b"<html>\n<title> - MORE HIRES, FEWER HACKS: DEVELOPING. THE U.S. CYBERSECURITY WORKFORCE</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                  MORE HIRES, FEWER HACKS: DEVELOPING\n                    THE U.S. CYBERSECURITY WORKFORCE\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY\n\n                                 OF THE\n\n                      COMMITTEE ON SCIENCE, SPACE,\n                             AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                       Tuesday, February 11, 2020\n\n                               __________\n\n                           Serial No. 116-67\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n \n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] \n\n\n       Available via the World Wide Web: http://science.house.gov\n       \n                               __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n39-616PDF                  WASHINGTON : 2021                     \n          \n--------------------------------------------------------------------------------------\n     \n       \n       \n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n             HON. EDDIE BERNICE JOHNSON, Texas, Chairwoman\nZOE LOFGREN, California              FRANK D. LUCAS, Oklahoma, \nDANIEL LIPINSKI, Illinois                Ranking Member\nSUZANNE BONAMICI, Oregon             MO BROOKS, Alabama\nAMI BERA, California,                BILL POSEY, Florida\n    Vice Chair                       RANDY WEBER, Texas\nLIZZIE FLETCHER, Texas               BRIAN BABIN, Texas\nHALEY STEVENS, Michigan              ANDY BIGGS, Arizona\nKENDRA HORN, Oklahoma                ROGER MARSHALL, Kansas\nMIKIE SHERRILL, New Jersey           RALPH NORMAN, South Carolina\nBRAD SHERMAN, California             MICHAEL CLOUD, Texas\nSTEVE COHEN, Tennessee               TROY BALDERSON, Ohio\nJERRY McNERNEY, California           PETE OLSON, Texas\nED PERLMUTTER, Colorado              ANTHONY GONZALEZ, Ohio\nPAUL TONKO, New York                 MICHAEL WALTZ, Florida\nBILL FOSTER, Illinois                JIM BAIRD, Indiana\nDON BEYER, Virginia                  FRANCIS ROONEY, Florida\nCHARLIE CRIST, Florida               GREGORY F. MURPHY, North Carolina\nSEAN CASTEN, Illinois                VACANCY\nBEN McADAMS, Utah\nJENNIFER WEXTON, Virginia\nCONOR LAMB, Pennsylvania\nVACANCY\n                                 ------                                \n\n                Subcommittee on Research and Technology\n\n                HON. HALEY STEVENS, Michigan, Chairwoman\nDANIEL LIPINSKI, Illinois            JIM BAIRD, Indiana, Ranking Member\nMIKIE SHERRILL, New Jersey           ROGER MARSHALL, Kansas\nBRAD SHERMAN, California             TROY BALDERSON, Ohio\nPAUL TONKO, New York                 ANTHONY GONZALEZ, Ohio\nBEN McADAMS, Utah                    VACANCY\nSTEVE COHEN, Tennessee\nBILL FOSTER, Illinois\n                        \n                        C  O  N  T  E  N  T  S\n\n                           February 11, 2020\n\n                                                                   Page\n\nHearing Charter..................................................     2\n\n                           Opening Statements\n\nStatement by Representative Haley Stevens, Chairwoman, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives...........     8\n    Written Statement............................................     9\n\nStatement by Representative Jim Baird, Ranking Member, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives...........    10\n    Written Statement............................................    11\n\nStatement by Representative Eddie Bernice Johnson, Chairwoman, \n  Committee on Science, Space, and Technology, U.S. House of \n  Representatives................................................    12\n    Written Statement............................................    13\n\n                               Witnesses:\n\nMr. Rodney Petersen, Director, National Initiative for \n  Cybersecurity Education, National Institute of Standards and \n  Technology\n    Oral Statement...............................................    15\n    Written Statement............................................    17\n\nDr. Ambareen Siraj, Professor, Computer Science and Director, \n  Cybersecurity Education Research and Outreach Center, Tennessee \n  Tech University\n    Oral Statement...............................................    24\n    Written Statement............................................    26\n\nMr. Joseph Sawasky, President and Chief Executive Officer, Merit \n  Network, Inc.\n    Oral Statement...............................................    56\n    Written Statement............................................    58\n\nMs. Sonya Miller, HR Director, IBM Security and Enterprise & \n  Technology Security\n    Oral Statement...............................................    62\n    Written Statement............................................    64\n\nDiscussion.......................................................    72\n\n \n                  MORE HIRES, FEWER HACKS: DEVELOPING.\n                    THE U.S. CYBERSECURITY WORKFORCE\n\n                              ----------                              \n\n\n                       TUESDAY, FEBRUARY 11, 2020\n\n                  House of Representatives,\n           Subcommittee on Research and Technology,\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n     The Subcommittee met, pursuant to notice, at 10:07 a.m., \nin room 2318 of the Rayburn House Office Building, Hon. Haley \nStevens [Chairwoman of the Subcommittee] presiding.\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n     Chairwoman Stevens. This hearing will come to order. \nWithout objection, the Chair is authorized to declare recess at \nany time.\n     Good morning, and welcome to this hearing of the \nSubcommittee on Research and Technology to explore the major \nchallenges that have led to our national cybersecurity \nworkforce shortage and the programs underway to address that \nshortage. A sincere and very special welcome to our \ndistinguished panel of witnesses for joining us here today, the \neffort and time you took to write your testimony and obviously \nshare your expertise. We're all very much looking forward to \nhearing from you.\n     Almost every day, we hear news about security breaches, \npoor system design, and vulnerabilities disrupting businesses \nand individuals' lives. Part of the reason cybersecurity issues \nare so prevalent is that the demand for skilled cybersecurity \nprofessionals far exceeds the supply of those individuals. \nAccording to CyberSeek, a tool funded by the National \nInitiative for Cybersecurity Education (NICE), as of last month \nthere are over a half a million job openings related to \ncybersecurity in the United States. That's job openings. That \nmeans nearly one in three cybersecurity jobs go unfilled.\n     There are many reasons for this workforce shortfall. \nRelatively few high school students have any exposure to \ncomputer science in the classroom, let alone cybersecurity. \nEven when students graduate from college with a degree in \ncomputer science, they often lack the cybersecurity skills and \nhands-on experience to fill job openings.\n     We also recognize and encourage the multiple pathways to \ncareers in cybersecurity, including certification programs and \napprenticeships. On Saturday, just this past Saturday, I held a \ntown hall back in Michigan on special education. And one of the \nexcellent resources that was highlighted was the Living and \nLearning Enrichment Center, a center for adults with \ndisabilities that has also just recently partnered with Cisco \nand the Michigan Career and Technical Institute, to start a \ncybersecurity certification to train adults with disabilities \nthat traditionally present barriers to employment.\n     In addition, the cybersecurity field as a whole lacks \ndiversity, even more so than many other STEM (science, \ntechnology, engineering, and math) fields. The math is yet \nagain simple. Last year, women accounted for only 20 percent of \nthe global cybersecurity workforce, the global cybersecurity \nworkforce. Women of color in cybersecurity jobs make on average \n$10,000 less than their male counterparts. We cannot address \nour current and future cybersecurity workforce needs without \nrecruiting and retaining more women and minorities into the \nfield.\n     All of our panelists have been leaders in addressing the \ndiversity challenge, and we very much look forward to hearing \nabout your efforts on that front.\n     It should not be a surprise that I'm excited to have NIST \n(National Institute of Standards and Technology) represented on \nthis panel to talk about their leadership in building the \ngovernment's and the Nation's cybersecurity workforce. Truly, \nNIST has been a leader in of course setting the standards, the \nplatform, even reaching out to the Department of Defense and \nforming one of the first MOUs (memorandum of understanding) to \nset cybersecurity standards in the advanced manufacturing \nspace.\n     The National Institute of Standards and Technology is also \nplaying a critical role in cybersecurity workforce development \nacross this National Initiative for Cybersecurity Education, \nNICE. We'll also discuss many of the important Federal programs \nat the National Science Foundation, the Department of Homeland \nSecurity, and other agencies designed to educate and train the \nnext generation of cybersecurity professionals.\n     Finally, we will explore how partnerships between \nacademia, industry, and Federal and State governments are \nworking to improve our cybersecurity workforce, humming and \ncollaborating, and working together. I am so proud to say that \nmy home State of Michigan has helped to lead the way in \ndeveloping education and training programs to equip our State's \nworkforce, Michiganders, with the skills they need to pursue a \ncareer in cybersecurity.\n     Governor Gretchen Whitmer, and even her predecessor \nGovernor Snyder, have implemented programs like the Governor's \nHigh School Cyber Challenge and Girls Go Cyber to give Michigan \nhigh schoolers experience in cybersecurity. We will hear about \nsome of those efforts today.\n     I want to thank the witnesses for being here today to help \nus understand these challenges that organizations face, \ncompanies face to recruit a skilled cybersecurity workforce, \neffective education and workforce development programs designed \nto help these organizations meet cybersecurity workforce needs, \nand how Federal agencies such as NIST are partnering with \nindustry, university, and States to have America lead the way. \nThank you.\n     [The prepared statement of Chairwoman Stevens follows:]\n\n    Good morning and welcome to this hearing of the \nSubcommittee on Research and Technology to explore the major \nchallenges that have led to our national cybersecurity \nworkforce shortage and the programs underway to address that \nshortage. A special welcome to our distinguished panel of \nwitnesses for joining us here today. I'm looking forward to \nhearing your testimony. Almost every day we hear news about \nsecurity breaches, poor system design, and vulnerabilities \ndisrupting businesses and individuals' lives. Part of the \nreason cybersecurity issues are so prevalent is that the demand \nfor skilled cybersecurity professionals far exceeds the supply \nof those individuals.\n    According to CyberSeek, a tool funded by the National \nInitiative for Cybersecurity Education (NICE), as of last month \nthere are over a half a million job openings related to \ncybersecurity in the United States. That means nearly one in \nthree cybersecurity jobs go unfilled.\n    There are many reasons for this workforce shortfall. \nRelatively few high school students have any exposure to \ncomputer science in the classroom, let alone cybersecurity. \nEven when students graduate from college with a degree in \ncomputer science, they often lack the cybersecurity skills and \nhands-on experience to fill job openings.