[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
PUBLIC-PRIVATE SOLUTIONS TO EDUCATING A CYBER WORKFORCE
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY
AND INFRASTRUCTURE PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
and the
SUBCOMMITTEE ON HIGHER EDUCATION
AND WORKFORCE DEVELOPMENT
of the
COMMITTEE ON EDUCATION
AND THE WORKFORCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
OCTOBER 24, 2017
__________
Serial Nos. 115-34 and 115-38
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov and
http://edworkforce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
28-821 PDF WASHINGTON : 2018
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Sheila Jackson Lee, Texas
Mike Rogers, Alabama James R. Langevin, Rhode Island
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Lou Barletta, Pennsylvania William R. Keating, Massachusetts
Scott Perry, Pennsylvania Donald M. Payne, Jr., New Jersey
John Katko, New York Filemon Vela, Texas
Will Hurd, Texas Bonnie Watson Coleman, New Jersey
Martha McSally, Arizona Kathleen M. Rice, New York
John Ratcliffe, Texas J. Luis Correa, California
Daniel M. Donovan, Jr., New York Val Butler Demings, Florida
Mike Gallagher, Wisconsin Nanette Diaz Barragan, California
Clay Higgins, Louisiana
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Brendan P. Shields, Staff Director
Steven S. Giaier, Deputy Chief Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
John Ratcliffe, Texas, Chairman
John Katko, New York Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin James R. Langevin, Rhode Island
Thomas A. Garrett, Jr., Virginia Val Butler Demings, Florida
Brian K. Fitzpatrick, Pennsylvania Bennie G. Thompson, Mississippi (ex officio)
Michael T. McCaul, Texas (ex officio)
Kristen M. Duncan, Subcommittee Staff Director
COMMITTEE ON EDUCATION AND THE WORKFORCE
Virginia Foxx, North Carolina, Chairwoman
Joe Wilson, South Carolina Robert C. ``Bobby'' Scott, Virginia, Ranking Member
Duncan Hunter, California
David P. Roe, Tennessee Susan A. Davis, California
Glenn ``GT'' Thompson, Pennsylvania Raul M. Grijalva, Arizona
Tim Walberg, Michigan Joe Courtney, Connecticut
Brett Guthrie, Kentucky Marcia L. Fudge, Ohio
Todd Rokita, Indiana Jared Polis, Colorado
Lou Barletta, Pennsylvania Gregorio Kilili Camacho Sablan, Northern Mariana Islands
Luke Messer, Indiana
Bradley Byrne, Alabama Frederica S. Wilson, Florida
David Brat, Virginia Suzanne Bonamici, Oregon
Glenn Grothman, Wisconsin Mark Takano, California
Elise Stefanik, New York Alma S. Adams, North Carolina
Rick W. Allen, Georgia Mark DeSaulnier, California
Jason Lewis, Minnesota Donald Norcross, New Jersey
Francis Rooney, Florida Lisa Blunt Rochester, Delaware
Paul Mitchell, Michigan Raja Krishnamoorthi, Illinois
Tom Garrett, Jr., Virginia Carol Shea-Porter, New Hampshire
Lloyd K. Smucker, Pennsylvania Adriano Espaillat, New York
A. Drew Ferguson, IV, Georgia
Ron Estes, Kansas
Karen Handel, Georgia
Brandon Renz, Staff Director
Denise Forte, Minority Staff Director
------
SUBCOMMITTEE ON HIGHER EDUCATION AND WORKFORCE DEVELOPMENT
Brett Guthrie, Kentucky, Chairman
Glenn ``GT'' Thompson, Pennsylvania Susan A. Davis, California, Ranking Member
Lou Barletta, Pennsylvania
Luke Messer, Indiana Joe Courtney, Connecticut
Bradley Byrne, Alabama Alma S. Adams, North Carolina
Glenn Grothman, Wisconsin Mark DeSaulnier, California
Elise Stefanik, New York Raja Krishnamoorthi, Illinois
Rick W. Allen, Georgia Jared Polis, Colorado
Jason Lewis, Minnesota Gregorio Kilili Camacho Sablan, Northern Mariana Islands
Paul Mitchell, Michigan
Tom Garrett, Jr., Virginia Mark Takano, California
Lloyd K. Smucker, Pennsylvania Lisa Blunt Rochester, Delaware
Ron Estes, Kansas Adriano Espaillat, New York
C O N T E N T S
----------
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on Cybersecurity
and Infrastructure Protection:
Oral Statement
Prepared Statement
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity and Infrastructure Protection:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement
The Honorable Brett Guthrie, a Representative in Congress From
the State of Kentucky, and Chairman, Subcommittee on Higher
Education and Workforce Development:
Oral Statement
Prepared Statement
The Honorable Susan A. Davis, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Higher Education and Workforce Development:
Oral Statement
Prepared Statement
The Honorable Virginia Foxx, a Representative in Congress From
the State of North Carolina, and Chairwoman, Committee on
Education and the Workforce:
Prepared Statement
Witnesses
Mr. Stephen A. Cambone, Associate Vice Chancellor, Texas A&M
University System:
Oral Statement
Prepared Statement
Mr. Douglas C. Rapp, President, Rofori Corporation-DEFCON Cyber,
Testifying on Behalf of the Cyber Leadership Alliance:
Oral Statement
Prepared Statement
Mr. David Jarvis, Security and CIO Lead, IBM Institute for
Business Value:
Oral Statement
Prepared Statement
Mr. R. Scott Ralls, President, Northern Virginia Community
College:
Oral Statement
Prepared Statement
Appendix
Questions From Chairman John Ratcliffe for Stephen A. Cambone
Questions From Chairman John Ratcliffe for Douglas Rapp
Question From Chairman John Ratcliffe for David Jarvis
Question From Chairwoman Virginia Foxx for David Jarvis
Questions From Chairwoman Virginia Foxx for Scott Ralls
PUBLIC-PRIVATE SOLUTIONS TO EDUCATING A CYBER WORKFORCE
----------
Tuesday, October 24, 2017
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection, joint with the
Committee on Education and Workforce,
Subcommittee on Higher Education
and Workforce Development,
Washington, DC.
The Subcommittee on Cybersecurity and Infrastructure
Protection and Subcommittee on Higher Education and Workforce
Development met, pursuant to notice, at 2:06 p.m., in room 210,
Rayburn House Visitors Center, Hon. John Ratcliffe [Chairman of
the Cybersecurity and Infrastructure subcommittee] presiding.
Present from the Cybersecurity and Infrastructure
Protection subcommittee: Representatives Ratcliffe, Donovan,
and Langevin.
Present from the Education and Workforce Development
subcommittee: Representatives Guthrie, Davis, Thompson,
Smucker, Estes, Courtney, Adams, Takano, Rochester, and Scott.
Mr. Ratcliffe [presiding]. Good afternoon. The Committee on
Homeland Security Subcommittee on Cybersecurity and
Infrastructure Protection and the Committee on Education and the
Workforce Subcommittee on Higher Education and Workforce
Development will come to order.
The subcommittees are jointly meeting today to receive
testimony regarding the public-private solutions to educating a
cyber work force. I now recognize myself for an opening
statement.
Let me begin by welcoming our witness panel and our guests
today. Thank you all for taking time away from your important
work to testify here and help Congress better understand these
work force issues. I am especially grateful for the opportunity
to collaborate today with the Members of the Higher Education
and Workforce Development Subcommittee to hold this joint
hearing on developing our Nation's cyber work force.
I would like to thank Chairwoman Foxx and Chairman Guthrie,
as well as Ranking Members Scott and Davis for their collective
work on this critical issue. It is an important time for
cooperation here on Capitol Hill. It is my sincere hope that
the public will be encouraged that Members on both sides of the
aisle are focused on the important issues that really matter.
Cybersecurity is an issue that affects every sector of our
economy and every sector of our society. The risks are broadly
shared, and this joint hearing shows the need for an integrated
approach to address the challenge of the cyber skills gap.
Cyber attacks are growing in frequency and sophistication,
but the availability of qualified cybersecurity professionals
to deal with these challenges is simply not keeping pace. We
cannot speak to the shortage of workers without recognizing the
importance of the academic pipeline that produces today's work
force, as well as our next generation of experts who will need
to keep pace with the technology and the ever-evolving threats.
The dearth of cybersecurity talent is a major resource
constraint that impacts our ability to protect information and
assets. More than 200,000 cybersecurity jobs in the United
States are unfilled, and the demand for positions, like the
information security professionals, is expected to grow by as
much as 53 percent through 2018. This slow-moving crisis is
very likely only to get worse.
The Cybersecurity and Infrastructure Protection
Subcommittee recently heard testimony that indicated that the
struggle to find qualified personnel to fill these
cybersecurity roles in Government and business is not only a
short-term problem, but is expected to grow and become more
acute in the future. Technology innovation and criminal tactics
move very fast. With each new wirelessly-connected baby monitor
or internet-connected energy-efficient pipeline that comes on-
line, new threats and vulnerabilities emerge to exploit those
technologies.
Just as the connected world expands and new products
improve our quality of life, simplifying many tasks, our
vulnerabilities move in parallel and demand a skilled work
force who can protect the functionality and preserve
confidential data. Public and private hiring systems must
likewise shift and adapt to a new way of thinking about hiring
and recruiting. We need intellectual capital that better
reflects the qualifications and skills of a new type of cyber
worker.
For their entire lives, younger Americans entering the work
force have possessed more technology in a single smartphone
than some ever imagined. Consider that the iPhone 7 operates at
1.4 gigahertz and can process instructions at a rate of
approximately 1.2 instructions every cycle in each of its two
cores. Put simply, the iPhone 7's clock is 32,600 times faster
than the best Apollo-era computers and could perform
instructions 120 million times faster. You wouldn't be wrong in
saying that an iPhone could be used to guide 120 million
Apollo-era spacecraft to the moon all at the same time. The
rate of innovation in the information technology sector is
truly astonishing.
I believe that the Federal Government and our cybersecurity
leaders can create more alliances with community groups,
universities, and career and technical schools to better
develop our talent pipeline. The Department of Homeland
Security supports a number of efforts to strengthen its work
force from programs to recruit new cyber talent to those that
allow the private-sector experts the opportunity to share their
knowledge with those working at DHS.
We need to encourage Government, university, employer
collaborations that are meaningful and that are robust.
Demonstrating cyber know-how no longer comes in discrete forms
such as having a bachelor's degree or not or obtaining a cyber
certification. Cyber competitions, bug bounty programs, and
coding camps are all new forms of work force development.
I am looking forward to discussing with our witnesses today
some of the best practices in building public-private
partnerships to expand the cyber work force pipeline. The cyber
capabilities of our work force help support economic strength
and sustain our technological advantage. It is my firm belief
that America will only remain the world's preeminent superpower
so long as it remains the world's cybersecurity leader.
Leadership matters, and if we don't encourage and develop the
talented women and men who lead this work, we will be both
poorer and less safe as a country.
[The statement of Chairman Ratcliffe follows:]
Statement of Chairman John Ratcliffe
October 24, 2017
Let me begin by welcoming our witness panel and our guests today.
Thank you for taking the time away from your important work to testify
and help Congress better understand these work force issues. I am
especially grateful for the opportunity to collaborate with the Members
of the Higher Education and Workforce Development Subcommittee to hold
this joint hearing on developing our Nation's cyber work force. I would
like to thank Chairwoman Foxx and Chairman Guthrie for their work on
this critical issue. It is an important time for cooperation here on
Capitol Hill and it is my sincere hope that the public will be
encouraged that Members on both sides of the aisle are focused on
important issues that really matter.
Cybersecurity is an issue that affects every sector of our economy
and our society. The risks are broadly shared and this joint hearing
shows the need for an integrated approach to address the challenge of
the cyber skills gap. Cyber attacks are growing in frequency and
sophistication, but the availability of qualified cybersecurity
professionals to deal with these challenges is not keeping pace. We
cannot speak to the shortage of workers without recognizing the
importance of the academic pipeline that produces today's work force as
well as our next generation of experts who will need to keep pace with
technology and the ever-evolving threats.
The dearth of cybersecurity talent is a major resource constraint
that impacts our ability to protect information and assets. More than
200,000 cybersecurity jobs in the United States are unfilled and the
demand for positions, like information security professionals, is
expected to grow by 53 percent through 2018. This slow-moving crisis is
very likely to only get worse.
The Cybersecurity and Infrastructure Protection subcommittee
recently heard testimony that indicated that the struggle to find
qualified personnel to fill cybersecurity roles in Government and
business is not only a short-term problem, but is expected to grow and
become even more acute in the future. Technology innovation and
criminal tactics move very fast, and with each new wirelessly-connected
baby monitor or interconnected energy-efficient pipeline that comes on-
line, new threats and vulnerabilities emerge to exploit those
technologies. Just as the connected world expands and new products
improve our quality of life, simplifying many tasks, our
vulnerabilities move in parallel and demand a skilled work force who
can protect the functionality and preserve confidential data.
Public and private hiring systems must likewise shift and adapt to
a new way of thinking about hiring and recruiting; we need intellectual
capital that better reflects the qualifications and skills of a new
type of cyber worker. For their entire lives, younger Americans just
entering the work force have possessed more technology in a single
smartphone than some ever imagined. Consider that the iPhone 7 operates
at 1.4 gigahertz and can process instructions at a rate of
approximately 1.2 instructions every cycle in each of its 2 cores. Put
simply, the iPhone 7's clock is 32,600 times faster than the best
Apollo-era computers and could perform instructions 120,000,000 times
faster. You wouldn't be wrong in saying an iPhone could be used to
guide 120,000,000 Apollo-era spacecraft to the moon, all at the same
time. The rate of innovation in the information technology sector is
simply astonishing.
I believe the Federal Government and our cybersecurity leaders can
create more alliances with community groups, universities, and career
and technical schools to better develop our talent pipeline. The
Department of Homeland Security supports a number of efforts to
strengthen its work force, from programs to recruit new cyber talent to
those that allow private-sector experts the opportunity to share their
knowledge working at DHS. We need to encourage Government-university-
employer collaborations that are meaningful and robust. Demonstrating
cyber know-how no longer comes in discrete forms such as having a
bachelor's degree or not, or obtaining a cyber certification. Cyber
competitions, bug bounty programs, and coding camps are all new forms
of work force development.
I am looking forward to discussing with our witnesses today some of
the best practices in building public-private partnerships to expand
the cyber work force pipeline.
The cyber capabilities of our work force help support economic
strength and sustain our technological advantage. It is my firm belief
that America will only remain the world's preeminent superpower so long
as it remains the world's cybersecurity leader. Leadership matters, and
if we don't encourage and develop the talented men and women who lead
this work, we will be both poorer and less safe.
Mr. Ratcliffe. The Chair now recognizes the Ranking
Minority Member of the Subcommittee on Cybersecurity and
Infrastructure Protection, the gentleman from Louisiana, Mr.
Richmond, for his opening statement.
Mr. Richmond. Good afternoon, and I would like to thank
Chairman Ratcliffe for holding today's joint hearing to explore
solutions to educating our cyber work force. I would also like
to thank Subcommittee on Higher Education and Workforce
Chairman Guthrie and Ranking Member Davis for participating in
today's hearing and sharing your expertise with us.
Last month, we held a hearing to discuss the challenge
public and private-sector groups encounter as they try to
recruit and retain skilled cybersecurity professionals,
including Federal agencies like DHS. Every expert on the panel
seemed to agree that the real problem is demand. The need for
cybersecurity talent is accelerating at an impossible rate. We
cannot rely on 4-year academic institutions and traditional
educational frameworks to produce a stream of professionals
commensurate with the number of connected devices we now use.
What we learned is that before we can recruit and retain,
we have to start with a more fundamental question--how can we
educate, train, and certify today's students and job applicants
to be tomorrow's cybersecurity experts? How do we inject more
professionals into the job market?
In 2012, the Bureau of Labor Statistics projected that by 2020
there would be 400,000 computer scientists available to fill
1.4 million computer science jobs. Recent reports suggest that
that deficit is growing instead of shrinking and may reach 1.8
million by 2022. To overcome this shortage, we need a ``no
stone left unturned'' mentality that allows us to tap into
every segment of the applicant pool.
Unfortunately, that is not the case today. At our hearing
last month, we heard from the International Consortium of
Minority Cybersecurity Professionals, or ICMCP, that women and
minorities are still vastly underrepresented in cybersecurity,
with women making up around 11 percent and African-Americans
and Hispanics making up less than 12 percent of the global
cyber work force combined.
What those numbers say to me is that we are still leaving
talent on the table. ICMCP's testimony went even further,
arguing that in the realm of National statute, having a diverse
cyber work force is mission-critical. To support this, ICMCP
pointed to the 2014 CIA diversity and leadership study, which
found that a lack of diversity in CIA's leadership may have
contributed to past intelligence failures.
We need to be leveraging non-traditional training models,
like apprenticeships or vocational programs, community
colleges, and career development tools. We also need to grow
partnerships at the K-12 level to make sure children are being
introduced to computers at an early age, even the ones who go
to schools that can't afford a specialized tech program.
Some of the skills we need to leverage can't be taught in a
classroom, and we need to think creatively about how we
identify and cultivate traits that lend themselves to
cybersecurity, for example, a natural affinity for problem
solving or an analytical approach to risk. With the right access
and support, these candidates can easily learn the technical
skills through on-the-job training, industry certifications,
community college courses, and modern vocational programs.
As our world grows more and more connected, we also need a
multidisciplinary approach to cyber education, one that reaches
professionals in the fields like construction, nursing, and
electrical engineering. I look forward to hearing ideas from
our esteemed panel of witnesses today about how we as Federal
policy makers should be thinking about growing and diversifying
our cyber talent pipeline. But ultimately, if we are going to
make a dent in the cyber work force challenge, we need to do
more than talk about it. We cannot pretend to be serious about
right-sizing the cyber work force while at the same time
entertaining the administration's request for massive cuts to
programs like the National Science Foundation's Scholarship for
Service.
Similarly, I cannot fathom what kind of message is being
sent to DACA recipients working to earn tech degrees in fields
like cybersecurity, nor can I understand the logic behind
needlessly sending this home-grown talent abroad.
I will conclude by saying that defending our networks from
cyber attacks requires strong leadership, sustained funding
from Congress, and action. I look forward to hearing the
testimony of our witnesses today and hope we can identify
innovative ways to work together to address cybersecurity work
force challenges. With that, I yield back.
[The statement of Ranking Member Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
October 24, 2017
Last month, we held a hearing to discuss the challenge public and
private-sector groups encounter as they try to recruit and retain
skilled cybersecurity professionals--including Federal agencies like
DHS.
Every expert on the panel seemed to agree that the real problem is
demand: The need for cybersecurity talent is accelerating at an
impossible rate. We cannot rely on 4-year academic institutions and
traditional educational frameworks to produce a stream of professionals
commensurate with the number of connected devices we now use.
What we learned is that, before we can recruit and retain, we have
to start with a more fundamental question--how can we educate, train,
and certify today's students and job applicants to be tomorrow's
cybersecurity experts? How do we inject more professionals into the job
market?
In 2012, the Bureau of Labor Statistics projected that by 2020,
there would be 400,000 computer scientists available to fill 1.4
million computer science jobs. Recent reports suggest that deficit is
growing instead of shrinking, and may reach 1.8 million by 2022. To
overcome this shortage, we need a ``no stone left unturned'' mentality
that allows us to tap into every segment of the applicant pool.
Unfortunately, that is not the case today. At our hearing last
month, we heard from the International Consortium of Minority
Cybersecurity Professionals, or ICMCP, that women and minorities are
still vastly under-represented in cybersecurity--with women making up
around 11 percent, and African Americans and Hispanics making up less
than 12 percent of the global cyber work force combined. What those
numbers say to me is that we are still leaving talent on the table.
ICMCP's testimony went even further, arguing that in the realm of
National security, having a diverse cyber work force is mission-
critical. To support this, ICMCP pointed to the 2014 CIA Diversity in
Leadership Study which found that a lack of diversity in CIA's
leadership may have contributed to past intelligence failures. We need
to be leveraging non-traditional training models like apprenticeships
or vocational programs, community colleges, and career development
tools.
We also need to grow partnerships at the K-12 level to make sure
children are being introduced to computers at an earlier age--even the
ones who go to schools that can't afford a specialized tech program.
Some of the skills we need to leverage can't be taught in a
classroom, and we need to think creatively about how we identify and
cultivate traits that lend themselves to cybersecurity--for example, a
natural affinity for problem solving or an analytical approach to risk.
With the right access and support, these candidates can easily
learn the technical skills through on-the-job training, industry
certifications, community college courses, and modern vocational
programs. As our world grows more and more connected, we also need a
multidisciplinary approach to cyber education--one that reaches
professionals in fields like construction, nursing, and electrical
engineering.
I look forward to hearing ideas from our esteemed panel of
witnesses today about how we, as Federal policy makers, should be
thinking about growing and diversifying our cyber talent pipeline. But
ultimately, if we're going to make a dent in the cyber work force
challenge, we need to do more than talk about it.
We cannot pretend to be serious about right-sizing the cyber work
force while at the same time entertaining the administration's request
for massive cuts to programs like the National Science Foundation's
Scholarship for Service.
Similarly, I cannot fathom what kind of message is being sent to
DACA recipients working to earn tech degrees in fields like
cybersecurity--nor can I understand the logic behind needlessly sending
this home-grown talent abroad.
I'll conclude by saying that defending our networks from cyber
attack requires strong leadership, sustained funding from Congress, and
action. I look forward to hearing the testimony of our witnesses today,
and hope we can identify innovative ways to work together to address
cybersecurity work force challenges.
Mr. Ratcliffe. I thank the gentleman. The Chair now
recognizes the Chairman of the Subcommittee on Higher Education
and Workforce Development, the gentleman from Kentucky, Mr.
Guthrie, for any statement that he has.
Mr. Guthrie. Thank you very much. Good afternoon and
welcome to today's joint subcommittee hearing with colleagues
from the Subcommittee on Cybersecurity and Infrastructure
Protection. I would like to thank our panel of witnesses and
Chairman Ratcliffe, Ranking Member Richmond, Ranking Member
Davis, and the Members of both subcommittees for joining
today's important discussion on apprenticeships and
opportunities for us to grow the Nation's work force.
When Americans think of data breaches and cyber attacks,
names like Equifax come to mind. This and other recent high-
profile data breaches have made private and sensitive
information vulnerable to identity theft, as well as other
cyber crimes. Cyber crimes are constantly appearing in the
news, and Americans want to know what is being done to protect
their data, as well as other vulnerable targets that compromise
our National infrastructure.
Organizations in public and private sectors are actively
seeking skilled professionals to fill the numerous jobs
available in the growing cybersecurity field and are coming up
short in the number of Americans able to fill these essential
positions that ensure our American cyber infrastructure is
safe. A recent study by Intel Security and the Center for
Strategic and International Studies, CSIS, examined the global
security, cybersecurity work force shortage and confirmed that
the talent shortage was real and wide-spread. Eighty-two
percent of participants report a shortage of cybersecurity
skills.
The same report found that more than 209,000 cybersecurity
jobs in the United States are unfilled, and job postings are up
74 percent over the past 5 years. Additionally, the demand for
cybersecurity professionals is expected to grow to over 1.8
million by 2022. This skills gap is not unique to the cybersecurity
sector. Many other industries such as manufacturing and
transportation are facing a shortage of skilled workers to fill
good-paying jobs. However, when dealing with cybersecurity,
the stakes are even higher, because we are dealing with
National security.
Fortunately, today's hearing continues the discussion in
Congress on how to best fill the skills gap. The House
unanimously passed the Strengthening Career and Technical Education
for the 21st Century Act, which allows States to dedicate
additional resources toward high-demand fields such as
cybersecurity based on changing economic, educational, and
National security needs.
