[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                  MORE HIRES, FEWER HACKS: DEVELOPING
                    THE U.S. CYBERSECURITY WORKFORCE

=======================================================================

                                HEARING

                               BEFORE THE

                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

                                 OF THE

                      COMMITTEE ON SCIENCE, SPACE,
                             AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                       Tuesday, February 11, 2020

                               __________

                           Serial No. 116-67

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] 


       Available via the World Wide Web: http://science.house.gov
       
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
39-616PDF                  WASHINGTON : 2021                     
          
--------------------------------------------------------------------------------------
     
       
       

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

             HON. EDDIE BERNICE JOHNSON, Texas, Chairwoman
ZOE LOFGREN, California              FRANK D. LUCAS, Oklahoma, 
DANIEL LIPINSKI, Illinois                Ranking Member
SUZANNE BONAMICI, Oregon             MO BROOKS, Alabama
AMI BERA, California,                BILL POSEY, Florida
    Vice Chair                       RANDY WEBER, Texas
LIZZIE FLETCHER, Texas               BRIAN BABIN, Texas
HALEY STEVENS, Michigan              ANDY BIGGS, Arizona
KENDRA HORN, Oklahoma                ROGER MARSHALL, Kansas
MIKIE SHERRILL, New Jersey           RALPH NORMAN, South Carolina
BRAD SHERMAN, California             MICHAEL CLOUD, Texas
STEVE COHEN, Tennessee               TROY BALDERSON, Ohio
JERRY McNERNEY, California           PETE OLSON, Texas
ED PERLMUTTER, Colorado              ANTHONY GONZALEZ, Ohio
PAUL TONKO, New York                 MICHAEL WALTZ, Florida
BILL FOSTER, Illinois                JIM BAIRD, Indiana
DON BEYER, Virginia                  FRANCIS ROONEY, Florida
CHARLIE CRIST, Florida               GREGORY F. MURPHY, North Carolina
SEAN CASTEN, Illinois                VACANCY
BEN McADAMS, Utah
JENNIFER WEXTON, Virginia
CONOR LAMB, Pennsylvania
VACANCY
                                 ------                                

                Subcommittee on Research and Technology

                HON. HALEY STEVENS, Michigan, Chairwoman
DANIEL LIPINSKI, Illinois            JIM BAIRD, Indiana, Ranking Member
MIKIE SHERRILL, New Jersey           ROGER MARSHALL, Kansas
BRAD SHERMAN, California             TROY BALDERSON, Ohio
PAUL TONKO, New York                 ANTHONY GONZALEZ, Ohio
BEN McADAMS, Utah                    VACANCY
STEVE COHEN, Tennessee
BILL FOSTER, Illinois
                        
                        C  O  N  T  E  N  T  S

                           February 11, 2020

                                                                   Page

Hearing Charter..................................................     2

                           Opening Statements

Statement by Representative Haley Stevens, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives...........     8
    Written Statement............................................     9

Statement by Representative Jim Baird, Ranking Member, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives...........    10
    Written Statement............................................    11

Statement by Representative Eddie Bernice Johnson, Chairwoman, 
  Committee on Science, Space, and Technology, U.S. House of 
  Representatives................................................    12
    Written Statement............................................    13

                               Witnesses:

Mr. Rodney Petersen, Director, National Initiative for 
  Cybersecurity Education, National Institute of Standards and 
  Technology
    Oral Statement...............................................    15
    Written Statement............................................    17

Dr. Ambareen Siraj, Professor, Computer Science and Director, 
  Cybersecurity Education Research and Outreach Center, Tennessee 
  Tech University
    Oral Statement...............................................    24
    Written Statement............................................    26

Mr. Joseph Sawasky, President and Chief Executive Officer, Merit 
  Network, Inc.
    Oral Statement...............................................    56
    Written Statement............................................    58

Ms. Sonya Miller, HR Director, IBM Security and Enterprise & 
  Technology Security
    Oral Statement...............................................    62
    Written Statement............................................    64

Discussion.......................................................    72

 
                  MORE HIRES, FEWER HACKS: DEVELOPING.
                    THE U.S. CYBERSECURITY WORKFORCE

                              ----------                              


                       TUESDAY, FEBRUARY 11, 2020

                  House of Representatives,
           Subcommittee on Research and Technology,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

     The Subcommittee met, pursuant to notice, at 10:07 a.m., 
in room 2318 of the Rayburn House Office Building, Hon. Haley 
Stevens [Chairwoman of the Subcommittee] presiding.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