\n    We must also recognize and encourage the multiple pathways \nto careers in cybersecurity, including certification programs \nand apprenticeships. On Saturday, I held a town hall on special \neducation in my district. One of the excellent resources we \nhighlighted is the Living & Learning Enrichment Center, a \ncenter for adults with disabilities that has just partnered \nwith Cisco and the Michigan Career & Technical Institute to \nstart a cybersecurity certification to train adults with \ndisabilities that traditionally present barriers to employment.\n    In addition, the cybersecurity field as a whole lacks \ndiversity, even more so than many other STEM fields. The math \nis simple: Last year, women accounted for only 20 percent of \nthe global cybersecurity workforce. Women of color in \ncybersecurity jobs make on average $10,000 less than their male \ncounterparts. We cannot address our current and future \ncybersecurity workforce needs without recruiting and retaining \nmore women and minorities into the field. All of our panelists \nhave been leaders in addressing the diversity challenge, and I \nlook forward to hearing about your efforts on that front.\n    It should not be a surprise that I am excited to have NIST \nrepresented on this panel to talk about their leadership in \nbuilding the government's and the nation's cybersecurity \nworkforce. The National Institute of Standards and Technology \nis playing a critical role in cybersecurity workforce \ndevelopment across the country through the National Initiative \nfor Cybersecurity Education. We will also discuss many of the \nimportant federal programs at the National Science Foundation, \nthe Department of Homeland Security, and other agencies \ndesigned to educate and train the next generation of \ncybersecurity professionals.\n    Finally, we will explore how partnerships between academia, \nindustry, and Federal and state governments are working to \nimprove our cybersecurity workforce.\n    I am proud to say that my home state of Michigan has led \nthe way in developing education and training programs to equip \nMichiganders with the skills they need to pursue a career in \ncybersecurity. Governor Gretchen Whitmer, and her predecessor \nGovernor Snyder, have implemented programs like the Governor's \nHigh School Cyber Challenge and Girls Go Cyber to give Michigan \nhigh schoolers experiences in cybersecurity. We will hear about \nsome of those efforts today.\n    I want to again thank the witnesses for being here today to \nhelp us understand the challenges that organizations face to \nrecruit a skilled cybersecurity workforce, effective education \nand workforce programs designed to help organizations meet \ncybersecurity workforce needs, and how Federal agencies, such \nas NIST, are partnering with industry, universities, and states \nto lead the way.\n\n     Chairwoman Stevens. At this time, the Chair is now going \nto recognize Dr. Baird for an opening statement.\n     Mr. Baird. Good morning, Chairwoman Stevens, and thank you \nfor holding this hearing today and giving us the opportunity to \nexamine the challenges both public and private that we're \nfacing in recruiting and training cybersecurity professionals. \nAnd I do very much appreciate and we all appreciate all of you \nwitnesses being here today and taking the time out of your \nschedule to do that.\n     But with advances in technology and the growth in the \nInternet of Things come the new methods that foreign countries \nand cybercriminals can use to attack and access our networks. \nSo Americans' information is vulnerable, and we will hear today \nthere is a demand for trained cybersecurity experts to identify \nand defend against cyber attacks.\n     According to the data derived from job posting, the number \nof unfilled security jobs has grown by more than 50 percent \nsince 2015. And by 2022, the global cybersecurity workforce \nshortage is projected to reach upwards of 1.8 million. That's \njust 2 years away, so it kind of gives us a clue how fast and \nhow demand is increasing.\n     So well-trained professionals are essential to our ability \nto implement proven security techniques. Institutions of higher \neducation are working to create and improve cyber education and \ntraining programs focused on ensuring that there are enough \nprofessionals to meet our needs.\n     I am very proud to say that Indiana--did you catch that? \nIndiana has several universities that are leading the way in \ncyber education and training. Purdue University, which is the \nhome to the Nation's first computer science department, hosts \nthe Center for Education and Research in Information Assurance \nand Security, which is CERIAS. CERIAS is one of the seven \noriginal programs designed as a National Center of Academic \nExcellence in Cyber Defense, sponsored by the Department of \nHomeland Security and the National Security Agency.\n     The Purdue program has produced 215 graduates with \ndoctoral degrees in cybersecurity and 329 graduates with \nmaster's degrees in cybersecurity. Purdue University Northwest \nis home to another Center for Academic Excellence for \ninformation assurance and cyber defense education. As of this \nfall, Purdue Northwest has more than 200 students enrolled in \nits cybersecurity major.\n     Indiana is also very lucky to have two Centers of Academic \nExcellence designed and designated as 2-year institutions: \nMoraine Valley Community College and Ivy Tech Community \nCollege. These programs help us meet the growing demand \nnationwide for cybersecurity professionals at all skill levels.\n     The Science Committee has an important role in supporting \nprograms that are providing the skills and expertise needed to \ndefend and support our systems from cyberthreats. I'm an \noriginal co-sponsor to the Securing American Leadership in \nScience and Technology Act. This legislation takes important \nsteps to improve America's cybersecurity capabilities. It makes \nstrategic investments in cybersecurity research and development \nacross Federal science agencies. And it supports building up \nthe NSF (National Science Foundation) Scholarship for Service \nprogram, CyberCorps, to grow and improve the quality of \nAmerica's cybersecurity workforce. Protecting America's cyber-\nsystems is critical to our economic and national security.\n     While these Federal programs play an important role, \nindustry has really stepped up and developed some initiative \nand innovative programs to address the cybersecurity skills gap \nthat we are currently facing, such as IBM's New Collar program.\n     I would like to thank each of the witnesses for taking the \ntime to be here, and we really appreciate your efforts and \nexpertise. I look forward to hearing from each of you and \nprovide an overview of the state of the cybersecurity workforce \nand recommend how the Federal Government can best work with \nindustry and academia to meet this challenge.\n     Thank you, and I yield back the balance of my time.\n     [The prepared statement of Mr. Baird follows:]\n\n    Good morning Chairwoman Stevens and thank you for holding \ntoday's hearing to examine the challenges both the public and \nprivate sectors are facing in recruiting and training \ncybersecurity professionals.\n    With advances in technology and the growth of the \n``internet of things'' come new methods that foreign countries \nand cybercriminals can use to attack and access our networks.\n    Americans' information is vulnerable and, as we will hear \ntoday, there is a demand for trained cybersecurity experts to \nidentify and defend against cyber-attacks.\n    According to data derived from job postings, the number of \nunfilled cybersecurity jobs has grown by more than 50 percent \nsince 2015. By 2022, the global cybersecurity workforce \nshortage is projected to reach upwards of 1.8 million unfilled \npositions.\n    Well-trained professionals are essential to our ability to \nimplement proven security techniques. Institutions of higher \neducation are working to create and improve cyber education and \ntraining programs focused on ensuring there are enough \nprofessionals to meet our needs.\n    I am very proud to say that Indiana has several \nuniversities that are leading the way in cyber education and \ntraining. Purdue University, which is home to the nation's \nfirst computer science department, hosts the Center for \nEducation and Research in Information Assurance and Security \n(CERIAS).\n    CERIAS is one of the seven original programs designed as a \nNational Center of Academic Excellence in Cyber Defense, \nsponsored by the Department of Homeland Security (DHS) and the \nNational Security Agency (NSA).\n    The Purdue program has produced 215 graduates with doctoral \ndegrees in Cybersecurity and 329 graduates with master's \ndegrees in Cybersecurity. Purdue University Northwest is home \nto another Center of Academic Excellence for Information \nAssurance and Cyber Defense Education. As of this fall, Purdue \nNorthwest has more than 200 students enrolled in its \nCybersecurity major.\n    Indiana is also very lucky to have two Centers of Academic \nExcellence designated two-year institutions: Moraine Valley \nCommunity College and Ivy Tech Community College. These \nprograms help us meet the growing demand nationwide for \ncybersecurity professionals at all skill levels.\n    The Science Committee has an important role in supporting \nprograms that are providing the skills and expertise needed to \ndefend and support our systems from cyberthreats.\n    I am an original co-sponsor of the Securing American \nLeadership in Science and Technology Act. This legislation \ntakes important steps to improve America's cybersecurity \ncapabilities. It makes strategic investments in cybersecurity \nresearch and development across federal science agencies. And \nit supports building up the NSF scholarship for service \nprogram, Cybercorps, to grow and improve the quality of \nAmerica's cybersecurity workforce.\n    Protecting America's cyber-systems is critical to our \neconomic and national security.\n    While these federal programs play an important role, \nindustry has really stepped up and developed some innovative \nprograms to address the cybersecurity skills gap we are \ncurrently facing, such as IBM's New Collar program.\n    I would like to thank each of our witnesses for taking the \ntime to be here with us this morning. I look forward to hearing \nfrom you as you provide an overview of the state of the \ncybersecurity workforce and recommend how the federal \ngovernment can best work with industry and academia to meet \nthis challenge.\n    Thank you and I yield back the balance of my time.\n\n     Chairwoman Stevens. Thank you. And at this time the Chair \nnow recognizes our Chairwoman, Chairwoman Johnson of the full \nScience Committee, for an opening statement.\n     Chairwoman Johnson. Thank you very much, Chairwoman \nStevens and Ranking Member Baird, for holding this morning's \nhearing on developing our Nation's cybersecurity workforce, and \nI want to welcome and thank our expert witnesses for their \ntestimony as well.\n     We spend a lot of time in the Science, Space, and \nTechnology Committee focusing on the challenges in developing a \nskilled STEM workforce for the 21st Century, and on exploring \nthe ways in the which the Federal Government can best address \nthese challenges. While we need to develop the STEM pipeline \nacross all fields, there are particular fields in which the gap \nbetween the supply and demand is especially acute. \nCybersecurity is one of those.\n     Technology alone will not mitigate the many risks that \nindividuals, businesses, and governments face in cyberspace. We \nneed researchers who understand the risks as they evolve and \ncan build new defensive tools. We need executives who \nunderstand what is needed to defend their own organizations. We \nneed technicians monitoring the systems on a daily basis. And \nwe need many other types of cybersecurity jobs in between.\n     The fact is we need to educate and train individuals in \ncybersecurity at all levels, and it requires not just degrees \nbut different types of certifications, as well as continuing \neducation for those already in the workforce. And finally, we \nneed the general public to be well-educated about cyber \nhygiene, starting in our elementary schools.