
    Mr. Ratcliffe. Without objection.
    [The information follows:]
                   Letter From Hon. James R. Langevin
                                    August 1, 2017.
Ms. Danielle Santos,
Cybersecurity Workforce RFI, National Institute of Standards and 
        Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD 
        20899.
    Dear Ms. Santos: The National Institute of Standards and Technology 
has requested information on the scope and sufficiency of efforts to 
educate and train the American cybersecurity work force of the future. 
Investment in our nation's cybersecurity work force is crucial to our 
national and economic security, and I write to applaud NIST for its 
efforts in this matter. While we often focus on the technologies that 
result from research, it is at least as much the skilled work force 
behind the breakthroughs that drives our country forward.
    Unfortunately, we are far behind where we need to be. Within the 
cybersecurity work force today, we have hundreds of thousands of jobs 
unfilled, thereby limiting our ability as a nation to respond to the 
malicious actors who daily target our infrastructure, finances, and 
intellectual property. We need short-, medium-, and long-term solutions 
that reach all components of the educational pipeline from K-12 
education to university programs to certifications. We also need to 
explore retraining and apprenticeships as ways to infuse additional 
talent into the field.
    In order to properly understand the scope of the challenge, it is 
crucial that NIST applies measures and metrics to the cybersecurity 
work force, and I was pleased to see their inclusion within the 
request. As a nation, we must analyze the expected demand for 
cybersecurity personnel, the efficacy of training programs in producing 
skilled workers, and the ability of our educators, both in number and 
in capability, to instruct students. Furthermore, we must share across 
our communities the lessons and best practices learned from these 
studies to ensure that students throughout the nation have access to 
the best cybersecurity education possible no matter where they live.
    Additionally, the dynamic nature of technology development ensures 
that even our best-laid plans will require adaptation as innovative 
technologies come on the market. This is perhaps one of the most 
significant challenges that we will face in shaping tomorrow's work 
force, and it will require novel approaches to training. The emerging 
use of artificial intelligence to assist cybersecurity tasks, for 
example, may dramatically alter the tasks of a computer and network 
security engineer in the coming decades. Similarly, the rapid growth in 
connected devices may create new classes of cybersecurity professionals 
focused on the unique challenges posed by the Internet of Things. We 
must prepare our work force for this future while also preparing them 
to be adaptable to the disruptions that we expect but cannot predict.
    Only by continuing to invest in our skilled work force will we be 
able to ensure our nation's continued security and prosperity in the 
digital economy. This request for information is a positive 
contribution to understanding where the work force is today and what we 
must do in the future. I thank you for your leadership on this issue 
and I look forward to the results of your request.
            Sincerely,
                                         James R. Langevin,
                                                Member of Congress.

    Mr. Langevin. Thank you, Mr. Chairman.
    So to the panel, in all of your testimony, you point out 
that there is a strong demand signal for more cybersecurity 
workers. Yet, and you in particular, Dr. Chang, can appreciate 
as one of the members of the CSIS task force with me and 
Chairman McCaul, and I thank you for your work there, but 
understand that this is not a new problem. The demand signal 
really has existed for well over a decade now. One of the 
biggest challenges that policy makers have faced, in my view, 
is figuring out why there really hasn't been more of a market-
driven response to the shortage.
    So based on your experiences, why has the cybersecurity 
work force gap lagged behind the broader computer science gap 
which has seemed much more responsive to the growing demand for 
software engineers?
    Mr. Chang. Yes, so a couple of things. So I think it is 
very thoughtful when you make a comparison between 
cybersecurity and computer science. The field of computer 
science as a major has been around for many years now, as you 
know. In terms of a specific discipline for cybersecurity, it 
is very new.
    It seems to us that we have been sort-of thinking about 
cybersecurity for a very long time, but as a discipline 
distinct from computer science, computer engineering, 
information technology, it really is very new. So as students 
begin taking some of these programs from these different 
universities, they are not getting the same thing.
    I mention in my testimony the idea that when universities 
begin building up their cybersecurity programs there really 
needs to be a common curricular guidance so that everybody 
basically says cybersecurity is kind-of the same thing. Because 
right now it is a little bit of a mix-and-match and so you 
will, you know, you will get a major or a minor or a 
certificate or something, but you are not getting quite the 
same thing.
    So it is, you know, still a little bit of a new thing. I 
think it is now public awareness has raised, but it is still 
basically a pretty infant discipline.
    Mr. Langevin. Thank you.
    Mr. Montgomery. I would agree, and I don't want to sound 
like a broken record, but it is demand. It is demand. The 
demand for practitioners has far outpaced the ability for the 
educational system to deliver because we have changed 
everything. You didn't buy anything on your telephone 10 years 
ago. Many of us didn't buy anything on the internet 10 years 
ago. Many of us didn't have broadbands to our house 10 years 
ago. Certainly, no one had an internet-connected refrigerator 
or television 10 years ago.
    So it is absolutely that I don't think that it is a lack of 
interest or a lack of programs. I don't think it is a lack of 
educational institutions offering education. I think it is 
nascent from the cybersecurity as a discipline standpoint, but 
we simply have far more demand than our ability to fulfill and 
that will worsen as more devices are IP-enabled. The Patriot 
Missile has an IP address while it is in flight. That is going 
to get worse before it gets better.