Additionally, the Committee on Education and the Workforce has
been carefully observing the implementation of the Workforce
Innovation and Opportunity Act that was signed into law in
2014. This law streamlined the confusing maze of work force
development programs and increased the amount of funding
available to States that meet specific work force demands based
on conversations with public and private stakeholders in each
State. Today's hearing will examine solutions to filling the
skills gap that currently exists in the cybersecurity field and
how coalitions across Government, academic institutions, and
private industries can pave the way to successfully close the
skills gap and keep our country's cybersecurity infrastructure
safe.
I look forward to hearing from our witnesses about how
Congress can assist, and the conversation is already taking
place between the institutions of higher education and public
and private entities in the cybersecurity field. I yield back.
[The prepared statement of Chairman Guthrie follows:]
Statement of Chairman Brett Guthrie
October 24, 2017
When Americans think of data breaches and cyber attacks, names like
Equifax come to mind. This and other recent high-profile data breaches
have made private and sensitive information vulnerable to identity
theft as well as other cyber crimes.
Cyber crimes are constantly appearing in the news, and Americans
want to know what is being done to protect their data, as well as other
vulnerable targets that comprise our National infrastructure.
Organizations in the public and private sectors are actively
seeking skilled professionals to fill the numerous jobs available in
the growing cybersecurity field, and are coming up short in the number
of Americans able to fill these essential positions that ensure our
American cyber infrastructure is safe.
A recent study by Intel Security and the Center for Strategic and
International Studies (CSIS) examined the global cybersecurity work
force shortage and confirmed that the talent shortage was real and
wide-spread. Eighty-two percent of participants report a shortage of
cybersecurity skills.
The same report found that more than 209,000 cybersecurity jobs in
the United States are unfilled, and job postings are up 74 percent over
the past 5 years. Additionally, the demand for cybersecurity
professionals is expected to continue to grow to over 1.8 million by
2022.
This skills gap is not unique to the cybersecurity sector. Many
other industries such as manufacturing and transportation are facing a
shortage of skilled workers to fill good-paying jobs. However, when
dealing with cybersecurity, the stakes are even higher because we are
dealing with National security.
Fortunately, today's hearing continues the discussion in Congress
on how to best fill the skills gap.
The House unanimously passed the Strengthening Career and Technical
Education for the 21st Century Act, which allows States to dedicate
additional resources toward high-demand fields such as cybersecurity
based on changing economic, educational, or National security needs.
Additionally, the Committee on Education and the Workforce has been
carefully observing the implementation of the Workforce Innovation and
Opportunity Act that was signed into law in 2014.
This law streamlined the confusing maze of work force development
programs, and increased the amount of funding available to the States
to meet specific work force demands based on conversations with public
and private stakeholders in each State.
Today's hearing will examine solutions to filling the skills gap
that currently exists in the cybersecurity field, and how coalitions
across Government, academic institutions, and private industries can
pave the way to successfully close this skills gap and keep our
country's cybersecurity infrastructure safe.
Mr. Ratcliffe. I thank the gentleman. The Chair now
recognizes the Ranking Minority Member of the Subcommittee on
Higher Education and Workforce Development, the gentlelady from
California, Ms. Davis, for her opening statement.
Ms. Davis. Thank you. Thank you, Mr. Chairman. I want to
thank our presenters here this morning or this afternoon for
this timely and important hearing. I am certainly excited to be
joining with the Cybersecurity and Infrastructure Subcommittee,
as well.
So you know, we are holding this hearing today to explore
the critical issue of the cybersecurity work force pipeline. It
is an urgent problem that has serious ramifications for our
National security. As my colleagues have pointed out,
cybersecurity attacks are on the rise, resulting in massive
data breaches and the loss of critical private data, as well.
We know that cybersecurity vulnerabilities extend to
critical infrastructure and even our elections. The need for a
more secure cyber infrastructure is only going to grow as
technology continues to move into even more aspects of our
daily lives. So by tackling this problem, we can create
critical infrastructure and a very important component is to
also create many more high-paying jobs.
The fundamental building block of a strong and durable
cyber infrastructure is highly-skilled cybersecurity workers.
But there is a consensus that we face a critical shortage of
cybersecurity professionals, leaving the Nation especially
vulnerable. So in today's hearing, we will hear from
businesses, as well as higher education institutions on what is
being done, what remains to be done in order to fill our
cybersecurity work force needs.
In order to address these problems, we must ensure that we
are actively recruiting women, African-Americans, Hispanics,
Native Americans into the field. These groups are woefully
underrepresented in the cybersecurity work force. According to
a study, women account for only about 11 percent to 14 percent
of North America's cybersecurity professionals, so we have to
do better. We must not only deepen, but also broaden the pool
of highly-trained individuals in the field.
I look forward to hearing from Dr. Ralls on the many
innovative programs that the Northern Virginia Community
College has developed to rebuild this robust cybersecurity
work force. Really, in response to a burgeoning need, the
college has grown from 50 to 1,500 students in one of his
associate's programs in just 4 years. That is really a
remarkable change and increase. They are using some very
successful proven career development methods like
apprenticeships, that I think we are all going to be talking
about, and career and technical education to bridge the gap.
This is the type of innovation that we should promote and
support, but I do want to raise a point of concern that the
administration is pointing us in the wrong direction. The
administration's budget request proposed to cut funding for the
CyberCorps Scholarship for Service Program by a whopping 27
percent from its fiscal year 2017 levels, so we want to be
looking to expand and not contract our efforts to fill
cybersecurity work force shortages.
Surely Government, educational institutions, and industry
leaders must come together to address the shortage. Government
should be adequately investing in the educational and work
force development infrastructure to grow the talent pool and
raise awareness for cybersecurity careers. I know that there
are innovative ways that the work force system can use Federal
investment to build a strong cybersecurity work force.
In my district, in San Diego, the San Diego Workforce
Partnership is using funding from the Obama administration's
Tech-Hire grants to build cybersecurity training programs. I
also believe that educational institutions must be more
responsive to the shortages by creating and expanding
cybersecurity programs. I know that we are going to have some
great examples here today.
Businesses and industry leaders must also do their part,
and I look forward to hearing as well from IBM. Industry
leaders should be expanding apprenticeship programs, investing
in retraining and upskilling their current work force, as well
as recruiting from a more diverse talent pool. It certainly
goes without saying that our industry leaders must work
collaboratively with educational and training institutions.
Businesses must also take a critical look at their hiring
practices and really look at their credentialing requirements
to ensure that they are not over-specifying credentials that
might create a barrier.
I want to thank all of our chairs, and I look forward to
our witnesses and how we can create more attractive career
pathways in cybersecurity for both the civilian and the
military work force. Thank you very much.
[The statement of Ranking Member Davis follows:]
Statement of Ranking Member Susan A. Davis
October 24, 2017
Thank you Mr. Chairman.
This is a timely and important hearing. I am excited to be working
with our colleagues from the Cybersecurity and Infrastructure
Subcommittee.
We are holding this joint hearing today to explore the critical
issue of the cybersecurity work force pipeline. It is an urgent problem
that has serious ramifications for our National security. As my
colleagues have pointed out today, cybersecurity attacks are on the
rise resulting in massive data breaches and the loss of critical
private data.
And we know that cybersecurity vulnerabilities extend to critical
infrastructure and our elections. The need for a more secure cyber
infrastructure is only going to grow as technology continues to move
into even more aspects of our daily lives. By tackling this problem we
can secure critical information and create many more high-paying jobs.
The fundamental building block of a strong and durable cyber
infrastructure is highly-skilled cybersecurity workers. But there's a
consensus that we face a critical shortage of cybersecurity
professionals, leaving the Nation especially vulnerable. In today's
hearing we will hear from businesses as well as higher education
institutions on what is being done, and what remains to be done in
order to fill our cybersecurity work force needs.
In order to address these problems we must ensure that we are
actively recruiting women, African Americans, Hispanics, and Native
Americans into the field. These groups are woefully underrepresented in
the cybersecurity work force. According to a recent survey, women
account for only 14 percent of North America's cybersecurity
professionals. We must do better than this. We must not only deepen but
also broaden the pool of highly-trained individuals in the field.
I look forward to hearing from Dr. Ralls on the many innovative
programs that the Northern Virginia Community College has developed to
build a robust cybersecurity work force. In response to burgeoning
demand, the Northern Virginia Community College has grown from 50 to
1,500 students in one of its associates programs in just 4 years--
that's a remarkable thirty-fold increase. They are using successful,
proven career development methods like apprenticeships and career and
technical education to bridge the gap.
This is the type of innovation we should promote and support.
However I am concerned that the administration is pointing us in the
wrong direction. The administration's budget request proposed to cut
funding for the CyberCorps Scholarship for Service program by a
whopping 27 percent from its fiscal year levels. We should be looking
to expand, not contract, our efforts to fill cybersecurity work force
shortages.
Government, educational institutions, and industry leaders must
come together to address the shortage. Government should be adequately
investing in the educational and work force development infrastructure
to grow the talent pool and raise awareness for cybersecurity careers.
I know that there are innovative ways that the work force system can
use Federal investment to build a strong cybersecurity work force. In
my district, the San Diego Workforce Partnership is using funding from
the Obama administration's Tech-Hire grants to build cybersecurity
training programs.
I also believe that educational institutions must be more
responsive to the shortages by creating and expanding cybersecurity
programs and I know we have great examples here today.
Businesses and industry leaders must also do their part and I look
forward to hearing today from IBM. Industry leaders should be expanding
apprenticeship programs, investing in retraining and upskilling their
current work force as well as recruiting from a more diverse talent
pool. And it goes without saying, I hope, that our industry leaders
must work collaboratively with educational and training institutions.
Businesses must also take a critical look at their hiring practices and
really look at their credentialing requirements to ensure that they are
not over-specifying credentials that might create a barrier.
I would like to thank Chairs Ratcliffe, McCaul, and Guthrie for
holding this hearing.
I look forward to hearing from the witnesses on how we can create
attractive career pathways in cybersecurity for both the civilian and
military work force.
Mr. Ratcliffe. I thank the gentlelady. Other Members of the
committee are reminded that their own opening statements may be
submitted for the record.
[The statements of Ranking Member Thompson and Chairwoman
Foxx follow:]
Statement of Ranking Member Bennie G. Thompson
October 24, 2017
According to the International Data Corporation, global revenues
for cybersecurity technology and services will grow from $73.7 billion
in 2016 to $101.6 billion in 2020.
Yet, a report by Frost and Sullivan and (ISC)-Squared released
earlier this year predicted that, despite current projections for
steady growth in cybersecurity jobs, there will be 1.5 million unfilled
cybersecurity positions world-wide by 2020.
As policy makers, we have to ask ourselves why we are struggling to
attract people to a field that promises so much growth.
From where I sit, I can see at least three challenges we have to
address.
As a Member of Congress representing the Second Congressional
District of Mississippi, I can tell you that we have to do a better job
cultivating domestic cybersecurity talent.
As Ranking Member of the Committee on Homeland Security, I am
worried that President Trump's immigration policies--particularly
related to the Deferred Action for Childhood Arrivals--will result in a
loss of cybersecurity talent that our academic institutions and
businesses have already spent time and money educating and training.
And as a Member of the Congressional Black Caucus, I know that we
have missed opportunities to develop cybersecurity talent in diverse
communities.
I am pleased that the witnesses before us today will be able to
give us their thoughts on how the Federal Government can work with the
private sector to address all three of these issues.
When the Cybersecurity and Infrastructure Protection Subcommittee
held its hearing on cybersecurity work force challenges last month, I
told the panel what my constituents in Mississippi tell me about what
our approach to this problem should be: Invest aggressively in growing
domestic cybersecurity talent.
As a new generation enters the work force and as displaced workers
try to find their way in a changing economy, we must equip American
workers with the skills they need to take advantage of cybersecurity
job opportunities.
Unfortunately, the Trump administration's commitment to helping our
work force gain the skills they need to compete for cybersecurity jobs
is hardly consistent.
Although President Trump congratulated himself last month for
directing the Department of Education to spend at least $200 million
annually on STEM education grants, his fiscal year 2018 budget request
slashed the National Science Foundation's Scholarship for Service
Program.
And I would be remiss if I did not point out that no one knows
where the Department of Education is going to get the $200 million it
is supposed to spend on STEM grants.
The only thing we do know is that the President did not send any
new money with his directive.
President Trump is further undermining efforts to address our
cybersecurity work force challenges with his decision to allow the DACA
Program to expire in March.
If we do not provide ``Dreamers'' a path to citizenship, we run the
risk of hemorrhaging talent across a wide variety of disciplines.
I am pleased that businesses like Google, Facebook, IBM, and many
others have formed the Coalition for the American Dream to advocate for
a path to citizenship for ``Dreamers'' and to keep their talents in the
United States.
I am similarly encouraged by the advocacy of academic leaders who
have urged Congress to act so that the Nation can reap the benefits of
the Dreamers' skills and talents.
Finally, we must do more to promote cybersecurity opportunities in
diverse communities. Today, black and Hispanic people--combined--make
up only 12 percent of the cybersecurity work force. To me, that means
we are missing out on untapped potential.
Despite on-going challenges with a lack of consistent leadership
from the White House, I am pleased that the private sector and our
academic institutions continue to work together to build a robust
cybersecurity work force.
I am eager to learn more about these efforts and how Congress can
help support them.
______
Statement of Chairwoman Virginia Foxx
We are facing a skills gap in this country, and the cybersecurity
sector is not immune from its impact.
Major corporations and Government entities are looking for highly-
skilled professionals to fill important positions that ensure our
country's public institutions, as well as private businesses, remain
safe from the growing number of cyber threats.
According to a report by the Congressional Research Service, the
Department of Defense, and the Department of Homeland Security require
over 4,000 personnel to handle the current cybersecurity threats that
impact the Government.
While this skills gap currently exists in the cybersecurity sector,
conversations are being had between skills-based institutions of
education and employers to better ensure that the skills students are
learning in the classroom match the need for skilled employees in the
cybersecurity field.
This is encouraging news, and I hope the cybersecurity sector
continues on this positive trend, and can be a model for other
industries to prepare a skilled and equipped work force of the future.
The progress is so encouraging that a study by the RAND Corporation
has indicated that demand will likely be met over time due to an
increased number of cybersecurity apprenticeship and education
programs.
At the Education and Workforce Committee, we are looking for more
ways to raise awareness across all industries for apprenticeship and
other earn-and-learn opportunities. That is why today's hearing is
particularly important, not just what it means for security, but what
it means for future jobs.
Mr. Ratcliffe. We are all very pleased to have a very
distinguished panel of witnesses before us today. Dr. Stephen
Cambone is the associate vice chancellor for the Texas A&M
University System. Good to see you again, Dr. Cambone.
Mr. Douglas Rapp is the president of Rofori Corporation-
DEFCON Cyber and is testifying on behalf of the Cyber
Leadership Alliance. Mr. Rapp, we are glad to have you here, as
well.
Mr. David Jarvis is the security and CIO lead of the IBM
Institute for Business Value. Mr. Jarvis, welcome to our
committees.
Our final witness is Dr. R. Scott Ralls, president of the
Northern Virginia Community College. Dr. Ralls, thank you for
being here, as well.
[Witnesses sworn.]
The witnesses' full written statements will appear in the
record. The Chair now recognizes Dr. Cambone for 5 minutes for
his opening statement.
STATEMENT OF STEPHEN A. CAMBONE, ASSOCIATE VICE CHANCELLOR,
TEXAS A&M UNIVERSITY SYSTEM
Mr. Cambone. Thank you, Mr. Chairman, Chairman Ratcliffe,
Mr. Richmond, and Ms. Davis, it is a pleasure to be here with
you. I am a relatively newly-appointed associate vice
chancellor of the university, but I come to this hearing with a
long background in the field, having spent a good deal of time
in my prior positions dealing with the issues of both the cyber
domain--that is, operations and activities in the cyber domain,
including everything from your wristwatch to robots--and have
spent a fair amount of time in the private sector doing the
same.
A word about Texas A&M. Texas A&M is a land grant
university. As such, it very closely hews to the original
purpose of the land grant college, which is to look after the
development of the work force. The reason I am there is the
vice chancellor for engineering for the system is looking to
build a coherent program in cybersecurity out of the 11
universities and 3 agencies over which she has considerable
influence, because she is, as well, the dean of engineering of
the college at A&M and has some 19,000 engineering students
from which to cull the cybersecurity work force of the future.
We have over the past year-and-a-half been granted three
designations by NSA and the Department of Homeland Security in
cybersecurity. We are quite proud of that fact. It is in cyber
operations, cyber defense education, and cyber defense
research. What does that mean? It means essentially that the
auditors came in from both DHS and NSA and said, do you have a
teaching program? Do you have students? Do you have faculty who
will address the issues that are going to face the country in
cybersecurity in the years to come? The answer was, yes, we
did, and therefore those designations are in place.
We have a minor degree program in cybersecurity for
undergraduates. In the course of the last 2 years, we now have
300 students in that program, and 39 have graduated with
bachelor's degrees with a minor in cybersecurity. In the spring
of 2018, we will begin a master's of engineering in
cybersecurity. It is a multidisciplinary degree intended to
admit any bachelor's of science graduate into the program where
they will learn the essentials of cybersecurity in order to
bring it back to their career fields in aero, mechanical,
civil. Whichever engineering field they may have been in, they
will have the fundamentals in cybersecurity and be able to
bring it to their businesses.
We have worked fairly hard, Mr. Richmond, to make some
arrangements with our friends at Blinn College, which is a very
large 2-year university in the town next to College Station. In
particular, in the field of nursing, where we will work with
them to put together a program to test biomedical devices, to
see that they meet the standards of both users and the
patients.
I wanted to offer two thoughts in closing on how we might
address some of the issues associated with the work force. One
is a bit wonky, I will admit, and that is that the ISACs, which
are functioning better or worse depending on the sector, have a
wealth of data and information within them, which we think if
we could get some of the research faculty from around the
country to engage the material in those ISACs, we might be able
to begin to pull out some of the best practices and some of the
enduring issues that need to be addressed and offer then
recommendations both to the ISAC leadership and the members,
but also into our academic programs as to how we might begin to
address those enduring problems.
The second has to do with really picking up on the notion
of a land grant college. The university is a land grant, sea
grant, and space grant college. We think that it is time maybe
to think about a cyber grant program and model it on the space
and sea grant programs, which are really designed to be
consortium-based and to be outreach-focused in a way to build
up the cybersecurity practices of the people in the various
regions of the country that they serve.
So with that, Mr. Chairman, thank you.
[The prepared statement of Mr. Cambone follows:]
Prepared Statement of Stephen A. Cambone
October 24, 2017
introduction
Chairman Ratcliffe, Chairman Guthrie, Members of the subcommittees,
thank you for the opportunity to testify before you today.
I come before you this afternoon to discuss cybersecurity work
force development, as the recently-appointed associate vice chancellor
for Cyber Security Initiatives for Texas A&M University System.
The system's flagship university, Texas A&M, is a land grant
university. As such it is particularly attuned to meeting the work
force needs of the State and Nation.
My charge is to assist in the development of a multidisciplinary
program in cybersecurity across the 11 universities and 7 State
agencies that comprise the system. I have been asked to engage leaders
across the State and Nation, both in the public and private sector, to
identify the most pressing needs and then look to the resources of the
system to determine whether and in what way we can contribute to
meeting those needs.
Our objective is to develop transformational cybersecurity
capabilities, implemented by a well-educated and trained work force,
that support the United States' mission of protecting against and
combatting large-scale cyber attacks.
I come to the Texas A&M System after a career in both the public
and private sector. During my time in the Pentagon as senior official
from 2001-2006, I was witness to and occasionally helpful in advancing
the National interest and capabilities in the cyber domain. While
serving as the first under secretary of defense, I had oversight, on
behalf of the Secretary, of a variety of cyber issues.
My subsequent experience in the private sector included
responsibility for a substantial business unit that supported several
Government customers with interests in the cyber domain. That business
unit also explored as early as 2008 the use of commercial
communications and devices--and their attendant security--to manage
small robots and hand-held drones, controlled through cellular networks
and reporting to the user on wearable devices, for a wide variety of
applications.
Given our increasing reliance on cyber-physical systems--the power
grid and the internet of things being two examples--there is a
compelling need for well-educated professionals to address the
cybersecurity needs of the Nation.
Those needs are felt at the local, Tribal, State, and Federal
level. Some put the need at more than 200,000 professionals, not
including the primary, secondary, or university educators.
Universities across the Nation are experimenting with a variety of
undergraduate and graduate degrees and professional education programs
to meet the demand.
The difficulty faced in meeting the demand is both the shortage of
well-educated instructors and the increasing velocity of change in the
field of cybersecurity.
Within the Texas A&M University System we are addressing both
issues.
background on the texas a&m university system work force activities
The Texas A&M College of Engineering is one of the largest in the
Nation with over 19,000 students and numerous tenure track and
professional faculty conducting research and collaborating outside of
Engineering on a range of cyber-related topics.
The quality of their work, and the education it supports, has
resulted in Texas A&M's designation by the NSA/DHS as a National Center
of Excellence in three distinct areas: Cyber Operations, Cyber Defense
Education, and Cyber Defense Research.
Texas A&M University is one of only eight universities in the
United States, and is the only public university in the American
Association of Universities, with all three designations.
Texas A&M has created a cybersecurity minor field of study. First
implemented in 2016, it is already the largest minor in the College of
Engineering.
Over 300 students in six different university colleges/schools have
enrolled, including 39 who have already graduated.
In the spring of 2018, the University will enroll its first cohort
of students in a distinctive Masters of Engineering in Cybersecurity.
In addition, the Texas A&M Engineering Extension Service (TEEX),
and the Texas A&M Engineering Experiment Station (TEES), two State
agencies which are a part of the Texas A&M University System, have
extensive programs in applied research and emergency response work
force development related to cybersecurity.
TEEX is a leading member of the National Domestic Preparedness
Consortium and the National Cybersecurity Preparedness Consortium. Both
consortia are critical preparedness partners of DHS/FEMA. Its Cyber
Readiness Center provides technical assistance to private and public
organizations with the intent of improving the health and security of
their digital operations. It delivers, at no cost, DHS/FEMA
cybersecurity courses. It provides preparatory classes for professional
certifications in cybersecurity and provides technical assistance to
prepare for cyber events. And, it conducts response exercises to
prepare communities and their officials to take swift, targeted action
to address an attack and limit losses.
TEES, through its EDGE program for professional and continuing
education, supports the deployment of face-to-face, on-line and blended
classes. All of its courses can be made portable. In addition, it has
developed the means of providing similar services for academic
instruction, enabling coursework to be presented throughout the Texas
A&M University System. These assets are being woven into the
cybersecurity initiatives sponsored by the vice chancellor's office.
As impressive and effective as these measures and similar efforts
made in States across the Nation may be, they are not sufficient to
meet the increasing need for a well-educated cybersecurity work force.
recommendations
With your permission, I'd like to offer two suggestions that might
improve the rate at which we educate and increase the cyber work force.
Expand existing information-sharing programs to meet work force needs
DHS might select and invite researchers and educators to affiliate
with each existing ISAC and ISAO, expanding the collaborative benefits
of these public-private partnerships to include cyber work force
development.
Participants from higher education would be exposed to and able to
conduct basic and applied research into each sector's immediate
challenges. This research can benefit each sector and might be shared
across sectors while simultaneously providing material for real-time
updates of course curriculum. This practical knowledge could help our
graduates entering the work force to be ``job ready on Day 1''.
Create a Cyber Grant program to meet work force needs
The Morrill Act recognized that the classical education then
offered by institutions of higher learning was not meeting the
pressing needs of the Nation. It gave rise to the great land grant
universities in the United States. More recently, Congress created Sea
and Space Grant programs to conduct research and extend the benefits of
that education to local populations.
Considering the challenges we face in developing and maintaining
the cybersecurity work force, the creation of a Cyber Grant Program
modeled after the three previous grant programs can be established to
realize similar benefits.