\n     The National Initiative for Cybersecurity Education, or \nNICE, was created under the Obama Administration to coordinate \nand expand Federal investments in a skilled cybersecurity \nworkforce and a cybersecurity-savvy public. Congress, led by \nthis Committee, certified NICE in the Cybersecurity Enhancement \nAct of 2013.\n     The National Institute of Standards and Technology is \ntasked with leading NICE. NIST is not traditionally an agency \nthat leads on workforce issues. It is, however, an agency that \nleads on cybersecurity standards for both the public and \nprivate sectors. With its unique understanding and unsurpassed \nexpertise in cybersecurity, NIST is the right agency to \ncoordinate to lead efforts to develop a cybersecurity workforce \nfor the Nation.\n     The Science, Space, and Technology Committee has been \nenacting cybersecurity-focused legislation since 2002, and we \nare planning to move additional legislation this year. I look \nforward to continuing to collaborate across the aisle and \nacross Committee lines to take a whole-of-government approach \nto cybersecurity, starting with the workforce.\n     In that regard, I look forward to hearing from today's \nwitnesses in how the activities carried out under NICE can \ncontinue to be strengthened.\n     Thank you, and I yield back.\n     [The prepared statement of Chairwoman Johnson follows:]\n\n    Thank you Chairwoman Stevens and Ranking Member Baird for \nholding this morning's hearing on developing our nation's \ncybersecurity workforce and I want to welcome and thank the \nexpert witnesses for their testimony.\n    We spend a lot of time in the Science, Space, and \nTechnology Committee focusing on the challenges in developing a \nskilled STEM workforce for the 21st Century, and on exploring \nthe ways in the which the Federal government can best address \nthose challenges. While we need to develop the STEM pipeline \nacross all fields, there are particular fields for which the \ngap between supply and demand is especially acute. \nCybersecurity is one such field.\n    Technology alone will not mitigate the many risks that \nindividuals, businesses, and governments face in cyber space. \nWe need researchers who understand the risks as they evolve and \ncan build new defensive tools. We need executives who \nunderstand what is needed to defend their own organizations. We \nneed technicians monitoring the systems on a daily basis. And \nwe need many other types of cybersecurity jobs in between. The \nfact is we need to educate and train individuals in \ncybersecurity at all levels, and it requires not just degrees \nbut different types of certifications as well as continuing \neducation for those already in the workforce. Finally, we need \nthe general public to be well educated about cyber hygiene, \nstarting in our elementary schools.\n    The National Initiative for Cybersecurity Education, or \nNICE, was created under the Obama Administration to coordinate \nand expand Federal investments in a skilled cybersecurity \nworkforce and a cybersecurity savvy public. Congress, led by \nthis Committee, codified NICE in the Cybersecurity Enhancement \nAct of 2013. The National Institute of Standards and Technology \nis tasked with leading NICE. NIST is not traditionally an \nagency that leads on workforce issues. It is, however, an \nagency that leads on cybersecurity standards for both the \npublic and private sectors. With its unique and unsurpassed \nexpertise in cybersecurity, NIST is the right agency to \ncontinue to lead efforts to develop a cybersecurity workforce \nfor the nation.\n    The Science, Space, and Technology Committee has been \nenacting cybersecurity-focused legislation since 2002, and we \nare planning to move additional legislation this year. I look \nforward to continuing to collaborate across the aisle and \nacross Committee lines to take a whole-of-government approach \nto cybersecurity, starting with the workforce.\n    In that regard, I look forward to hearing from today's \nwitnesses how the activities carried out under NICE can \ncontinue to be strengthened.\n\n     Chairwoman Stevens. Great, thank you, Madam Chair.\n     If there are Members who wish to submit additional opening \nstatements, your statements will be added to the record at this \npoint.\n     And at this time I'd like to introduce our witnesses. Our \nfirst witness is Mr. Rodney Petersen. Mr. Petersen is the \nDirector of the National Initiative for Cybersecurity \nEducation, NICE, at the National Institute of Standards and \nTechnology. Prior to his position at NICE, Mr. Petersen served \nas the Managing Director of the EDUCAUSE Washington office and \nSenior Government Relations Officer. He founded and directed \nthe EDUCAUSE Cybersecurity Initiative and was the staff liaison \nfor the Higher Education Information Security Council. Prior to \njoining EDUCAUSE, he worked two different times for the \nUniversity of Maryland first as Chief Compliance Officer in the \nOffice of the President and later as the Director of IT Policy \nand Planning in the Office of the Vice President and Chief \nInformation Officer. Mr. Petersen is also the co-editor of a \nbook entitled ``Computer and Network Security in Higher \nEducation.''\n     Our next witness is Dr. Ambareen Siraj. Dr. Siraj is a \nProfessor of Computer Science and the founding Director of \nTennessee Tech University's Cybersecurity Education Research \nand Outreach Center, and has served as the leader on several \nNSF and NSA (National Security Agency) education and workforce \ndevelopment grants. Dr. Siraj is also the founder of the Women \nin Cybersecurity organization, an NSF-funded initiative to \nrecruit, retain, and advance women in cybersecurity. Dr. \nSiraj's research focus is on security in cyber physical \nsystems, Internet of Things, situation assessment and network \nsecurity, security education and workforce development. She was \na 2018 recipient of the Colloquium for Information System \nSecurity Education Exceptional Leadership in Education Award.\n     After Dr. Siraj is Mr. Joseph Sawasky. Mr. Sawasky is \ncurrently the President and CEO of Merit Network, a nonprofit \ncorporation governed by Michigan's public universities. Merit \nowns and operates the Nation's longest-running regional \nresearch and education network, having been formed in 1966 by \nthe University of Michigan, Michigan State University, and \nWayne State University. Mr. Sawasky and his team at Merit also \nrun the Michigan Cyber Range, the Nation's largest unclassified \nnetwork-accessible cybersecurity training platform. Prior to \nhis role at Merit, Mr. Sawasky was the Chief Information \nOfficer at Wayne State University, doing this from 2007 to \n2015, during which time he also served on the boards of the \nMerit Network, the Detroit CIO Executive Summit, and Michigan \nTechnology Leaders. He also worked at the University of Toledo \nfor 22 years and in his last position served as CIO. We are \ndelighted we recruited him to Michigan.\n     Our fourth witness is Ms. Sonya Miller. Ms. Miller is the \nIBM H.R. Director for both IBM Security and Enterprise and \nTechnology Security, two distinct divisions within IBM that \nrequire workers who have the skills and experience in \ncybersecurity to protect IBM and IBM clients. IBM Security has \n8,000 employees, including researchers, developers, and subject \nmatter experts focused on security and more than 10,000 \nsecurity-related patents. Wow. Since 2015, IBM Security has \nhired nearly 4,400 additional experts into its security \nbusiness. In her position, Ms. Miller is charged with ensuring \nboth divisions have the skilled staff necessary to fulfill \ntheir missions. Wow. Just an absolute fantastic panel.\n     As our witnesses should know, each of you will have 5 \nminutes for your spoken testimony. Be sure to put your mic on. \nYour written testimony will be included in the record for the \nhearing. And when you've completed your spoken testimony, we'll \nbegin with questions. Each Member will have 5 minutes to \nquestion the panel. And for testimony, we're going to start \nwith Mr. Petersen.\n\n           TESTIMONY OF MR. RODNEY PETERSEN, DIRECTOR,\n\n        NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION,\n\n         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY\n\n     Mr. Petersen. Thank you, Chairwoman Stevens, Ranking \nMember Baird, and Members of the Subcommittee. I am Rodney \nPetersen, the Director of the National Initiative for \nCybersecurity Education, or NICE, at the Department of \nCommerce's National Institute of Standards and Technology known \nas NIST. Thank you for the opportunity to appear before you \ntoday to discuss the role that NICE plays in interagency \ncoordination for cybersecurity education workforce issues, and \nthe challenges the Federal Government faces in recruiting and \nretaining skilled cybersecurity practitioners.\n     NICE is a partnership between government, academia, and \nthe private sector. Our program is focused on promoting and \nenergizing a robust network and ecosystem of cybersecurity \neducation, training, and workforce development. NICE fulfills \nthis mission by coordinating with its partners to build on \nexisting successful programs, facilitating change and \ninnovation, and bringing leadership and vision to increase the \nnumber of skilled cybersecurity workers to keep our Nation \nsecure.\n     To coordinate at the Federal level, NICE Interagency \nCoordinating Council convenes our Federal Government partners \nfor consultation, communication, policy, and strategic \ndirection. This coordination provides an opportunity for the \nNIST-led NICE program office to communicate program updates \nwith key partners in the Federal Government, as well as to \nlearn about other Federal Government activities in support of \nNICE. The group also identifies and discusses policy issues and \nprovides input into the strategic directions for NICE.\n     Another means of coordination is the NICE working group. \nThis working group has been established to provide a mechanism \nin which the public and private sector participants can develop \nconcepts, design strategies, pursue actions that advance \ncybersecurity education, training, and workforce development.\n     Let me share a couple of accomplishments from our current \nNICE strategic plan. First, NICE issued six awards to pilot \nRegional Alliances and Multi-stakeholder Partnerships \nStimulating Cybersecurity Education and Workforce Development. \nThese regional communities, known as RAMPS for cybersecurity \nworkforce, were designed to stimulate local economic \ncommunities to work together to rally education and training \nproviders to meet local workforce needs.\n     Second, NICE also awarded a grant to develop a website \nknown as CyberSeek that was cited earlier today, which includes \nboth an interactive jobs heat map, as well as a career pathway \nportal. The jobs heat map shows that there are over 500,000 \nopen jobs in cybersecurity today across the United States. It \nfurther indicates that there are almost a million people \nemployed in cybersecurity today. The map can be used to search \nfor demand by State. For example, there are 8,760 open \npositions in Michigan alone, 5,603 in Tennessee, and 4,533 in \nIndiana. You can also use that website to search by major \nmetropolitan areas either within a State or across State lines. \nSo, for example, the D.C. metropolitan area in which we \ncurrently reside has 64,089 open jobs.\n     One of the challenges in cybersecurity education training \nand workforce development is having a common language. To meet \nthis need, NIST published the NICE Cybersecurity Workforce \nFramework. The common taxonomy in the NICE framework can be \nused by employers to structure their workforce, develop \nposition descriptions, or craft employee development plans. The \nNICE framework begins to demystify a career in cybersecurity by \nshowing the variety of types of work roles that exist and the \nmultiple career pathways for entering and advancing in a \ncybersecurity career. An update to that NICE framework is \nhappening this year.