    Mr. Papay. Congressman Langevin, if I may agree with Scott 
here for a second, I know it doesn't happen often, the demand 
is building up because all of the things that are out there 
that are legacy systems as well are now possible attack 
targets. So you even think about DHS's mission, not just one 
from a responsibility to provide information out to businesses 
and Government organizations through US-CERT, but also the work 
that DHS does in TSA and CBP, all those are opportunities for 
people who are cyber-trained to become part of DHS's mission 
and protect the systems that DHS delivers for our Nation. So 
the demand may be even more than we see up front because of 
that number of legacy systems that are out there that need 
protection.
    Mr. Langevin. Thank you.
    Ms. Okafor. I would add a caveat that it is not the demand 
itself, but the lack of response to the demand, meaning we are 
not changing fast enough with regard to the systems that we 
have in place.
    For instance, the Ranking Member talked about, you know, 
sort of the rigidity of the Federal Government. I am often 
concerned with the kind of education that exists to prepare 
people for a cybersecurity job. You need more hands-on 
learning. But often, you are still seeing these certificate 
programs come up that teach using just books.
    So what happens? They graduate school and then it becomes a 
company's responsibility to invest in training the work force 
to actually start on Day 1. So there is a gap there because 
organizations are not quickly responding, due to bureaucracy or 
politics, to the demand of the new work force.
    Then finally, we talk about technology as an enabler, but I 
want to talk about the fact that technology is engineered by 
people. Unless we address the fact that people still continue 
to have unconscious bias and are reticent to change and, 
therefore, it is impacting our ability to hire quickly enough 
to bring on the right people to address the demand. Thank you.
    Mr. Langevin. Thank you.
    I know my time is expired.
    I thank all of you for your insights into this. I just, you 
know, I just see the, you know, the fact that, you know, 
computer scientists are learning new language, new things are 
being coded. I mean, the web programming languages are new and 
apps have only existed for a decade, but, you know, there are 
plenty of app coders, but we don't see enough market demand 
moving into cybersecurity, I would say, filling those roles.
    So we have a couple hundred thousand openings right now in 
the cybersecurity field and we just don't--it doesn't seem like 
that is migrating enough in terms of training enough people in 
that field, so it is a challenge.
    But I know my time is expired. I yield back. I will perhaps 
have some questions for the panel that I will submit for the 
record. Thank you.
    Mr. Ratcliffe. Advise the gentleman I intend to have a 
second round if you are interested in staying around.
    The Chair recognizes the gentlelady from Florida, Mrs. 
Demings.
    Mrs. Demings. Thank you so much, Mr. Chairman.
    Thank you to our witnesses and welcome.
    Particularly to you, Ms. Okafor, who comes from my home 
town.
    What a very interesting topic. I want to thank our Chairman 
and Ranking Member for it.
    Mr. Montgomery, I would just like to go back to what you 
were saying about demand. You know, I spent a lot of years in 
law enforcement and we used to talk a lot about being proactive 
and not reactive. DHS was created 17 years ago or so to change 
the way we do business. So did we just not see the demand 
coming? Or did the internet exceed our wildest dreams?
    Mr. Montgomery. Can it be both? If I had told you when 
homeland was founded what you would be able to do from the 
confines of your pocket and your phone, would you have believed 
it?
    I believe that the pace of technology has accelerated so 
dramatically in the last 20 years so much faster than the prior 
200, the things that we do and take for granted today, they 
simply didn't exist 10 years ago, 15 years ago, 20 years ago.
    So I think it is we are always going to err on the side of 
availability and progress. There is definitely contention 
between availability and progress and security and privacy. The 
practitioner's first job is to say no, you can't do that, it is 
new, I don't understand it yet. But what do we say as 
consumers? Hey, I just need it to work. So there is definitely 
contention.
    I don't think the Government missed the boat or missed the 
size of the problem any more than anyone else did. It is simply 
a question of the pace outpacing our ability to respond. I 
don't think that is a Government issue, I think that happens in 
every organization, whether they are in the private sector or 
not.
    Mrs. Demings. You also talked about a shared work force, if 
you will, combining a private and public sector employee to do 
both jobs. I think the pros of that are very, very obvious. 
Could you talk about some of the cons of having that kind of 
work environment?
    Mr. Montgomery. Well, certainly clearances and the 
clearance process make it trickier for certain systems to be 
protected. But let's face it, the overwhelming percentage of 
systems and the overwhelming percentage of data are 
Unclassified. Certainly, as the Department moves toward the 
cloud and embraces that economy of scale like everyone else, 
that rotating work force could be relegated to the cloud 
management aspects which are more public. So I think there are 
ways to offset sort-of the recurring nature or the temporary 
nature of workers by simply relegating them to more 
Unclassified roles.
    I see tremendous benefit in that a private citizen may not 
understand what the word ``mission'' means until they are 
exposed to it. I am a software engineer by background, but my 
own exposure to the word ``mission'' came with involvement in 
the Department of Defense. I take that word more seriously now 
than I did when I was a kid in the cube. I think the same thing 
could be said of these cyber partnerships between the private 
and public sector.
    Mrs. Demings. Thank you.
    Ms. Okafor, in a study that was done this year involving 
women who had worked or working in cybersecurity, over half of 
them reported that they had been discriminated against in some 
way. You certainly talked about being a first on more than one 
occasion. I would like to hear about your own experiences of 
discrimination within the field and hear some more about what 
recommendations you would make for employees in the private and 
the public sector to create an environment that is more 
conducive to recruiting women and other minorities.