It can facilitate significant advancement of cybersecurity
research, education, and outreach across a broad front, including the
development and delivery of portable course content that addresses all
16 critical infrastructure sectors designated by DHS, and can be used
by industry in professional development.
conclusion
It will take time to build the cyber work force we require. We need
to be intentional and aggressive in our efforts now to yield essential
returns in the future. Time is of the essence and the Texas A&M
University System is ready to serve.
Mr. Ratcliffe. Thank you, Dr. Cambone. The Chair now
recognizes Mr. Rapp for 5 minutes for his opening statement.
STATEMENT OF DOUGLAS C. RAPP, PRESIDENT, ROFORI CORPORATION-
DEFCON CYBER, TESTIFYING ON BEHALF OF THE CYBER LEADERSHIP
ALLIANCE
Mr. Rapp. Thank you, Chairman Ratcliffe, Chairman Guthrie,
Mr. Richmond, and Ms. Davis, for this opportunity to come here
and testify in front of you on this very important topic of
public-private partnerships and work force development. I am
here representing the Cyber Leadership Alliance, which is a
501(c)(6) professional nonprofit organization. It represents
about $20 billion worth of Indiana thought leadership and
industry. So we are dedicated to solving the work force deficit
through public-private partnerships.
I would like to start my testimony by telling a story that
really illustrates the perspective from which we come from, and
that is, my own son, Urban, went to a public school, a great
public school in Indiana. While he was there, he was an average
student. That is much better than I did when I was growing up,
so I was OK with that.
So he was an average student and he came out of that high
school. One day, I came downstairs and he was on the computer,
and I asked him, what are you doing? He said, well, a couple of
friends of mine, we rented some server space and we have taken
a bunch of modules off of Garry's Mod and we have programmed
them all together, and right now we are hosting a game for
people all around the world.
So I asked him, well, where in the world did you get
interested in something like that? Where did you learn how to
do it? His answer to me was YouTube University. So--now, that
is by far the cheapest university I have paid for to date.
The point that I am trying to illustrate is that when we
think about solutions to work force and how we learn, we need
to be creative and disruptive when necessary. We need to look
at new concepts such as proposals to use coding as a foreign
language requirement in school, for new approaches, like the
National Minority and Technology Council's concept of resource
centers to reach out to underserved communities. We need to
think about tying our data from our skill-producing
institutions, our higher education directly to the employers.
We do things at Cyber Leadership Alliance, being a
501(c)(6), we positioned ourselves to be kind of a neutral
ground between academia, industry, and Government, where we can
take subject-matter expertise from across different verticals
and bring them together to solve these problems where we are
less threatened by individual motivations or agendas.
We believe that these public-private partnerships have to
provide value to their partners. So it is difficult to ask a
private industry to take part in something that takes them away
from providing value for their shareholders. So we have to be
conscious of what they must do to stay in business.
We also think that it is important to capitalize on each
other's skills and expertise, and that way we can reduce
redundancy, we can operate more efficiently, and we can
capitalize on the subject-matter expertise of the individuals
and the partnership.
So I look forward to answering any questions that you may
have for me today, and thank you for having me.
[The prepared statement of Mr. Rapp follows:]
Prepared Statement of Douglas C. Rapp
October 24, 2017
Thank you, Chairman Ratcliffe and Chairman Guthrie and Members of
the Homeland Security Subcommittee on Cybersecurity and Infrastructure
Protection and Subcommittee on Higher Education and Workforce
Development of the Committee on Education and Workforce for holding
today's hearing on the extremely important topic of Public-Private
Solutions to Educating a Cyber Workforce. As technology continues to
connect us in ways that create synergy and solve complex problems more
efficiently, so must we connect our public and private organizations to
do the same. By integrating, understanding, and accepting our
respective capabilities and differences, we can solve the difficult
problem of educating a modern cyber work force quicker and more
efficiently. The Cyber Leadership Alliance, a 501c6 industry non-profit
that represents the cybersecurity thought leadership of more than $20
billion dollars of Indiana industry, is dedicated to finding solutions
to reducing the cybersecurity work force deficit through effective use
of public-private partnerships.
indiana: a case study in cyber partnership
Indiana has long recognized the value of public-private
partnerships. One need only to look at the Office of the Indiana
Secretary of Commerce to see an example of a successful and enduring
public-private partnership. Other successful public-private
partnerships span utilities, emergency response, and other areas.
Indiana is a State of collaboration that has figured out how to
bring stakeholders to the table specifically in cybersecurity. Indiana
has built coalitions across Government, military, and industry to take
a holistic approach to cybersecurity. Five specific examples of
cybersecurity public-private partnerships are illustrated below:
Indiana National Guard Cyber Incident Response Plan.--The Indiana
National Guard Cyber Incident Response Plan was the first integrated
response plan in the State targeted at a State-wide cybersecurity
incident. Through public-private collaboration during development, this
plan was developed to define the role of State military cyber assets
while coordinating the integration of State military, public, and the
private sectors.
Indiana National Guard Cybersecurity Working Group.--The Indiana
National Guard Cybersecurity Working Group was the State's first
formal public-private group to meet on a consistent basis and share
information regarding significant cybersecurity issues. The group
initially consisted of public entities such as the National Guard,
Indiana Department of Homeland Security, the Indiana Utility Regulatory
Commission, FBI, and others. Private entities followed including Rook
Security, Vespa Group, Pondurance, and Citizens Energy to name a few.
This group no longer exists as three separate initiatives have arisen
to fulfill the functions that were identified in this group.
Crit-Ex (Critical Infrastructure Exercise).--Crit-Ex was sponsored
by the Indiana Department of Homeland Security, Indiana Office of
Technology, the Indiana National Guard and was managed by the Cyber
Leadership Alliance. The event, which is the first of its kind, brought
together 2 Federal agencies, 8 State agencies, and 15 private-sector
organizations. The exercise was formulated to explore the intersection
between critical infrastructure and cybersecurity. Partnerships between
the Government agencies and private organizations made during the
exercise are helping prevent major incidents in our current high-threat
environment. An important footnote is that while Crit-Ex was
groundbreaking and spawned other initiatives, it has not been repeated
in Indiana due to lack of funding and competing demands on Government
resources.
Indiana Cybersecurity Economic Development Plan.--In 2016, the
Secretary of Commerce of the State of Indiana Victor Smith, directed
the creation of a State Cybersecurity Economic Development Plan as a
component of his economic development strategic sector plan. Completed
in early 2018, the plan was created by 19 noted subject-matter experts
with input gathered during 7 cybersecurity town halls around the State
of Indiana. Input from over 200 stakeholders from private industry,
academia, Government, and the military provided the data that shaped
the final report. The plan gives significant attention to cyber work
force development and recognizes it as one of 5 strategic Lines of
Effort. The report has been published and is currently available from
the Indiana Department of Workforce Development (IEDC).
Indiana Executive Council on Cybersecurity.--The Indiana Executive
Council on Cybersecurity can be traced back through the working group
for the Crit-Ex initiative to the Indiana National Guard Cybersecurity
Working Group. The council, created by Executive Order under former
Governor Mike Pence and continued by Governor Eric Holcomb, is made up
of government (local, State, and Federal), private-sector, military,
research, and academic stakeholders. The mandate of the council is to
collaboratively increase Indiana's cybersecurity posture and maturity.
With 28 Council members, 9 subcommittees, and more than 150 advisory
members, the Council's first deliverable is a comprehensive strategy
plan to Governor Holcomb by September 2018. One of the council's focus
areas is cyber work force development.
addressing the cyber workforce crisis
Currently, Indiana is approaching the shortage of cybersecurity
work force professionals like many other States--through its academic
institutions. Indiana currently has 31 higher education institutions
that offer cybersecurity education, 6 R1-R3 Research Centers, and 7
DHS/NSA Cybersecurity Centers of Excellence. However, the Cyber
Leadership Alliance believes that the popular methodology of recruiting
self-selected college-trained graduates to meet the cyber work force
demands is not only flawed but rather that anyone suggesting that as a
solution is at best incapable of simple math. A visit to CyberSeek.org,
an on-line cybersecurity work force development tool created in a
public-private partnership between the National Initiative for
Cybersecurity Education (NICE), CompTIA, and Burning Glass, will
immediately invalidate that solution.
The partners within the Cyber Leadership Alliance believe that the
most effective way to address the current cybersecurity talent crisis
is by taking a holistic approach. Only by creating and following a
long-term process of ``growing your own'' can you solve this problem.
We have modeled that process and are currently proposing it to the
Indiana Department of Workforce Development in the form of an
application for a SkillUp! grant.
the cyber leadership alliance skillup! solution
The SkillUp! proposal is governed by a public-private partnership
referred to as the Cyber Leadership Alliance Coalition (CLAC) and plans
to inform, educate, grow, and retain an Indiana-based work force, with
jobs awaiting them post-(re)training at the most critical levels of
commerce. The SkillUp! solution is based on the following tenets:
Cybersecurity Workforce Development efforts must be driven by
public-private partnerships.--No one private entity, industry sector,
branch, or level of Government should attempt to ``own'' cybersecurity.
Cyber Public-Private partnerships should be run by or always
include non-profit industry organizations.--These organizations provide
a neutral ground where the direction of the project is more likely to
be driven by the needs of the industry rather than political agenda or
personal profit. Additionally, these organizations attract subject-
matter experts from across many sectors and industries.
Cyber Public-Private Partnerships must provide value to its
partners.--These partnerships must understand and not be threatened by
each other's agendas. Businesses need to understand that Governments
are trying to solve complex problems while competing for limited
resources. Government needs to understand that businesses can only
participate in partnerships if they can afford to work at the rate at
which the Government is willing or able to pay. The allure of an
appointment or invitation to a Government partnership fades quickly
when weighed against the responsibility of creating value for the
shareholders.
Cyber Public-Private Partnership must reduce redundancy and
capitalize on core competencies.--Participants in partnerships should
be vetted for their expertise and ability to produce results. Competing
interests and inclusion for any other reason than expertise is
counterproductive to measurable results.
Cybersecurity public-private partnerships should capitalize on and
use the most accurate data available.--Whenever possible, the creation
of cybersecurity work force should directly correlate to the needs of
the market. Partnerships should receive demand data directly from
employers and match those needs to the programs and institutions that
produce the required skills.
Cybersecurity Public-Private Partnership must be creative and
disruptive when necessary.--The work force deficit in cybersecurity is
showing little signs of getting better. Current methodologies are
routinely failing to produce the required result through the
traditional method of granting block funding to Government-subsidized
higher education. This problem will only be solved with careful
analysis, accurate data, and creative and disruptive ideas. Ideas such
as allowing coding to be utilized to fulfill a foreign language credit
in high school or offering incentives to cybersecurity professionals to
purchase a house within a State's borders could produce unprecedented
results if resources and political support are given.
Thank you for the opportunity to be here today and I look forward
to answering any questions that you may have.
Mr. Ratcliffe. Thank you, Mr. Rapp. The Chair now
recognizes Mr. Jarvis for 5 minutes.
STATEMENT OF DAVID JARVIS, SECURITY AND CIO LEAD, IBM INSTITUTE
FOR BUSINESS VALUE
Mr. Jarvis. Chairman Guthrie, Chairman Ratcliffe, Ranking
Member Davis, Ranking Member Richmond, and distinguished
Members, I am honored to appear before both committees today to
discuss the insufficient supply of cybersecurity skills, to
protect the economic and National security interests of the
United States and the global digital infrastructure.
I work at IBM as part of the IBM Institute for Business
Value, which explores research and reports on emerging business
and technology issues, connecting our clients with leading
practices. I primarily focus on cybersecurity and the various
aspects surrounding the discipline.
To understand IBM's approach to skills and talent for
cybersecurity, it is important to understand the people behind
our security brand. We have roughly 8,000 subject-matter
experts around the world. Since 2015, IBM security has hired
nearly 2,000 into its security business. We must intelligently
manage and struggle for scarce talent daily.
Simply put, cybersecurity professionals are not produced by
the education system in the United States in the quantities or
with the correct hard and soft skills needed. The education
system is not aligned to produce a work force that can defend
us from today's cybersecurity threats.
There are many estimates as to the size of the skills gap
and how long it may take to close. While the size of the gap
certainly indicates the severity of the problem, the bigger
point is, unless we better align our education system with the
core attributes and skills needed in cybersecurity, the Nation
will continue to be at risk.
I would like to start by thanking you for your leadership
with the House passing the Perkins Career and Technical
Education Act twice. The recent letter signed by 59 Senators
gives hope the Senate will soon act, as well. Thank you again
for passing the bill which IBM believes will help students get
the right education for today's jobs.
Second, IBM urges Congress to ease the pathway to jobs for
new-collar workers. This involves tapping professionals who may
not have a traditional college degree but have the necessary
technical skills and aptitudes. To expand new-collar skills,
IBM is pursuing and experimenting with a multitude of
approaches activity the entire supply chain of talent. We are
utilizing the new education model P-TECH. In the United States
and other countries, P-TECH connects high school, college, and
the world of work for historically disadvantaged populations.
P-TECH starts with an employer committing to students that they
will be first in line for a job if the school teaches them the
core and technical skills needed.
The cornerstone for this program is industry partners
articulating the skills needed to be taught. IBM security is
currently partnering with programs specifically for
cybersecurity in New York and Maryland. IBM seeks out military
veterans who are by nature well aligned to cybersecurity
positions. We recently announced we will hire 2,000 U.S.
veterans over the next 4 years across our business. Veterans
are a natural fit for a new-collar approach, bringing their
skills and talents, but not necessarily formal degrees.
IBM is also driving education programs for middle and high
schools. Our IBM Cyber Day for Girls events Nation-wide provide
middle-school-aged girls with the opportunity to learn more
about cybersecurity careers from female leaders in the field,
reaching them at a critical age.
We are also partnering with community colleges to build the
skills of the future through our community college skills
accelerator. With growing numbers of community colleges
offering cybersecurity programs, they are an increasingly
important source of talent and they should be sufficiently
supported and nurtured.
To address the different skill and education needs of new-
collar workers, employers need to build a local cybersecurity
ecosystem that provides a robust support program for new hires
and supports continuous learning and upskilling. Employers
need to participate in regional partnerships with work force
development programs, secondary schools, and technical and
vocational schools. Examples of partnerships between employers
and educators include joint cybersecurity curriculum
committees, externships for local instructors to keep their
skills fresh and relevant, the sponsorship of cyber teams, and
programs with local middle/high-school students to generate
interest in the field.
The Federal Government should adopt a new-collar approach
to reach into expanded sources of labor. Federal agencies
should explore the P-TECH model for work force development
strategies that they can improper. By indicating what it takes
to be first in line for a job, they can help address their own
cybersecurity work force needs.
IBM believes new-collar workers can be an important
component of the Nation's overall approach to tackling the
cybersecurity skills gap. By not tapping into underutilized
sources of talent across the country and supporting and
nurturing it, we are doing a disservice to everyone and not
securing ourselves as well as we could.
Finally, as Congress looks to reform the Higher Education
Act, a good starting point is to eliminate existing regulatory
obstacles imposed between individuals and cybersecurity
careers. For example, work-based learning is a critical source
of skills, particularly in cybersecurity. However, the Federal
work-study program prohibits more than 25 percent of funds
administered by a college or university from use off-campus for
relevant internships or other work-based learning with private-
sector employers.
Eliminating the restrictions would increase the flexibility
of students and institutions of higher education. Thank you,
Members of both committees, for the opportunity to present
IBM's thoughts, strategies, and activities on improving
cybersecurity education and your consideration of this
testimony. Thank you.
[The prepared statement of Mr. Jarvis follows:]
Prepared Statement of David Jarvis
October 24, 2017
Chairman Guthrie, Chairman Ratcliffe, Ranking Member Davis, Ranking
Member Richmond, and distinguished Members, I am honored to appear
before both committees today to discuss the insufficient supply of
cybersecurity skills and the increased demand to fulfil important
cybersecurity positions to protect the economic and National security
interests of the United States and the global digital infrastructure.
In my testimony, I will describe the cyber threat landscape, the
skills needed to protect against those threats, what IBM is doing to
promote those skills including our ``new-collar'' approach, and
finally, what the Government should do to improve the supply of
cybersecurity skills and jobs.
To set the stage, I work at IBM as part of the Institute for
Business Value, which explores and researches emerging business and
technology issues impacting a variety of industries. We report insights
from that research and provide practical guidance to the market and our
clients. I primarily focus on cybersecurity and the various aspects
surrounding the discipline--whether it be technical, societal, or
economic.
Cybersecurity professionals are not produced by the education
system in the United States in the quantities or skill levels needed.
This is a problem that isn't going away anytime soon. However, with
great challenges come creative solutions that many dedicated
individuals and organizations are pursuing. At IBM, we believe that
some cybersecurity jobs can be filled through a new-collar approach
that involves tapping professionals who may not have a traditional
college degree but do have the needed technical skills and aptitudes.
This approach was outlined by our CEO, Ginni Rometty, at the end of
2016, as a way to address skills gaps across technology-related
sectors.\1\ By better aligning the education system with industry we
can develop the skills needed to fight cyber crime, fill jobs, and
reduce data breaches.
---------------------------------------------------------------------------
\1\ https://www.usatoday.com/story/tech/news/2016/12/13/ibms-rometty-talk-new-collar-jobs-trump/95370718/.
---------------------------------------------------------------------------
ibm's security capabilities
IBM Security is the largest security vendor selling exclusively to
enterprises. IBM manages 35 billion security events per day for our
clients--one of the largest security intelligence operations in the
world. IBM Security has 17,000 clients in 133 countries, 8,000
employees, including researchers, developers, and subject-matter
experts focused on security, in 36 IBM Security locations around the
globe. In sum, we ``see'' a lot in cyber space and have also dedicated
over $2 billion in research and development to ``out innovate'' the
cyber criminals.
To understand IBM Security, it's important to understand the people
behind the brand. As part of the 8,000 subject-matter experts we have
on board, IBM Security has:
Researchers analyzing software for vulnerabilities.
Incident Response teams (IBM X-Force IRIS) in the wake of a
breach conducting forensic investigations and working with law
enforcement.
Interim CISOs that help organizations scale and address
cybersecurity planning.
Malware, spam, and Dark Web analysts, spending hours
understanding the tactics criminals are using to target and
infiltrate organizations.
Security Intelligence analysts working in and deploying
Security Operation Centers (SOCs) across the globe.
Since 2015, IBM Security has hired nearly 2,000 additional experts
into its Security business, including world-class developers,
consultants, and research professionals.
Additionally, IBM Security is developing and using cognitive
cybersecurity systems like Watson to augment the skills and
capabilities of security teams. With the ability to interpret huge
volumes of structured and unstructured data, staff with cognitive tools
can better reveal patterns and put security events in context. Using
data mining, machine learning, natural language processing, and human
computer interaction, cognitive systems provide evidence-based
recommendations to help cybersecurity experts act with confidence, at
speed and scale.
today's security threats
Today, just about all the breaches we hear and read about involve
the exfiltration of data. A cyber criminal breaks into a system, gets
access to information, downloads that data, and extorts it for profit
or influence.
The IBM X-Force Threat Intelligence Index 2017 found in 2016 more
than 4 billion records were leaked, more than the combined total from
the two previous years, redefining the meaning of the term ``mega
breach.'' In one case, a single source leaked more than 1.5 billion
records. The industries experiencing the highest number of incidents
and reported records breached were information and communications,
Government, and financial services. Mega breaches have continued to
penetrate all sectors with unabated threats in 2017.\2\
---------------------------------------------------------------------------
\2\ https://www.ibm.com/security/xforce/research.html.
---------------------------------------------------------------------------
Additionally, late last year IBM and the Ponemon Institute unveiled
the results of the annual Cyber Resilient Organization study, which
found businesses are continuing to fail when it comes to preparing for
and responding to cyber attacks. Companies are being attacked
successfully more frequently, they cannot keep business operations
going effectively or recover quickly, and most have not done adequate
planning or preparation for an incident.\3\ Considering the vast
digital dependencies for organizations, it is no longer a matter of
``if'' but a matter of ``when'' an incident will happen.
---------------------------------------------------------------------------
\3\ ``The 2016 Cyber Resilient Organization'', Ponemon Institute
and IBM, November 2016.
---------------------------------------------------------------------------
We are seeing security attacks and techniques continue to evolve
across skill level, geography, and sectors. It is now estimated to be
one of the largest illegal economies in the world, costing the global
economy more than $445 billion dollars a year.\4\ To put this in
perspective, $445 billion is greater than the GDP of more than 160
different countries, including Ireland, Malaysia, Finland, Denmark, and
Portugal, among many others.
---------------------------------------------------------------------------
\4\ Net Losses: Estimating the Global Cost of Cyber Crime, Center
for Strategic and International Studies, June 2014.
---------------------------------------------------------------------------
The most sophisticated thieves operate like a well-oiled global
business. They build development tools and collaborate on software.
They share knowledge about targets and vulnerabilities. They recruit,
educate, promote, and reward their work force. In fact, each successful
attack proliferates the skills, tools, and ecosystem because hackers
often reuse malware and other vulnerabilities that they know are proven
to work. Think of it as on-the-job education.
As the threat emanates from a variety of angles, we need to respond
with innovative cyber defenses including a work force with a diverse
set of skills that are constantly updated. Persistent and well-funded
cyber crime organizations are constantly probing a range of
vulnerabilities. They look for simple misconfigurations of installed
software, but also have the capability to carry out sophisticated brute
force, phishing, and malware conflicts. The spread of attacks from
simple to complex requires a broad set of skills and capabilities to
respond--across skill levels, information technology defenses,
organizations, and geographies.
Due to the current lack of skills, cyber crime creates chronic
infections of Government, enterprise, and individual systems that take
months (if not years) to heal, and are corrosive to the economy and
public trust.
the skills challenge and needed capabilities to defend against cyber
threats
An organization is only as good as the people that are part of it.
The challenge of recruiting and retaining the best technical and
business professionals is a constant worry for any organization, even
more so in the cybersecurity field.
The cybersecurity talent issue isn't limited to a few sectors; it
runs across the board from Government to education to health care and
all industries. Strong talent is needed in all communities from rural
farms that increasingly rely on information technology to financial
service companies in large urban areas.
There are many estimates as to the size of the shortage of
cybersecurity professionals. Frost & Sullivan predicts that the growing
gap between available qualified cybersecurity professionals and
unfulfilled positions will reach 1.8 million by 2022.\5\ While the size
of the gap certainly indicates the severity of the problem, the bigger
point is that unless we change and improve our approach dramatically,
the gap will be an elusive thing to catch up to and close.
---------------------------------------------------------------------------
\5\ ``The 2017 Global Information Security Workforce Study: Women
in Cybersecurity.'' Frost & Sullivan. March 2017.
https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf.
---------------------------------------------------------------------------
Many leaders believe that not enough is being done about the
shortage. According to a report by the Center for Strategic and
International Studies and Intel Security, three out of four security
professionals surveyed believe their Government is not investing enough
in cybersecurity talent.\6\
---------------------------------------------------------------------------
\6\ ``Hacking the Skills Shortage: A study of the international
shortage in cybersecurity skills.'' Center for Strategic and
International Studies and Intel Security. 2016.
https://www.mcafee.com/ca/resources/reports/.
---------------------------------------------------------------------------
The inherent complexities that make cybersecurity challenging have
created this severe skills shortage. Even though Government, industry,
and education are attempting to address the problem through many
different initiatives, the entire supply chain of talent is stressed.
Industry is facing a shortage of qualified candidates with the
necessary hands-on skills and product experience. Those working as
security professionals today are under constant pressure, as they need
continuous education and professional development to keep up with
evolving technologies and the threat landscape. They are also
challenged to find time to properly mentor and educate new hires.