\n     During 2020, NICE is embarking upon a consultative process \nthat will result in a new 5-year strategic plan, as required by \nthe Cybersecurity Enhancement Act, and that plan will be \ninformed by the community that we serve.\n     As NICE develops its next strategic plan, a few trends are \nbeginning to emerge. First, the need to enhance cybersecurity \ncareer discovery for learners of all ages. Second, the need to \ntransform the learning process to emphasize the \nmultidisciplinary nature of cybersecurity and the multiple \npathways to enter into a cybersecurity career. And third, the \nneed to modernize the talent acquisition process to facilitate \nskills-based hiring that enables career mobility.\n     All of these trends and current activities of NICE \ndirectly support the goals of the National Council for the \nAmerican Worker. Established under Executive Order, the \nNational Council is creating the first-ever national workforce \nstrategy. This strategy is promoting the importance of multiple \npathways to careers, the central role that employers play as \npart of our national education and workforce system, the need \nfor companies to employ skill-based hiring, the need for \ngreater transparency in the skills that companies need, and the \nreturn on investment of different learning pathways.\n     NIST is excited about the accomplishments of the NICE \nprogram in addressing the future of cybersecurity education in \nthe United States in order to increase the number of skilled \ncybersecurity practitioners that are helping to keep our Nation \nsecure. NIST looks forward to continuing to support the \nNation's ability to address current and future challenges \nthrough standards and best practices.\n     Thank you for the opportunity to testify today, and I \nwould be happy to answer any questions that you may have.\n     [The prepared statement of Mr. Petersen follows:]\n     \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n           TESTIMONY OF DR. AMBAREEN SIRAJ, PROFESSOR,\n\n         COMPUTER SCIENCE, AND DIRECTOR, CYBERSECURITY\n\n            EDUCATION RESEARCH AND OUTREACH CENTER,\n\n                   TENNESSEE TECH UNIVERSITY\n\n     Dr. Siraj. Chairwoman Stevens, Ranking Member Baird, and \nthe Members of the Committee and Subcommittee, thank you for \ninviting me today in this very important discussion. My name is \nAmbareen Siraj. I was born and raised in Bangladesh where my \ndad taught me two simple things: working hard and serving \nothers. I'm blessed that this Nation has provided me, an \nunderrepresented immigrant, with an opportunity to serve as an \neducator, a researcher, and a leader.\n     I'm honored to share with you today how we at Tennessee \nTech are contributing to the development of the U.S. \ncybersecurity workforce. Reputed statewide for its \nundergraduate engineering education, Tennessee Tech is located \nin the city of Cookeville in middle Tennessee with a student \npopulation of a little over 10,000. Our computer science, C.S., \nenrollment is increasing at a higher rate than any College of \nEngineering programs. Among the three focus areas in C.S., \ncybersecurity has the majority of students, around 500, and its \nenrollment quadrupled in the last 4 years since it started.\n     Operating since 2016, CEROC (Cybersecurity Education, \nResearch and Outreach Center) is a Center of Academic \nExcellence in cyber defense education accredited by the \nNational Security Agency and the Department of Homeland \nSecurity. At CEROC our cybersecurity students, we facilitated \nan integrated experience in informal education, research, and \noutreach activities alongside their formal cybersecurity \neducation as part of the C.S. curriculum. With the mantra of \ncontinuous learning, crowd-sourced learning, and playing it \nforward, our students are constantly challenged to immerse \nthemselves into educational experiences that enrich self and \nthose around them.\n     Over the last few years multiple CEROC projects funded \nthrough the National Science Foundation and the Department of \nDefense have impacted thousands of secondary and postsecondary \nstudents and hundreds of educators in Tennessee and beyond. \nScholarship for Service (SFS), DOD CySP, and GenCyber are among \nthese.\n     One of our programs with great impact is the Women in \nCybersecurity (WiCyS) initiative. At the time when female \nrepresentation of cybersecurity was only 11 percent, our \njourney began in 2013 with funding from National Science \nFoundation. Today, I'm proud to let you know that over 7 years \nand $3.5 million funding from industry support WiCyS has \nprovided approximately 3,000 student scholarships, 340 faculty \nscholarships, and 6,400 in attendance. Not only the flagship \nconference for women in cyber, WiCyS has become, regardless of \ngender, the largest security conference in the Nation that \nensures comparable representation of students and professionals \nin the audience both from public and private sectors.\n     Operating as a nonprofit organization since late 2017, \nWiCyS is more than 6,000 members strong with 89 student \nchapters across 35 States, 15 professional affiliates across 20 \nStates, and a suite of services to its community that includes \nstudents, professionals, educators, and veterans.\n     There is yet a lot to be done. The current 20 percent \nfemale representation in cybersecurity is not just a threat to \ndiversity and inclusion but also a threat to the cybersecurity \nworkforce pipeline. To bolster the cybersecurity workforce, I \nencourage Congress to invest in Federal programs such as CAE \n(Center for Academic Excellence), SFS (Scholarship for \nService), CySP, GenCyber, and commission more of such programs \nthat enable educational and nonprofit programs to support \ndiverse populations in cyber, community college pathways, \npreparation and pipeline of educators, and nontraditional \npathways for workers. The support opportunities and resources \nprovided by these Federal grants are central to enable smaller \nschools like us to contribute in the Nation's cyber agenda in \nour own ways with our own strength and through our own \ncommunity and beyond.\n     As we continue to do our part, I would like to end with a \nquote from one of our many students at Tennessee Tech who are \nhardworking, humble, and optimistic about their future and \ntheir country. M. writes, ``This program has given me the \ncourage to dream big, to continue seeking knowledge, and to \nmake a difference in the world.''\n     I sincerely appreciate the opportunity to speak today. I \nhope that Tennessee Tech, CEROC, and I can continue to be a \nresource for Congress. I look forward to our discussion. Thank \nyou.\n     [The prepared statement of Dr. Siraj follows:]\n [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n \n                TESTIMONY OF MR. JOSEPH SAWASKY,\n\n             PRESIDENT AND CHIEF EXECUTIVE OFFICER,\n\n                      MERIT NETWORK, INC.\n\n     Mr. Sawasky. Honorable Chairwoman Stevens, Ranking Member \nBaird, and Members of the Subcommittee, thank you for the \ninvitation to present Michigan perspectives on the critical \nissue of cybersecurity workforce development. My organization, \nMerit Network, provides advanced networking, security, and \ncommunity solutions to higher ed, K-12, libraries, and other \nnonprofits in Michigan. Given our mission-critical work across \nthe State, we see firsthand the ever-increasing importance of \ncybersecurity and the desperate need to expand that workforce.\n     Our country faces threats constantly from adversarial \norganizations but quietly and diligently on the frontlines are \nour Nation's thin ranks of dedicated cybersecurity \nprofessionals. According to estimates, the United States has a \nshortfall of over a half million security professionals. In \nMichigan alone we have nearly 9,000 vacant positions now. These \ngaps are projected to widen.\n     Over the last several years, Michigan has developed a \nunique approach to developing a cybersecurity training \necosystem and a powerful tech platform for practicing skills. \nThe Michigan Cyber Range was created through collaboration \nbetween the State, industry, and Merit beginning in 2012. The \nCyber Range is one of the Nation's largest unclassified \npracticum environments for security professionals to test their \nskills in cyber defense.\n     The Range features a simulated city called Alphaville that \ncontains a virtual city hall, school, library, and factory, \namong other things. In our game of five practice environments, \nMerit has engaged nearly 4,000 participants from Michigan and \nother States and even other countries in cyber exercises.\n     Additionally, with the support of the Michigan Economic \nDevelopment Corporation, we've cultivated a statewide ecosystem \nof training partners called Cyber Range Hubs helping them train \nand certify students in a variety of cybersecurity courses \nusing the Cyber Range platform in its course curriculum. This \nprogram represents a novel augmentation of traditional higher \ned and K-12 courses in the State.\n     There are real challenges faced by our partner \norganizations in the education, government, and nonprofit \nsectors in recruiting a skilled cybersecurity workforce. The \nprimary challenge facing nonprofits is an extremely low supply \nof available talent. This low supply results in high demand for \nemployees, higher market salaries, and longer-than-average \ntimes to fill vacancies. Yet nonprofits support a vast array of \nessential societal services and are still charged with \nprotecting enormous amounts of confidential data. They face the \nvery same cyber threats as other sectors, but their ability to \nattract cyber talent is constrained. Compounding this problem, \nfinding qualified teachers and trainers for cybersecurity \ncourses is really difficult, exacerbating the situation for \nnonprofits in the industry overall.\n     There's consensus in Michigan that K-12 is the first key \nto improving the security talent pipeline. That pipeline starts \nin K-12, and it's essential that skill development and \nawareness of cybersecurity career opportunities begin at early \nages. Given that this field is fairly new and rapidly evolving, \nthere has not been a pervasive focus on it for K-12 students or \nteachers. It's imperative that we demystify and de-nerdify \ncyber career opportunities to broaden the appeal of this career \npath.\n     Additionally, we should expand student interest by \nproviding more opportunities for underrepresented groups, \nincluding females and minorities whose participation in the \ncyber workforce has been historically low.\n     To help promote K-12 enthusiasm in cyber, Merit runs the \nGovernor's High School Cyber Challenge. Last year, we had over \n600 students and over 200 high school teams participate with \nthe top 10 teams being invited to the final contest at the \nGovernor's Cyber Summit in Detroit and the top three teams \nbeing awarded trophies personally by the Governor herself. \nThrough this exciting event, Michigan has celebrated K-12 cyber \ntalent in every corner of our great State.\n     Considering all this, State and Federal Governments have a \ncritical role to play in bolstering the cybersecurity workforce \npipeline. One, they should increase support to programs aimed \nat improving K-12 awareness and skill development for both \nstudents and teachers. Two, they should increase support for \neducation, training, and certification, including early \ncredentialing in both high school and college. Three, they \nshould increase support for skill development for \nunderrepresented groups to grow that pool. And, four, they \nshould incentivize coordinated efforts between academia, \nindustry, and government.\n     And to wrap up, I'd like to say that many organizations \nare only one cybersecurity position away from a major disaster, \nand it's essential that we all work together to develop and \ngrow this now-critical part of the U.S. workforce. Thank you \nfor the opportunity to provide Michigan perspectives.