    Ms. Okafor. I would be happy to share. So it is, you know, 
it is not easy to be the first black woman, but I wear it as a 
badge of honor. The biggest areas of discrimination I face 
tends to be overt. There is a subtlety mostly of a suggestion 
that I perhaps don't know what I am talking about or perhaps 
need to be explained.
    I find often that I need my male coworkers to vouch for 
some of my big ideas, unlike some of my male counterparts. So I 
can't say that in my experience I have faced anything that 
would sort-of, you know, touch anything near some more overt 
forms of racial discrimination, but there are lots of 
conversations that I am not included in because lots of the 
dealing happens after hours in places that perhaps they don't 
think I would perhaps be welcome.
    So what I suggest for organizations is really starting to 
question itself. I talk a lot about organizations conducting 
both third-party and self-assessments of the culture. The 
culture of an organization is critical, not only with regard to 
who they are hiring and who is in the organization, but also an 
unhappy, unproductive work force cannot be a secure work force.
    So those two are linked; and therefore, an organization 
needs to understand how it treats its employees, how it is 
perceived by the market with regard to attracting employees and 
then ensuring that they give opportunities for women to be seen 
as having the right frame of mind, the right thoughts on big 
projects, to have executives that they can see as being perhaps 
an ideal that they could perhaps reach.
    So I feel like you can no longer separate the need for 
diversity of thought, gender, racial diversity without also 
saying that without doing that you are impacting directly the 
ability to secure the organization, secure the Nation. Thanks.
    Mrs. Demings. Thank you so much. I am out of----
    Mr. Montgomery. I am sorry, if I can just add briefly.
    Mrs. Demings. OK, please go ahead.
    Mr. Montgomery. I can't agree enough. No insider threat 
starts their career as a threat to their organization. It is 
through cultural pressure, cultural unhappiness. We have seen 
this at TSA on the front lines. No one starts unhappy. It is 
their environmental pressures that create insider threat, so I 
totally agree on checking your culture and reassessing from 
time to time.
    Mrs. Demings. Thank you so much.
    Thank you, Mr. Chairman.
    Mr. Ratcliffe. The Chair now recognizes the gentleman from 
New York, Mr. Katko.
    Mr. Katko. Thank you all for being here. I constantly hear 
from my constituents back home about this issue, about the 
whole cybersecurity issue. They are terrified. Getting it right 
is critically important.
    I have really got to commend both of you for the last 
colloquy you had because it is really important to have the 
discussions. You can't make change until you identify the 
problem. Once you identify the problem, then you can address 
it. So I encourage you to continue to speak up and let us know 
how we can help, if in any way. So it is a very important issue 
and keep it up.
    But, Dr. Montgomery, I want to talk a bit about the public/
private-sector cross-pollinization I call it, pollination, 
whatever we want to call it. I am very interested in that. I 
think it is something that can be a very dynamic thing. I am 
also interested in how we can better expand that and better 
utilize that moving forward as a way to get people from both 
the Government sector and the private sector get on the same 
page more instead of having this more stratified relationship 
that we have now.
    So would you like to comment on that a little bit? I would 
like to have others as well.
    Mr. Montgomery. Sure. So first and foremost, having some 
industry influence inside the confines of Government is never 
going to be a bad thing. Exposing permanent Government 
employees----
    Mr. Katko. So what you are saying is people in Government 
don't always know everything that is right for industry?
    Mr. Montgomery. I would never say it that way specifically.
    Mr. Katko. That is shocking.
    [Laughter.]
    Mr. Katko. Well, I am, I am telling you that is why we want 
to do it.
    Mr. Montgomery. But I think that sharing of ideas, there is 
certainly process in the Government that has to be observed 
with respect to data classification. But beyond that sort of 
rigid wall, the whole reason that enterprise works and industry 
works is because it is allowed to try to solve problems more 
creatively.
    The other thing I think that helps a lot with respect to a 
visiting work force, so to speak, is the diversity of that work 
force itself. Many of them will be returning veterans whose 
experience in the most difficult places on earth lends itself 
pretty well to crisis situations in a civilian organization as 
well.
    But if you think about visiting professionals, you may wind 
up having all sorts of diversity, whether it is racial 
diversity, whether it is more women in the workplace, but that 
constant influx of new ideas is how problems get solved.
    Cybersecurity is almost, when you look at the highest ends 
of the practitioners, it is almost more like an art than a 
science and it takes a lot of different points of view. Right 
now, we don't have enough points of view, including more people 
who aren't necessarily, ``cyber practitioners'' to be some of 
these rotating personnel who will sharpen the ideas of the 
cyber practitioners, being exposed to those ideas in the cyber 
workplace.
    I can't say enough about how this will help spur new 
thinking, both in the private sector as well as the public 
sector.
    Mr. Katko. The Department of Homeland Security has just 
secured its first loaned executive, as they call it. I think we 
need more. I say that because even in my subcommittee which I 
chair, the Transportation and Protective Service Subcommittee, 
we now have a Secret Service agent that is detailed to us. He 
is giving us a totally different perspective on the Secret 
Service side of things.
    So I totally agree with it. Now you see a lot of colonels 
come through here and they do their time, if you will, on 
Capitol Hill before they become a general. They have to 
understand how this place works if they are ever going to be 
able to be effective at their jobs as a general for the most 
part.