Academic institutions want to meet industry needs, but they are
struggling to evolve and develop curriculum to keep pace with industry
shifts and technological advances. There is also a shortage of
qualified teachers and professors at both the university and community
college levels, as many are lured away to industry by competitive
salaries. Finally, students interested in pursuing the cybersecurity
field are faced with defining their own career path from a myriad of
options and then obtaining the significant education and experience
required.
At the most basic level, employers must ensure that software,
networks, and cyber defenses are correctly installed and configured.
Skills for these broadly-needed services are low to middle but required
throughout the economy in large numbers.
At the other extreme, chief information security officers (CISOs)
for large enterprises and Government agencies are required to
orchestrate a broad set of defensive capabilities and respond to a
bewildering array of breaches. CISOs are highly-skilled positions with
significant education and experience who must balance managing their
own security operations with advising, guiding, and educating their C-
suites and boards of directors.
What skills should new cybersecurity professionals focus on? No
matter the educational background of the professional, there are some
essential elements. These elements can be classified into two groups:
Core attributes and skills.
Core attributes can be considered a general disposition beneficial
to security professionals--a set of common personality traits and
learned behaviors. This includes being investigative, methodical,
analytical, ethical, reliable, constantly learning, a good
communicator, and able to team with others to solve challenging
problems. Skills include both technical and workplace-related
abilities. A new security professional may not have all these skills at
first, but focusing on them over time will provide greater career path
flexibility and the foundation for technical or business-focused
security leadership positions.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
developing cybersecurity skills: the ibm new-collar approach
IBM's new-collar approach focuses on skills--not degrees earned--
and emphasizes work-based learning and core skills like teaming and
adaptability.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The cornerstone of a new-collar approach and a major component of
the overall strategy necessary to address the cybersecurity skills gap
is to seek new sources of skills that may not have been pursued in the
past, due to a lack of traditional academic credentials.
A new-collar approach is used at IBM to fill both technical and
non-technical jobs. We have identified some specific cybersecurity jobs
as suitable places to start. This includes ``builders'' such as
integration engineers and cybersecurity developers, ``operators'' such
as threat monitoring analysts and security operations center analysts,
and ``communicators'' such as technical writers and security awareness
educators.
A new-collar approach focuses on skills--not degrees earned--as a
prerequisite to find and attract nontraditional candidates with diverse
backgrounds and skill sets. Once hired, these new employees are
expected to strive for continuous learning and professional growth. A
new-collar approach recognizes there are alternative ways to learn the
skills needed. For example, respondents from a CSIS and Intel Security
study ranked hands-on experience and professional certifications as
better ways to acquire cybersecurity skills than a degree.\7\
---------------------------------------------------------------------------
\7\ ``Hacking the Skills Shortage: A study of the international
shortage in cybersecurity skills.'' Center for Strategic and
International Studies and Intel Security. 2016.
https://www.mcafee.com/ca/resources/reports/rp-hacking-skills-shortage.pdf
---------------------------------------------------------------------------
To expand new-collar skills, IBM is experimenting with a multitude
of approaches to educate and develop the next generation of
cybersecurity professionals. These include creating and developing new
education programs, going beyond the traditional classroom and making
new connections and sharing information.
IBM is utilizing the new education model Pathways in Technology
Early College High School (P-TECH) in the United States and other
countries specifically for cybersecurity. Currently, we are working
with Excelsior Academy at Newburgh Free Academy in New York (a
partnership between the Newburgh Enlarged City School District, IBM,
and SUNY Orange Community College) and P-TECH@Carver in Baltimore,
Maryland (a partnership between Carver Vocational Technical High
School, IBM, and Baltimore City Community College) on cybersecurity-
specific pathway programs.
The P-TECH model of schools has four key elements:
Alignment of the Program of Study for grades 9-14 with the
skills needed by an employer.
Mentors for all students from the employer.
Internships for students from the employer.
A commitment that graduating students will be first in line
for a job with the employer.
The P-TECH model could be adopted by Federal agencies to create job
opportunities for students, and as an approach for their work force
needs. Over 60 P-TECH schools exist throughout the United States
including in my home State of Rhode Island and there are many more on
the way.
We are partnering with community colleges to build the skills of
the future through our Community College Skills Accelerator. This
program provides access to documented skills roadmaps, access to free
IBM tools, including platforms, services, and software, access to IBM
mentorship and subject-matter expertise, including collaboration on
curriculum review and creation and pathways to employment, including
internships and apprenticeships.
With growing numbers offering cybersecurity programs, community
colleges are an important source of talent. However, fewer than 30
percent of the roughly 1,100 public and independent community colleges
across the United States offer a cybersecurity degree, certificate, or
course.\8\ Those that offer cybersecurity classes have difficulty
updating the content and finding the needed teaching staff. The
additional demands of accreditation, distributional requirements, and
financial aid requirements make cybersecurity education very
challenging for educators.
---------------------------------------------------------------------------
\8\ ``2016 Fact Sheet.'' American Association of Community
Colleges. http://www.aacc.nche.edu/AboutCC/Documents/AACCFactSheetsR2.pdf;
IBM Institute for Business Value interview with
Casey O'Brien, Executive Director & Principal Investigator, National
CyberWatch Center. February 21, 2017.
---------------------------------------------------------------------------
Programs like the National Security Agency and the Department of
Homeland Security sponsored National Centers of Academic Excellence and
the National Science Foundation's Advanced Technological Education
program that supports regional cybersecurity programs at 2-year
colleges, are very important resources for these community college
programs.
IBM is also driving education programs for middle and high schools.
This includes an initiative with ISECOM, a non-profit organization
which produces the Hacker High School project--open cybersecurity
courses designed specifically for teenagers to develop critical
thinking and hands-on, technical skills. As part of this collaboration,
IBM is providing sponsorship, expert guidance, and IBM Security tools
for new Hacker High School lessons focused on the skills needed for an
entry-level security operation center (SOC) analyst--a position that is
in demand. IBM also hosts ``Cyber Day for Girls'' events Nation-wide to
provide middle school-aged girls with the opportunity to learn more
about cybersecurity careers, reaching them at a critical age.
IBM partners with hundreds of universities and colleges world-wide
to develop the next generation of cyber talent. Through our Academic
Initiative program, we provide access to skills and software at no
charge. We also sponsor and recruit at key university cyber-
competitions, including ones at the Rochester Institute of Technology,
New York University, and the National Collegiate Cyber Defense
Competition.
Military veterans bring unique talents, mindset, and skills that
are attractive to the technology industry, and even more so to
cybersecurity positions. The mission focus mentality and
professionalism are attributes needed to protect and defend networks.
IBM recently announced it will hire 2,000 U.S. veterans over the next 4
years as part of the company's broader pledge to hire 25,000 workers by
2020. Veterans are a natural fit for the new-collar approach. We
developed the IBM Veterans Employment Accelerator to focus on education
and certification programs for military veterans and participate in
Veteran recruiting events and transition summits.\9\
---------------------------------------------------------------------------
\9\ ``Citizen IBM Blog--Veterans Employment Accelerator.'' IBM
website, accessed March 19, 2017.
https://www.ibm.com/blogs/citizen-ibm/tag/ibm-veterans-employment-accelerator.
---------------------------------------------------------------------------
Women are globally underrepresented in the cybersecurity profession
at 11 percent, much lower than the representation of women in the
overall global work force. In 2016, women in cybersecurity earned less
than men at every level.\10\ IBM is actively recruiting
underrepresented groups through conferences and organizations like the
International Consortium of Minority Cybersecurity Professionals
(ICMCP), the Grace Hopper Celebration and Women in CyberSecurity
(WiCyS).\11\ Additionally, we have an internal network called Women in
Security Excelling (WISE), an IBM professional development group that
also sponsors external events like the ``Cyber Day for Girls'' programs
in middle schools and provides scholarships to attend security
conferences.\12\
---------------------------------------------------------------------------
\10\ https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf.
\11\ International Consortium of Minority Cybersecurity
Professionals website, accessed April 3, 2017. https://icmcp.org/;
Women in CyberSecurity website, accessed April 3, 2017
https://www.csc.tntech.edu/wicys/.
\12\ ``How IBM Supports Women Building their Careers in Cyber
Security.'' IBM Jobs Blog, November 7, 2016
https://blog.ibm.jobs/2016/11/07/how-ibm-supports-women-building-their-careers-in-cyber-security/.
---------------------------------------------------------------------------
IBM's efforts to build a cybersecurity work force prove to be
working--as mentioned, we have built a business of over 8,000 experts
including an additional 2,000 since 2015--although job openings at IBM
Security are still plentiful. That work force is a result of reaching
new sources through our new-collar recruitment--in fact, nearly 20
percent of our security hires since 2015 have fit into this ``new-
collar'' category.
Our success provides some guidance to efforts to create policies
around building a cybersecurity work force, but in many ways, is
dependent on the willingness to address the overall challenges in the
education system.
What Should the Government Do to Address Cybersecurity Skills and
Capabilities?
IBM urges the committees to examine four areas for changed
Government activity that will improve the cybersecurity work force.
Those four areas are listed below and then discussed in more detail:
Reauthorize Perkins CTE.--The Government needs to improve
the alignment between the education system and the skills
needed for today's jobs through reauthorization of the Perkins
Career and Technical Education Act and the Higher Education
Act.
Explore P-TECH Model.--Federal agencies should explore the
P-TECH model for work force development strategies they can
implement.
Remove Obstacles to Cybersecurity Skills.--Broad reforms to
higher education appear necessary due to poor performance on
inclusion, graduation rates, defaults, and alignment with
today's jobs. A good starting point is to eliminate existing
regulatory obstacles imposed between individuals and
cybersecurity careers.
Expand New-Collar Hiring.--The Federal Government should
adopt a new-collar approach to reach and expand sources of
labor.
Alignment through Reauthorization of Perkins Career and Technical
Education.--The education system is poorly connected to the job market.
Schools and colleges often do not offer students relevant classes in
emerging areas such as cybersecurity and do not emphasize core
attributes like teaming and communication in a program of study.
Aligning the education system with the skills needed for today's jobs
would more effectively spend Federal dollars to help our Nation's
students acquire the skills that they need and employers are demanding.
Recently, the House passed a reauthorization of the Perkins Career
and Technical Education Act. Although the Senate has failed to take up
the legislation, recently 59 Senators sent a letter to the Chair and
Ranking Member of the Senate HELP Committee urging action. The letter
called for:
Align CTE programs to the needs of the regional, State, and
local labor market;
Support effective and meaningful collaboration between
secondary and post-secondary institutions and employers;
Increase student participation in work-based learning
opportunities; and
Promote the use of industry-recognized credentials and other
recognized post-secondary credentials.
IBM urges the Senate to move forward on reauthorization of the
Perkins Career and Technical Education Act, and to incorporate these
principles into its reauthorization of the Higher Education Act.
Explore P-TECH Model Participation by Federal Agencies.--The P-TECH
model is based on a collaboration between employers and educators to
improve alignment of the existing education system with needed job
skills. Developing programs of study and educational materials is the
responsibility of our Nation's educators, but P-TECH employers play a
vital role by telling what skills are necessary ``to be first in line
for a job''. Defining skills needs, providing mentors, internships, and
committing that graduates will be ``first in line for a job'' are all
employer responsibilities in the P-TECH model.
Federal agencies are major employers and should explore the work
force development strategies developed and tested by the private sector
through the P-TECH model schools. Federal agencies could join other P-
TECH employers that provide information to work force boards and
educators on needed job skills. Federal agencies could provide work-
based learning opportunities including mentors and internships. Both
student and potential Federal employers benefit from enhancing skills
learned through improved alignment and work-based learning.
Eliminate Obstacles on the Critical Pathway to Cybersecurity
Skills.--The education system has appalling key performance metrics in
areas relevant to cybersecurity work force development--first-
generation entrants into higher education are scarce, completion rates
are low, misalignment of skills and jobs is high, and default rates on
student loans are astronomical.
Adopting the critical pathway approach used in health care to
improve quality can help improve the cybersecurity work force by
highlighting the most problematic steps in the education process.
For example, work-based learning is a critical source of skills--
particularly in cybersecurity. However, the Federal work-study program
prohibits more than 25 percent of funds administered by a college or
university from use off-campus for relevant internships or other
work-based learning with private-sector employers.
Eliminating the restrictions would increase the flexibility of
students and institutions of higher education to use their Federal work
study allocations for part- and full-time off-campus cooperative
education and other work-study purposes. Rather than forcing work-study
grants to be used for dining hall jobs, students could get internships
that were relevant to their majors and provided critical work
experience and skills.
IBM urges Congress to return flexibility to students and higher-
education institutions in their use of work-study funds.
New-Collar Approaches.--Finally, IBM recommends that organizations
expand their recruitment of the new-collar cybersecurity work force.
For a more robust new-collar approach, employers need to create new-
collar career pathways in their work force strategy with five
components:
Skill Maps
Broader Recruitment
Education Ecosystem
Work-based Learning
Retention
Document the skills and experience that are essential today and in
the future. Use that skill map to help design clear career paths for
security functions, focusing on what skills are needed in different
cybersecurity roles at each level. In recruiting, substitute the skill
map for degrees as prerequisites. The skill map should determine when
academic degrees are included in hiring requirements. Do all security
hires really need 4-year university degrees? Do not miss a potential
star by imposing arbitrary degree requirements before job candidates
get a chance to prove themselves--realize that skills and
experience can come from a variety of places.
Recruit new-collar workers from sources beyond traditional higher-
education sources. Seek students who are earning cybersecurity
certificates, AAS, and Associate degrees at community colleges; don't
limit efforts to a select set of 4-year and research universities. As
mentioned earlier, veterans and separating service personnel are
another new-collar work force that has critical skill attributes such
as leadership, teaming, and adaptability. IBM has specific recruitment
programs for veterans and separating armed services personnel that
allow their skills to be mapped against IBM job roles.
To address the different skill and education needs of new-collar
workers, employers need to build a local cybersecurity ecosystem that
provides a robust support program for new hires and focuses on
continuous learning and upskilling. Employers need to participate in
regional partnerships--with work force development organizations,
secondary schools, and technical and vocational schools. Examples of
partnerships between employers and educators include joint
cybersecurity curriculum committees, externships for local instructors
to keep their skills fresh and relevant, the sponsorship of cyber
teams, and programs with local middle and high schools to generate
interest in the field. These groups are always looking for subject-
matter experts and mentors that employers can provide to improve the
cybersecurity pipeline.
Work-based learning and ``earn and learn'' strategies are critical
for new-collar career pathways. Employ techniques like mentorships,
internships, rotational assignments, shadowing, and other opportunities
for new cybersecurity hires to gain experience and learn. Allow them to
explore their options and opportunities--not everyone knows what they
want to do right away.
With an expanded recruiting aperture bringing new talent in, there
must be comparable efforts to work to retain the talent. Keep employees
engaged by providing opportunities for them to advance and keep skills
up-to-date through classes, certifications, conferences. Cybersecurity
is a highly dynamic field, which requires a constant refreshing of
skills. Additionally, support existing new-collar employees from other
functions who want to move into cybersecurity as a new career.
Conclusion
With the five approaches above, IBM believes new-collar workers can
add an important component of the Nation's overall approach to tackling
the cybersecurity skills gap. It is applicable across industry and
Government and has tangible benefits for both employers and potential
employees. By not tapping into underutilized sources of talent across
the country and supporting and nurturing it, we are doing a disservice
to everyone and not securing ourselves as well as we could. There are
many innovative approaches to improving cybersecurity education
happening all across the country, but to truly address the
cybersecurity skills gap we need to scale these approaches, including
new-collar ones.
Thank you Members of both committees for the opportunity to present
IBM's thoughts, strategy, and activities on improving cybersecurity
education and your consideration of this testimony.
Mr. Ratcliffe. Thank you, Mr. Jarvis. Chair now recognizes
Dr. Ralls for 5 minutes.
STATEMENT OF R. SCOTT RALLS, PRESIDENT, NORTHERN VIRGINIA
COMMUNITY COLLEGE
Mr. Ralls. Thank you, Chairman Ratcliffe, Chairman Guthrie,
Chairman Richmond and Davis, and Members of the committee.
Thank you for the opportunity to testify this afternoon.
The road to economic recovery from the Great Recession has
run right through the middle of America's community colleges.
As we emerge into a new era of net job growth, community
colleges again stand at the forefront in addressing talent and
skills gaps. Because we are overrepresented by students from
first-generation, low-income, and minority backgrounds,
community colleges are uniquely situated to provide a gateway
to economic opportunity that must draw--for fields like
cybersecurity that must draw from a wider population to address
overall talent gaps.
An area where these gaps are keenly felt is the field of
cybersecurity, a skill set where jobs are growing three times
faster than for IT jobs in general, which are growing at a rate
much faster than other occupational areas. In the greater
Washington region, where my college is located, cybersecurity
job postings have grown 74 percent since 2014, and we have had
the most new job postings over the past year--more than twice
as many as any region of the country for the past year.
Filling this gap, meeting this challenge, and in turn
providing a great economic opportunity for our students is our
most pressing work force priority. Consequently, we are not
just pursuing a unidimensional strategy, but moving
simultaneously down multiple fronts. These include scaling.
Four years ago, as was mentioned, we grew a cybersecurity
certificate program into a separate applied associate's degree,
growing from an initial 50 students to approximately 1,500
today. We were one of the early certified academic excellence
programs with the National Security Agency, and today we share
our experience with other colleges as one of four National
resource centers.
Ours is a practical program that emphasizes application,
certifications, and participation in meaningful competition. We
are constantly looking for ways to scale to meet our growth
challenges by hiring new faculty, pursuing opportunities to
endow faculty to overcome the gap between what is top faculty
pay and average industry pay, and leasing, purchasing, and
renovating multiple facilities.
We articulate--which means that we seamlessly connect to
eight senior higher education partners so students can complete
a bachelor's degree, which is typically a minimal requirement
for cybersecurity employment. At two of our six campuses,
students can complete their bachelor's degree on-site,
including at our new regional work force center in Woodbridge,
which houses our cyber range and our on-site degree completion
program with George Washington University.
We aggressively draw from the rich talent pool of
transitioning military veterans at our college and in our
community. We have partnered closely with Marine Corps
University to provide concentrated surge educational
opportunities, developed a unique technology boot camp for
veterans called Uncommon Coders, articulated military
occupational specialty credit into our cyber degree program,
and worked with our State legislators to gain the ability to
charge lower tuition rates for our active-duty military in
these programs.
We reach into high schools, underserved communities, and
untapped populations. We have a team called sySTEMic that
specifically reaches into public schools to provide STEM
outreach, including cyber, where we partner with Northrop
Grumman, who helps us to fund and support training high school
educators who can provide instruction and dual enrollment
through our programs.
We have a very unique, complementary, and mutually
beneficial partnership with the great work force development
agency Year Up, who recruits, develops internship
opportunities, financially supports students who are enrolled
in our cyber and IT programs. This year, we have dedicated all
of our Federal Perkins funding to draw female students through
our cyber and IT programs.
Because as you have heard, the cyber work force population
is only 11 percent female, 12 percent minority. To meet the
skills gap, that has to increase.
Now, quickly in moving on, we apprentice and aggressively
seek out internship opportunities with our cyber students. We
do this through Year Up, with special employer relationships
like we have with the U.S. Senate Sergeant-at-Arms, also a
special new relationship with Amazon Web Services, where we
support and sponsored the first AWS apprenticeship program for
the hardest-to-fill jobs that are out there right now in cloud
security.
We certify with the assistance of our unique Virginia Fast
Forward program, which is the first performance-funded work
force certification program in the Nation. It allows us to
provide valuable certifications in areas like CompTIA
Security+, Certified Ethical Hacker, at only one-third of the
actual cost. Cybersecurity job postings typically require
certifications more so than IT in general.
Finally, key to all this is working very aggressively to
learn and seek feedback and react to the information we receive
from our valuable employer community, our rich cybersecurity
employers in our region. A secret weapon for us is the Northern
Virginia Technology Council, which is the largest employer
group of its type in the Nation. We are very proud to be their
first academic partner and with them sponsored the skills
talent assessment for our region just last year.
In sum, we are taking a multi-faceted approach to address
the cybersecurity work force challenge in our region. We do so
not only because it meets the needs of our employers, but most
importantly it provides such great opportunity for our
students. Last year, our college was recognized by the research
of Stanford economist Raj Chetty as having one of the highest
percentages of students who grew up in the bottom 20 percent of
income but emerged into the top 20 percent as adults after
attending a college such as ours.
We are very fortunate to support a region where the
economic opportunities which include cybersecurity job
opportunities make that possible. We are also humbled to be an
institution that provides that educational ladder to help
students of all backgrounds to be able to grasp those
opportunities. Thank you.
[The prepared statement of Dr. Ralls follows:]
Prepared Statement of R. Scott Ralls
October 23, 2017
To the Chairs and Members of the committees: Thank you for the
opportunity to testify this afternoon.
The road to economic recovery from the Great Recession ran through
the middle of America's community colleges, and as we emerge into a new
era of net job growth, community colleges are again at the forefront in
addressing talent and skills gaps. We are positioned to serve students
from lower income, first generation, and minority backgrounds.
Accordingly, we are uniquely capable of providing a gateway to economic
opportunity and careers that must attract a wider population to fill
job needs.
An area where these needs are keenly felt is in the field of
cybersecurity. Information technology jobs are growing at a rate much
faster than most other occupational areas. Faster still is the growth
in jobs in cybersecurity, a field growing three times more rapidly than
information technology jobs in general.
My name is Scott Ralls and I am president of Northern Virginia
Community College, or NOVA as we are known in the region we serve, a
region which has the highest concentration of cybersecurity jobs in the
United States. In the greater Washington region, cybersecurity job
postings have grown 74% since 2014. Our area has more than twice as
many overall new job postings than any other area in the country.
Filling this gap and meeting this challenge is an economic
opportunity for the students at our college. Last year, our college was
ranked in the social mobility research of Stanford economist Raj
Chetty, as having one of the highest percentages of students who grew
up in the bottom 20% of income brackets as children, but emerged in the
top 20% of income earners as adults. We are very fortunate to serve a
region that has the economic opportunities to make that possible. We
are humbled to be the institution providing the educational ladder to
help our students get there.
Taking this challenge on requires more than a one-dimensional
program approach. It requires that we pursue a multi-faceted strategy
that includes:
Scaling.--Four years ago we grew a cybersecurity certificate
program into a separate, applied associates degree, and have expanded
the program from an initial 50 students to nearly 1,500 today. We began
as one of the early Certified Academic Excellence programs with the
National Security Agency. Today we share our experience with and guide
other colleges as one of four National resource centers. Ours is a
practical, work force-focused program that emphasizes application,
acquisition of certifications, and participation in meaningful
competition. To meet the challenges of growth we are hiring new
faculty. To overcome the gap between top community college faculty pay
and average industry pay, we announced the first-ever endowed chair in
the State community college system and are pursuing other opportunities
to attract top talent. To meet our capital needs we are leasing,
purchasing, and renovating multiple facilities.
We articulate, meaning that we seamlessly connect to nine great
university partners so students can complete a bachelor's degree. This
is important as it is typically a minimum requirement for employment in
cybersecurity with Federal agencies and contractors. At two of our six
campuses, students can complete their bachelor's degree on-site including
at our new Regional Workforce Center in Woodbridge. This center houses
our cyber range and the on-site completion program with George
Washington University.
We aggressively draw from the rich talent pool of transitioning
military and Veterans at our college and within our community.
Currently active-duty service members and veterans make up 15% of our
student body. Four years ago, we partnered with the United States
Marine Corps and Marine Corps University to provide concentrated
``surge'' educational opportunities. We have developed a unique
technology boot camp for Veterans called Uncommon Coders and worked
with our State legislators to offer our courses at a discount to
service members around the globe. We have made it possible for Marines
with technology-related military occupational specialties to receive up
to 23 credit hours upon entering our cyber program.