\n     [The prepared statement of Mr. Sawasky follows:]\n     \n [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n                 TESTIMONY OF MS. SONYA MILLER,\n\n           H.R. DIRECTOR, IBM SECURITY AND ENTERPRISE\n\n                     & TECHNOLOGY SECURITY\n\n     Ms. Miller. Chairman Stevens, Ranking Member Baird, and \ndistinguished Members, I'm the H.R. Director for both our \ninternal security and for our division that helps clients to \nprotect against cyber attacks. IBM Security is the largest \nsecurity vendor in the world. IBM manages over 70 billion \nsecurity events per day for our clients, one of the largest \nsecurity intelligence operations in the world. We have 17,500 \nclients in more than 130 countries, 8,000 employees, including \nresearchers, developers, and subject matter experts focused on \nsecurity, and more than 10,000 security-related patents. Since \n2015, IBM Security has hired nearly 4,400 additional experts \ninto the security business and invested more than $2 billion in \ndedicated R&D (research and development).\n     Although today's hearing focuses on cybersecurity, the \nworkforce challenges for research are similar. Inclusion, \nalignment, and attainment are obstacles of both cybersecurity \nand the research workforce pipeline.\n     To this end, I would also like to take this opportunity to \nthank the Committee for its very strong leadership and support \nof the National Quantum Initiatives Act.\n     Now, to understand IBM Security, it's important to \nunderstand the people behind the brand. Our cybersecurity \nexperts have a broad range of skills, including researchers \nanalyzing software for vulnerabilities, incident response \nteams, analysts who spend hours studying the tactics of cyber \ncriminals, and a security operation center staff who guards us \nin real time from threats around the globe.\n     New-collar workers with skills, experience, and diversity \nbut lacking degrees are a strategic opportunity for the \ncybersecurity workforce. Around 2/3 of the U.S. working-age \npopulation doesn't have a bachelor's degree. IBM new-collar \napproach emphasizes work-based learning and core skills like \nteaming and adaptability. It is a pathway to finding and \nattracting nontraditional candidates with diverse backgrounds \nand skill sets.\n     To expand new-collar pathways into our cybersecurity jobs, \nIBM is experimenting with a multitude of approaches to educate \nand develop the next generation of cybersecurity professionals. \nOver 220 pathways in technology early college high schools, so \nP-TECHs, are educating students in 24 countries with the \nparticipation of over 600 companies. Through P-TECH, public \nhigh school students can earn both a high school diploma and an \nindustry-recognized 2 year postsecondary degree at no cost to \nthem or their families, while working with industry partners \nlike IBM on skills mapping, mentorship, and workplace \nexperiences and internships. IBM launched our apprenticeship \nprogram in October 2017. Apprentices are paid while in the \nprogram, avoiding that student loan debt and earning skills to \nwork in the tech industry right away.\n     Finally, IBM is trying to tap into sources of talent that \nhave been underrepresented in cybersecurity. As others \nmentioned, for example, women are globally underrepresented in \nthe cybersecurity profession at 24 percent, even lower than the \nIT industry overall. IBM is actively recruiting \nunderrepresented groups through programs that seek \nunderrepresented talent for a more inclusive workforce.\n     IBM's effort to build a cybersecurity workforce proves to \nbe working. Nearly 20 percent of our security hires since 2015 \nwere new-collar workers. IBM urges the Committee to examine the \nfollowing areas for change, government activity that will \nimprove the cybersecurity workforce. One, introduce and enact \ncompanion legislation to S. 2775, the HACKED Act of 2019, as \npassed by the Senate Commerce Committee, and work closely with \nyour colleagues in the Senate to pass a bipartisan proposal \nthat will strengthen Americans' cybersecurity workforce and \nalign education and training with the cybersecurity workforce \nneeds.\n     Second, higher education act reforms, including passage of \nH.R. 3497, the JOBS Act of 2019, to extend Federal Pell Grant \neligibility of short-term programs, removal of restrictions \nthat prevent students from using their Federal work-study with \ncybersecurity-related internships in private sector, and \nsupport additional pathways to careers.\n     And third, explore P-TECH models. Federal agencies should \nexplore the P-TECH models for workforce development strategies \nthey can implement and expanding new-collar hiring. The Federal \nGovernment should adopt a new-collar approach to real and \nexpanded sources of labor.\n     So thank you, Members of the Committee, for the \nopportunity to present IBM's approach to improving \ncybersecurity education and your consideration of this \ntestimony. I'm looking forward to your questions.\n     [The prepared statement of Ms. Miller follows:]\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n     Chairwoman Stevens. Well, we've done a few things in this \nspace, and you all touched on some great points.\n     At this time, we'd like to open up for 5 minutes of \nquestioning. And the Chair is going to recognize herself for 5 \nminutes of questioning, so we can start the clock now.\n     You know, certainly we've taken some steps just in the \nlast couple of weeks with Chairwoman Johnson's support. We \nlaunched the first-ever Women in STEM Caucus in Congress. Dr. \nBaird and I got a bill signed into law at the end of last year, \nthe Building Blocks of STEM Act, which is, again, supporting \nthose early childhood investments in educational programming \nfor science, technology, engineering, and mathematics. And that \ncontinuity, as we all know, is so important, right, that \nonramp, the pathways. Your testimonies all specifically touch \non that.\n     Mr. Petersen, I just wanted to--let's understand a little \nbit about--more about NICE here, NICE within NIST within the \nDepartment of Commerce. How big is your department?\n     Mr. Petersen. So we are a small team of five full-time \nemployees, and we have an approximate $4 million budget \nappropriated by Congress, so a relatively small organization.\n     Chairwoman Stevens. OK. Great. Well, we'll be going \nthrough the budget reauthorization and taking a look at that \nand making sure--so the--just the--half--less than half a dozen \nof you developed the CyberSeek tool or did you contract out for \nthat?\n     Mr. Petersen. So that was a grant given to----\n     Chairwoman Stevens. OK.\n     Mr. Petersen. [continuing]. CompTIA and Burning Glass to \nactually----\n     Chairwoman Stevens. Oh, Burning Glass.\n     Mr. Petersen [continuing]. Develop the tool. Yes.\n     Chairwoman Stevens. OK. Burning Glass. Oh, they're great. \nThey're fabulous. Well, that's a big accomplishment. And we're \nglad to share that today, and we'll continue to share that.\n     And is that on the NICE website? Is that----\n     Mr. Petersen. There's a link to it, but it's----\n     Chairwoman Stevens. OK.\n     Mr. Petersen. [continuing]. CyberSeek.org----\n     Chairwoman Stevens. CyberSeek----\n     Mr. Petersen [continuing]. You can find it.\n     Chairwoman Stevens. CyberSeek.org. OK, great.\n     And as part of that heat-mapping process and, you know, as \nwe look to get in front of this, we--and, Ms. Miller, you \nprobably know this all too well, which is that the job profiles \nare always changing, right? So we're seeking to hire for \ncertain roles. We know we have an emphasis on cybersecurity, \nbut with IOT (internet of things), other advancements, you \nmentioned quantum, the nature of the work is changing. Have any \nof you explored or seen how job profiling, taxonomy work, maybe \nin--you know, with some of the big placement agencies, \nManpower, Kelly Services in Michigan, has that impacted this \ncybersecurity workforce skills gap that we're experiencing? I \ndon't know if, Ms. Miller, you wanted to chime in there.\n     Ms. Miller. Well, IBM, we provide several assessments to \ncandidates around personality, so it's testing for the softer \nskills, as well as learning agility, so a propensity toward \nlifelong learning. So instead of testing for a specific job, \nwe're really looking for these kind of softer skills, as well \nas some level of technical capability. So, you know, jobs--\nthere's jobs now that didn't exist 10 years ago. Therefore, you \nhave to have that agility in how your assessing people. You \ncan't just assess them for the job at hand.\n     Chairwoman Stevens. Yes. And, Mr. Sawasky, are you seeing \nthis, you know, the talent qualifications as described--you're \nworking hand-in-hand with the universities and have this great \ncareer in this space, but the job profiling here I also think \nis something that we want to kind of match up so that, you \nknow, when we're entering into the workforce, we've got that \npipeline and access.\n     Mr. Sawasky. Yes, absolutely. You know, I think what we're \nlooking for are problem-solvers and pattern-finders here, \nregardless of sort of academic discipline. Some of the finest \nIT professionals I've ever worked with were anthropologists and \npsychologists and others.\n     Chairwoman Stevens. Yes.\n     Mr. Sawasky. So it's not absolutely necessary that \ncomputer science is, you know, the first part of the background \nfor a successful career in cyber.\n     Chairwoman Stevens. Great. Dr. Siraj?\n     Dr. Siraj. So, you know, if you go to the CyberSeek \nwebsite, there is also an interactive pathways tab. And if you \nclick on that, it shows that in reality most of the data shows \nthat the top jobs are all based on computer science. But, you \nknow, it is absolutely true that cyber is very \nmultidisciplinary. And then we can have people coming from all \nwalks of life to have something--I mean, everyone can \ncontribute to solve a problem in cyber because cyber is so \nvast.\n     Plus, also, you know, the NIST/NICE workforce framework \nalso helps with that because in that framework Department of \nHomeland Security actually gave out a tool where someone can go \nin and say, OK, I'm interested in data base, and it will show \nthat student or that person, you know, where in the NIST \nframework that this person can contribute to in what way.\n     Chairwoman Stevens. Yes.\n     Dr. Siraj. Again, cyber is something that anyone can \ncontribute to with their own skills.\n     Chairwoman Stevens. Right. And so, Mr. Petersen, I'm sure \nsome of this is resonant with you. Do you see NICE being able \nto work with every one of our witnesses and their portfolio of \nwork? And would our witnesses also agree that you get a lot out \nof working with NICE and that department? So this five-person \ndepartment in the, you know, Department of Commerce, NIST----\n     Mr. Petersen. Yes, I was going to comment even though we \nhave five team members, the NICE community is vast and \neverybody----\n     Chairwoman Stevens. Yes.\n     Mr. Petersen [continuing]. On the stage, every \norganization represented here has worked directly with NIST and \nNICE in the past in our national efforts. So our----\n     Chairwoman Stevens. Leveraged partnerships.\n     Mr. Petersen. Absolutely.\n     Chairwoman Stevens. Great. Thank you. I'm slightly over. \nI'm going to yield back the rest of my time and recognize my \ncolleague Dr. Baird for 5 minutes of questioning.\n     Mr. Baird. Thank you, Madam Chair. And, you know, I've \ngained a great deal of insight just having you here today, and \nI'm sure those that are listening and read the reports will \nalso feel the same way.\n     But, Ms. Miller, I see in your testimony you said you \nhandle 70 billion security events per day for your clients? I \nmean, that----\n     Ms. Miller. Well, not me personally, yes. IBM Security \ndoes.