    So I would like to hear from you all, not just that it is a 
good idea. How can we expand it? What can we do better with 
that? What would you suggest we do?
    Go ahead, Dr. Papay, you want to try?
    Mr. Papay. Sure. So one of the things that as you are 
facing this big demand, a shortage of people, we are never 
going to fill the gap by just continuing to funnel new kids in 
the bottom. You are not going to get to 1.8 million jobs in 
2022 doing it that way. So the importance of information 
sharing now becomes clear in our role as cyber defenders. I 
share information on a tactical level and a strategic level 
with both my defense industrial base partners and the 
Government counterparts.
    We need to adopt a much more broad information-sharing 
approach that takes advantage of the fact that my folks now 
don't have to find every threat targeted at my company because 
somebody else over there found that threat first, let me know 
about it, and I put it in automatically, automatic information 
sharing, I am up, I am good, and I am protected. So I think 
scalable solutions are the key and information sharing is one 
of those.
    I don't think we realized it at the time when we were 
thinking about, hey, we have got to get information sharing 
more broad. It is a scalable solution that helps us solve that 
gap.
    Mr. Katko. Ms. Okafor.
    Ms. Okafor. I would agree with him. Two of the examples 
that I have seen that work really, really brilliantly is when 
you have the public and private sector actually collaborate 
around a goal. I have seen cyber exercises in particular 
industries, so, for instance, maritime security via U.S. Coast 
Guard. They have been doing these exercises all across the 
country where they are inviting U.S. Coast Guard cybersecurity 
professionals in addition to industry and they are actually 
doing exercises together. So they can each come to the table 
with what they know and actually solve a problem.
    I have also seen this done with GridEx, which is an 
initiative led by the Department of Energy, and all of the 
energy companies who are naturally sharing information, they 
come together to work to do tabletop exercises, cybersecurity 
workshops, and this is an opportunity in a much more informal 
setting to actually have a real conversation.
    I think the problem with the public and private sector, 
they speak different languages. Oftentimes in these very rigid, 
hierarchical structures, people are not willing to share. So 
these are some of the things I have seen in real life that 
actually have people leave and they feel much more enlightened 
than they started.
    Mr. Katko. Thank you.
    Dr. Chang, anything?
    Mr. Chang. Yes. I will mention information sharing, though, 
in a different way. So at our university, there is a security 
group where students meet on their own time voluntarily once a 
week to basically share information with each other. You see 
that they are exploring different career options.
    One of the sessions they have is to basically bring 
companies in to kind-of describe what those companies do. So 
when you are a student, maybe you have heard of Google or 
Facebook or Microsoft or something, you probably haven't heard 
of DHS or TSA or, you know, Customs and Border Protection or 
something.
    So the extent to which students find out that, gosh, 
working at this particular organization has a really cool cyber 
mission, they just wouldn't know. So the extent that you can 
kind-of get the word out there I think would be quite 
appealing.
    Students really do, they are sponges, they are soaking it 
up. So they actively seek information. If the word got out 
there a little bit more that there is an interesting cyber 
mission, that would be helpful.
    Mr. Katko. It just seems to me that a great way to do it is 
with cross-pollinization. I hope we can continue to expand 
this. If there are ideas you think about later of what we can 
do to incentivize that or do something, it should go both ways.
    I mean, we would want people from Capitol Hill to come work 
in industry for 6 months and see that side of it as well. It 
would definitely give them a different perspective, especially 
as the pay disparity between the two, so maybe that is not such 
a good idea.
    [Laughter.]
    Mr. Katko. But it is very, very important. I encourage you 
all to partake in it as best you can. We are going to endeavor 
to do the same.
    With that I yield back, Mr. Chairman.
    Mr. Ratcliffe. Thank you.
    The Chair now recognizes the gentlelady from California, 
Ms. Barragan.
    Ms. Barragan. Thank you, Mr. Chair.
    I represent a majority minority district. It is about 75 
percent Latino and African American. I recently read a report 
that said only about 12 percent of the information security 
work force was made up of African Americans, Asian Americans, 
and Latinos. What is the cybersecurity industry doing to ensure 
a more representative work force?
    Go ahead, you want to start?
    Ms. Okafor. OK. So yes, the fact you stated is completely 
correct. The activities are disparate, and I think that is part 
of the problem is not a lot of the organizations are working 
together. But what we are seeing from the large organizations, 
like a McAfee, like Google, Facebook, what they are doing is 
most recently Google actually put a new Howard University 
campus on its campus in order to start to raise awareness of 
minority students about the opportunities at Google.
    What we have also seen is a rise in those organizations 
sponsoring HBCU programs, doing college tours that take into 
consideration HBCUs and primarily Hispanic-serving 
institutions.
    What they are attempting to do is, instead of expecting, as 
in the past, that minorities and women find them, they are 
actually going out into those communities and using the 
channels that they know those communities actually look to for 
additional information.
    What they are also trying to do is sort-of broaden overall 
awareness with, you know, sort-of social activism, things that, 
you know, that represent strongly with women, taking part in 
some of the urban community events that they might not 
typically be seen.
    Then more than anything, actually doing career days where 
they are having their employees go on-site, do either lunch-
and-learns that I have seen or they are actually doing 
workshops with some of the students just to talk to them about 
the opportunities.