We reach into high schools, underserved communities, and untapped
populations. We have a team called SySTEMic that specifically connects
with local schools to provide hands-on STEM experiences, including
experiential learning in cybersecurity. With a generous grant from
Northrop Grumman, we partner with school systems to certify instructors
to become NOVA adjunct faculty delivering dual enrollment cybersecurity
programs directly in our high schools. We have a unique and mutually
beneficial partnership with the Nationally-recognized work force
development organization, Year Up. Year Up recruits, develops
internship opportunities, financially supports and provides
supplemental education to underprivileged youth enrolled in our IT and
cyber programs. And this year, we have dedicated all of our Federal
CTE/Perkins funding to efforts to attract female students into
information technology and cybersecurity fields. We recognize that the
best opportunity to grow the cybersecurity work force is to address the
underrepresentation of minorities and women in the cyber work force.
Specifically, the cybersecurity work force is reported to be only 11%
female and 12% minority. By launching a new awareness campaign
highlighting successful local women in IT and cyber and by providing
new summer camps and clearer education pathways we hope to move the
needle on retaining more women in the critical needs area.
In addition, we aggressively seek apprenticeship and internship
opportunities for our cyber students. We create these opportunities
through our Year Up collaboration and special partnerships we have made
with multiple groups. To help meet the need for cloud security talent,
judged to be the most difficult skillset for employers to find today,
we recently initiated a partnership with our local Workforce Board,
Apprenti, and Amazon Web Services to create Amazon Web Services' first
East Coast apprenticeship program. This consists of a Veterans
Associate Cloud Consultant Apprenticeship Program and a new Incumbent
Cloud Support Associate Apprentice program to assist fulfillment and
data center employees moving into technology opportunities. At its
core, this is a program to move current Amazon employees into higher
paying positions that Amazon could not otherwise fill.
We certify. Recently our State launched Virginia Fast Forward
Program, the first performance-funded work force certification program
in the Nation. This enables us to provide education and certifications
such as CompTIA Security+ and Certified Ethical Hacker at only a third
of the market cost. This is key to job opportunity in cyber, as
cybersecurity job postings are more likely to require certifications
than information technology jobs in general.
Finally, and key to supporting all of our efforts, we aggressively
learn and seek feedback from the cybersecurity employers in our region.
A vital resource for us is the Northern Virginia Technology Council,
the largest employer group of its type in the Nation. We are honored to
be their first academic partner. Last year, we collaborated with NVTC
to conduct the Greater Washington Technology Needs Assessment. This
assessment identified cybersecurity skills as the second-most in demand
technical skill in our region behind only computer programming skills.
We are taking a multi-faceted strategy to address the cybersecurity
work force challenge in our region. We do so not only because it meets
employer needs, but most importantly, it helps our students understand
the needs of northern Virginia employers like General Dynamics, Booz
Allen, and CACI. But to solve this problem requires an even deeper
engagement between industry, education, and State and Federal partners
all working toward a common goal of increasing awareness, making cyber
pathways clear and easy to navigate and providing work-learn
opportunities in greater numbers.
Mr. Ratcliffe. Thank you, Dr. Ralls, and thanks again to
all of our witnesses today for your testimonies. I now
recognize myself for 5 minutes of questions.
Dr. Cambone, I want to start with you. First of all, do you
agree with the premise that the cyber skills gap is getting
worse? If so, with so much focus in recent years about
expanding cyber educational opportunities, why do you think
that is the case?
Mr. Cambone. Yes, the gap is growing. Second, in part, the
difficulty I believe is not just with the number of students we
have coming through the system, but the number of qualified
faculty to teach, reaching back into high schools and even into
grade schools. So as a way of addressing that, our
cybersecurity center is actually holding what amounts to boot
camps for high school teachers to try to begin to teach them
the essentials.
Mr. Ratcliffe. So let's set aside for a second displaced
workers and others that can really help build and allow us to
develop a cyber work force and focus on the kind of students
that go to Texas A&M or some of the other universities. Is
there any type of private-sector involvement in setting the
cybersecurity courses that Texas A&M offers? Are there specific
skill needs that either the private sector or the Government is
telling you that need to be addressed?
Mr. Cambone. Yes to both. We are fairly tightly coupled
with our colleagues over at NSA who have taken in over 20
students over the last 3 years in direct response to their
demand pull, if you will. On the private side, as an example,
we were told two semesters ago that we needed to do more secure
coding.
For an institution of our size, we turned around a secure
coding course in the following spring. So, yes, there is a
feedback loop. I will be with our academic advisory committee,
which is mostly private sector, Friday afternoon for just this
purpose.
Mr. Ratcliffe. So that sort-of leads into the question I
had for Mr. Rapp. With respect to the cyber leadership
alliance, does it play any role, can it play any role in
advising--be a matchmaker, if you will, between businesses and
schools?
Mr. Rapp. Absolutely. We work very closely with Purdue
University and a new program that they have called CAREER
Makers. Right now, we are submitting a proposal with several
private companies to actually place a CAREER Makers in an
underserved community in downtown Indianapolis. The Cyber
Leadership Alliance will take that information directly from
the employers and play matchmaker with the cohorts of students
that are in Purdue and the other universities, such as Ivy Tech
and Indiana University. So absolutely, that is primarily our
function.
Mr. Ratcliffe. Mr. Jarvis, let me shift to you. IBM is a
very large company. How does IBM go about finding and
recruiting cyber workers that may not have, say, a traditional
educational background, a bachelor's degree or relevant
certifications?
Mr. Jarvis. Sure, sure. So, I mean, obviously,
traditionally, you know, we partner with and work with hundreds
of universities around the world to get our talent globally.
But when you look at kind-of these new sources, these, you
know, new-collar workers, as well, this recently just--we just
basically recently announced this earlier in the year, but, you
know, we are beginning to work more with community colleges. We
recruit at a lot of different security conferences and
organizations, whether it is women in cybersecurity or the
ICMCP, as well, that Mr. Richmond talked about before.
So, I mean, it is basically with those partnerships kind-of
building our skills, building our talent pipeline, and with P-
TECH, as well. I mean, we are trying to address the issue
really at all elements of the game from high school all the way
through community college through veterans programs, if we are
recruiting at military bases, things like that. Those are all
standard things that we typically do. We are looking to expand
to do more, as well.
Mr. Ratcliffe. Terrific. So there are a lot of folks that
are going to ask a lot of questions today, but the bottom line
I think for a lot of us is, you know, exactly how does the
Government and the private sector best create an environment to
incentivize both traditional students, and displaced workers,
to make a career in cybersecurity? What as Members of Congress
can we do to facilitate that? Very quickly, let me start left
to right and give you all a chance to answer.
Mr. Cambone. Well, sir, it is a combination of funding
always. But in this case, I don't think it is merely dollars. I
think we have really got to extend from the universities
backward into the high schools. We have to look after the
education of the next cohort of educators. So we need to focus,
as well, on students who are going to go on to take their PhDs
so that they, in turn, can do the teaching we are going to
need.
Mr. Ratcliffe. Very quickly, Mr. Rapp, anything you want to
add to that?
Mr. Rapp. I just think that we need to reduce some
barriers, relook at OPM's requirements for hiring cybersecurity
professionals, and where they fall on the GS level to increase
that, security clearances and nationality issues.
Mr. Ratcliffe. Terrific. Mr. Jarvis.
Mr. Jarvis. Yes, just in addition to what I said in my
testimony, I think those are the primary things. But really, we
are looking for just better alignment between the education
system and the demands that we have.
Mr. Ratcliffe. Terrific. Finally, Dr. Ralls, give you a
quick chance to weigh in on that.
Mr. Ralls. We have benefited greatly from the NSA programs,
the CIE programs, also the National Science Foundation Cyber
Watch, which is at Montgomery College. Just as we have to scale
to meet needs, those programs have to scale, as well, to meet
our needs to be able to provide the training and education that
is needed.
Mr. Ratcliffe. Terrific. Chair now recognizes my friend
from Louisiana, Mr. Richmond.
Mr. Richmond. Let me start with Dr. Ralls and Mr. Cambone.
Let me just start with a basic question. Because you all deal
with students, when they come out, is the private sector or
public sector more attractive for them to go to? I would assume
it is the private sector.
Mr. Cambone. Yes, sir.
Mr. Ralls. Our students are interested in jobs wherever
they are. They also know that when they go into one area,
public or private, they are going to have opportunities both
ways because of the demand that is out there. So I don't see
them really picking and choosing too much in that regard. They
are interested in getting their foot in the door.
Mr. Richmond. Well, my experience with the people with the
skills in cyber really have a choice where they want to go,
because of the demand. Government is so rigid--I mean, we still
operate with this, you know, traditional office setting-type
area, and if you go to a lot of the private-sector companies
that are employing cyber professionals, they have a different
workplace and workspace.
So the question is, what can we do as Government to make
Government more attractive for people coming out of school? So
one idea would be, could you--could we become the industry
standard in terms of offering continuing education or other
ways for them to boost their skills while working for the
Federal Government? What incentives can we give them to make
the Federal Government more attractive, besides money, if you
are telling me we are going to have a shortage of in-between
1.4 million and 1.8 million?
Mr. Cambone. Right. So the civil service arrangements, as
you point out, are Teddy Roosevelt in their origins. They need
to be updated. Among the things that we ought to take a look at
is the career progression. These students, the people coming
into the work force are not going to stay in a job for more
than 5 years. While they are in that job, they need to be given
important and interesting things to do.
If there is added the professional training--education, as
you are talking about, that could be an incentive. But I
wouldn't expect them to stay more than 5 years. Then you want
to bring back the people who are out 10 years and bring them
back at the proper level of the Government and not force them
back into that civil service arrangement. Then you get the best
of both worlds.
Mr. Richmond. Any ideas, Dr. Ralls.
Mr. Ralls. Yes, one is internship opportunities. I think as
I mentioned, we have a unique internship with the U.S. Senate
Sergeant at Arms scholarship for service, expanding that
program. Right now, that program is limited to 4-year students.
Community college students can get in through a backdoor
through partnering with 4-year institutions, but expanding
that, such as the 2017 Cyber Scholarship Act that has been
suggested.
Another area that is not necessarily private or public, but
cuts across both is the requirements for Federal contracting.
So certain things can limit students who are coming out of
colleges, whether 4-year or 2-year, particularly for 2-year
students into roles because of those either experience
requirements that kind-of put them in a double-edged sword that
they may not have the years of experience that are required,
and so--but they have to be able to get that experience, or
also many of the Federal contracting requirements are very
degree-based, require 4-year credentials and are not as skills-
based. So that can limit students who may be coming out of a
community college, looking at a foothold in a job role, and
then going back and getting their bachelor's degree. So looking
at contracting requirements is another area to pay attention
to.
Mr. Richmond. Mr. Jarvis, very quickly, what are the
challenges associated with setting aside the conventional
wisdom that degrees equals skills and integrating these
strategies into work force development plans?
Mr. Jarvis. Yes, no, that is an excellent question. I mean,
I think there is a transition that needs to happen. I think
that is what at IBM have been advocating for here in the past
year is really trying to shine a light on the issue to look
past degrees and to look at skills to help us with our most
challenging and pressing information technology skills gaps,
you know, not only in cybersecurity in particular.
I do think it is a bit of a culture change, and I do think
it will take a little bit of time, but that is why we are
trying to advocate for our clients and for others in the field
that are--you know, that are suffering from the same gaps to
expand the aperture and to look at new sources of talent.
Mr. Richmond. Very quickly, Dr. Ralls, what can we do to
increase the number of minorities and women and African-
Americans in the cyber space?
Mr. Ralls. Well, I think all of us--and that includes what
we are doing at our community college--we have to be very
aggressive in our approaches to pull students through. I mean,
in areas like computer programming and cybersecurity, we do not
see as many female students and you don't see as many female
students in the work force. So that is where we have to work
closely with our public schools. We have to change our
marketing materials. We have to have different forms of
outreach in that regard.
We also have to have role models in our programs so that we
have to make sure that we are recruiting and aggressive about
recruiting female and minority teachers. The leader of our
cybersecurity program is female, and I do think that makes a
difference, as well. So I think we each have to be aggressive
in our own ways to make sure that students, regardless of
gender or regardless of background, know that the opportunities
are there, but also know that the ladder is there to be able to
get there. That is why I think community colleges are so
important in this role, to help provide a front end for that
ladder to those opportunities, which many students may not
think is possible for them.
Mr. Ratcliffe. I thank the gentleman. Chair now recognizes
the Chairman of the Subcommittee on Higher Education and
Workforce Development, Mr. Guthrie.
Mr. Guthrie. Thanks. It is interesting what Mr. Jarvis just
said. The Ranking Member, Ms. Davis, and I have been looking at
programs that don't necessarily--education systems that allow
people to have careers that don't necessarily require degrees
if the skills needed don't require degrees. I think it would be
very helpful, even not just for people in high schools moving
forward, but also people trying to get relocated, understanding
there is a skills gap. They are in--maybe even have a degree,
but not in the right program, not in the degree to take
advantage of the opportunities that are out there, and then
being able to plug back in is something we really want to look
at.
Mr. Rapp, I was just kind-of--as I was looking preparing
for this hearing, my son did information technology, computer
science and so forth. What are the skills--and there is a
shortage there, too. As that, that worked out, because he was
able to get a good job, but it is not good for the country, so
we got to fill that in. So I guess the question is: What is the
difference between somebody in information technology, the
skills, and cybersecurity? I know they overlap, but what just
kind of distinct differences?
Mr. Rapp. They do. You know, in conversations with the CSOs
that represent our membership, the foundation for both tend to
root itself in that analytical side and the coding side,
awesome. The biggest skills that our members look forward, that
our membership looks forward is the problem-solving and the
critical thinking skills.
What our CSOs say is that they can teach somebody the
environment that they are working in. Certainly a foundation in
risk and risk mitigation, but what is mostly lacking as a skill
set from the students that are being produced today is that
critical thinking and problem-solving ability.
Mr. Guthrie. So you can teach someone to code. The question
is, can you teach someone to figure out how somebody is going
to undo their code or try to get into their code and think
through that----
Mr. Rapp. That is correct.
Mr. Guthrie. Is that the way to put it? So, Dr. Cambone,
last week, the Education Department urged schools and colleges
to strengthen their cybersecurity measures in response to all-
on attacks in which cyber criminals have sought to extort money
from educational institutions on the threat of releasing
sensitive data from student records. These records contain
sensitive information and must be protected with stronger
security.
What additional steps do you think institutions with
cybersecurity programs can take to ensure they are developing a
robust cybersecurity work force that can help prevent these
types of intrusions?
Mr. Cambone. Well, first, we need to make sure that the--
that which we teach we actually do.
Mr. Guthrie. Is that----
Mr. Cambone. Right? So it is not enough to teach these
things. We have to do them. I am happy to say that I have had
over the last 3 weeks a number of conversations with the
university system-level CSOs, as well as the folks at the A&M
level, and they are quite attentive to the need. So they are
doing the things that you would expect them to do.
Mr. Guthrie. So what would be some of the examples of
things that they are----
Mr. Cambone. Well, you know, we have moved past merely
watching the firewalls, and we are now very attentive, for
example, not just to the presence of odd e-mail in the system,
but we are actually now capable of putting out the alerts very
quickly on the phishing attacks that one gets--I just had one
today, as a matter of fact, describing in detail precisely what
that attack looks like, what you are supposed to do in response
and the like. So there is a very active set of measures in
place.
Mr. Guthrie. OK, thank you. Thank you for that. Mr. Jarvis,
in your testimony and when you wrote and you discussed that the
fact that the House has passed the Strengthening Career and
Technical Education for the 21st Century Act, what we commonly
call here the Perkins Act, the bill is now awaiting Senate
action. If Perkins CTE is reauthorized, how do you think it
will help employers more effectively address their
cybersecurity work force needs?
Mr. Jarvis. Yes, certainly, certainly. Well, I mean, simply
put, you know, education needs to produce the people that we
need to hire. I think we believe that in passing CTE, you know,
that is going to build the pipeline for us in the long term and
it is going to support that pipeline in the long term for us,
because we just can't look at it in terms of a--you know, it is
just not a point problem, right? We need to do this for many,
many years, and I think it is going to keep and expand the pool
of applicants and the pool of experts that we need.
Mr. Guthrie. I think you are right. Been really looking at
this with Ranking Member Davis and I in discussing a lot of it
is, a generation ago, back when I was in high school, a
generation ago, that was 30-something years ago, we really got
away from technical and pushing training, and we are paying for
it now. So we can't just take a short-term view, which we
absolutely need. We also need to take a long-term view about
what is good for the overall system, so a generation from now,
we are not saying, well, we should have addressed, done more.
So that is important.
Mr. Jarvis. Exactly.
Mr. Guthrie. Well, thank you very much. My time is about to
expire, but I will yield back.
Mr. Ratcliffe. Thank the gentleman. Chair now recognizes
the Ranking Minority Member of the Subcommittee on Higher
Education and Workforce Development, Ms. Davis, for 5 minutes.
Ms. Davis. Thank you. Thank you very much, Mr. Chairman. I
want to relate to the comments of my colleague, Mr. Guthrie,
because I think if we could open our minds and our hearts in
many ways on this issue of how do you create better pathways
for young people, not necessarily relying on a more traditional
college track, and doing something I think in Switzerland they
call it permeable, so that you have young people moving from
certification to--into the colleges and back, and
certification. I think there is a different route that is
possible out there. That is also attributable to the issue that
I think we are dealing with right now.
How do you create that better for young people so they
aspire to those areas, but there is also a lot of prestige in
their moving forward so that you get a lot more community
acceptance? I think it all sort of fits together. Dr. Ralls, I
wondered if you could speak a little bit to the NOVA program
for a second, because I think you were able to do some work
particularly in helping to transition veterans and students
more seamlessly into the job market there. What--are there some
surprises in trying to do that? How do you see being able to
scale more of those efforts as you look at other programs
connected so strongly to the community college system?
Mr. Ralls. Well, I will start first with high schools and
working with the high schools. So one of the things that many
people do not realize is one of the fastest-growing areas of
community college enrollment is dual enrollment with high
school students. Essentially--when Mr. Jarvis is talking about
P-TECH, that is a dual enrollment strategy. So what we have to
do a better job of is taking our pathways into programs into
high schools.
So one of the challenges for us is that--as challenging as
it is for us to employ cybersecurity professionals at the
community-college level, you can imagine at the high-school
level. So what we really have to do--and I think this is
important around how we collaborate through Perkins funding and
other things--is to make sure our pathways connect with each
other so that students can start in high school and finish and
move through community colleges and move on through
universities. I think paying attention to that is very
important.
We pay very, very close attention to our veterans'
population, because we see that is such a rich resource for the
cybersecurity work force in our region. We have over 7,000
veterans at our college, one of the largest populations of
veterans in the United States. They bring with--well, you know,
all the marvelous attributes.
We have then similarly with public schools, we are working
to reach in to particularly our partners with the Marine Corps,
working with military before they transition out, first making
sure that they articulate, because they pick up technical
skills along the way in terms of military occupational
specialties, being very aggressive about that, being very
nimble about how we provide education to them over very
concentrated short periods of time, what we call surge
programs, and then making sure that the education they are
receiving in the military transitions through us, as well.
So again, this is much about not just waiting for students
to come to us, but to reach into those valuable pools to make
sure students are starting along a valuable pathway as they
move forward.
Ms. Davis. Yes, thank you. I appreciate that, because in
some ways, I think what you are suggesting is there may be
opportunities that maybe for someone who has been trained in a
number of the industries within the military to shorten their
training period when it comes to cybersecurity. You are talking
about months, not years, and maybe there are other programs
that have done something similar.
If I may just, Mr. Jarvis, going to you quickly, because I
know that one of the needs you have in finding trained
personnel is sometimes going to other countries where you have
an easier time doing that. Is it fair to say that if we don't
answer the need with our own students that a number of
companies will continue to do, as you have to do today, to look
elsewhere?
Mr. Jarvis. I am not really expert on that particular area
for IBM, but, I mean, you know, we are going to look for the
talent where we need to find the talent. We want to develop it
wherever we can. We have a global business, so we are obviously
looking all across the globe for that talent, wherever it may
be.
Ms. Davis. Yes. Well, we want to make sure that companies
like IBM find those resources in our own country. Yes. One or
two--well, I think my time is up, Mr. Chairman, so perhaps I
know I am going to hear everybody else asking the same
questions. Thank you very much.
Mr. Ratcliffe. Thank the gentlelady. The Chair now
recognizes the Chairwoman of the full committee of Education
and Workforce, the gentlelady from North Carolina, Ms. Foxx.
Ms. Foxx. Thank you very much. I do have some questions,
but I have to first make a comment about Mr. Rapp's talking
about the fact that we need people who have problem-solving and
critical thinking skills and say to all of my colleagues and
all of the panelists, if we continue to use that train word,
which I hate so much, you are not going to encourage critical
thinking. So I want to ask you all, Dr. Ralls, to take it out
of your vocabulary and all of us.
Honestly, there is no better example of what I am talking
about than his just saying that. You remember, you train
animals and you educate people. So if you want critical
thinking, you have got to be in the education business.
Mr. Rapp, I will come back to you. Indiana included the
SkillUp! grant program in the combined State work force
development plan the State developed to implement the changes
passed as part of WIOA. In your experience, how has the
SkillUp! program been integrated with Indiana's broader work
force development efforts?
Mr. Rapp. Indiana has done an outstanding job, working
particularly with the Department of Workforce Development under
the last commissioner, Steve Braun, who spent a lot of time
taking data and ensuring that the data was correct so it
accurately reflected what the needs were of the State.
In accordance with what he found through that, the SkillUp!
program now is driven by the demand of the employers as that
data was collected directly from the employers. So that goes to
my point earlier that--in public-private partnerships, we have
to get as close to the source of data as possible to make it
accurate, and then we must tailor with the resources that we
have currently--we must tailor those limited resources to the
demand so that we can have the best effectiveness of those
programs.
Ms. Foxx. So would you say a little bit more about how you
are measuring the success?
Mr. Rapp. Right now, the success that we measure is
literally by both the unemployment rate specifically for
cybersecurity. We do rely heavily on a public-private
partnership from NICE, CompTIA, and Fireglass, I believe, the
Cyberseek program. What that program does is it surveys all the
States for the job listings and then the number of jobs that
are filled. So that is fairly accurate data, so that is how we
are able to measure that, particularly within that area.
I will say with 32 universities in Indiana that offer
cybersecurity curriculum with seven different centers of
excellence, DHS, NSA, and six R1 through R3 research
institutions, we are very proud of all of those things. But we
are still not yet gaining ground.
Ms. Foxx. Mr. Jarvis, I am a strong advocate for earn and
learn programs that provide students and job seekers the
opportunity to learn on the job. Nobody knows better than
employers what skills are needed to succeed in a particular
career. So what suggestions do you have to better align our
academic programs with potential on-the-job learning
opportunities?
Mr. Jarvis. Certainly, certainly. I think that one of the
things that we look for in terms of learning--we were talking
about critical thinking a little bit earlier--is we look across
the board, and especially in cybersecurity, to make sure that
our candidates are explorers, they are consultants, they are
students, they are guardians, and they are also problem
solvers. I think those are all things that that can come
through earn and learn.
Whether it is through the P-TECH model, where we have
students basically guaranteed internships as part of their
education program, so they are both learning and earning and
learning some more as part of the process, or if it is through
internships or apprenticeships or other programs that we have,
and we think those are all important and are part of the
solution.
Ms. Foxx. Well, thank you all very much. In my clips
today--I haven't had a chance to read it--there is an article
that says United States needs to move past its fixation on the
bachelor's degree, studies say. It is in Education Week by
Catherine Gewertz. I am going to get a copy of it and see,
because I know this is an issue that has come up several times
here this morning.
Thank you all very much. I yield back, Mr. Chairman.