\n     Mr. Baird. I understand. So then I have an interest in \nveterans, and so they bring a wealth of skills from their \nmilitary training and then they got a lot of hands-on \nexperience. Sometimes they're not able to transfer their \nmilitary training over into various programs. So I guess my \nquestion is what's IBM doing in their new-collar program? Is \nthat applicable to veterans? And then the second part of the, \nhave veterans participated in this program?\n     Ms. Miller. Yes, absolutely. So we have a variety of \nprograms targeted to veterans because they tend to actually be \na very good fit for cybersecurity roles, whether they've worked \nin cybersecurity while in the military or they got requisite \ntraining once they've left the military. We have a Veterans \nEmployment Initiative, so that's free training on IBM software. \nAnd it comes with a certificate at the end. We touch over 100 \nveterans per year with that program using IBMers donating their \ntime.\n     We also have a corporate partnership with the USC Marshall \nSchool Masters of Business for veterans, so we have IBM \nmentors, advisors, and SMEs (small and mid-size enterprise) \ndonating their time to work with the veterans on capstone \nprojects, so basically developing innovative solutions to real-\nworld issues.\n     And, finally, we're also hiring veterans at all levels in \nthe company and in the security organization. I actually in \nJanuary was down in Austin, and we have a cohort of apprentices \nthat started in the first quarter of last year. Fifty percent \nof those apprentices are veterans. One actually worked in \ncybersecurity while in the military, and then applied through \nthe apprenticeship program what's going private sector. Another \none actually left the military. He worked for 10 years as a \ncorrections officer, decided to use some of his military \nbenefits, and now he's in our apprenticeship program. They're \nhardware hackers and they're doing excellent.\n     Mr. Baird. Super. Then my next question goes to all of \nyou. You know, I mentioned earlier that Indiana has got four \nCybersecurity Centers for Academic Excellence, and I'm having \nfun with the Chair about Indiana and Michigan, but in reality \nI'm just using them because I'm familiar with it. So the \nquestion comes down to how the Federal Government can further \nbuild on programs like they have at Purdue, and someone \nmentioned more like a 2-year program and so on. So I guess I'm \njust asking how we as the Federal Government giving you the \nopportunity to expand on how you think we can be helpful in \nthat area and to fill the half million jobs we have?\n     And so this is going to be ladies first. Dr. Siraj, you go \nfirst, and then Ms. Miller and then back to Mr. Petersen.\n     Dr. Siraj. So, you know, as I said in my testimony that \nprograms like the CAE program that is NSA DHS program--\nprograms, NSF programs like CyberCorps, DOD (Department of \nDefense) program like Cybersecurity Scholarship, GenCyber \nprogram, I mean, all of these programs have been so impactful \nto--I think the best thing about these programs is that it \nenables smaller schools to have resources to build an army on \nthe ground. And then, you know, once we have all these \ninstitutions making change in their own community, then \ncollectively we are going to see so much in the Nation.\n     So, you know, empowering these programs, again, NIST/NICE \nhas been extremely crucial for universities to get the momentum \ngoing and also commissioning more programs like this that looks \nat how to train educators in cybersecurity because that is the \nbiggest challenge. In 2018 there were 114 Ph.D.s in \ncybersecurity, and only 14 of them went to universities as \nfaculty. So if we want to build pipeline in universities for \nstudents, we have to find some ways to train and prepare and \nallow educators to go into universities.\n     Mr. Baird. I see I'm over on time. Is it all right if----\n     Chairwoman Stevens. Yes, of course.\n     Mr. Baird [continuing]. They go ahead? Go ahead.\n     Ms. Miller. OK. I'll be quick. The Higher Education Act I \ntalked about reforms there, really removing the obstacles on \nhow people can use the funding students so that they're not \npushed into having to go through a 4-year degree. So I talked \nabout work-study programs and using their benefits to work in \nthe private sector in the field that's relevant for their \ncareer aspirations, as well as using Pell Grants for shorter \neducation, you know, certifications and things like that versus \nthe 4-year degree I think is really important where we really \ncould use some help there to help students.\n     Mr. Petersen. So I think what NICE and NIST is best at is \nconvening communities, and so a lot of our work is at the \nnational level. We actually convene an annual K-12 conference \nto bring together K-12 educators and administrators from across \nthe Nation. We do our own annual NICE conference that brings \ntogether industry, academia, as well as government. We also \ncollaborate internationally. There's quite a few other \ncountries that are interested in adopting the NICE \nCybersecurity Workforce Framework as a standard not only for \ntheir country but because of the global nature of work.\n     But we fundamentally believe that a lot of the solutions \nand the answers are in the local communities, whether it be a \nState like Michigan and the ecosystem that Mr. Sawasky \ndescribed is exactly what we promote in Indiana and all of your \ndifferent States, or at the local level, regional level, \nhowever that might be defined. So when I earlier described that \nRAMPS for Cybersecurity Workforce Development, that's really \nabout regional alliances, getting the K-12 higher education \ntraining ecosystem working together to meet local workforce \nneeds.\n     Mr. Sawasky. I think fundamentally we need more funding to \ngrow the, you know, cybersecurity workforce than we have now. I \nlistened to my colleagues talk about, you know, graduating \nhundreds of cyber pros at a time. And really we need to be \nlooking growing them at thousands at a time.\n     And the notion of early credentialing, building on what \nMs. Miller said, is really important. I will let you know that \nmy son Jerrod was pursuing his bachelor's degree in computer \nscience, and I strongly urged him to obtain a professional \ncybersecurity certification in his sophomore year, and he did \nthat. And he got a job, and he's actually paying for his own \nschool now. He's out of the house, which is nice as well. And \nhe is becoming very successful with that early credentialing \nprogram, and allowing students to support that early \ncredentialing in formal--in normal degree pathways I think is \nreally important.\n     Mr. Baird. Thank you. And I yield back.\n     Chairwoman Stevens. Great. And at this time we're going to \nrecognize Ms. Johnson for 5 minutes of questioning.\n     Chairwoman Johnson. Thank you very much.\n     I guess I can direct this to each of you. What are the \nmajor challenges that have led to the cybersecurity workforce \nshortfall? And what should Congress focus its future efforts on \nto bolster the cybersecurity workforce?\n     Dr. Siraj. OK. So I will start. I think K-12 is the, you \nknow, most impactful because there is really not so much \nactivity in cybersecurity at K-12 and computer science. There \nare only 33 States now that have started to have some \nprogramming in computer science, and cybersecurity is much, \nmuch behind that. So preparing teachers in K-12, you know, \nprovide opportunities to students like high school students, \ngiving them internships in cybersecurity, doing partnership \nwith educational institutions, giving infrastructure to K-12 so \nthat--you know, there is a trend right now that K-12 schools \nare being hacked, so they need to also, you know, strengthen \ntheir infrastructure.\n     And, again--so that's K-12. And in postsecondary there is \nso much to do. Not many schools offer cybersecurity courses. I \nthink the key thing is to--not to treat cybersecurity as a silo \nbut integrate in computer science education, in STEM education. \nIn fact, make it a general education course in universities.\n     Mr. Sawasky. I think awareness is really important. A lot \nof children in K through 12 aren't even aware that \ncybersecurity is an option for careers. And I think in Michigan \nwith our Governor's Cyber Challenge, that's really helped \npromote that awareness, too. And it's been fun to watch people \nwho traditionally haven't thought about career opportunities in \nthat field really dig in and work with their teachers and local \ncoaches.\n     And Merit being a network provider offers as a cloud-based \nservice so that we can reach every corner of our State into \nunderserved areas like Detroit and to rural areas like \nMarquette, Michigan. We've seen talent emerge from those \nprograms.\n     Ms. Miller. So just to kind of build off of that, so 2/3 \nof high school students said the idea of a career in \ncybersecurity had never been mentioned to them by, you know, \nteachers and guidance counselors, so there's one of our \nproblems is that, you know, again, it's not being mentioned. \nIt's not being thought about while they're in school.\n     One of the things IBM is doing focusing on this is we \nactually have something called IBM Cyber Day for Girls where we \nhave some of our professionals in cybersecurity at IBM go out \nand meet with middle school girls to tell them about careers in \ncybersecurity, as well as go through kind of a workshopping day \nwhere they, you know, teach them about IOT, cybersecurity \nhygiene, and those types of things to hopefully get them more \nexcited about cybersecurity. So we're trying to, you know, kind \nof kill a couple birds with the same stone by getting women or \ngirls more interested in cybersecurity, as well as educating \nabout cybersecurity.\n     I also mentioned was we do need more curriculum--strong \ncurriculum in community colleges and 4-year colleges around \ncybersecurity. Many do not have majors, minors, or any kind of \nprogram study and certificate that they can get in those areas, \nand I think that's going to be important as we continue to move \non and focus on the skill set.\n     Mr. Petersen. And while NICE would certainly agree with \neverything that's been said and career discovery being \ncritical, I would say in addition to young people, we need to \nfocus on working adults. We need to focus on the transitioning \nveterans, veterans' spouses, military spouses, adults that are \nunderemployed, unemployed, opportunity youth who are in that 18 \nto 25 age group who aren't currently getting an education or \nworking in a job because that's going to be the long-term \nsolution. But we have an immediate shortage today, and we have \nto focus on adults as well as young children to have both a \nnear-term as well as a long-term solution.\n     Dr. Siraj. Also if I may add, community college is a big \npart of the conversation because they represent the most \ndiverse body of students, so we must find effective ways to \ncreate pathways from community college to 4-year universities \nor find ways to get this community college students into \nindustry because there are--you know, there aren't many jobs \nthat will accept community college students with associate \ndegrees in cyber.\n     Chairwoman Johnson. Thank you very much. My time is \nexpired.\n     Chairwoman Stevens. At this time we're going to recognize \nDr. Foster for 5 minutes of questioning.\n     Mr. Foster. Well, thank you. I'd like to speak about--the \nDepartment of Homeland Security oversees a program called \nCybersecurity Education and Training Assistance Program, or \nCETAP, that's run by the National Integrated Cyber Education \nResearch Center pronounced NICERC. Now, CETAP promotes \ncybersecurity education at multiple grade levels in multiple \nStates, including Illinois. It provides Federal financial \nassistance toward community-based efforts to increase knowledge \nof cybersecurity topics and to encourage interest in \ncybersecurity as an academic pursuit and as a professional \ncareer.