    So the activities have not been combined and I think that 
might be part of the problem. But what I have seen is a 
frequency, an increasing amount of frequency in the activities 
that they are conducting.
    Ms. Barragan. So the district I represent also is a very 
low-income community. Median income is about $44,000. Only 
about 11 percent of students go on to college. So everything I 
am hearing is having the word ``college'' in it, you know, on 
colleges it is happening. You are telling me, you know, a lot 
of college tours. What about the students who don't want to do 
a 4-year? What kind of opportunities are there for them in this 
work force? What can we do to make sure that they are not left 
out?
    Before I let you answer, you know, I used to be on a 
council in a very affluent city called Hermosa Beach. They had 
something called UCode, and you could sign up as a student and 
you could go after school. It was not--it was expensive. Even 
people there said it was not affordable. You don't see anything 
like that in Compton or Watts where I represent. Certainly, it 
would be very challenging for people there to send their kids 
to something that is so expensive. So what can we do to make 
sure we don't leave these communities out?
    Mr. Papay. So, ma'am, another great example of that is a 
partnership we just started with the National Society of Black 
Engineers where, like you say, you reach out to them through 
these societies where you can reach a larger population. This 
is a--it is an integrated pipeline program to provide 72 
engineering students with $8,000 scholarship grants at 
historically black colleges and universities.
    You don't have to go to a 4-year university to get into the 
cyber program. You know, we are hiring kids in high school and 
getting them started that early. Then if they want to stop 
after 2 years and then work on some certifications, that is 
what you need to get started in cyber.
    Then you continue and if they are interested and they want 
to go on for a further degree, great, we will support that. But 
you have got to reach in to them early and say here is an 
opportunity for a scholarship. If you don't have a lot of 
money, a great chance to go to a school nearby and get started.
    Ms. Okafor. Also, the idea of the lack of, you know, either 
the pipeline or the lack of ability to track talent often comes 
down to dollars and cents. The digital divide is a big issue 
with the number of minorities and Latino students not having 
the same access to technology at a younger age as some of their 
white counterparts or white peers.
    So a number of institutions, like Symantec, they are 
donating some of their technology to schools in areas with 
primarily underrepresented groups. I have seen that quite a 
bit.
    The other thing that I am seeing is a rise in the number of 
apprenticeships that are available to either students of 
vocational programs and junior colleges or high school students 
who demonstrate an ability to pass a certain criteria or a 
test.
    In doing so, what they are doing is building loyalty to the 
organization early on, but they are also creating hands-on 
learning that will allow them to be ready on Day 1 with the 
organization making the initial investment in that talent and 
saying we think you are important enough to invest our money 
and our resources to train you.
    So there is a preponderance of apprenticeships, hands-on 
learning programs, internships that are focusing on junior 
colleges, community colleges, and also vocational institutions.
    Ms. Barragan. Great, thank you.
    I yield back.
    Mr. Ratcliffe. Thank the gentlelady for coming to our 
subcommittee hearing.
    I am going to exercise my discretion as the Chairman to ask 
a second round of questions, and I invite any Members that want 
to do that and I will recognize you as well, really for the 
purpose of asking one question.
    I think we have had a great discourse on some of the areas 
where we need to focus, some of the solutions. But with respect 
to the overall goal here, assisting the Department of Homeland 
Security in accomplishing its cyber mission, I want to make 
sure that I have given each of you the opportunity to highlight 
the most important and the most immediate steps that you think 
DHS can take to mitigate the shortage of cybersecurity workers 
at the Department.
    I know, Mr. Montgomery, that you have identified the 
CyberCorps, expanding that as one of the things.
    It is not intended to be redundant, but I want to make sure 
that we have captured everything valuable that you all might be 
able to relate to us.
    So I will just go down in order and start with you, Dr. 
Chang.
    Mr. Chang. OK. So as I mentioned, occasionally I have 
conversations with students about career choices and so forth. 
I expressly put to them the question, if you were motivated to 
work for the Government, what do you think?
    So the organizations that kind of rose to the top for them 
were NSA and FBI. One student actually mentioned that they had 
watched ``CSI: Cyber'' on TV and thought that was really cool, 
so I don't know how many other students watch ``CSI: Cyber'' 
but, you know, maybe that sort-of rose, you know, created a 
little bit more demand for FBI. So I think it is really 
important, again, to kind-of raise awareness.
    Another thing that comes up, and I think this is important, 
the students come out of school at the top of their game and 
they are technically really sharp, they kind-of, you know, want 
to stay sharp. If they thought that they would move to an 
organization that weren't using the best tools, that didn't 
have the best people, they would be less motivated to go there.
    So I would really encourage the idea that it is a place 
that is, you know, sort-of at the leading edge, you get to work 
with really cool people, it has got a great mission. These are 
some of the thoughts that students have.
    Mr. Ratcliffe. Terrific. Thank you, Dr. Chang.
    Mr. Montgomery. So two things I think that are immediate. 
No. 1, I would echo Dr. Papay's comments on information 
sharing. If there is an incident at CBP and it is a system that 
exists in every other portion of the department, CBP should 
automatically share that information to the rest of the 
Department, it shouldn't be a discussion, it shouldn't be a 
committee, it shouldn't be tabled, it should be automatic.
    So if a system is attacked, we know the root cause, we know 
how to protect against that particular attack. All of that 
should be made available to the rest of the Department 
immediately, automatically, without anybody having to touch it. 