     Chairwoman Stevens. This hearing will come to order. 
Without objection, the Chair is authorized to declare recess at 
any time.
     Good morning, and welcome to this hearing of the 
Subcommittee on Research and Technology to explore the major 
challenges that have led to our national cybersecurity 
workforce shortage and the programs underway to address that 
shortage. A sincere and very special welcome to our 
distinguished panel of witnesses for joining us here today, the 
effort and time you took to write your testimony and obviously 
share your expertise. We're all very much looking forward to 
hearing from you.
     Almost every day, we hear news about security breaches, 
poor system design, and vulnerabilities disrupting businesses 
and individuals' lives. Part of the reason cybersecurity issues 
are so prevalent is that the demand for skilled cybersecurity 
professionals far exceeds the supply of those individuals. 
According to CyberSeek, a tool funded by the National 
Initiative for Cybersecurity Education (NICE), as of last month 
there are over a half a million job openings related to 
cybersecurity in the United States. That's job openings. That 
means nearly one in three cybersecurity jobs go unfilled.
     There are many reasons for this workforce shortfall. 
Relatively few high school students have any exposure to 
computer science in the classroom, let alone cybersecurity. 
Even when students graduate from college with a degree in 
computer science, they often lack the cybersecurity skills and 
hands-on experience to fill job openings.
     We also recognize and encourage the multiple pathways to 
careers in cybersecurity, including certification programs and 
apprenticeships. On Saturday, just this past Saturday, I held a 
town hall back in Michigan on special education. And one of the 
excellent resources that was highlighted was the Living and 
Learning Enrichment Center, a center for adults with 
disabilities that has also just recently partnered with Cisco 
and the Michigan Career and Technical Institute, to start a 
cybersecurity certification to train adults with disabilities 
that traditionally present barriers to employment.
     In addition, the cybersecurity field as a whole lacks 
diversity, even more so than many other STEM (science, 
technology, engineering, and math) fields. The math is yet 
again simple. Last year, women accounted for only 20 percent of 
the global cybersecurity workforce, the global cybersecurity 
workforce. Women of color in cybersecurity jobs make on average 
$10,000 less than their male counterparts. We cannot address 
our current and future cybersecurity workforce needs without 
recruiting and retaining more women and minorities into the 
field.
     All of our panelists have been leaders in addressing the 
diversity challenge, and we very much look forward to hearing 
about your efforts on that front.
     It should not be a surprise that I'm excited to have NIST 
(National Institute of Standards and Technology) represented on 
this panel to talk about their leadership in building the 
government's and the Nation's cybersecurity workforce. Truly, 
NIST has been a leader in of course setting the standards, the 
platform, even reaching out to the Department of Defense and 
forming one of the first MOUs (memorandum of understanding) to 
set cybersecurity standards in the advanced manufacturing 
space.
     The National Institute of Standards and Technology is also 
playing a critical role in cybersecurity workforce development 
across this National Initiative for Cybersecurity Education, 
NICE. We'll also discuss many of the important Federal programs 
at the National Science Foundation, the Department of Homeland 
Security, and other agencies designed to educate and train the 
next generation of cybersecurity professionals.
     Finally, we will explore how partnerships between 
academia, industry, and Federal and State governments are 
working to improve our cybersecurity workforce, humming and 
collaborating, and working together. I am so proud to say that 
my home State of Michigan has helped to lead the way in 
developing education and training programs to equip our State's 
workforce, Michiganders, with the skills they need to pursue a 
career in cybersecurity.
     Governor Gretchen Whitmer, and even her predecessor 
Governor Snyder, have implemented programs like the Governor's 
High School Cyber Challenge and Girls Go Cyber to give Michigan 
high schoolers experience in cybersecurity. We will hear about 
some of those efforts today.
     I want to thank the witnesses for being here today to help 
us understand these challenges that organizations face, 
companies face to recruit a skilled cybersecurity workforce, 
effective education and workforce development programs designed 
to help these organizations meet cybersecurity workforce needs, 
and how Federal agencies such as NIST are partnering with 
industry, university, and States to have America lead the way. 
Thank you.
     [The prepared statement of Chairwoman Stevens follows:]

    Good morning and welcome to this hearing of the 
Subcommittee on Research and Technology to explore the major 
challenges that have led to our national cybersecurity 
workforce shortage and the programs underway to address that 
shortage. A special welcome to our distinguished panel of 
witnesses for joining us here today. I'm looking forward to 
hearing your testimony. Almost every day we hear news about 
security breaches, poor system design, and vulnerabilities 
disrupting businesses and individuals' lives. Part of the 
reason cybersecurity issues are so prevalent is that the demand 
for skilled cybersecurity professionals far exceeds the supply 
of those individuals.
    According to CyberSeek, a tool funded by the National 
Initiative for Cybersecurity Education (NICE), as of last month 
there are over a half a million job openings related to 
cybersecurity in the United States. That means nearly one in 
three cybersecurity jobs go unfilled.
    There are many reasons for this workforce shortfall. 
Relatively few high school students have any exposure to 
computer science in the classroom, let alone cybersecurity. 
Even when students graduate from college with a degree in 
computer science, they often lack the cybersecurity skills and 
hands-on experience to fill job openings.
    We must also recognize and encourage the multiple pathways 
to careers in cybersecurity, including certification programs 
and apprenticeships. On Saturday, I held a town hall on special 
education in my district. One of the excellent resources we 
highlighted is the Living & Learning Enrichment Center, a 
center for adults with disabilities that has just partnered 
with Cisco and the Michigan Career & Technical Institute to 
start a cybersecurity certification to train adults with 
disabilities that traditionally present barriers to employment.
    In addition, the cybersecurity field as a whole lacks 
diversity, even more so than many other STEM fields. The math 
is simple: Last year, women accounted for only 20 percent of 
the global cybersecurity workforce. Women of color in 
cybersecurity jobs make on average $10,000 less than their male 
counterparts. We cannot address our current and future 
cybersecurity workforce needs without recruiting and retaining 
more women and minorities into the field. All of our panelists 
have been leaders in addressing the diversity challenge, and I 
look forward to hearing about your efforts on that front.
    It should not be a surprise that I am excited to have NIST 
represented on this panel to talk about their leadership in 
building the government's and the nation's cybersecurity 
workforce. The National Institute of Standards and Technology 
is playing a critical role in cybersecurity workforce 
development across the country through the National Initiative 
for Cybersecurity Education. We will also discuss many of the 
important federal programs at the National Science Foundation, 
the Department of Homeland Security, and other agencies 
designed to educate and train the next generation of 
cybersecurity professionals.
    Finally, we will explore how partnerships between academia, 
industry, and Federal and state governments are working to 
improve our cybersecurity workforce.
    I am proud to say that my home state of Michigan has led 
the way in developing education and training programs to equip 
Michiganders with the skills they need to pursue a career in 
cybersecurity. Governor Gretchen Whitmer, and her predecessor 
Governor Snyder, have implemented programs like the Governor's 
High School Cyber Challenge and Girls Go Cyber to give Michigan 
high schoolers experiences in cybersecurity. We will hear about 
some of those efforts today.
    I want to again thank the witnesses for being here today to 
help us understand the challenges that organizations face to 
recruit a skilled cybersecurity workforce, effective education 
and workforce programs designed to help organizations meet 
cybersecurity workforce needs, and how Federal agencies, such 
as NIST, are partnering with industry, universities, and states 
to lead the way.