\n     CETAP has hosted professional development workshops in \nboth Joliet and Aurora in my district, and Joliet and Aurora \nteachers have attended professional development workshops \nhosted by Chicago State University. Unfortunately, it's my \nunderstanding that the latest President's budget has zeroed out \nthis program once again.\n     Now, Mr. Petersen or anyone else on the panel, could you \ndescribe the CETAP program and curricula and what makes it \nsuccessful?\n     Mr. Petersen. So I am directly familiar with the NICERC \nprogram, as you describe. And as I just said earlier, we \nsupport a pretty broad, vast community and I'm proud to say \nNICERC is very actively engaged with us and us with them as \nwell. For example, they are regular participants and sponsors \nat our K-12 Cybersecurity Education Conference, which brings \ntogether educators and administrators from across the Nation. \nAnd, as you described, many States, many school districts, and \nmany State Departments of Education are using their curriculum. \nAnd it's a way to get cybersecurity, as we heard described \nearlier, into the schools at a younger and younger age. So we \ncertainly appreciate the effort they've done to both raise \nawareness and the need to integrate cybersecurity across the \ncurriculum in our K-12 schools and the way to kind of \ndistribute the work that needs to be done across the United \nStates by developing a common curriculum that they're trying to \nintroduce in multiple States.\n     Mr. Foster. Yes. So are there many other curricular--\ncurricula-based programs for K-12, or are they mainly boot \ncamps?\n     Mr. Petersen. So curriculum happens in a lot of different \nways. I mean, for example, at the high school level there's \ncareer technical education programs or CTE programs, and \nthere's career technical student organizations, as well as \nother nonprofits that are partnering with the schools to both \ndevelop curriculum, as well as to develop programs of study \nthat the students can pursue to become specialized or more \naware of cybersecurity curriculum.\n     I would say it's an emerging area, which is why NICERC has \ncertainly made an impact in both the number of teachers, as \nwell as number of students reached, but it is an emerging area \nof opportunity for curriculum development at the K-12 level, as \nI think we heard Ms. Miller describe.\n     Dr. Siraj. So if I may add, the--I have seen firsthand the \nimpact of NICERC, and what NICERC does, it trains the teachers \nand not just, you know, computer science teachers but teachers \nteaching math, arts, sciences, STEM subjects, and it gives them \nresources so that they can talk about and teach security in \ntheir classes. So programs like that, I mean, I think they're \ncrucial for the success of K-12 cybersecurity education and, \nyou know, I cannot say more better things about that program.\n     Mr. Foster. We have an interesting situation in just STEM \ngenerally that young women are outperforming young men all the \nway through the end of high school in STEM fields, and then in \nthe first couple years of college, participation is dropping \noff dramatically. I just--you know, when I go to robotics \ncompetitions in my district, which I do all the time, what I--\nwhat I'm told is that all the way through junior high schools \nthe--girls and boys are well-integrated, and then when you hit \nhigh school for some reason the gender disparity emerges. \nWhat--where--what's the situation in cybersecurity?\n     Dr. Siraj. So, as I stated before, in a couple of years \nback it was 11 percent. Now, it's 20 percent. It needs to be 50 \npercent because, as we all know, diverse groups are--outperform \nany homogenous groups.\n     But I think what's happening is, as young girls are \ngetting into high schools and colleges, what's preventing them \nto be in cyber is the stereotypical image that cyber portrays. \nYou know, when you tell a young girl that, you know, if you go \ninto cyber, you're just going to work in a dungeon. That \ndoesn't, you know, sound very promising. But if you tell the \nyoung girl that if you work in cyber, you're going to keep \npeace in cyberspace, you're going to prevent chaotic situations \nin our modern-day technological lives, that's speaks a lot. So \nI think the lack of community, the lack of inclusive \nenvironment, the lack of role models----\n     Mr. Foster. Yes, the role models is something I've been \ntold repeatedly in things like robotics competitions. For some \nreason most of the coaches in robotics teams in junior high \nschool tend to be women, and then that's not true in high \nschools. And so the role models may be difficult to calculate, \nbut it may be a huge effect.\n     Anyway, Madam Chair, if it's possible if--to have a second \nround of questions, I would--I would appreciate it if that's \nfeasible.\n     Chairwoman Stevens. So we were going to have the--before \nwe brought the hearing to a close, we were going to have the \nwitnesses, as we're here in Congress, share a couple of \nminutes. But what we can do, Dr. Foster, is open it up for a \nsecond round. I'll claim my 5 minutes and cede them to you.\n     Mr. Foster. Very well. So you've done so?\n     Chairwoman Stevens. Yes.\n     Mr. Foster. All right.\n     Chairwoman Stevens. So I've yielded my time----\n     Mr. Foster. Well, thank you.\n     Chairwoman Stevens [continuing]. To my colleague.\n     Mr. Foster. I appreciate it.\n     I'd like to raise the issue of foreign workers in \ncybersecurity. In 1980 just 7.1 percent of American computer \nscience jobs were occupied by foreign-born workers. That grew \nto about almost 30 percent by 2010 because of the breakneck \ngrowth in the tech sector, which became increasingly reliant on \nhigh-skilled visa-holding immigrants. And, unfortunately, \nPresident Trump's immigration policies have made it harder for \ntech companies to bring highly skilled workers into the United \nStates. For example, in March 2017 the USCIS (United States \nCitizenship and Immigration Services) announced that entry-\nlevel computer programmers would no longer automatically \nqualify to apply for the visa programs and--but instead of this \nmeaning that more jobs will actually be filled by Americans, it \nhas turned out that it's just more likely now that companies \nwill send the work overseas where there are, you know, \nemployees that are eligible to work. The problem is that there \njust are not enough trained Americans to fill the growing \ndemand of computer jobs generally.\n     So in response to this, last year, I introduced the Keep \nSTEM Talent Act to provide permanent resident status to \ninternational students who completed advanced STEM degrees in \nthe U.S. institutions and they're interested in continuing \ntheir research in the United States. I believe we should be \nencouraging these young scientists to remain in the United \nStates and join the American scientific and cybersecurity \nworkforces.\n     So, Ms. Miller, how reliant is IBM on foreign talent and \ncomputer scientists, and are there instances when you've \nactually had to move work offshore simply because of the \nshortage of cyber talent in the United States?\n     Ms. Miller. Well, IBM Security specifically is operating \nin over 130 countries, so we have talent all over the world. We \ndo rely to some degree on bringing talent into the United \nStates, but it could be everything from the experience, you \nknow, so cross-training or the experience that they bring from \nsomeplace else to train people here, or we're grooming them and \nwe're--you know, they go back to their home country. So there's \na variety of reasons why we may rely on it.\n     I don't think we have an overabundance of reliance on \nthat, but that's one of the reasons why in the United States \nwe're so focused on the skills-first approach to really \nbringing in more cybersecurity professionals from here, \ngrooming that talent, providing a lot of resources to help--\nfree resources, curriculums on badges, external digital badges, \nand the people can--people can attain to demonstrate their \nproficiency and other tools so that we have the talent here and \nwe're continuing to groom that talent. So that's our main \nfocus. It's not to bring the talent from other countries \nnecessarily but to grow the talent here. And the new-collar \napproach that we're taking is helping us do that.\n     Mr. Foster. Now, if you look at future needs in \ncybersecurity, you know, something like half of all \ncybersecurity instances have to do with someone impersonating \nsomeone else online. And so then a lot of the reason that \nyou're focusing on soft skills is to train people simply to \noperate their authentication properly. And there are \ninteresting proposals out there that the Federal Government \nallows citizens who wants a means to digitally authenticate \nthemselves online--so this would--in its simplest form would be \nsimply, you know, if you get a Real ID card, you're also given \na digital means to assert that ID.\n     And so that is something that I know a lot of industries \nare enthusiastic about being able to add onto as part of the \nway of making sure that you don't have identity fraud, which \nis, you know, the biggest single component of cyber insecurity \nin our country. And so this is going to have a big impact if \npeople have good technical means to authenticate themselves. \nAnd is that going to really change the nature of the \ncybersecurity workforce so that you'll be more focused on, you \nknow, device security, program security rather than training \npeople to feed the systems properly?\n     Ms. Miller. I'm not sure I'm qualified to actually comment \non that. What I will tell you is that in the cybersecurity \nspace cyber criminals, they continue to evolve, and it's hard \nto keep up with them. We were kind of joking yesterday that we \nwished we understood the workforce strategy of these threat \nactors and how they're findings such, you know, great talent \nthat's out there making us have to keep up, making us have to \ncontinue to chase and understand what they're doing. But I \ncan't comment specifically on what technology and the effects--\n--\n     Mr. Foster. Well, that's what makes it so tough for STEM \ntraining generally. You know, I think 15 years ago we were \ntrying to teach all kids to learn HTML so they could, you know, \nmaintain their own webpages, and now, you know, we've got 3 \nbillion webpage maintainers who maintain their Facebook page, \nand it's--the nature of technology is that the training is when \nyou're planning 15 years out.\n     Now, just a last point if I could about the national labs. \nYou know, as I mentioned a few times on this Committee, I'm a \nproud Co-Chair of the National Labs Caucus, and we're visiting \nall 17 of the DOE (Department of Energy) labs. We just finished \nvisiting Oak Ridge National Lab. So, Dr. Siraj, in your \ntestimony you highlighted that Tennessee Tech University \nfaculty and graduate students have been conducting research \nwith the scientists and engineers at Oak Ridge National Lab and \non various DOE-funded research projects. Could you just say a \nfew words about that?\n     Dr. Siraj. So the way it came about because, you know, Oak \nRidge National Lab is just 1 hour away from us, and so we have \na couple of faculty in computer science who are working with a \ncouple of groups in Oak Ridge National Lab to work on security \nresearch projects that I mentioned in my testimony. Plus, we \nalso have partnership where professionals there who don't have \na Ph.D. degree, they're working, they're going into doctoral \nstudies at our school, and our faculty are also going there to \nteach security classes. There are professionals also coming to \nour campus to teach security classes.\n     But, you know, this partnership is, you know--it's a win-\nwin situation for both entities, for the national lab and for \nus for our students. It provides, you know, big opportunity to \nspeak to the scientist and the role models and learn from them \nbecause, you know, what professors know, so----\n     Mr. Foster. Yes. Well, you know, one of my favorite events \nof the year is to go to Argonne National Lab in my district, \nwhich hosts the DOE-sponsored cybersecurity contest where the--\n--\n     Dr. Siraj. Yes, CyberForce competition.