Mr. Ratcliffe. Thank the Chairwoman. Chair now recognizes
the Ranking Member of the full committee on Education and
Workforce, Mr. Scott, the gentleman from Virginia.
Mr. Scott. Thank you, Mr. Chairman. I thank the witnesses
for being with us today.
Mr. Cambone, you went to great lengths to say how you
fashion your curriculum to address the needs of the industry.
Is there value in making sure that what is in your curriculum
in Texas is the same that is in the curriculum in Virginia, so
that people who present with a cybersecurity degree will be
presenting the same credentials?
Mr. Cambone. Hmm, it is an interesting question. My
instincts say yes. But my respect for the academic integrity of
the various institutions leads me to think and to expect that
there will be some differences. That is not bad. So what we
have--one of our members is very active in a National
curriculum consortium. What they do is share both best
practices and where the leading edge of education is going to
answer, in part, what you are suggesting, which is there needs
to be some conforming of the knowledge that is being imparted.
Mr. Scott. Well, who would put together the standard?
Mr. Cambone. You know, I think that is best left to the
educators. I think that, as I say----
Mr. Scott. A consortium, as you have suggested, so that you
would have some kind of independent judge?
Mr. Cambone. I think that would be very helpful. If we did
the cyber grant arrangement, that would be a mechanism for
doing that kind of conforming.
Mr. Scott. Thank you. Mr. Jarvis, last year, the EEOC
issued a report on diversity in the tech industry. The findings
were that racial discrimination and ethnic discrimination was
wide-spread in the tech industry, such that if they stopped
discriminating, there would not be a shortage of workers in the
tech industry. Is the cybersecurity part of the tech industry
plagued with that problem?
Mr. Jarvis. I don't know specifically in terms of--I mean,
I couldn't speak to specifics in terms of the problem. I mean,
I do think we need to do a lot more outreach. I do think we
need to do a lot more recruitment. I do think that IBM does a
fairly good job at reaching out to underserved groups
traditionally and reaching for that. I think for cybersecurity,
it is just as important, talking about some of the professional
organizations that are out there that we recruit at. I think
that is one thing that can be done, but I think there is other
things, as well.
Mr. Scott. I understand that there is a net downsizing at
IBM, yet you still import thousands of H-1B guest workers. Can
you explain the apparent discrepancy?
Mr. Jarvis. That is not really my area of expertise, but we
could probably get more information for you if you need it.
Mr. Scott. OK, that would be good. Dr. Ralls, can you tell
us what barriers there are to apprenticeship and internships in
the cybersecurity area?
Mr. Ralls. Well, to have internship and apprenticeships,
you have to have a strong commitment from the employer
community. Many employers do step up. That is one of the great
things for us is our partnership with Year Up, which has
managed I think across the country, is doing a remarkable job
in cultivating internships for deserving young people that are
moving into IT and cyber and finance areas. So that has been a
great partnership for us, working with companies like Amazon,
now that is sponsoring its first apprenticeship.
Apprenticeship is new to IT. So I think it is evolving in
that regard. It does take a great deal of employer commitment.
One of the things with our apprenticeship programs, for
instance, if you look at our apprenticeship with Amazon Web
Services, which is focused around cloud security, that is
primarily based around certifications. It is a 16-week program
where we provide the related training, so it is security plus,
Linux plus, plus they get the AWS architect certification.
One of the things that Congress can do is look at the
opening up the notion of what certifications mean in the
workplace as a workplace credential, areas like Pell Grants for
short-term certifications that are meaningful and have rigor--I
think can open up more opportunities for apprenticeship
opportunities and for those kinds of certification programs
that we find are important with apprenticeship.
Mr. Scott. Are you able to leverage the WIOA and CTE funds
for those programs?
Mr. Ralls. We are, for those students who are eligible, so
with, for instance, our AWS apprenticeship program, some of
those students are able to be supported through WIOA, because
they qualify. A few are also supported through a group called
Apprenti, which is I think supported through apprenticeship
funding. Then we also support some ourselves. So looking at how
those opportunities are available, certainly they are all
employees of the company and they will move into new career
ladders or new job payment ladders as a result of their
involvement in apprenticeships.
So I do think apprenticeship is something that there are
many ways to open up the doors much more than we have those
opportunities. IT and cyber I think are rich for that because
of the connections with particularly certification
opportunities that can tie into some of these program areas.
Mr. Ratcliffe. I thank the gentleman. Chair now recognizes
the gentleman from Pennsylvania, Mr. Thompson, for 5 minutes.
Mr. Thompson. Chairman, thank you. Gentlemen and panel,
thank you for bringing your experience and expertise. I want to
start with Mr. Rapp. You know, I am proud of two institutions
of learning I have. I have a number of them in the district,
but in terms of cybersecurity, you know, Penn State and also in
the northwestern part of the district, Mercyhurst, we have got
the Tom Ridge School of Cybersecurity there in Erie County.
Mr. Rapp, the degrees required for many cybersecurity
programs are only 2 years in length. What advantage does a
2-year cybersecurity credential offer over a 4-year-plus program?
Plus, any thoughts on--for lack of a better word--
micro-degrees, less than 2-year type certification programs?
Mr. Rapp. Well, that is a great question. What we found is
there is different skills that are required for different
functionalities in cybersecurity. Not every single person in
cybersecurity needs to have a 4-year degree. That is true. So
the rise of applied 2-year cybersecurity degrees have been
directed toward a gap of applied entry-level cybersecurity jobs
that are out there.
Certifications are useful for, again, specific types of
jobs. So I think there is a need across the spectrum for all of
these degrees, and none of them should be discounted. I also
believe that even beyond these degrees and certification, you
know, when we look at what NICE has done to describe what
skills are necessary to take part in work force development in
cybersecurity, that we shouldn't discount aptitude testing
outside of degrees.
Mr. Thompson. Well, thank you. Mr. Cambone, I understand
Texas A&M believes work force development to be a core
component of the institution mission. How does this affect the
education experience you provide to your students?
Mr. Cambone. Well, sir, a very large fraction--and maybe my
colleagues behind me can remind me--but a very large fraction
of our incoming freshmen are first-time university students. So
the focus is on retention of those students, bringing them all
the way through to their graduation, because it is not helpful
to start and not finish.
So you begin there. Then we have talked about the
apprenticeship programs. We have talked about the internships.
We have talked about the hack for defense programs. All of
those kinds of things are intimately connected with their
development. In the engineering school, they have to at the end
participate in what amounts to a capstone project, where a
number of them have to get together and figure out how to
produce an outcome.
So all of that is part of the development of the student as
a productive member of society and a member of the work force.
With respect to the cyber business in particular, there are any
number of--and I can give you a list of the extracurriculars
that are in place--that the students, while they are not
required to engage, find themselves wanting to engage because
it doesn't bring them an experience that they are not going to
get just in the classroom. So it gives them the opportunity to
apply what they have learned as they go forward.
So all of that, you roll all that up and you do some of the
placement work that is necessary, then for those students to
find jobs when they are finished, and that is how you take
someone who is first-time university and their families to a
position in the work force.
Mr. Thompson. Thank you. Dr. Ralls, from your written
testimony, I saw cybersecurity job posting growth 74 percent
since 2014. That is amazing. At the Northern Virginia area, two
times as likely given job opportunities here for positions,
position opportunities. Is your program currently at capacity
for enrollment? What specific strategies do you use for
recruitment?
Mr. Ralls. Well, we are not at capacity, but we do struggle
primarily to make sure that we can acquire the instructors that
we need. We are moving down multiple strategies in terms of
facilities. We also have to make sure that we can look for
strategies to pay our instructors higher rates so that we can
keep them.
One of the things--having the highest concentration of
cybersecurity jobs in the country, which also means we have the
highest concentration of valuable adjunct faculty in our
region, and so we tap into that very aggressively. But we also
share. We work very closely with all our partners around the
country. I think that is the value of, for instance, like the
NSA-CAE programs. Austin Community College was with us
yesterday. We worked with the other 22 community colleges in
our State, in terms of acquiring that CAE designation, and we
also provide much of the instruction on-line--we operate the
shared services backbone for the on-line instruction in our
State, so many students are--at other parts of our State, in
rural southwest Virginia, and taking cybersecurity programs
through their institutions, but acquiring some of the classwork
through us on-line because we have the valuable instructional
resource in our region. We just have to look for strategies to
get those resources out broadly into areas where they may not
actually naturally exist.
Mr. Ratcliffe. I thank the gentleman. The Chair now
recognizes the gentleman from Connecticut, Mr. Courtney, for 5
minutes.
Mr. Courtney. Thank you, Mr. Chairman, and thank both
subcommittees for holding this hearing and to all the witnesses
that are here. You know, listening to the sort-of to-do list in
terms of where Congress can help, I was struck by the fact that
as someone who sits on the Armed Services Committee, the last
defense authorization bill that was just signed in December by
President Obama actually raised the Cyber Command to parity
with the full other combatant commands, which is saying
something, you know, in terms of the fact that, you know, we
have got to sort-of be more agile in terms of how we think
about this issue and address it.
Again, the nice thing about this hearing is, again, we are
talking about pathways other than just 4-year degrees. Dr.
Ralls, you talked about the Amazon apprenticeship program. I
mean, Amazon is almost as big as the Pentagon it seems like
these days. So, I mean, they obviously have a lot more
capability in terms of taking on an apprenticeship program with
a work force of tens of thousands of people. The challenge that
I am hearing out there for a lot of smaller firms who are--
whether it is a small community bank that is, you know,
terrified about cyber attacks or small defense suppliers that
are as much a back door to cyber attacks as the large OEMs.
It is just that, you know, they don't think in terms of
their human resources or apprenticeship sort-of models. How we
can sort-of get them engaged, I guess, is--you know, the
question I was going to ask. I mean, it sounds like a really
impressive program that you have with Amazon, but, I mean, have
you been able to sort-of break through to smaller employers in
terms of getting them engaged in apprenticeships?
Mr. Ralls. Well, first, I think it is important to keep in
mind, you know, the Amazon program is a cloud security program.
In fact, you have to thread a pretty good needle to get into,
for instance, the veterans program. You already have to have a
bachelor's degree, a network plus certification, and be a
veteran. So it is--you know, you are going to a certain place.
But one thing that I think that is important to keep in
mind with cybersecurity is, it is broad. Cybersecurity is
broad. So I think all institutions are having to take a cyber
mentality. So even though students coming out may not--for
instance, we graduate more information technology associate's
degree graduates of any community college in the country. IT
graduates, networking students who are going in have a cyber
mentality, and that is also a foothold for them to move up and
actually gain the credentials to be technically cybersecurity.
I think there are other places, too, that community
colleges, if I may, are naturally inclined to help. A lot of
times we think about attacks that are only coming through
computers, but we are--there are more network devices now than
there are people in the world. So technicians, facility
maintenance have to take on new mentalities around
cybersecurity.
There is an OT side to cybersecurity. So, for instance, we
are working on programs, programs that when I was in North
Carolina we developed and here we are working--we have, for
instance, the largest data center work force and employment in
the country. Well, a technician today has to be able to know,
is something a maintenance failure? Or is your HVAC system
being hacked? Is your PLC being hacked? So I think cyber is
really much broader than the narrow term of specific IT
cybersecurity programs. We have to make sure we make the
linkages in terms of that breadth.
Mr. Courtney. I guess my point--in terms of trying to get
employers to think about apprenticeships, just as a model----
Mr. Ralls. Apprenticeship.
Mr. Courtney. Yes, just, you know--I mean, so to bring it
back to Congress, there is a Department of Labor apprenticeship
grant program which President Trump's budget actually called
for funding at last year's level. It was eliminated in the
House appropriations bill. The Senate actually fully funded it.
So those funds in Connecticut, I can just tell you, have been a
really good enticement to get companies that never really
sort-of thought about getting involved in apprenticeships to
actually do it, you know, to make that job and to doing it.
I guess that is the question is: How do we entice small
guys to get into the business of apprenticeships?
Mr. Ralls. Yes, apprenticeship is not easy. Apprenticeship
takes a great commitment. I worked with Siemens and Bosch--and
I know how much investment they put in per student. So IT is
moving more that direction, I think primarily because of the
gaps they see. I think IT is naturally inclined that way, but I
do think we do have to do more than just talk about
apprenticeship. We have to have meaningful programs for
apprenticeship. I think we also have to look broadly at being
very aggressive around just meaningful work-based learning.
Sometimes we have programs that aren't formal
apprenticeship, but they are very much important because of
that work-based learning. Because for many students coming out
of our colleges and universities now, many of them, unlike when
I was a student, they didn't work in high school. They didn't
have some of those opportunities. So apprenticeship becomes
even more important, I believe, for today's students,
apprenticeship and meaningful work-based learning than it is
ever had before. So I do think that is a very important area
for us to collectively pay attention to.
Mr. Courtney. Thank you, Mr. Chairman.
Mr. Ratcliffe. Thank the gentleman. The Chair now
recognizes the gentleman from Pennsylvania, Mr. Smucker, for 5
minutes.
Mr. Smucker. Thank you, Mr. Chairman. Dr. Ralls, two things
you mentioned in your testimony I would like to follow up on.
You had mentioned Year Up, and I would be interested in
understanding--I wonder if you could elaborate a little more on
the partnership that you have with Year Up. Do Year Up recruits
attend class at your school? Or are they recruited from the
school? If you would just elaborate on that, I would appreciate
it.
Mr. Ralls. Yes, Year Up is a National work force
development organization. Started in the Northeast. A model has
emerged--our college has been a lead in working with Year Up
because of such a complementary relationship. Essentially what
Year Up does is it provides a 1-year experience for students,
and it is where they gain professional workplace skills through
supplemental instruction. They have meaningful internships.
They receive financial support. What we provide is the
technical instruction through our education programs through
the community college.
Perhaps maybe I could give you an example, though, because
I will tell you of a student example which I think explains why
it is such a natural fit with community colleges. One of our
students is a great student named Darwin who last year
served on our community college board as the student
representative. Darwin grew up in foster youth homes, four
foster youth homes. He came to our college in high school
through our outreach programs in the high school, found out about
Year Up, and became involved in the Year Up program.
So his experience last semester, he was describing it to me
recently, he worked 5 days a week in an internship with Freddie
Mac. He would take special supplemental classes that help him
in terms of making sure he has the critical thinking, the
workplace skills that add to the value. He took two cyber
classes with us at night at our Reston Center, and then he took
two classes on-line.
Then on Saturdays, he would go to our Woodbridge campus and
work in a program that we have called--not work, we have many
students that come and meet with our instructors on Saturdays
to do competitions and other types of things called CyberAll.
So Darwin is an example of the kind of individual that without
the doors that can reach out through programs like our
community colleges, like Year Up, it is an example of how you
can go from the bottom 20 percent to the top 20 percent, as
long as you have got that ladder and that work opportunity to
get there, and Year Up is key to us as a complementary partner
in that regard.
Mr. Smucker. Yes, it sounds like a great program. I would
like to follow up, as well, on the discussion on
apprenticeships. I will go to Dr. Cambone and potentially come
back to you, Dr. Ralls, if we have time. But I am very
interested in apprenticeship programs, as well. One of the
models that I have seen is a partnership with a college, a
community college or another institution where there is an
ability for an apprenticeship to both work on a job site and
get a degree, whether it is an associate degree, or even a
bachelor's.
I guess that is my question to you. Are you doing that? Is
there a possibility of apprentices earning a bachelor's degree
at the same time that they would earn a certificate, some sort
of work certificate, as well?
Mr. Cambone. I am not precisely sure of whether that
particular thing can be done. But this is what I do know. I
mentioned earlier that A&M has a very close relationship with
Blinn College. Blinn College is a very large, 2-year
institution in the next city. We have a relationship with them
that does take their students through apprenticeship programs,
through the accreditation on the 2-year school matriculating to
A&M and get your degree. So there is a ladder, as was described
here, that can allow students to do that.
Not all students want to do it, right? So they are happy to
take the off-ramps and pursue their lives in the way that they
would like. But that ladder has been built.
Mr. Smucker. Yes, Dr. Ralls, would you like to respond to
that, as well?
Mr. Ralls. I think the important thing for apprenticeship
is that we have to make sure we structure it into our programs.
So when students go through related training, that means that
we have to make sure, for instance, if we are offering
certifications through a related training, that we also
structure so that we can give that credit as it comes through.
So I think more and more what we collectively have to do as
educators is not look for the either/ors, but to make sure that
those types of experiences, apprenticeship, particularly if it
leads to certification and how we can give credit, military in
terms of military occupational specialty, I think there are--
you know, I think we get used to the either/ors.
Many of the students who come to us as a community college
already have 4-year degrees. So they are looking to get
specific skill sets on top of their 4-year degrees that allow
them to enter into the workplace. So one of the things that is
incumbent on educators is to make sure that we can structure
our programs such that students can gain skills through things
like apprenticeship, but make sure that they stack, if you
will, or become a part of a program so that they can keep
moving forward. I think that is very important in how we think
about our educational curriculum structures.
Mr. Smucker. Very much agree. Thank you.
Mr. Ratcliffe. I thank the gentleman. The Chair now
recognizes the gentlelady from North Carolina, Ms. Adams, for 5
minutes.
Ms. Adams. Thank you, Mr. Chairman. I want to thank the
Chairs and the Ranking Members of both subcommittees for coming
together to convene this hearing today. Thank you for your
testimony, gentlemen.
Dr. Ralls, in your testimony, you mentioned the great work
of NOVA to fill the shortage of talent in the cybersecurity
work force. You mentioned efforts to reach into underserved and
untapped populations, speaking specifically of your campaign to
encourage women, to explore careers. So have you explored ways
to accomplish the same success with minority candidates?
Mr. Ralls. Well, I may sound like I am repeating myself,
but I do think Year Up is a key factor for us in that regard.
So if you look at the Year Up student population, it is
primarily minority. So students from--as we refer to as
opportunity youth through Year Up, and so I think that is a key
strategy for us, because it is particularly focused on IT
careers, also finance careers, and so that is an example.
For us, NOVA is a majority-minority institution. Diversity
is kind-of in our core, it is in our being. So the chances are
for most of our students, they are going to be from minority
backgrounds. Where we have struggled is not having--is not so
much around minority students coming through our programs, but
in terms of female students. So that is why we have this year
very deliberate outreach strategies with respect to female
students.
But certainly I think our Year Up partnership is a key in
terms of our reaching more minority students both male and
female. For us at NOVA, that is a natural for us in terms of
who we are.
Ms. Adams. OK, you say that NOVA has nine university
partners where students can complete their degrees. Do you have
any figures on how many of your graduates have transitioned to
minority-serving institutions?
Mr. Ralls. I would have to get those to you in terms of
HBCUs. I can't tell you specifically right now. I do know we
are working right now on a partnership among universities and
community colleges, actually with our veterans population, and
one of the partners is Norfolk State, who has been a close
partner in terms of working with one of our largest partners,
which is George Mason University. So there is a collaborative
of which Norfolk State is involved in that regard. So we
certainly have had many students that have gone to HBCU
programs. There are some cyber programs out there, as well,
that would allow them to move forward with HBCUs.
Ms. Adams. Thank you. One of the ways to, I think, fix the
lack of diversity in this industry is to encourage women and
minorities to become entrepreneurs. Does NOVA have any special
programs that encourage entrepreneurship?
Mr. Ralls. Yes, we do. In fact, at our Alexandria campus,
we have a very unique program that is really--I have to give
credit to our students and some really unique faculty there.
They call themselves the Start Up Club. They actually--they are
technology tinkerers. They meet with faculty in a small,
little--I think it was probably a closet at one time, but they
have multiple different tools there that they use. Last year,
we sent them off to Cornell, and they came home with a second
place cybersecurity competition award.
So we don't have as many resources around entrepreneurship,
so we are partnering very closely right now with George Mason
University around all aspects of tight connections. One of the
areas that we are working and talking with them about is how we
tap into their entrepreneurship programs.
One of the things that we don't always have to do is
recreate the wheel when we can look for valuable partners. I do
think our--and our university partners provide us a lot of
opportunity to partner, to bring opportunities to community
college students that they typically don't naturally have that
you would find in terms of entrepreneurship programs that you
see at universities.
Ms. Adams. Thank you. Quickly, Mr. Jarvis, do you have any
figures on how successful your efforts have been in retaining
female talent and how many women cybersecurity professionals at
IBM remain after 3 years on the job?
Mr. Jarvis. Sure. I don't have the demographics in front of
me at the moment. But, I mean, what I can say is, you know,
we do push very hard. In fact, the last three chief information
security officers at IBM have been women. I think what is
important is they provide being role models and mentors. We
also have a very strong support network or professional
organization within the company called Women and Security
Excelling. That is a professional development and support
organization for women in our cybersecurity group, providing
role models, and they do host those cyber day for girls
programs, as well.
So I think being able to have those professional support
mechanisms, once we get the talent, helps us retain the talent.
Ms. Adams. Thank you very much. I am out of time. Mr.
Chair, I yield back.
Mr. Ratcliffe. Thank the gentlelady. Chair now recognizes
my friend, the gentleman from Georgia, Mr. Allen.
Mr. Allen. Thank you, Mr. Chairman. It is great to be with
you today. I am very interested in this education process. In
fact, in my 12th Congressional District of Georgia, we have--
are moving the U.S. Army Cyber Command. It is moving to Fort
Gordon, and it has been a big--a lot of noise as far as my home
town in the district, which is going to create about 12,000
cyber jobs in that district.
Our area has come together to embrace this opportunity.
Public-private solutions have been critical to the success of
the Army Cyber Command's relocation, and I am proud of my
community coming together to forge a path for success. I would
highlight two examples. Augusta University created a cyber
institute to educate a local cyber work force, and our Governor
Deal has just committed $50 million for a Georgia cyber
innovation and training center dedicated to public-private
partnerships and a cyber work force.
We also have the technical tinkerers club, and I have a
robot on my desk that some elementary school children coded and
built, and they didn't even know they did it. If you would have
asked them to code them, they probably would have said--or if
you were to ask a middle-schooler or a high-schooler, you know,
we need you to code this, they would say, well, I can't do
that. But these young people really embrace this.
To the extent that what I found in serving on the Education
and Workforce Committee, one is there is a huge disconnect
between the business community and the education community.
Second is that, for example, in Dublin, Georgia, we have an
inner city school system that went to two charter elementary
schools. One is on leadership. It is teaching Stephen Covey's
seven habits. The other one is a STEM school. We now have a 96
percent graduation rate in an inner city school system. This
career direction idea is extremely important.
We also note, if you are not reading at a third-grade level
when you get to the fourth grade, you are likely not
going to graduate. For some reason, when they get to middle
school, we lose them. I mean, middle school the teachers say is
just a real issue here with keeping focus on education.
So with those challenges, you know, we are talking about
college, we are talking about high school. I am not sure we
don't need to go back to the elementary school and really try
to help these young people understand exactly why they are
getting an education. Because I asked them what their dreams
are every time I go. They have great dreams. They just don't
know what they are doing there.
So I would just like to go down the entire panel there and
just get your ideas on--do we need to kind-of get thinking out
of the box here and figure out what in the heck is wrong?
Because the United States is not where we need to be as far as
education. We are losing a lot of young people. They are not
focused. They don't know where they want to go.
So, Mr. Cambone.
Mr. Cambone. Yes, sir. Well, I am happy to say that I was
just in Augusta not 10 days ago----
Mr. Allen. It is exciting, isn't it?
Mr. Cambone [continuing]. Talking with Dr. Sexton. She has
got a terrific crew of people there. We are hoping we are going
to partner with them moving forward. So I wanted to let you
know that.
Second, on the education, I couldn't agree with you more.
My wife is a grade school teacher of now nigh on to 40 years.
She would give you one answer: Read. They have to be read to at
home.
Mr. Allen. Yes, we have mentors, a program now, mentor
program where we have mentors go into the schools and read what
these kids are interested in. It is amazing, a light bulb just
goes off. Mr. Rapp.