     Chairwoman Stevens. At this time, the Chair is now going 
to recognize Dr. Baird for an opening statement.
     Mr. Baird. Good morning, Chairwoman Stevens, and thank you 
for holding this hearing today and giving us the opportunity to 
examine the challenges both public and private that we're 
facing in recruiting and training cybersecurity professionals. 
And I do very much appreciate and we all appreciate all of you 
witnesses being here today and taking the time out of your 
schedule to do that.
     But with advances in technology and the growth in the 
Internet of Things come the new methods that foreign countries 
and cybercriminals can use to attack and access our networks. 
So Americans' information is vulnerable, and we will hear today 
there is a demand for trained cybersecurity experts to identify 
and defend against cyber attacks.
     According to the data derived from job posting, the number 
of unfilled security jobs has grown by more than 50 percent 
since 2015. And by 2022, the global cybersecurity workforce 
shortage is projected to reach upwards of 1.8 million. That's 
just 2 years away, so it kind of gives us a clue how fast and 
how demand is increasing.
     So well-trained professionals are essential to our ability 
to implement proven security techniques. Institutions of higher 
education are working to create and improve cyber education and 
training programs focused on ensuring that there are enough 
professionals to meet our needs.
     I am very proud to say that Indiana--did you catch that? 
Indiana has several universities that are leading the way in 
cyber education and training. Purdue University, which is the 
home to the Nation's first computer science department, hosts 
the Center for Education and Research in Information Assurance 
and Security, which is CERIAS. CERIAS is one of the seven 
original programs designed as a National Center of Academic 
Excellence in Cyber Defense, sponsored by the Department of 
Homeland Security and the National Security Agency.
     The Purdue program has produced 215 graduates with 
doctoral degrees in cybersecurity and 329 graduates with 
master's degrees in cybersecurity. Purdue University Northwest 
is home to another Center for Academic Excellence for 
information assurance and cyber defense education. As of this 
fall, Purdue Northwest has more than 200 students enrolled in 
its cybersecurity major.
     Indiana is also very lucky to have two Centers of Academic 
Excellence designed and designated as 2-year institutions: 
Moraine Valley Community College and Ivy Tech Community 
College. These programs help us meet the growing demand 
nationwide for cybersecurity professionals at all skill levels.
     The Science Committee has an important role in supporting 
programs that are providing the skills and expertise needed to 
defend and support our systems from cyberthreats. I'm an 
original co-sponsor to the Securing American Leadership in 
Science and Technology Act. This legislation takes important 
steps to improve America's cybersecurity capabilities. It makes 
strategic investments in cybersecurity research and development 
across Federal science agencies. And it supports building up 
the NSF (National Science Foundation) Scholarship for Service 
program, CyberCorps, to grow and improve the quality of 
America's cybersecurity workforce. Protecting America's cyber-
systems is critical to our economic and national security.
     While these Federal programs play an important role, 
industry has really stepped up and developed some initiative 
and innovative programs to address the cybersecurity skills gap 
that we are currently facing, such as IBM's New Collar program.
     I would like to thank each of the witnesses for taking the 
time to be here, and we really appreciate your efforts and 
expertise. I look forward to hearing from each of you and 
provide an overview of the state of the cybersecurity workforce 
and recommend how the Federal Government can best work with 
industry and academia to meet this challenge.
     Thank you, and I yield back the balance of my time.
     [The prepared statement of Mr. Baird follows:]

    Good morning Chairwoman Stevens and thank you for holding 
today's hearing to examine the challenges both the public and 
private sectors are facing in recruiting and training 
cybersecurity professionals.
    With advances in technology and the growth of the 
``internet of things'' come new methods that foreign countries 
and cybercriminals can use to attack and access our networks.
    Americans' information is vulnerable and, as we will hear 
today, there is a demand for trained cybersecurity experts to 
identify and defend against cyber-attacks.
    According to data derived from job postings, the number of 
unfilled cybersecurity jobs has grown by more than 50 percent 
since 2015. By 2022, the global cybersecurity workforce 
shortage is projected to reach upwards of 1.8 million unfilled 
positions.
    Well-trained professionals are essential to our ability to 
implement proven security techniques. Institutions of higher 
education are working to create and improve cyber education and 
training programs focused on ensuring there are enough 
professionals to meet our needs.
    I am very proud to say that Indiana has several 
universities that are leading the way in cyber education and 
training. Purdue University, which is home to the nation's 
first computer science department, hosts the Center for 
Education and Research in Information Assurance and Security 
(CERIAS).
    CERIAS is one of the seven original programs designed as a 
National Center of Academic Excellence in Cyber Defense, 
sponsored by the Department of Homeland Security (DHS) and the 
National Security Agency (NSA).
    The Purdue program has produced 215 graduates with doctoral 
degrees in Cybersecurity and 329 graduates with master's 
degrees in Cybersecurity. Purdue University Northwest is home 
to another Center of Academic Excellence for Information 
Assurance and Cyber Defense Education. As of this fall, Purdue 
Northwest has more than 200 students enrolled in its 
Cybersecurity major.
    Indiana is also very lucky to have two Centers of Academic 
Excellence designated two-year institutions: Moraine Valley 
Community College and Ivy Tech Community College. These 
programs help us meet the growing demand nationwide for 
cybersecurity professionals at all skill levels.
    The Science Committee has an important role in supporting 
programs that are providing the skills and expertise needed to 
defend and support our systems from cyberthreats.
    I am an original co-sponsor of the Securing American 
Leadership in Science and Technology Act. This legislation 
takes important steps to improve America's cybersecurity 
capabilities. It makes strategic investments in cybersecurity 
research and development across federal science agencies. And 
it supports building up the NSF scholarship for service 
program, Cybercorps, to grow and improve the quality of 
America's cybersecurity workforce.
    Protecting America's cyber-systems is critical to our 
economic and national security.
    While these federal programs play an important role, 
industry has really stepped up and developed some innovative 
programs to address the cybersecurity skills gap we are 
currently facing, such as IBM's New Collar program.
    I would like to thank each of our witnesses for taking the 
time to be here with us this morning. I look forward to hearing 
from you as you provide an overview of the state of the 
cybersecurity workforce and recommend how the federal 
government can best work with industry and academia to meet 
this challenge.
    Thank you and I yield back the balance of my time.