There are ways to do that and they don't actually cost that 
much, they are actually free, so employ them.
    The second thing I would say is, we talk about the math 
problem, there is a finite number of people, there is a finite 
amount of budget, 24 hours in the day. So anything that reduces 
the labor on those practitioners has to be employed. The public 
cloud is part of this, right?
    So let us say a system, to secure a system takes one 
practitioner 10 hours, just making this up. By contracting with 
a public cloud provider or a hybrid cloud provider like 
Northrop, the amount of labor that the practitioner has to 
spend goes down to only 4 hours because the cloud provider is 
providing 6 hours of that labor, you have to employ those 
techniques. You are not going to get more workers, we already 
talked about that, so you have to reduce the amount of labor.
    How do you do it? Automation, information sharing, cloud 
technologies.
    Mr. Ratcliffe. Thank you.
    Dr. Papay.
    Mr. Papay. I think if I could make one additional 
recommendation, it would be for the new administration at DHS 
to go back and look at that 2012 Homeland Security Advisory 
Council Task Force on Cyber Skills report where we laid out 11 
recommendations, and refresh it a little bit, look at it again 
with a new eye and say, hey, that was 5 years ago, how many of 
these are still valid, how many of these haven't we done, 
should we pick up a couple more and really push, because that 
was a lot of effort by a lot of people across academia and 
Government and industry to participate in that.
    Mr. Ratcliffe. Terrific.
    Ms. Okafor.
    Ms. Okafor. One of the things I think is a key way for the 
public sector to benefit from the private-sector ingenuity and 
innovation is USA Jobs. I myself have taken the steps of trying 
to apply for jobs in the Federal Government and found a job in 
the private sector. So I can imagine that there are lots of 
people who perhaps would be interested in working for the 
Government who just are daunted by the process.
    You know, if anything, Google, Facebook, you know, the 
McAfees and the Northrop Grummans of the world, they have 
figured some of that stuff out, we don't have to reinvent the 
wheel. So why not use some of that work that has already been 
done? So we don't have to completely innovate, we are just 
enhancing some of the things we know have already been done.
    So I would say I do believe that there is some of this that 
could be focused on technology, but easily the private sector 
could help with some of the hiring practices through the system 
currently existing. Thanks.
    Mr. Ratcliffe. Very good.
    Would the gentlelady from Florida like to be recognized? 
Well, very good then.
    I really want to thank the witnesses for your insightful, 
thoughtful, and frankly, very valuable testimony today.
    I also want to thank the Members for their questions.
    Members of the committee may have some additional questions 
for some of you and we would ask you to respond to those in 
writing.
    Pursuant to committee rule VII(D) the hearing record will 
be held open for a period of 10 days. Without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 4:32 p.m., the subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

     Questions From Chairman John Ratcliffe for Frederick R. Chang
    Question 1a. It seems right now that we are waging war against 
criminals who would hack our systems, and the role of the cybersecurity 
professional is one of defender. Do you foresee technical solutions 
that could perform the work that cyber defenders do now?
    Answer. I believe we will see continued innovation and investment 
in technologies that aim to assist the human cyber defender. As was 
discussed in the hearing, the cyber skills gap is large and growing, so 
to the extent that technological breakthroughs can be achieved to 
assist existing cyber defenders would potentially be of great value. In 
my written testimony I briefly referenced the recent DARPA Cyber Grand 
Challenge. The goal of the Cyber Grand Challenge was to explore the 
possibility of actually automating the complex tasks of: (A) 
Identifying a vulnerability in software, (B) creating a fix (or 
``patch'') for that vulnerability and then (C) implementing that patch, 
in real time. These are complex and time-consuming tasks to perform for 
a human cyber defender. The result of this Cyber Grand Challenge 
demonstrated the progress that could be made in automating these tasks. 
This was an important and significant result. Did the technology 
perform at the level of the human experts? No--but the results that 
were achieved are a positive sign about the sorts of advances that 
might be possible over time.
    The technologies of artificial intelligence and machine learning 
have been around for decades now but in recent years we have seen some 
important advances in how these machine learning (deep learning) 
technologies can assist us in everyday tasks (e.g., visual pattern 
recognition, language processing). We will see increasing efforts to 
incorporate these sorts of technologies to assist the human cyber 
defender. At a very general level the idea would be to have computers 
process large data sets in an attempt to detect suspicious behavior in 
the data--in a way that a human might not be able to detect. Its clear 
why techniques like these will be pursued: (A) Limited numbers of human 
cyber defenders, (B) growing amounts of data to analyze, (C) the 
criticality of proactively stopping the attacks before they compromise 
a network or system. The techniques are far from perfect, but important 
progress is being made. We are also seeing these and other sorts of 
technologies being positioned on the inside of networks, again with the 
intent of detecting anomalous behavior and taking action rapidly. At a 
much more general level, I am bullish on human innovation and ingenuity 
in discovering creative ways to harness technology in the aid of human 
cyber defenders.
    Question 1b. What research is being performed in cyber defense 
tools?
    Answer. In the response to the previous question I touched on some 
types of tools that are being developed to assist the human cyber 
defender. Indeed there is a whole industry of researchers, inventors, 
developers, startup companies, large established technology companies 
and Government labs working on R&D in cyber defense and cyber defense 
tools. As mentioned earlier, I remain bullish on how creative solutions 
may be brought to bear on the cyber problem; there are lots of bright 
and motivated people who are working in this space now. With that said, 
the efforts to create effective cyber defense tools, in my view, will 
be improved based on the extent to which they are based on a solid 
scientific foundation, and this foundation--the science of 
cybersecurity--has been elusive. The field remains too reactive and 
after-the-fact. Something bad happens and we have to react afterwards. 