\n     Mr. Foster. CyberForce competitions where college teams \ncome in from all over the country and try to hack each \nother's----\n     Dr. Siraj. Yes.\n     Mr. Foster [continuing]. Equipment and it's----\n     Dr. Siraj. So----\n     Mr. Foster. It's a lot of fun. And, you're right, they do \nenjoy interacting with the----\n     Dr. Siraj. Yes, so----\n     Mr. Foster [continuing]. Scientists there. Anyway, my----\n     Dr. Siraj [continuing]. Our students do that, too.\n     Mr. Foster. I think my time is expired, so I will yield \nback.\n     Chairwoman Stevens. OK. Dr. Baird, you'll be recognized \nfor 5 more minutes of questioning.\n     Mr. Baird. Mr. Petersen, last May, President Trump issued \nAmerica Cybersecurity Workforce Executive Order, which directed \nthe Secretary of Commerce and the Secretary of Homeland \nSecurity, along with the heads of other appropriate agencies, \nto implement the recommendations from their 2017 report on how \nto support growth and sustainment of the Nation's cybersecurity \nworkforce in both the public and the private sectors. So could \nyou tell us if you're involved in implementing these \nrecommendations, and if so, how? And are these recommendations \ninforming the development of NICE's strategic plan for the next \nfive years?\n     Mr. Petersen. Yes, thank you for that question. We are \nabsolutely involved, as we were in both the development of the \nrecommendations, as well as the implementation. There were five \nimperatives, multiple recommendations and actions, and we are \nbeginning by prioritizing some of them. So, for example, the \nfirst one spoke to having a national call for action to make \nsure that both the public and private sector were recognizing \nthe importance of cybersecurity.\n     And by way of example, another reason that I've worked \nclosely with IBM is several companies have come together as \npart of the Aspen Cybersecurity Group to issue a set of \nprinciples that they want companies to follow. And one of those \nprinciples is to use the NICE Cybersecurity Workforce \nFramework, but other principles are things like career \ndiscovery or doing skills-based hiring and the like. And so \nworking collaboratively with the private sector and industry in \nthis case to raise the importance and elevate this is one way \nthat we are implementing it.\n     When I talked earlier about transforming the learning \nprocess, including more of a focus on skills and less than just \ntraditional credentials, that's another example of an emerging \ntheme in our next strategic plan. We're learning, as many of \nyou have described, it includes not only the K through 12, the \nhigh school diploma, the community college, college degree, but \nalso certifications or apprenticeships or the other multiple \npathways to a career in cybersecurity.\n     And finally, as I indicated, the Workforce Policy Advisory \nBoard, which is part of that President's National Council on \nAmerica's Workforce, will be talking more about the multiple \npathways to all types of careers but cybersecurity especially \nwhere it could be that transitioning veteran that you described \nearlier that after a 20-year military career, then enters \ncybersecurity, or it could be an IT worker who's going to \ntransition to a cybersecurity role. So we are actively working \non both prioritizing and implementing them to the extent that \nwe can.\n     Mr. Baird. Thank you. Ms. Miller, one last question. \nMaybe, could you elaborate on how IBM has utilized their \napprenticeship program and how you use that to recruit and \nretain cybersecurity workforce?\n     Ms. Miller. Sure. So we started the apprenticeship program \nabout four years ago, and what we do is we've actually--\nespecially in the security--the cybersecurity organizations \nhave really looked at what are the right roles that we can \nreally bring in talent without the 4-year degrees, so looking \nat the soft skills, making sure that they have those right \ncritical skills, and leading with skills first and the \ncapabilities over the credentials, right? And then looking at \nwhat are the right roles to bring them in, so a security \noperations center analyst is one, pen testers, another example, \ntechnical writers.\n     We've been bringing people in into those types of \npositions as a way to, one, test them, make sure that they \ncan--that they have the technical capabilities as we continue \nto train them up, sponsor them for certifications, et cetera. \nSo as they come in, there is a curriculum that's built out for \nthe first year for them that they go through and dedicated \nresources to support them. So it's really looking at this from \na skills-first basis, and it allows us to get the--you know, \nthose that have 4-year degrees, they tend to not be \nrepresentative of the overall U.S. population demographically, \nright? So if we're able to bring in and really leverage the P-\nTECH programs, the apprenticeship programs, et cetera, we're \nable to get into--tap into that underrepresented talent, \nwhether it be based on race, gender, even veterans, et cetera.\n     So this is definitely a way that--and the question was \nasked earlier. This is a way that in the future people will be \nable to look up and see people that look like them at the top \nof the house. So it's very important to us.\n     Mr. Baird. Thank you. And I see I'm out of time. I yield \nback.\n     Chairwoman Stevens. Thank you. And now we'll recognize Dr. \nLipinski for 5 minutes of questions.\n     Mr. Lipinski. Thank you, Chairwoman. Thank you for holding \nthis hearing. We all know how important this issue is. And, \nunfortunately, it doesn't receive nearly as much attention as \nit should.\n     I'm happy to follow the Democrat before me, Bill Foster. \nWe share Argonne National Lab, and appreciate the great work \nthat's being done there on cybersecurity.\n     One particular issue I have is how medium and small \nmanufacturers struggle to keep up with the rapid evolution of \ncyber attacks. It's something I hear about all the time from \nthese manufacturers in my district.\n     I was the Democratic lead on the NIST Small Business \nCybersecurity Act, which was signed into law in 2018. The bill \ndirected NIST to develop voluntary guidelines to help small \nbusinesses identify, manage, and reduce cybersecurity risks. \nNIST has since developed the Small Business Cybersecurity \nCorner to provide resources on this topic to small businesses. \nSo I want to ask Mr. Petersen. Can you describe the National \nInitiative for Cybersecurity Education's contributions to these \nresources for small businesses?\n     Mr. Petersen. Thank you for that question. So we actually \nhave one of our team members, from our small team, that is \nassigned part-time to help support the small and medium \nbusiness outreach. One is because her regular role with NICE is \nto do industry engagement. And again, we want to be sensitive \nto both the needs of large enterprises, as well as small and \nmedium businesses. So she can bring both that expertise, as \nwell as kind of introduce workforce and education-related \ntopics into that small and medium business outreach.\n     The reality is we talk about a small team like my own, the \nsmall and medium businesses have smaller teams especially \ndevoted to IT and cybersecurity and are often reliant on third-\nparty providers, service providers as well, so making sure \nthat, for example, our NICE Cybersecurity Workforce Framework \ndoesn't just speak to the kind of workforce they need but the \nkind of workforce that service providers need to bring to them \nas well as a way we try to translate that for small to medium \nbusinesses.\n     Mr. Lipinski. Thank you. I wanted to follow up on that. \nLooking more generally at both for cybersecurity education and \nmanufacturing, in 2018 the Administration put out the Strategy \nfor American Leadership in Advanced Manufacturing. This was the \nresult of a bill that I had written, that this Committee had \npassed, and it was passed into law. And so it--that strategy \ntalks specifically about bolstering cybersecurity education and \nmanufacturing.\n     So in response, the Department of Defense launched a \nNational Center for Cybersecurity Manufacturing in 2018 at MxD \n(Manufacturing times Digital), which is in Chicago. The center \nfocuses on ensuring small- and medium-size manufacturers are \ntaking the necessary precautions to protect themselves from \ncyber attacks and subsequent data breaches and IP (Internet \nProtocol) theft.\n     So, Mr. Petersen, I wanted to ask, as you've discussed in \nyour testimony the National Initiative for Cybersecurity \nEducation is beginning the process of updating their 5-year \nstrategic plan, so how will the framework leverage work done in \nmanufacturing institutes like the cybersecurity center at MxD \nto accelerate and enhance NIST cybersecurity workforce \ndevelopment?\n     Mr. Petersen. So one of the roles that NICE plays is being \naware of the ecosystem that's happening across the United \nStates, not only geographically but by critical infrastructure \nsectors. There are other economic sectors. And NIST also, as \nyou know, is home to the Manufacturing Extension Partnership \nthat helps to administer some of the manufacturing programs \nacross the United States.\n     And so, fortunately, in the context of my relationship \nwith the NIST MEP (Manufacturing Extension Partnership) office, \nthey brought the workforce program of MxD to our attention, and \nwe have engaged with them directly. Primarily, as they go down \na path of developing a workforce framework for manufacturing to \ncreate a skilled cybersecurity workforce to recognize that the \nNICE Cybersecurity Workforce Framework is a resource to them, \nit's a reference resource upon which all the critical \ninfrastructure sectors can leverage and modify and adapt to \nmeet their needs. But also we're trying to create a \nstandardized environment across the Nation for cybersecurity \nwork that can help education and training providers, as well as \nemployers, to have that common taxonomy. So I'm glad to say \nwe've worked with them very collaboratively and try and \nencourage them to use our existing framework as the foundation \nfor what they do.\n     But second, as you indicate, both as we update our NICE \nframework and our next strategic plan, that any feedback or \ninput that they have to provide to us, that we're more than \nhappy to receive that as well. We did just complete a request \nfor comment period and are going to be looking at the comments \nreceived as a way to collect that public input.\n     Mr. Lipinski. Thank you. And I want to thank you, Mr. \nPetersen, and all of our witnesses today for your testimony but \nalso for your continued work on this very, very critical issue. \nI yield back.\n     Chairwoman Stevens. Thank you, Dr. Lipinski. And I second \nyour comments of gratitude. So many amazing things that we \ntouched on in just this 90-minute period. Dr. Siraj, your \nstatements of anyone can be in cybersecurity, anyone can solve \nthese problems in this cross-functionality and this real place \nof opportunity for growth.\n     Obviously, a lot going on in Congress today, but this is \nsubmitted for the official record. And our record is going to \nremain open for a couple of weeks for additional statements \nfrom Members or questions that they might have, so those might \ncome your way as well. And we're going to keep the conversation \nrolling, as well as the commitment that Congress will continue \nto serve as an effective steward and partner in filling our \nworkforce needs, getting rid of the mistrust and obviously the \nrisk that not only impacts our national security, our financial \nsecurity, for individuals and our overall economy. And it's a \njob opportunity for us as well to promote the cybersecurity \nworkforce.\n     So thank you all so much. The witnesses are now excused, \nand the hearing is adjourned.\n     [Whereupon, at 11:40 a.m., the Subcommittee was \nadjourned.]\n\n                                 [all]\n</pre></body></html>\n"