     Chairwoman Stevens. Thank you. And at this time the Chair 
now recognizes our Chairwoman, Chairwoman Johnson of the full 
Science Committee, for an opening statement.
     Chairwoman Johnson. Thank you very much, Chairwoman 
Stevens and Ranking Member Baird, for holding this morning's 
hearing on developing our Nation's cybersecurity workforce, and 
I want to welcome and thank our expert witnesses for their 
testimony as well.
     We spend a lot of time in the Science, Space, and 
Technology Committee focusing on the challenges in developing a 
skilled STEM workforce for the 21st Century, and on exploring 
the ways in the which the Federal Government can best address 
these challenges. While we need to develop the STEM pipeline 
across all fields, there are particular fields in which the gap 
between the supply and demand is especially acute. 
Cybersecurity is one of those.
     Technology alone will not mitigate the many risks that 
individuals, businesses, and governments face in cyberspace. We 
need researchers who understand the risks as they evolve and 
can build new defensive tools. We need executives who 
understand what is needed to defend their own organizations. We 
need technicians monitoring the systems on a daily basis. And 
we need many other types of cybersecurity jobs in between.
     The fact is we need to educate and train individuals in 
cybersecurity at all levels, and it requires not just degrees 
but different types of certifications, as well as continuing 
education for those already in the workforce. And finally, we 
need the general public to be well-educated about cyber 
hygiene, starting in our elementary schools.
     The National Initiative for Cybersecurity Education, or 
NICE, was created under the Obama Administration to coordinate 
and expand Federal investments in a skilled cybersecurity 
workforce and a cybersecurity-savvy public. Congress, led by 
this Committee, certified NICE in the Cybersecurity Enhancement 
Act of 2013.
     The National Institute of Standards and Technology is 
tasked with leading NICE. NIST is not traditionally an agency 
that leads on workforce issues. It is, however, an agency that 
leads on cybersecurity standards for both the public and 
private sectors. With its unique understanding and unsurpassed 
expertise in cybersecurity, NIST is the right agency to 
coordinate to lead efforts to develop a cybersecurity workforce 
for the Nation.
     The Science, Space, and Technology Committee has been 
enacting cybersecurity-focused legislation since 2002, and we 
are planning to move additional legislation this year. I look 
forward to continuing to collaborate across the aisle and 
across Committee lines to take a whole-of-government approach 
to cybersecurity, starting with the workforce.
     In that regard, I look forward to hearing from today's 
witnesses in how the activities carried out under NICE can 
continue to be strengthened.
     Thank you, and I yield back.
     [The prepared statement of Chairwoman Johnson follows:]

    Thank you Chairwoman Stevens and Ranking Member Baird for 
holding this morning's hearing on developing our nation's 
cybersecurity workforce and I want to welcome and thank the 
expert witnesses for their testimony.
    We spend a lot of time in the Science, Space, and 
Technology Committee focusing on the challenges in developing a 
skilled STEM workforce for the 21st Century, and on exploring 
the ways in the which the Federal government can best address 
those challenges. While we need to develop the STEM pipeline 
across all fields, there are particular fields for which the 
gap between supply and demand is especially acute. 
Cybersecurity is one such field.
    Technology alone will not mitigate the many risks that 
individuals, businesses, and governments face in cyber space. 
We need researchers who understand the risks as they evolve and 
can build new defensive tools. We need executives who 
understand what is needed to defend their own organizations. We 
need technicians monitoring the systems on a daily basis. And 
we need many other types of cybersecurity jobs in between. The 
fact is we need to educate and train individuals in 
cybersecurity at all levels, and it requires not just degrees 
but different types of certifications as well as continuing 
education for those already in the workforce. Finally, we need 
the general public to be well educated about cyber hygiene, 
starting in our elementary schools.
    The National Initiative for Cybersecurity Education, or 
NICE, was created under the Obama Administration to coordinate 
and expand Federal investments in a skilled cybersecurity 
workforce and a cybersecurity savvy public. Congress, led by 
this Committee, codified NICE in the Cybersecurity Enhancement 
Act of 2013. The National Institute of Standards and Technology 
is tasked with leading NICE. NIST is not traditionally an 
agency that leads on workforce issues. It is, however, an 
agency that leads on cybersecurity standards for both the 
public and private sectors. With its unique and unsurpassed 
expertise in cybersecurity, NIST is the right agency to 
continue to lead efforts to develop a cybersecurity workforce 
for the nation.
    The Science, Space, and Technology Committee has been 
enacting cybersecurity-focused legislation since 2002, and we 
are planning to move additional legislation this year. I look 
forward to continuing to collaborate across the aisle and 
across Committee lines to take a whole-of-government approach 
to cybersecurity, starting with the workforce.
    In that regard, I look forward to hearing from today's 
witnesses how the activities carried out under NICE can 
continue to be strengthened.