We lack an adequate understanding of how to construct and compose 
systems that are fundamentally resilient and secure, based on first 
principles.\1\ A very recent report \2\ from the National Research 
Council (NRC) captures the sentiment very well: ``Security science has 
the goal of improving understanding of which aspects of a system 
(including its environment and users) create vulnerabilities or enable 
someone or something (inside or outside the system) to exploit them. 
Ideally, security science provides not just predictions for when 
attacks are likely to succeed, but also evidence linking cause and 
effect pointing to solution mechanisms. A science of security would 
develop over time, for example, a body of scientific laws, testable 
explanations, predictions about systems, and confirmation or validation 
of predicted outcomes.'' The NRC report continues: ``A scientific 
approach to cybersecurity challenges could enrich understanding of the 
existing landscape of systems, defenses, attacks, and adversaries. 
Clear and well-substantiated models could help identify potential 
payoffs and support of mission needs while avoiding likely dead ends 
and poor places to invest effort. There are strong and well-developed 
bases in the contributing disciplines. In mathematics and computer 
science, these include work in logic, computational complexity, and 
game theory. In the human sciences, they include work in judgment, 
decision making, interface design, and organizational behavior.''
---------------------------------------------------------------------------
    \1\ Schneider, F.B. (2012). Blueprint for a science of 
cybersecurity. The Next Wave, Vol. 19, No. 2, pp. 47-57, National 
Security Agency, Ft. Meade, MD.
    \2\ Millett, L.I., Fischhoff, B., and Weinberger, P.J., (Editors), 
(2017). Foundational Cybersecurity Research: Improving Science, 
Engineering, and Institutions, National Academies Press, Washington, 
DC.
---------------------------------------------------------------------------
    As the community tasked with developing new cyber defense tools 
works to innovate and create new and better tools, I think it is 
equally important that the research community work to advance the 
scientific foundation that will help to make tomorrow's cyber defense 
tools even more effective. The NSA sponsors a Science of Security (SoS) 
effort currently that is actively engaging the open academic community 
in advancing this foundational research. The activity has defined a set 
of hard problems as a way to focus the effort. The hard problems 
include: (A) Scalability and Composability, (B) Policy-Governed Secure 
Collaboration, (C) Security-Metrics-Driven Evaluation, Design, 
Development, and Deployment, (D) Resilient Architectures, and (E) 
Understanding and Accounting for Human Behavior. More detail on the 
NSA's SoS effort can be found on the NSA website \3\ as well as the 
Science of Security website.\4\
---------------------------------------------------------------------------
    \3\ https://www.nsa.gov/what-we-do/research/science-of-security/.
    \4\ https://cps-vo.org/group/SoS/.
---------------------------------------------------------------------------
    Question 2. You mention that many companies are ``training in 
place'' to educate individuals to fill cybersecurity knowledge or 
skills gaps. While this is a worthy exercise, it takes time. What steps 
can DHS take now to fill the gap, while embarking at the same time on a 
retraining program?
    Answer. In an effort to bring on cyber talent more quickly, 
companies are engaging with students at the high school level. With the 
success of various different cybersecurity competitions at the 
university level (e.g., the National Collegiate Cyber Defense 
Competition), cyber competitions have now expanded to include students 
at the high school level (e.g., Cyber Patriot). One company (and I 
understand that there are others that are pursuing a similar strategy) 
is pursuing a strategy to bring on some high school students--who have 
participated in high school cyber competitions--as summer interns. Upon 
their high-school graduation, some of these students would be offered 
full-time positions in the company and the company would support their 
college education, while they are full-time employees. Perhaps DHS has 
been looking into this, but if not, it might be a way to augment cyber 
capability.
    On a related topic--given that many of these positions will require 
the employee to be granted a security clearance, I can comment on one 
company's thinking about this issue. The company recognizes that the 
time required for their new employee's security clearance processing to 
be completed can sometimes be lengthy. As a result they have given a 
lot of thought about how to ensure that the employee is motivated, 
productive, and contributing during the security clearance processing 
period. Via a combination of relevant Unclassified projects and self-
learning assignments, the company works hard to introduce the new 
employee to the company's culture, working environment, etc. such that 
once the security clearance is granted, the employee can hit the ground 
running to become as productive as possible, as quickly as possible.
    One other thought was triggered by a conversation I had recently 
with a couple of military reservists who are currently employed as 
cybersecurity employees in the private sector--along with an article I 
recently came across.\5\ The article describes that there are large 
numbers of folks who serve in the Reserves or National Guard who have 
cyber skills that could increasingly be brought to bear to expand the 
pool of qualified cyber workers that are available to the Government, 
particularly in times of crisis.
---------------------------------------------------------------------------
    \5\ https://techcrunch.com/2017/04/18/reservists-and-the-national-
guard-offer-untapped-resources-for-cybersecurity/.