Mr. Rapp. I would like to say, too, then that I am a
graduate of Fort Gordon. I spent 34 years in the Army, the last
3 in Army Cyber, and our CPT right now is on mission.
Mr. Allen. Thank you for your service.
Mr. Rapp. Absolutely. I would have to agree with reading. I
think the other thing is teaching good cyber hygiene habits
early, so teaching children safety and how to utilize
technology.
Mr. Allen. Mr. Jarvis.
Mr. Jarvis. Yes, I definitely think--mentors that can
provide some positive relatable examples I think are extremely
important. Instilling digital literacy at an early age I think
is just going to help in the long run. Just as kind-of an aside
for the mentorship program, in one of the P-TECH schools that
we sponsor in Baltimore, right, there are so many interested
IBM'ers in helping mentor these kids that a lot of them have
two mentors, which is great, I mean, because they can ask them
questions and things like that, so I think that is essential.
Mr. Allen. That is important for the business community. I
am out of time. Mr. Ralls, you can comment on that on the next
question. But I will tell you that there are two college
dropouts that made a big difference in this world, Bill Gates
and Steve Jobs. So with that, thank you for being here today.
Mr. Ratcliffe. Thank the gentleman. Chair now recognizes
the gentleman from California, Mr. Takano, for 5 minutes.
Mr. Takano. Thank you, Mr. Chairman. I am glad to be here
this afternoon to engage in this timely discussion on how to
address the growing need for a strong and diverse cybersecurity
work force. As the Vice Ranking Member of the House Veterans
Affairs Committee and as a Member of its subcommittee on the
economic opportunity, I understand the importance of providing
the resources needed to allow our talented and skilled veterans
to pursue cybersecurity opportunities after their service.
My first question is for Mr. Ralls. Mr. Ralls, you pointed
to NOVA's efforts to support veterans in pursuit of a
cybersecurity career. In particular, you mentioned a
partnership with the United States Marines and Marine Corps
University to provide surge educational opportunities. Can you
share a bit more about the partnership surge educational
opportunities?
Mr. Ralls. Yes, sir. What surge refers to is essentially
our--collectively with the Marine Corps University and the
Marine Corps--is to be nimble in how we provide concentrated
instruction at times when military members are available and
can be scheduled to receive that. So, for instance, short-week
classes--or multi-week classes that are shorter than an average
semester or even mini-semester. Same number of hours, but in a
very concentrated way, so being able to do that.
Then also being able to, first, recognize military
occupational specialties, so there is about 10 MOSs within the
Marines that will lead to between 3 to 23 credit hours in terms
of credit that can be received, depending on what that previous
technical background is, making our programs flexible through
distance education and other opportunities, as I mentioned, and
then making sure they ladder so that Marines can complete our
programs.
That is one of the reasons our State government and general
assembly worked with us to--or led efforts to reduce tuition,
so when Marines leave--may be deployed or go to other places,
they don't have to pay out-of-State tuition.
A couple other things, too. One thing that we are working
toward, boot camps--and I know boot camps have been mentioned--
programming skills are key to cyber. We created a special boot
camp just for veterans. It is a different model. We are still
struggling and working our way through it, but to make it free
of charge to veterans, that is a concentrated, almost 50- to
60-hour-week boot camp. So we are looking at different models
because military members when they are in, they have periods of
time for education. We have got to make that work. When they
are out, they need to get into employment very quickly and to
certain roles.
Mr. Takano. I note that you have active-duty service
members in your program. Does tuition assistance from the
Department of Defense help pay for their education?
Mr. Ralls. Absolutely, absolutely. Partly we want to make
sure, too, when students leave and they may be classified as
out-of-State, that was an effort to----
Mr. Takano. Has there been thought about how you coordinate
the--well, counsel these service members on using their tuition
assistance in combination with their G.I. Bill, how they can
strategize to use that to their best benefit? My thought is
that many service members, if they--once they leave the
service, if they have already acquired a great deal of
expertise and credit hours, they can try to bank their G.I.
Bill and use it for a graduate degree. I mean, that kind of
thinking, that kind of strategizing.
Do you--how do you identify your--the Marines, for example,
that can go to your program? Do you self-identify? Do you
market to----
Mr. Ralls. You are talking about in terms of active-duty
Marines?
Mr. Takano. Yes.
Mr. Ralls. Primarily through our relationships with
Quantico. So, you know, the relationship--on base, we have
people stationed in base, but we also have such a strong
relationship with Marine Corps University and others that this
partnered--so those Marines who are there are aware of our
programs. We are working to scale those programs with Marine
Corps University beyond just cyber and other opportunities, as
well.
Mr. Takano. This is really interesting to me, because we
have a huge problem with the TAPS program being considered
inadequate. As a teacher, former teacher, I have always thought
that to be really, really--I don't know, not accurate, but to
be true to the G.I. Bill, the promise of the G.I. Bill, what we
use to pull people into the service, that we should assess the
students on Day 1, set educational goals for them while they
are in the service, encourage them to use tuition assistance to
bring their skills up or, in this case, they are actually
acquiring a major set of skills. Then the separation wouldn't
be so traumatic or aimless or people--there is a much more
seamless transition to civilian life.
Mr. Ralls. Yes. I would say, too, the partnership with--I
have to give a lot of credit to our Marine partners. The
Marines are very focused now, the commandant and others, in
terms of the--making sure that all Marines have a credential,
have a degree. So I think community colleges and these
partnerships are key in that regard.
Mr. Takano. So my time is up. I want to explore--I hope we
can get your information. I want to have our committee on the
veterans side explore more about what you are doing. Thanks. I
yield back, sir.
Mr. Ratcliffe. Thank the gentleman. The Chair now
recognizes the gentlelady from Delaware, Ms. Blunt Rochester,
for 5 minutes.
Ms. Blunt Rochester. Thank you, Mr. Chairman. I want to
thank the panel. Mr. Rapp, when you first talked about your
son, that was really an interesting moment for me, because I
sat here thinking about the fact that the battery on my phone
is about to die, and I feel so vulnerable. I thought about the
vulnerability of us as individuals with autonomous vehicles,
internet of things, machine learning, artificial intelligence,
blockchain, cloud computing, biotech.
I started running through all of these things that I had
not thought about years back that are now before us. As a
Nation, as businesspeople, as individuals, this conversation is
vital. I have two perspectives to bring. One, I served as a
State personnel director in the State of Delaware, and we had a
shortage of IT professionals. One of the things that we had to
look at is, what attracts them to the job and, also, how to
retain them.
So one of my questions is really about, is there any
research to suggest what would attract people to the field?
That is the first question. Then the second is really around--
because I met at NSA a young guy who came from a great school,
and it wasn't the things that I would think would attract
somebody to the job. It was something as simple as parking.
Like, there were things that, you know, NSA needs parking.
But I am just curious, is there any research on what
attracts people to the job? Also, the marketing aspect. Is
there any marketing that is happening? Because some of these
fields are things we never even heard about before, so a parent
is not saying go be a cyber technician. They are saying go be
an engineer or a doctor or a lawyer. Anybody, any advice on
those?
Mr. Rapp. You know, I think, first of all, we have to break
down some barriers. When we look at the romanticized version of
working in the Valley, it seems very attractive until you get
out there and you are sharing an 1,100-square-foot apartment
with four other people.
But, you know, we also have to embrace change. As
governments look toward attracting that type of talent, you
know, there is some hard work that has to be done. You know,
simple things like the scholarship for service, expanding that
to State and local governments, you know, because we are as
vulnerable from those aspects as we are from the Federal
Government, because we all work together and our systems all
interact. So we have got to get out of these verticals that we
put ourselves in.
The other thing is, is we have to look at--you know, great
example of a soldier who was trained by the United States Army,
went to the CPT in Indiana, left the State of Indiana to go do
this training, came back with more certifications than I can
possibly remember, and then went back to the Government, and
they told him that they couldn't hire him back in because he
had come in at a much higher level and there was a rule that he
couldn't make more money coming back in--that much more money
coming back in.
We look at GS levels and things like that and the
qualifications for jobs, those things were written decades ago
and they need to be updated. So if you want to attract people
to it, you have to speak a common language and a more modern
language. Those are just a few observations there.
Security clearances, you know, higher education produces a
lot of degrees, and it is--you know, it is lucrative to attract
out-of-State, out-of-country tuition. So we are training people
and sending them back to our competition. You know, and we in
CLA like to work with the community colleges because they are
more likely to have U.S. citizens. So when they go to find--go
to get security clearances, if they can get one in a year or 18
months, then they have a better chance at doing that. Much of
the work that is done in cybersecurity in the State of Indiana
is defense-oriented.
Ms. Blunt Rochester. I have, like, less than a minute left.
It is not your fault, mine. But, Dr. Cambone and Dr. Ralls,
maybe afterwards, I was just curious about your relationships
with the work force development systems. To me, I was around
for WIA and WIOA, and I am just curious if the relationships
have been good, strong, better, worse?
Mr. Ralls. Our apprenticeship opportunity started with our
work force board. Our chair of our college is also chair of our
regional work force board, so we have a very unique synergy.
Ms. Blunt Rochester. Excellent.
Mr. Cambone. Yes, ma'am. It is very strong. We have got two
agencies, actually, who spend a lot of time doing work force
development across the entire spectrum. So the answer is yes.
Ms. Blunt Rochester. Got you. Then my last quick question,
which we don't have time for, but I was just curious if
background checks and security clearances limit the folks that
are entering the field, and if that is a challenge,
particularly with a lot of things that people are into these
days, like marijuana?
Mr. Cambone. If I may, Mr. Chairman--yes.
[Laughter.]
Mr. Cambone. I had some experience with this back in my
earlier career. The answer is two-fold. In certain respects, it
has gotten less--your life is less a prohibition to your being
granted a clearance, provided that you are straightforward in
your testimony, if you will, in the forms that you fill out. If
you live abroad, it is a little more complicated. But that has
gotten a little easier.
The difficulty is we have a massive backlog. Getting the
clearance is oftentimes the barrier to being able to do certain
kinds of work. So we really do need to go back and rethink why
we classify things the way we do and then how do we put the
clearance process in place to match the kind of work that needs
to be done. So not everything is Top Secret. So not everybody
needs a Top-Secret clearance.
Ms. Blunt Rochester. Thank you.
Mr. Cambone. So can we start to vary these things over
time? That is a tough one, but one we got to tackle.
Ms. Blunt Rochester. Thank you. My time is expired.
Mr. Ratcliffe. I thank the gentlelady. The Chair now
recognizes the gentlelady from Texas, Ms. Jackson Lee, for 5
minutes.
Ms. Jackson Lee. I would like to thank the Chairman and the
Ranking Member and the collaborators on the House Committee on
Education for a very important collaboration, if you will, on a
very important issue.
I want to take a moment of personal privilege to
acknowledge Dr. Stephen Cambone for his representing a Texas
institution, Texas A&M, and as well to thank him for hosting
the Hurricane Harvey event in collaboration with the George
H.W. Bush Library and to historically host five of our living
presidents. So it was a monumental and much-needed event for
all of the people that are suffering, and it is well-known in
my community that we are still in dire straits and are
certainly in need of restoration and resources to do so.
I was speaking to some people in the power industry, and
they were trying to explain the Achilles' heels in Puerto Rico
in particular, and certainly I think the same kind of Achilles'
heel would be present in the U.S. Virgin Islands. One of the
issues, of course, is the lack of power and the long journey of
having that power back on.
I connect it to the extent of what we are trying to do here
is--our committee, that is in collaboration is the
cybersecurity and infrastructure. We certainly need the talent
that can relate to those aspects of our Governmental
responsibilities and private-sector responsibilities, and we
need the personnel to be able to do so. So I may have just two
questions, and I will frame it in that way.
Puerto Rico needs not only people who know how to work with
hardware, engineers, and those who work with the Army Corps of
Engineers, but we need ideas, we need to understand how we can
protect the infrastructure or the cyber infrastructure that
also is a victim of Hurricane Maria and Hurricane Irma, as
well.
So as you answer the question, I think I would like to hear
you talk about the pervasiveness, the wide breadth and depth of
cyber, and the need for human resources in that area to be
creative in so many of the obstacles that we may face, whether
it is man-made or, God forbid, man-made, we hope not, but
natural disasters that we are facing and seemingly are going to
face for a long period of time. We have not yet been able to
assess what the fires in California in terms of infrastructure,
cyber will do.
The second part of my question is--and I serve as the
Ranking Member on the crime terrorism and Homeland Security
Committee, and when we are really at our best in Judiciary, we
are working on ways to prevent crime, to intervene in that, and
to find alternatives for those individuals whose lives are
somewhat ruined for a good period of their life, if they are
not rehabilitated. We find in these incarcerated State and
Federal prisons very bright people.
So I would like you to comment on that broad expanse of how
this idea of the work force and building the work force and
finding people to be in the work force, whether it is DACA
young people or otherwise, is crucial to the future of this
Nation. I commend for your reading H.R. 935, which is a bill
that I introduced that I am trying to hopefully draw the
attention of the Ranking and the Chairperson of all of the
committees involved here, cybersecurity education and the
Workforce Enhancement Act to prepare in particular minority
students and professionals for the jobs of this century.
It goes on to talk about recruiting, providing grants for
training programs, supporting guest lecturer programs. We are
using Department of Homeland Security cyber personnel to go out
and really get their hands around this issue. So if you would,
all of the witnesses, Dr. Cambone--is it ``Camboney'' or
``Cambone''?
Mr. Cambone. ``Cambone.''
Ms. Jackson Lee. Pardon me?
Mr. Cambone. ``Cambone.''
Ms. Jackson Lee. Cambone. Dr. Rapp, Mr. Rapp, Mr. Jarvis,
and Mr. Ralls, if you could comment on those points, broad
points.
Mr. Cambone. Well, thank you, ma'am. I will convey to the
chancellor your compliments. As you know, he has been assigned the
responsibility by the Governor to lead the recovery efforts in
the State. He has done that in coordination with industry, with
the other universities, and brought to bear, because I see them
every day, the two institutions I have made mention of, both
TEES and TEEX. So there is a ready-made force there that we
were able to bring to bear. We need to be able to replicate
that around the country.
Ms. Jackson Lee. Just each one go down and answer the
question.
Mr. Rapp. I believe that, you know, as we address
cybersecurity and infrastructure that we need to take a look at
private partnerships, public-private partnerships like the
Battery Innovation Center, working on stored energy and
microgrids, so that when we see a natural disaster that takes
place or we have a natural disaster, something that takes
place, then the grid is not only protected, but segmented and
able to come up quicker.
So my point to that is, there is existing technology and
partnerships that are working on those types of things out
there right now that certainly can be leveraged.
To your other point, I absolutely agree and some of the
discussions that we have had in the cyber leadership
allowances, how do we reach people who have--are part of the
criminal--have been indoctrinated in the criminal justice
system that have valuable skills that they can be re-educated
and apply themselves to? I think a lot of that can come from
great programs into--that are interjected to our places where
people are incarcerated.
Ms. Jackson Lee. Thank you.
Mr. Jarvis. Yes, I don't have anything else to add.
Mr. Ralls. I would add, we have been batting around
numbers, statistics related to the already huge gap that we
have in terms of demand, supply, in terms of workers, but that
has primarily been traditional cybersecurity. When you are
talking about infrastructure, I think it brings to mind--or
something I indicated a little earlier, but I think we are
going to see a great acceleration of one of the largest skill
gaps, talent gaps, work force gaps we have right now is in
terms of the role of maintenance technicians.
Already, industries and facilities, buildings are already
struggling in those regards, but I think what's happening with
connection and networking devices and facilities and--where
your refrigerator is connected, your HVAC system, your PLCs,
technicians' roles I think are going to be even more important.
So that is why I think also programs like mission-critical
operations certifications that were started within community
colleges in North Carolina, opportunities to really look at
these areas of critical infrastructure, which will provide a
lot of job opportunities for folks who wouldn't traditionally
see themselves in the traditional IT cyber role, and to meet
those needs, I think we are going to have to have the
educational resources, but also the breadth to be able to open
up the resources to as many talented people as we can possibly
find. I think the demands are going to be huge and accelerating
because of that.
Ms. Jackson Lee. Thank you very much. Thank you, Mr.
Chairman. Thank you, Ranking Member. I yield back.
Mr. Ratcliffe. Thank the gentlelady. The Chair now
recognizes the gentleman from Virginia, Mr. Garrett, for 5
minutes.
Mr. Garrett. Thank you, Mr. Chairman. Thanks to the members
of the panel. Thanks to my colleague from Texas for going a
little bit over, because that let me get my thoughts together.
I appreciate it.
It is great to have you all in front of us. Actually, I was
out of the room speaking ironically enough with the commander
of TRADOC, Training and Doctrine for the military, and
specifically about cyber and the threat they are in. So while I
am honored to serve on both the Education and Workforce
Committee and the Homeland Security Committee, I am going to
come at it from a homeland perspective here in my time.
The paradigm that we face as a Nation has changed in a
manner more dramatic than any that I can think of in history as
it relates to the threat that we face as a Nation. The reason I
say that is, throughout history, whether we are mounted cavalry
or dreadnaughts or fighter aircraft or nuclear submarines, we
could quantify a threat based on a number of platforms,
instruments by which an entity might threaten another, and
usually then assess the existential nature of the threat or the
lack thereof. We can't anymore.
The reason, obviously, is that one individual with the
proper training, located remotely, perhaps in their basement,
and that might be in Tehran and it might be in Portland, can
wreak havoc uncontemplatable perhaps in human history by virtue
of the interconnectivity of everything.
We have seen in the Baltic States, as well as in the
Ukraine, the impacts of real aggressive cyber attacks. So as we
discussed public-private partnerships to prepare our young
people for opportunities moving forward, I think it is
important to also understand the Government role in this
endeavor because of the fact that the threat of the 21st
Century really will manifest itself, I think, at a keyboard and
not in the cockpit of an aircraft or the driver's cupola of a
main battle tank.
So it is particularly, No. 1, Dr. Ralls, I think we might
have bumped into one another when I was back in the Virginia
General Assembly, so great to see you here. Thanks for the good
work you do at Northern Virginia Community College. A little
bit biased. Even if you are from Texas A&M, you are awesome,
but we have wonderful community colleges in Virginia, where we
try to tailor the training that you all give to the employers
in the area and the futures of the young people.
But IBM, DEFCON, what DEFCON does is really the private
version of what I think we need to do better as a Nation, and
that is sort of a constant, perpetual threat and updating of
black-and-white lists, et cetera. But the problem is this. When
your pay scale is a Government pay scale and the marketplace
drives talent based on the ability to receive a financial
reward, then we can be assured that the great cyber minds might
be working at Deutsche Bank or Honda International, that they
might be working at IBM or at DEFCON, but it is hard to
envision them in the wonderful Army green that I wore for 6
years, by virtue of the fact that $55,000 a year doesn't drive
the best talent.
So how do we engage young people, (A), to enter this growth
industry, and then, (B), how do we--understanding market
forces--specifically the payment that you receive for being
amongst the elite in your skill set, capitalize on the
investment in training these young people to protect this
country? That is a riddle that I haven't solved yet.
One thing that we have done is try to collocate cyber units
in the military near, you know, technology hubs, you know,
Seattle, we might have a cyber unit. Northern Virginia, we have
National Guard units that are cyber, so that we might have
somebody who works for a wonderful corporation that does IT and
then gets a pittance 1 weekend a month to come do that. But I
would invite specifically Mr. Rapp and Mr. Jarvis to speak to
how we integrate the educational opportunities to the National
defense needs that I think we have been slow to identify and
certainly don't want to identify too late.
Mr. Rapp. I didn't know if it was appropriate to raise my
hand and say ``pick me, pick me,'' but I----
Mr. Garrett. That is--I already picked you.
Mr. Rapp. That is awesome.
Mr. Garrett. I was in another room watching you. ``This
guy.''
Mr. Rapp. So I live that story. You know, some of the
recommendations we made early on to get cyber integrated into
the military, first of all, the United States Army--or, I am
sorry, the military needs to look at direct commissions, so for
skilled professionals. We do the same with doctors. We do it
with lawyers. Why wouldn't we do it with cyber professionals?
The second thing is, is we have increased physical fitness
standards for special operations groups. Well, why would we
expect cybersecurity professionals to have--why do we not have
a physical fitness test that takes into account the MOSs or
the job skills that each one of those soldiers have? We have
long since judged people across the board on a single standard.
That is just not the reality that we live in today.
There is no shortage of patriotic cybersecurity people out
there. But age limitations, the commitments of joining the
military, those things all become barriers to entry for
cybersecurity professionals. The National Guard is a great way
to leverage patriotic Americans that do things on the day and
then can bring those skills on the weekends. So I would say
those are some ways that we can do it.
I don't think there is a shortage of attracting people to
those jobs. I think it is a barrier to entry. I----
Mr. Garrett. So I am over, but I would beg the Chairman's
indulgence. So essentially an MOS waiver program to recruit the
best and brightest in specialized fields?
Mr. Rapp. I absolutely think that we should. I will give
you another personal story. My son was disqualified from
military intelligence service because he was colorblind. So now
he is studying cybersecurity and psychology on the civilian
side, and he will be hired back by the U.S. Government as a
contractor, I am sure.
Mr. Garrett. Thank you, Mr. Chairman.
Mr. Ratcliffe. I thank the gentleman.
Mr. Garrett. I apologize to Mr. Jarvis, but I would
welcome, if you want to reach out to our office, I would
welcome to hear your thoughts.
Mr. Ratcliffe. Thank the gentleman. Chair now recognizes
the gentleman from Illinois, Mr. Krishnamoorthi, for 5 minutes
for questions.
Mr. Krishnamoorthi. Thank you, Chairman Guthrie, Chairman
Ratcliffe, Ranking Member Davis, and Ranking Member Richmond,
for calling this very important joint subcommittee hearing.
Thank you to all the witnesses for coming in today. I really
enjoyed your testimony.
I think it is fair to say nowhere is the skills gap or the
work force skills gap more evident than in cybersecurity. A
recent report by Forbes and the University of Pennsylvania
estimates that there are 1.4 million unfilled jobs in this
field alone. That is why work force development organizations,
community colleges, and CTE program administrators need to work
together to strengthen our cybersecurity work force pipeline.
Americans' safety and economic prosperity depend on it.
I have a few questions. Dr. Ralls, I was very interested to
learn that you have successfully expanded your cybersecurity
associate's degree program from 50 to 1,500 people in just 4
years. Could you explain the effect this has had on your
school's financial standing?
Mr. Ralls. Well, it explains where we are putting many
resources. What we have to do in an age of zero sum is, as
resources become available, particularly instructional
resources but also facilities, so, you know, we have just
purchased a new facility in Manassas. We are renovating a
facility in Alexandria. We have a new tech center in Reston. So
certainly it is a prioritization of resources, because that is
where the work force needs are and because we are not growing
overall, even though our cyber program is growing. That means
shifting resources. So that is a challenge.
Obviously for us, tapping into the rich pool of adjuncts is
important. I have to applaud the NSA for helping us with that.
Last year, we had 18 faculty members who were able to receive
education in certified ethical hacking to gain the
certification. They already had the skills, but they need the
certification so they can teach people how to get the
certification as part of the program.
So those programs that support those efforts are key. Just
yesterday, representatives of colleges around the country were
meeting with NSA and brainstorming ideas. One of the ideas was
about a virtual job fair, really tapping into recent PhDs and
others coming out of programs and trying to draw them into
programs like ours.
So I think there are programs out there, certainly NSF
Cyber Watch, NSA-CAE programs that are helping colleges like
ours, and particularly even not so much colleges like ours, but
others that are just getting into the cybersecurity game that
are important, but as I mentioned before, those efforts have to
scale just as we are having to scale to go from the number of
students we are providing.