     Chairwoman Stevens. Great, thank you, Madam Chair.
     If there are Members who wish to submit additional opening 
statements, your statements will be added to the record at this 
point.
     And at this time I'd like to introduce our witnesses. Our 
first witness is Mr. Rodney Petersen. Mr. Petersen is the 
Director of the National Initiative for Cybersecurity 
Education, NICE, at the National Institute of Standards and 
Technology. Prior to his position at NICE, Mr. Petersen served 
as the Managing Director of the EDUCAUSE Washington office and 
Senior Government Relations Officer. He founded and directed 
the EDUCAUSE Cybersecurity Initiative and was the staff liaison 
for the Higher Education Information Security Council. Prior to 
joining EDUCAUSE, he worked two different times for the 
University of Maryland first as Chief Compliance Officer in the 
Office of the President and later as the Director of IT Policy 
and Planning in the Office of the Vice President and Chief 
Information Officer. Mr. Petersen is also the co-editor of a 
book entitled ``Computer and Network Security in Higher 
Education.''
     Our next witness is Dr. Ambareen Siraj. Dr. Siraj is a 
Professor of Computer Science and the founding Director of 
Tennessee Tech University's Cybersecurity Education Research 
and Outreach Center, and has served as the leader on several 
NSF and NSA (National Security Agency) education and workforce 
development grants. Dr. Siraj is also the founder of the Women 
in Cybersecurity organization, an NSF-funded initiative to 
recruit, retain, and advance women in cybersecurity. Dr. 
Siraj's research focus is on security in cyber physical 
systems, Internet of Things, situation assessment and network 
security, security education and workforce development. She was 
a 2018 recipient of the Colloquium for Information System 
Security Education Exceptional Leadership in Education Award.
     After Dr. Siraj is Mr. Joseph Sawasky. Mr. Sawasky is 
currently the President and CEO of Merit Network, a nonprofit 
corporation governed by Michigan's public universities. Merit 
owns and operates the Nation's longest-running regional 
research and education network, having been formed in 1966 by 
the University of Michigan, Michigan State University, and 
Wayne State University. Mr. Sawasky and his team at Merit also 
run the Michigan Cyber Range, the Nation's largest unclassified 
network-accessible cybersecurity training platform. Prior to 
his role at Merit, Mr. Sawasky was the Chief Information 
Officer at Wayne State University, doing this from 2007 to 
2015, during which time he also served on the boards of the 
Merit Network, the Detroit CIO Executive Summit, and Michigan 
Technology Leaders. He also worked at the University of Toledo 
for 22 years and in his last position served as CIO. We are 
delighted we recruited him to Michigan.
     Our fourth witness is Ms. Sonya Miller. Ms. Miller is the 
IBM H.R. Director for both IBM Security and Enterprise and 
Technology Security, two distinct divisions within IBM that 
require workers who have the skills and experience in 
cybersecurity to protect IBM and IBM clients. IBM Security has 
8,000 employees, including researchers, developers, and subject 
matter experts focused on security and more than 10,000 
security-related patents. Wow. Since 2015, IBM Security has 
hired nearly 4,400 additional experts into its security 
business. In her position, Ms. Miller is charged with ensuring 
both divisions have the skilled staff necessary to fulfill 
their missions. Wow. Just an absolute fantastic panel.
     As our witnesses should know, each of you will have 5 
minutes for your spoken testimony. Be sure to put your mic on. 
Your written testimony will be included in the record for the 
hearing. And when you've completed your spoken testimony, we'll 
begin with questions. Each Member will have 5 minutes to 
question the panel. And for testimony, we're going to start 
with Mr. Petersen.