---------------------------------------------------------------------------
    One final thought relates to the one above and involves 
volunteerism. During periods of crisis and emergency, many Americans 
generously offer their time--and specialized skills--to assist. An 
example comes from the field of amateur radio (also referred to as 
``ham radio'') where there are many examples of people, who hold an 
amateur radio license, who assist with communications when conventional 
communication systems are temporarily down due to a storm, hurricane, 
or other natural disaster. By analogy, perhaps it would be possible to 
form a civilian voluntary cyber corps to assist DHS during periods of 
crisis. The State of Michigan has implemented this sort of notion and 
describes many benefits.\6\
---------------------------------------------------------------------------
    \6\ http://www.michigan.gov/som/0,4669,7-192-78403_78404_78419---
,00.html.
---------------------------------------------------------------------------
       Question From Chairman John Ratcliffe for Scott Montgomery
    Question. We heard in the hearing that DHS has to overcome a 
perception hurdle. What can DHS offer its prospective cyber work force 
to mitigate this perception besides the importance of its mission?
    Answer. DHS needs to think and act more strategically when 
recruiting cybersecurity talent. It all starts back at DHS--DHS needs 
to upgrade cybersecurity compensation at all levels to attract the best 
and the brightest and ensure that these professionals, when they earn 
it, are fast-tracked to more senior levels. DHS needs to ensure that 
those professionals that want to stay on the technical track, rather 
than moving up the management ladder, are likewise given real 
opportunities for career advancement. DHS needs to customize 
cybersecurity training and continue to invest in its talented cyber 
work force to ensure that DHS is seen as an agency that values and 
trains its people. Finally, DHS needs to stream line its decision 
making as much as possible to ensure that cybersecurity professionals 
can work in a fast-paced, exciting environment.
        Questions From Chairman John Ratcliffe for Michael Papay
    Question 1. We heard in the hearing that DHS has to overcome a 
perception hurdle. What can DHS offer its prospective cyber work force 
to mitigate this perception besides the importance of its mission?
    Answer. The Department of Homeland Security (DHS) plays an 
absolutely essential role in providing cyber protection for our 
critical infrastructure, Government systems, and our way of life. We 
need to do a better job in communicating the criticality of DHS's cyber 
responsibilities. I think if the public (and DHS employees) better 
understood the importance of DHS, it could help ensure that the 
organization was more respected/ appreciated and subsequently instill a 
stronger sense of service within its work force.
    An additional way to help DHS enhance its ability to attract talent 
is to build an even more positive campaign around Cyber Grants and the 
National Science Foundation Scholarship for Service program. Students 
get college tuition paid in exchange for service after graduation. 
Since students have a choice of which Federal agency to work, DHS can 
stand-out among the other agencies by advertising among key target 
audiences the importance of their mission, their work environment, the 
enormous opportunities, and professional development programs that make 
it a great place to work. Cyber Grants is frequently offered at 
universities with high minority population, DHS could effectively build 
an even stronger, more diverse, and qualified work force (especially if 
they focus on institutions ((2-year and 4-year)) with those who have 
achieved the DHS/NSA Certification of Academic Excellence in 
Information Assurance Education ((CAE)) ). Additionally, if DHS hires 
students out of the CAE2Y program (community college) they could 
develop an energized, qualified, diverse, and committed work force.
    Beyond the importance of its mission, in many ways DHS is on the 
cutting edge of technology. The Science and Technology, Cyber Division 
is focused on developing innovative solutions for a wide range of 
challenges. It might be useful to leverage the exciting work of this 
organization as a tool to energize the Department's cyber work force.
    DHS does unjustly suffer from a perception challenge. However, by 
doing more to communicate the importance of DHS's role in protecting 
our National security, strengthening the college recruitment and 
highlighting the exciting technologies that DHS is involved in, I am 
hopeful that we can help embolden its cyber work force.
    Question 2. What do you think is the main reason that CyberPatriot 
programs have a 23 percent participation rate for females with 12 
percent for the average STEM programs?
    Answer. CyberPatriot has higher participation of girls than most 
programs because, quite simply, it is a focus for both Northrop Grumman 
and the Air Force Association.
    CyberPatriot has grown from 9% female participation in 2009 to 23% 
girls in 2017. The program offers a fun, team environment that makes it 
easy for girls to get involved. We encourage all girl teams and provide 
them registration free of charge. Another reason CyberPatriot has 
higher female participation is because we recognize that children are 
determining/considering future academic and career choices by about 
grade 5-7, if we wait 'til high school, it is too late. That's one 
critical reason CyberPatriot added the middle school division in the 
competition--girls have not self-selected out of STEM/cyber fields. In 
order to open minds even earlier, we created the cyber awareness 
program (Elementary School Cyber Education Initiative (ESCEI)) for 
grades K-6. We've sent out more than 6,000 free-of-charge ESCEI 
packages to academic and other young children's programs, so young 
girls are getting great exposure to the topic--they think it's a 
perfectly acceptable and normal academic and career choice.
    Lastly, many of Northrop Grumman's women employees spend time 
volunteering in classrooms and coaching CyberPatriot teams. These women 
are fantastic role models and help inspire future generations of girls 
to get involved in cyber. Also, we're targeting women's professional 
associations (Women in Cybersecurity, Women in Technology, Society of 
Women Engineers, and others) to not only speak at their conferences 
about the need for girls in Cyber/STEM but also give them another 
opportunity for their own outreach.
    Getting more girls involved in STEM programs is critical to not 
only helping girls reach their full potential, but diversity in the 
cyber field also strengthens our long-term economic and National 
security.