Mr. Krishnamoorthi. Do you find the funding that you
receive at NOVA at the Federal, State, and local level
sufficient to meet the demand in the classroom?
Mr. Ralls. Oh, absolutely not. I mean, that is----
Mr. Krishnamoorthi. How much does it need to go up?
Mr. Ralls. Well, I can't tell you. I mean, obviously the--
well, I should be able to tell you. But, for instance, just
think in terms of our cyber program. So we have 1,500 program-
placed students, but we are an open-door admissions. So we
don't really say to students, ``You can't come into our
program.'' It is just that they will run into challenges as we
run into challenges in providing their needs.
So that is an ultimate challenge for us. But I will just
give you an example. This year, I mentioned, you know, our
Perkins funding. We are the 14th-largest college or university
in the country. We have a $270 million annual budget, and our
Perkins funding that we get for our college this year is
$417,000. You know, that is why we are putting all of it, you
know, down on--just recruiting women students, female students
through IT, because it is--I truly believe this, that I think
technical education is one of the biggest gaps between rhetoric
and investment across multiple areas is technical education. We
have to get more serious about it.
Mr. Krishnamoorthi. Well, thank you for bringing that up. I
am the Democratic lead, along with Republican Glenn Thompson,
on the renewal of the Perkins career technical education
program that unanimously passed through the House. We are
hoping that it passes the Senate. It does provide for more
funding. We would ask you to urge your Senators to take this
up.
The CyberCorps Scholarship for Service Program at the
Federal level today only provides stipends to students at 4-
year colleges and universities. How can Congress expand current
programs to ensure that community college students have access
to these critical funds? Dr. Ralls, do you want to comment on
that?
Mr. Ralls. Well, there is the--I think it was introduced in
the Senate, a bipartisan legislation, the 2017 Cyber
Scholarship Act, which actually would expand those efforts to
include community college students. So that is a very specific
thing that is out there right now.
We have been able to get some students in the programs
through our partnerships with like Marymount University and
others who have reached with us, so there are some doors that
you can go through, through articulation. But it needs to be
expanded to include certainly community college students, and
that particular legislation does that or proposal does that.
Mr. Krishnamoorthi. Last question. I know I am out of time.
But I did want to ask this. Are there any other countries that
do a good job of training their cybersecurity work force or,
you know, adequately providing for a cybersecurity work force
in their countries? We can take answers from any of you.
Mr. Rapp. I would say a leader in that area would be
Israel, and that is through a close cooperation between the
educational universities, the educational institutions, private
industry, and the military. So they have less barriers between
those three sectors, and they have very successfully been able
to produce the work force to bat about 35 times above their
weight, second only to the United States in cybersecurity
product exports.
Mr. Krishnamoorthi. Any others?
Mr. Jarvis. I wouldn't say that maybe some examples of
people that are doing a good job, but I think we can look to
other countries for examples of how they are trying to address
their own cyber skills gap, because they do have them. Whether
it is in the United Kingdom, where they are setting up a
National college for cybersecurity in Bletchley Park, or if it
is looking at Singapore, where they are trying to take a look
at various vocational models to help bolster their
cybersecurity work force. I think we can look to some examples
in other countries to help augment what we are trying to do
here.
Mr. Krishnamoorthi. Thank you. Thank you.
Mr. Ratcliffe. Thank the gentleman. I thank all of the
witnesses for your insightful and valuable testimony and
answers today. I thank the Members for some very thoughtful
questions. It is possible that some Members may have additional
questions for our witnesses, and if so, we will ask you to
respond to those in writing. Pursuant to committee rule VII(D),
the hearing record will remain open for a period of 10 days.
Without objection, the subcommittees stand adjourned.
[Whereupon, at 4:21 p.m., the subcommittees were
adjourned.]
A P P E N D I X
----------
Questions From Chairman John Ratcliffe for Stephen A. Cambone
Question 1a. Given the mission of Texas A&M University System's
land grant mandate including its combination of academic instruction,
education in emerging technologies, and the engineering extension, how
is A&M working to address needs in the public and private sectors?
What strategies is A&M utilizing to implement those approaches?
Answer. The mission of The Texas A&M University System is to
provide education, conduct research, commercialize technology, offer
training, and deliver services for the people of Texas and beyond
through its universities and State agencies. Since its establishment as
a land-grant through the Morrill Act, Texas A&M has fulfilled the
legislation's time-honored tradition by conducting high-impact research
at all levels and bringing forth practical research applications to
citizens in Texas and the Nation.
The original principles set forth in the Morrill Act were to teach
agriculture, military tactics, and the mechanical arts as well as
classical studies so that members of the working classes could obtain a
practical education. As technology has advanced and infused into almost
every part of our lives, this mission has evolved to include fields
such as engineering, public safety, infrastructure and technology.
Cybersecurity is a common thread through these areas and demands to be
addressed in the public and private sectors in order to support growth
and protect systems.
Increasing the resilience of cyber systems found in both the public
and private sectors will require a more skillful work force, ground-
breaking new capabilities, and innovative policies. Fortuitously, and
consistent with its land grant mandate, the Texas A&M University System
has undertaken a series of broad-ranging cybersecurity initiatives
that, in combination, address all three areas.
Workforce Development
On the educational front of work force development, A&M System
faculty and staff are actively engaged in the development of high-
impact education and training opportunities for our students. The
overarching goal of these efforts is to ensure that the graduates of
our programs are properly equipped to address the many ever-evolving
cybersecurity challenges they face in their professional lives.
In recent years A&M faculty and staff have developed a wide array
of cybersecurity courses and broader cybersecurity curriculum
offerings. For instance, over the past 3 years the number of graduate
and undergraduate cybersecurity courses offered at the System's
flagship institution in College Station has more than doubled from 17
to 35. Additionally, the University's new Cybersecurity minor field of
study, first introduced in February 2016, has already attracted nearly
350 students from across the University. It has already become the
highest enrollment minor in the College of Engineering. This spring, A&M
will enroll its initial cohort of students in a first-of-its-kind
Master's Degree program that will further the education of
undergraduate engineering students with an advanced degree in
cybersecurity expertise that they will use to design and build a more
secure next generation of smart, interconnected systems.
Early this year, personnel affiliated with the Texas A&M
Cybersecurity Center provided cybersecurity instruction to A&M IT and
security staff. This instruction was conducted on the prototype for the
Texas A&M-based Texas Cyber Range. This range, now near completion,
will serve as a vitalized laboratory to support hands-on educational
and training experiences for students and employees across the A&M
System, and beyond.
Acknowledging that only a portion of a student's learning takes
place in traditional classroom settings, A&M faculty have developed a
large number of extracurricular and co-curricular activities that
complement, reinforce, and build upon the knowledge and skills our
students acquire in the lecture hall. No less than four student-led
organizations, focusing on cybersecurity topics, have been formed at
A&M in the past 2 years. Students in these organizations have not only
learned a great deal but many participate in teams that have competed,
with great success, in dozens of regional, National, and international
cyber competitions. Finally, A&M faculty and staff have also worked
closely with both public and private-sector organizations to ensure
that our students have the opportunity to gain valuable experience
through their participation in high-impact cybersecurity internships
and co-ops. Our students have consistently identified these real-world
opportunities as some of their most valuable learning experiences.
To encourage students to pursue cybersecurity studies, Texas A&M
University faculty has acquired grant funding for a variety of
cybersecurity scholarship opportunities for our students. To date,
nearly 25 students have received full or partial scholarships under
these programs. The Texas A&M Cybersecurity Center currently has a
proposal under review for an NSF Service-for-Scholarships grant. If
approved, it will provide full scholarships for up to 40 students
beginning fall 2018.
Over the course of the next calendar year, building on the
above described highly successful educational initiatives, the faculty
and staff at the College Station campus will increase their engagement
with their counterparts at the other 10 universities within the A&M
system. The goal of these engagements will be to share course
materials, curriculum initiatives, and other educational best
practices.
Texas A&M also employs two threads that cross-cut the professional
and continuing education (PCE) of cybersecurity work force
development. The first includes certifications (which can also be
referred to as badges, credentials, or programs) that are typically
multiple courses or modules that can be completed either for continuing
education or academic credit. Once the designated course/modules are
satisfactorily completed (some may require third-party examinations) a
certificate will be awarded. These programs may be accredited by States
and/or industry associations. Regardless of any external accreditation,
industry must have input into the content and delivery platforms in
order for the work force development activities to contribute to
effective implementation in the public and private sectors.
The second thread is to ensure that all workers, from novice to the
cybersecurity professional, possess the required level of knowledge and
competency for their specific roles. PCE can also provide preparation
for certification testing that entails the study of a prescribed body
of knowledge or technical curriculum and may require to be supplemented
by on-the-job experience. PCE is applicable to those with and without a
degree from an institute of higher education.
It should be noted that PCE work force development in cybersecurity
calls for content and delivery methodologies to be developed and
delivered based on adult learning models. These tactics require a
different, but complementary approach when compared to traditional
undergraduate and graduate teaching methods.
Capabilities
On the capabilities front, A&M researchers have long engaged in a
wide array of high-impact cybersecurity research projects. With a
primary focus on applied research, A&M scholars have developed
capabilities that address some of the many cyber threats that target
both traditional IT systems, as well as those that target Cyber
Physical Systems (including Industrial Control Systems and other
internet of things components). A&M scholars have developed a large
suite of tools for malware and Advanced Persistent Threat (APT)
analysis, which have been used in hundreds of organizations around the
world. A&M researchers have also developed innovative malicious cyber
infrastructure (botnet) detection and analysis tools, as well as tools
that perform Malicious Social Media analysis. These tools have also
been used in scores of organizations, in both the public and private
sectors.
Notably, the level of cybersecurity research at A&M has increased
dramatically over the past 2 years. There has been a three-fold
increase in the average number of grants awarded to A&M faculty and an
eight-fold increase in the average amount of research funds awarded to
these scholars. This year alone A&M University expects to receive
awards of no less than $11.5 million for up to 8-10 research projects.
Innovative Policies
On the policy front, a proposal, currently under review, would
create a System-level agency, the Institute for National Security &
Cyber Security Education & Research (INCSER). This institute will be
comprised of the Texas A&M Cybersecurity Center, the Texas A&M Nuclear
Security Science and Policy Institute, and a yet-to-be-named Cyber
Policy Center, associated with the Bush School of Government and Public
Service. In addition to facilitating ground-breaking research and
innovative security education, training, and work force development,
the INCSER will engage in research that will lead to the formulation of
high-impact, forward-looking security policies for organizations in
both the public and private sector, across the spectrum from local to
international. This year the Bush School of Government and Public
Service will introduce a graduate certificate in cybersecurity policy,
as a complement to their existing certificate offerings in Advanced
International Affairs and in Homeland Security.
Question 1b. What metrics has A&M identified or does A&M use to
evaluate the effectiveness of these approaches?
Answer. The Texas A&M Engineering Experiment Station (TEES) and the
Texas A&M Engineering Extension Service (TEEX), agencies within the
Texas A&M University System, have robust student management systems
that provide for registration, program completion tracking,
distribution, and an educational records repository. This allows
individuals and organizations to manage their work force development
efforts as well as track overall performance metrics. It is also
critical that work force development efforts are evaluated on several
levels. Typically, near-term assessments of courses, modules, and/or
programs/certifications are completed immediately following the
activity. These assessments are useful, but additional content and
application evaluations will inform the overall cybersecurity work
force continuum. There are several methods of accomplishing this type
of detailed analysis. Surveying individual participants to assess
far-term effectiveness can offer specific data about how that person
applied the content. Additionally, the TEES EDGE (engineering's
professional and continuing education management group) can perform
more detailed quantitative and qualitative analyses for individual
activities and programs as well as private and public organization
impact. This type of analysis would contribute to the life-cycle of
work force development including informing original market research
along with development and deployment.
The Texas A&M University System is uniquely positioned to provide
work force development across the cybersecurity continuum with its
university components and agencies. These system members have developed
and delivered work force development through the following:
Undergraduate and graduate programs
Military and veterans
University and student organizations
Customized contracts with organizations and industry
associations
Federal and State-funded grants
Open-enrollment delivery
Local, State, National, and international deliveries.
Additionally, systems components have worked with public and
private-sector organizations to provide research and technical
assistance including risk assessments. This experience informs the work
force development continuum by contributing current knowledge in
real-time.
Questions From Chairman John Ratcliffe for Douglas Rapp
Question 1a. When the Cyber Leadership Alliance (CLA) approaches a
community college to strengthen or create a cyber studies program, what
parameters or identifiers help the Alliance pick the schools to
approach?
Answer. The Cyber Leadership Alliance has partnerships with
numerous colleges. When CLA evaluates a college for partnership, there
are several criteria that we evaluate.
Does the college understand the cybersecurity ecosystem and
where they fit?
Demand analysis.--It is important for education institutions to
understand the demand for cybersecurity work force. This is their
market research prior to developing a cybersecurity program. It is
important to understand if the college is using industry studies such
as the PWC Global State of Information Security Survey, using data from
the National Institute of Standards and Technology (NIST), using tools
such as CyberSeek, and other valid academic and industry data.
Core competencies alignment.--Understanding their own core
competencies will better determine the type and level of programming
they should pursue. If a college is best known for culinary arts, then
shifting to a highly technical advanced cybersecurity degree program
may not be a good fit. Additionally, a 2-year community college may
want to analyze whether a 2-year cybersecurity degree that teaches the
philosophical concepts of cybersecurity is a better fit than teaching a
2-year applied degree, certificate, or industry certifications.
Goals and standards.--Colleges considering cybersecurity
programming should have clearly-defined goals and standards. When
considering partnerships, CLA places great weight on those institutions
that seek to become NSA/DHS-designated Centers of Academic Excellence
and those institutions who have or intend to map their curriculum to
the National Initiative for Cybersecurity Education (NICE)
Cybersecurity Workforce Framework.
Question 1b. What are some of the issues holding a school back
from offering these courses already?
Answer. Community colleges wishing to offer cybersecurity
programming suffer from several barriers to entry.
Talent shortage.--Colleges suffer from the very malady that they
are seeking to treat; a lack of cybersecurity talent. With the
significant cybersecurity work force shortage and the premium paid for
talent, community colleges are in stiff competition for qualified
instructors. Community colleges can achieve success in this area by
leveraging working professionals in the cybersecurity field as adjunct
faculty.
Knowledge shortage.--There is a common misconception that
cybersecurity is an extension or subset of computer science or
information technology. Colleges can use 7 functional areas and 32
specific specialty areas identified in NIST Special Publication 800-181
to determine programming that best fits their market and competencies.
Difficulty measuring aptitude.--Since cybersecurity has only been
recently recognized as an independent vocational area, the traditional
methodologies of measuring aptitude are only now incorporating the KSA
associated with the field. As an example, a student that exhibits
aptitude for coding may not have the aptitude for risk analysis or
intelligence gathering--both specialty areas in cybersecurity. This is
complicated by the demographics of community colleges that are
comprised of a much higher percentage of non-traditional students such as
adult learners and displaced workers seeking quick pathways to reenter
the work force.
Question 2. How can small businesses, or businesses that do not
have the resources, for instance to sponsor cyber competitions,
participate in the cyber work force pipeline?
Answer. There are two areas where CLA encourages entities with
limited resources to participate in the development of a cybersecurity
work force pipeline.
Sponsoring/Mentoring cybersecurity clubs.--The cost in both time
and resources to sponsor and/or mentor cybersecurity clubs and
competitions is low. The annual cost of registering a middle or high
school CyberPatriot Club is $205 annually and the elementary schools
are free. Clubs and competitions also exist at the collegiate level.
Participation in professional cybersecurity-oriented
organizations.--Individuals and small businesses with limited resources
can become engaged in numerous organizations with a cybersecurity
focus. These organizations include the Cyber Leadership Alliance,
InfraGard (partnership between the FBI and members of the private
sector), EC-Council, ISACA, the Information Systems Security
Association (ISSA), and the International Association of Privacy
Professionals (IAPP).
Question From Chairman John Ratcliffe for David Jarvis
Question. What type of partnerships does IBM have with universities
and community colleges?
IBM has a National footprint; how are schools chosen to become
partners?
Answer. IBM partners with universities and community colleges in
many areas. Our focus on cybersecurity is typically with schools that
have established, successful cybersecurity programs or that have a
desire to build and/or create cybersecurity programs. IBM is committed
to investing in our local communities and has partnered with
universities and community colleges in locations where we are growing
our company, to collaboratively focus on skills development and better
linking education and employment in key technical roles, including
cybersecurity.
Listed below are some of our current cybersecurity-related
partnerships/programs:
P-TECH Model and cybersecurity degrees
IBM is utilizing the new education model Pathways in Technology
Early College High School (P-TECH) in the United States and other
countries specifically for cybersecurity and other technology areas.
The model has expanded to over 60 U.S. schools and 300 industry
partners, with the goal of expanding to 80-plus schools in 2017. P-TECH
connects high school, college, and the world of work to prepare
students for STEM jobs of the future.
Designed to serve historically disadvantaged populations, the
P-TECH 9-14 School Model provides U.S. public school students in grades
9-14 a clear path to post-graduate opportunities that might not
otherwise be available. IBM, along with the New York City Department of
Education and The City University of New York, created the first P-TECH
school in Brooklyn, New York, in 2011. Through P-TECH, students, who
are not screened for admission, earn both a high school diploma and an
industry-recognized 2-year post-secondary degree at no cost to them or
their families. The students are also first in line for jobs with their
industry partner.
On the cybersecurity front, IBM is currently working with Excelsior
Academy at Newburgh Free Academy in New York (a partnership between the
Newburgh Enlarged City School District, IBM and SUNY Orange Community
College) and P-TECH@Carver in Baltimore, Maryland (a partnership
between Carver Vocational Technical High School, IBM and Baltimore City
Community College) on cybersecurity specific pathway programs.
Community College Skills Accelerator (CCSA)
IBM is partnering with community colleges to build the skills of
the future through our Community College Skills Accelerator. This
program provides access to documented skills roadmaps, access to free
IBM tools (including platforms, services, and software), access to IBM
mentorship and subject-matter expertise, including collaboration on
curriculum review and creation and pathways to employment (including
internships and apprenticeships).
Competitions, Symposiums, Career Fairs
IBM supports numerous university-affiliated cybersecurity
competitions, conferences, and career-related events by providing IBM
cybersecurity experts as keynote speakers, panelists, product
demonstrations, and mentors for students in addition to financial
sponsorship. Recent sponsorships include:
CalPoly Pomona Cyber Security & Awareness Fair:
http://www.cpp.edu/cyberfair/
HackCU Boulder Hackathon: https://2017.hackcu.org/
National and Regional Collegiate Cyber Defense Competitions
(CCDC): http://www.nationalccdc.org/
NYU Cyber Security Awareness Week (CSAW):
https://csaw.engineering.nyu.edu/
RIT Collegiate Penetration Testing Competition (CPTC):
http://www.nationalcptc.org/
Watson for Cybersecurity--University Program
Last year, IBM announced plans to work with leading universities
and their students to further train Watson on the language of
cybersecurity, including: California State Polytechnic University,
Pomona; Pennsylvania State University; Massachusetts Institute of
Technology; New York University; the University of Maryland, Baltimore
County (UMBC); the University of New Brunswick; the University of
Ottawa and the University of Waterloo. Students working on building
Watson's corpus of knowledge in cybersecurity will be gaining hands-on
experience in cognitive security.
http://www-03.ibm.com/press/us/en/pressrelease/49683.wss#release
Question From Chairwoman Virginia Foxx for David Jarvis
Question. The Federal Work Study program helps students finance
their postsecondary education, and it is my view that a student's
work-study employment should also contribute to his or her career readiness.
What barriers currently exist that hinder work-study students from
gaining cybersecurity skills through employment at IBM?
Answer. The Federal Work Study program helps students finance their
postsecondary education, but barriers hinder work-study students from
career readiness such as gaining cybersecurity skills at IBM.
Background: The FWS Program provides funds for part-time employment to
help needy students to finance the costs of postsecondary education.
Students can receive FWS funds at approximately 3,400 participating
postsecondary institutions. Hourly wages must not be less than the
Federal minimum wage. Average grants are approximately $1,642.
The work that the student performs must be academically relevant to
the student's educational program if the position is at a private
for-profit employer. The student's work may not displace employees, impair
existing service contracts, nor fill jobs that are vacant due to
strikes.
Barriers: Due to statutory and regulatory barriers and
inflexibility, students are denied the opportunity to use their
work-study grants to further their career readiness. The barriers include:
Low and Career-Hindering Caps on use of grants for paid
internships with private-sector employers in a student's area
of study (such as cybersecurity internships with IBM and other
private-sector employers)
Restrictions to part-time internships that interfere with
full-time placement such as co-operative learning arrangements.
Arbitrary Federally-imposed diversions of work-study funds
for non-career work-based learning purposes that meet the
definition of ``community service''.
Limitations on funding authorization levels for Federal Work
Study and funding allocation based on outdated formulas
unrelated to current needs and goals (such as completion rates,
costs of attendance, and job location and development
programs).
Question From Chairwoman Virginia Foxx for Scott Ralls
Question. Since 2010, the National Centers of Academic Excellence
in Cyber Operations designation has been open to community colleges.
However, only 54 community colleges have been recognized by the
Department of Homeland Security or the National Security Agency
compared to more than 170 baccalaureate institutions. What
recommendations would you have for NSA and DHS as they work to improve
their outreach and engagement with community colleges?
Answer. Since 2010, the National Centers of Academic Excellence in
Cyber Operations designation has been open to community colleges.
However, only 54 community colleges have been recognized by the
Department of Homeland Security or the National Security Agency
compared to more than 170 baccalaureate institutions. What
recommendations would you have for NSA and DHS as they work to improve
their outreach and engagement with community colleges?
Specifically, because only 54 community colleges have been
recognized by DHS as certified programs relative to 170 baccalaureate
institutions, you asked for recommendations to improve outreach and
engagement by NSA and DHS.
My reply is that I have a general sense that you will begin to see
more community colleges become eligible for CAE designation as the
program matures and as community college programs mature. The process
is very rigorous, as it needs to be, and requires multiple years of
program data before colleges are eligible to apply. Because most
college cybersecurity programs are relatively young in their program
existence, they would just be reaching the threshold for eligibility
for the data requirements necessary to attain certification. So in
other words, I think that the issue is not as much about outreach,
awareness, and engagement, but more the need for programs to ``mature''
before they can attain the requirements for eligibility. I think it is
good to keep the standards high, and as I indicated in my testimony,
provide resources as much as possible to DHS and NSA to assist colleges
in attaining the certification requirements.
Beside the issue of program maturity of existing community college
cybersecurity programs for reaching the program standards, there may be
other issues for community colleges in attaining certification
standards relative to baccalaureate degree granting institutions. These
include:
1. Articulation.--Articulation (i.e. transfer of cybersecurity
credits to senior institutions) may be problematic as many
community colleges focus on articulating transfer degrees (AS)
to partner institutions as opposed to Applied Associate (AAS)
degrees. These transfer degrees are often heavy on general
education requirements, light on technical courses--too light
to accommodate the comprehensive curriculum requirements in the
CAE2Y. Unfortunately, many of these programs at the senior
institution level then tend to fall down on the job with
respect to instilling the hard skills that may be better
obtained at the community college level (more training,
industry certification-focused). Senior institutions should be
encouraged to build applied cybersecurity degree programs into
which AAS degrees can be transferred from the community
college, but that can be challenging with respect to
accreditation issues.
2. Community Need.--Community colleges serve local communities.
Many State systems and districts will require the college to
demonstrate for new degree programs that they have a local work
force market before a program is approved. [sic] is difficult,
if not impossible, for rural communities where there are not IT
or Cyber companies.
3. Resources.--More resources are needed to provide for faculty
professional development. This is especially important for
areas that aren't located near large cyber areas as they have
difficulty finding full-time and adjunct faculty.
[all]