           TESTIMONY OF MR. RODNEY PETERSEN, DIRECTOR,

        NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION,

         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

     Mr. Petersen. Thank you, Chairwoman Stevens, Ranking 
Member Baird, and Members of the Subcommittee. I am Rodney 
Petersen, the Director of the National Initiative for 
Cybersecurity Education, or NICE, at the Department of 
Commerce's National Institute of Standards and Technology known 
as NIST. Thank you for the opportunity to appear before you 
today to discuss the role that NICE plays in interagency 
coordination for cybersecurity education workforce issues, and 
the challenges the Federal Government faces in recruiting and 
retaining skilled cybersecurity practitioners.
     NICE is a partnership between government, academia, and 
the private sector. Our program is focused on promoting and 
energizing a robust network and ecosystem of cybersecurity 
education, training, and workforce development. NICE fulfills 
this mission by coordinating with its partners to build on 
existing successful programs, facilitating change and 
innovation, and bringing leadership and vision to increase the 
number of skilled cybersecurity workers to keep our Nation 
secure.
     To coordinate at the Federal level, NICE Interagency 
Coordinating Council convenes our Federal Government partners 
for consultation, communication, policy, and strategic 
direction. This coordination provides an opportunity for the 
NIST-led NICE program office to communicate program updates 
with key partners in the Federal Government, as well as to 
learn about other Federal Government activities in support of 
NICE. The group also identifies and discusses policy issues and 
provides input into the strategic directions for NICE.
     Another means of coordination is the NICE working group. 
This working group has been established to provide a mechanism 
in which the public and private sector participants can develop 
concepts, design strategies, pursue actions that advance 
cybersecurity education, training, and workforce development.
     Let me share a couple of accomplishments from our current 
NICE strategic plan. First, NICE issued six awards to pilot 
Regional Alliances and Multi-stakeholder Partnerships 
Stimulating Cybersecurity Education and Workforce Development. 
These regional communities, known as RAMPS for cybersecurity 
workforce, were designed to stimulate local economic 
communities to work together to rally education and training 
providers to meet local workforce needs.
     Second, NICE also awarded a grant to develop a website 
known as CyberSeek that was cited earlier today, which includes 
both an interactive jobs heat map, as well as a career pathway 
portal. The jobs heat map shows that there are over 500,000 
open jobs in cybersecurity today across the United States. It 
further indicates that there are almost a million people 
employed in cybersecurity today. The map can be used to search 
for demand by State. For example, there are 8,760 open 
positions in Michigan alone, 5,603 in Tennessee, and 4,533 in 
Indiana. You can also use that website to search by major 
metropolitan areas either within a State or across State lines. 
So, for example, the D.C. metropolitan area in which we 
currently reside has 64,089 open jobs.
     One of the challenges in cybersecurity education training 
and workforce development is having a common language. To meet 
this need, NIST published the NICE Cybersecurity Workforce 
Framework. The common taxonomy in the NICE framework can be 
used by employers to structure their workforce, develop 
position descriptions, or craft employee development plans. The 
NICE framework begins to demystify a career in cybersecurity by 
showing the variety of types of work roles that exist and the 
multiple career pathways for entering and advancing in a 
cybersecurity career. An update to that NICE framework is 
happening this year.
     During 2020, NICE is embarking upon a consultative process 
that will result in a new 5-year strategic plan, as required by 
the Cybersecurity Enhancement Act, and that plan will be 
informed by the community that we serve.
     As NICE develops its next strategic plan, a few trends are 
beginning to emerge. First, the need to enhance cybersecurity 
career discovery for learners of all ages. Second, the need to 
transform the learning process to emphasize the 
multidisciplinary nature of cybersecurity and the multiple 
pathways to enter into a cybersecurity career. And third, the 
need to modernize the talent acquisition process to facilitate 
skills-based hiring that enables career mobility.
     All of these trends and current activities of NICE 
directly support the goals of the National Council for the 
American Worker. Established under Executive Order, the 
National Council is creating the first-ever national workforce 
strategy. This strategy is promoting the importance of multiple 
pathways to careers, the central role that employers play as 
part of our national education and workforce system, the need 
for companies to employ skill-based hiring, the need for 
greater transparency in the skills that companies need, and the 
return on investment of different learning pathways.
     NIST is excited about the accomplishments of the NICE 
program in addressing the future of cybersecurity education in 
the United States in order to increase the number of skilled 
cybersecurity practitioners that are helping to keep our Nation 
secure. NIST looks forward to continuing to support the 
Nation's ability to address current and future challenges 
through standards and best practices.
     Thank you for the opportunity to testify today, and I 
would be happy to answer any questions that you may have.
     [The prepared statement of Mr. Petersen follows:]
     
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
           TESTIMONY OF DR. AMBAREEN SIRAJ, PROFESSOR,

         COMPUTER SCIENCE, AND DIRECTOR, CYBERSECURITY

            EDUCATION RESEARCH AND OUTREACH CENTER,

                   TENNESSEE TECH UNIVERSITY

     Dr. Siraj. Chairwoman Stevens, Ranking Member Baird, and 
the Members of the Committee and Subcommittee, thank you for 
inviting me today in this very important discussion. My name is 
Ambareen Siraj. I was born and raised in Bangladesh where my 
dad taught me two simple things: working hard and serving 
others. I'm blessed that this Nation has provided me, an 
underrepresented immigrant, with an opportunity to serve as an 
educator, a researcher, and a leader.
     I'm honored to share with you today how we at Tennessee 
Tech are contributing to the development of the U.S. 
cybersecurity workforce. Reputed statewide for its 
undergraduate engineering education, Tennessee Tech is located 
in the city of Cookeville in middle Tennessee with a student 
population of a little over 10,000. Our computer science, C.S., 
enrollment is increasing at a higher rate than any College of 
Engineering programs. Among the three focus areas in C.S., 
cybersecurity has the majority of students, around 500, and its 
enrollment quadrupled in the last 4 years since it started.
     Operating since 2016, CEROC (Cybersecurity Education, 
Research and Outreach Center) is a Center of Academic 
Excellence in cyber defense education accredited by the 
National Security Agency and the Department of Homeland 
Security. At CEROC our cybersecurity students, we facilitated 
an integrated experience in informal education, research, and 
outreach activities alongside their formal cybersecurity 
education as part of the C.S. curriculum. With the mantra of 
continuous learning, crowd-sourced learning, and playing it 
forward, our students are constantly challenged to immerse 
themselves into educational experiences that enrich self and 
those around them.
     Over the last few years multiple CEROC projects funded 
through the National Science Foundation and the Department of 
Defense have impacted thousands of secondary and postsecondary 
students and hundreds of educators in Tennessee and beyond. 
Scholarship for Service (SFS), DOD CySP, and GenCyber are among 
these.
     One of our programs with great impact is the Women in 
Cybersecurity (WiCyS) initiative. At the time when female 
representation of cybersecurity was only 11 percent, our 
journey began in 2013 with funding from National Science 
Foundation. Today, I'm proud to let you know that over 7 years 
and $3.5 million funding from industry support WiCyS has 
provided approximately 3,000 student scholarships, 340 faculty 
scholarships, and 6,400 in attendance. Not only the flagship 
conference for women in cyber, WiCyS has become, regardless of 
gender, the largest security conference in the Nation that 
ensures comparable representation of students and professionals 
in the audience both from public and private sectors.
     Operating as a nonprofit organization since late 2017, 
WiCyS is more than 6,000 members strong with 89 student 
chapters across 35 States, 15 professional affiliates across 20 
States, and a suite of services to its community that includes 
students, professionals, educators, and veterans.
     There is yet a lot to be done. The current 20 percent 
female representation in cybersecurity is not just a threat to 
diversity and inclusion but also a threat to the cybersecurity 
workforce pipeline. To bolster the cybersecurity workforce, I 
encourage Congress to invest in Federal programs such as CAE 
(Center for Academic Excellence), SFS (Scholarship for 
Service), CySP, GenCyber, and commission more of such programs 
that enable educational and nonprofit programs to support 
diverse populations in cyber, community college pathways, 
preparation and pipeline of educators, and nontraditional 
pathways for workers. The support opportunities and resources 
provided by these Federal grants are central to enable smaller 
schools like us to contribute in the Nation's cyber agenda in 
our own ways with our own strength and through our own 
community and beyond.
     As we continue to do our part, I would like to end with a 
quote from one of our many students at Tennessee Tech who are 
hardworking, humble, and optimistic about their future and 
their country. M. writes, ``This program has given me the 
courage to dream big, to continue seeking knowledge, and to 
make a difference in the world.''
     I sincerely appreciate the opportunity to speak today. I 
hope that Tennessee Tech, CEROC, and I can continue to be a 
resource for Congress. I look forward to our discussion. Thank 
you.
     [The prepared statement of Dr. Siraj follows:]
 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
 
                TESTIMONY OF MR. JOSEPH SAWASKY,

             PRESIDENT AND CHIEF EXECUTIVE OFFICER,

                      MERIT NETWORK, INC.

     Mr. Sawasky. Honorable Chairwoman Stevens, Ranking Member 
Baird, and Members of the Subcommittee, thank you for the 
invitation to present Michigan perspectives on the critical 
issue of cybersecurity workforce development. My organization, 
Merit Network, provides advanced networking, security, and 
community solutions to higher ed, K-12, libraries, and other 
nonprofits in Michigan. Given our mission-critical work across 
the State, we see firsthand the ever-increasing importance of 
cybersecurity and the desperate need to expand that workforce.
     Our country faces threats constantly from adversarial 
organizations but quietly and diligently on the frontlines are 
our Nation's thin ranks of dedicated cybersecurity 
professionals. According to estimates, the United States has a 
shortfall of over a half million security professionals. In 
Michigan alone we have nearly 9,000 vacant positions now. These 
gaps are projected to widen.
     Over the last several years, Michigan has developed a 
unique approach to developing a cybersecurity training 
ecosystem and a powerful tech platform for practicing skills. 
The Michigan Cyber Range was created through collaboration 
between the State, industry, and Merit beginning in 2012. The 
Cyber Range is one of the Nation's largest unclassified 
practicum environments for security professionals to test their 
skills in cyber defense.
     The Range features a simulated city called Alphaville that 
contains a virtual city hall, school, library, and factory, 
among other things. In our game of five practice environments, 
Merit has engaged nearly 4,000 participants from Michigan and 
other States and even other countries in cyber exercises.
     Additionally, with the support of the Michigan Economic 
Development Corporation, we've cultivated a statewide ecosystem 
of training partners called Cyber Range Hubs helping them train 
and certify students in a variety of cybersecurity courses 
using the Cyber Range platform in its course curriculum. This 
program represents a novel augmentation of traditional higher 
ed and K-12 courses in the State.
     There are real challenges faced by our partner 
organizations in the education, government, and nonprofit 
sectors in recruiting a skilled cybersecurity workforce. The 
primary challenge facing nonprofits is an extremely low supply 
of available talent. This low supply results in high demand for 
employees, higher market salaries, and longer-than-average 
times to fill vacancies. Yet nonprofits support a vast array of 
essential societal services and are still charged with 
protecting enormous amounts of confidential data. They face the 
very same cyber threats as other sectors, but their ability to 
attract cyber talent is constrained. Compounding this problem, 
finding qualified teachers and trainers for cybersecurity 
courses is really difficult, exacerbating the situation for 
nonprofits in the industry overall.
     There's consensus in Michigan that K-12 is the first key 
to improving the security talent pipeline. That pipeline starts 
in K-12, and it's essential that skill development and 
awareness of cybersecurity career opportunities begin at early 
ages. Given that this field is fairly new and rapidly evolving, 
there has not been a pervasive focus on it for K-12 students or 
teachers. It's imperative that we demystify and de-nerdify 
cyber career opportunities to broaden the appeal of this career 
path.
     Additionally, we should expand student interest by 
providing more opportunities for underrepresented groups, 
including females and minorities whose participation in the 
cyber workforce has been historically low.
     To help promote K-12 enthusiasm in cyber, Merit runs the 
Governor's High School Cyber Challenge. Last year, we had over 
600 students and over 200 high school teams participate with 
the top 10 teams being invited to the final contest at the 
Governor's Cyber Summit in Detroit and the top three teams 
being awarded trophies personally by the Governor herself. 
Through this exciting event, Michigan has celebrated K-12 cyber 
talent in every corner of our great State.
     Considering all this, State and Federal Governments have a 
critical role to play in bolstering the cybersecurity workforce 
pipeline. One, they should increase support to programs aimed 
at improving K-12 awareness and skill development for both 
students and teachers. Two, they should increase support for 
education, training, and certification, including early 
credentialing in both high school and college. Three, they 
should increase support for skill development for 
underrepresented groups to grow that pool. And, four, they 
should incentivize coordinated efforts between academia, 
industry, and government.
     And to wrap up, I'd like to say that many organizations 
are only one cybersecurity position away from a major disaster, 
and it's essential that we all work together to develop and 
grow this now-critical part of the U.S. workforce. Thank you 
for the opportunity to provide Michigan perspectives.
     [The prepared statement of Mr. Sawasky follows:]
     
 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
                 TESTIMONY OF MS. SONYA MILLER,

           H.R. DIRECTOR, IBM SECURITY AND ENTERPRISE

                     & TECHNOLOGY SECURITY

     Ms. Miller. Chairman Stevens, Ranking Member Baird, and 
distinguished Members, I'm the H.R. Director for both our 
internal security and for our division that helps clients to 
protect against cyber attacks. IBM Security is the largest 
security vendor in the world. IBM manages over 70 billion 
security events per day for our clients, one of the largest 
security intelligence operations in the world. We have 17,500 
clients in more than 130 countries, 8,000 employees, including 
researchers, developers, and subject matter experts focused on 
security, and more than 10,000 security-related patents. Since 
2015, IBM Security has hired nearly 4,400 additional experts 
into the security business and invested more than $2 billion in 
dedicated R&D (research and development).
     Although today's hearing focuses on cybersecurity, the 
workforce challenges for research are similar. Inclusion, 
alignment, and attainment are obstacles of both cybersecurity 
and the research workforce pipeline.
     To this end, I would also like to take this opportunity to 
thank the Committee for its very strong leadership and support 
of the National Quantum Initiatives Act.
     Now, to understand IBM Security, it's important to 
understand the people behind the brand. Our cybersecurity 
experts have a broad range of skills, including researchers 
analyzing software for vulnerabilities, incident response 
teams, analysts who spend hours studying the tactics of cyber 
criminals, and a security operation center staff who guards us 
in real time from threats around the globe.
     New-collar workers with skills, experience, and diversity 
but lacking degrees are a strategic opportunity for the 
cybersecurity workforce. Around 2/3 of the U.S. working-age 
population doesn't have a bachelor's degree. IBM new-collar 
approach emphasizes work-based learning and core skills like 
teaming and adaptability. It is a pathway to finding and 
attracting nontraditional candidates with diverse backgrounds 
and skill sets.
     To expand new-collar pathways into our cybersecurity jobs, 
IBM is experimenting with a multitude of approaches to educate 
and develop the next generation of cybersecurity professionals. 
Over 220 pathways in technology early college high schools, so 
P-TECHs, are educating students in 24 countries with the 
participation of over 600 companies. Through P-TECH, public 
high school students can earn both a high school diploma and an 
industry-recognized 2 year postsecondary degree at no cost to 
them or their families, while working with industry partners 
like IBM on skills mapping, mentorship, and workplace 
experiences and internships. IBM launched our apprenticeship 
program in October 2017. Apprentices are paid while in the 
program, avoiding that student loan debt and earning skills to 
work in the tech industry right away.
     Finally, IBM is trying to tap into sources of talent that 
have been underrepresented in cybersecurity. As others 
mentioned, for example, women are globally underrepresented in 
the cybersecurity profession at 24 percent, even lower than the 
IT industry overall. IBM is actively recruiting 
underrepresented groups through programs that seek 
underrepresented talent for a more inclusive workforce.
     IBM's effort to build a cybersecurity workforce proves to 
be working. Nearly 20 percent of our security hires since 2015 
were new-collar workers. IBM urges the Committee to examine the 
following areas for change, government activity that will 
improve the cybersecurity workforce. One, introduce and enact 
companion legislation to S. 2775, the HACKED Act of 2019, as 
passed by the Senate Commerce Committee, and work closely with 
your colleagues in the Senate to pass a bipartisan proposal 
that will strengthen Americans' cybersecurity workforce and 
align education and training with the cybersecurity workforce 
needs.
     Second, higher education act reforms, including passage of 
H.R. 3497, the JOBS Act of 2019, to extend Federal Pell Grant 
eligibility of short-term programs, removal of restrictions 
that prevent students from using their Federal work-study with 
cybersecurity-related internships in private sector, and 
support additional pathways to careers.
     And third, explore P-TECH models. Federal agencies should 
explore the P-TECH models for workforce development strategies 
they can implement and expanding new-collar hiring. The Federal 
Government should adopt a new-collar approach to real and 
expanded sources of labor.
     So thank you, Members of the Committee, for the 
opportunity to present IBM's approach to improving 
cybersecurity education and your consideration of this 
testimony. I'm looking forward to your questions.
     [The prepared statement of Ms. Miller follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
     Chairwoman Stevens. Well, we've done a few things in this 
space, and you all touched on some great points.
     At this time, we'd like to open up for 5 minutes of 
questioning. And the Chair is going to recognize herself for 5 
minutes of questioning, so we can start the clock now.
     You know, certainly we've taken some steps just in the 
last couple of weeks with Chairwoman Johnson's support. We 
launched the first-ever Women in STEM Caucus in Congress. Dr. 
Baird and I got a bill signed into law at the end of last year, 
the Building Blocks of STEM Act, which is, again, supporting 
those early childhood investments in educational programming 
for science, technology, engineering, and mathematics. And that 
continuity, as we all know, is so important, right, that 
onramp, the pathways. Your testimonies all specifically touch 
on that.
     Mr. Petersen, I just wanted to--let's understand a little 
bit about--more about NICE here, NICE within NIST within the 
Department of Commerce. How big is your department?
     Mr. Petersen. So we are a small team of five full-time 
employees, and we have an approximate $4 million budget 
appropriated by Congress, so a relatively small organization.
     Chairwoman Stevens. OK. Great. Well, we'll be going 
through the budget reauthorization and taking a look at that 
and making sure--so the--just the--half--less than half a dozen 
of you developed the CyberSeek tool or did you contract out for 
that?
     Mr. Petersen. So that was a grant given to----
     Chairwoman Stevens. OK.
     Mr. Petersen. [continuing]. CompTIA and Burning Glass to 
actually----
     Chairwoman Stevens. Oh, Burning Glass.
     Mr. Petersen [continuing]. Develop the tool. Yes.
     Chairwoman Stevens. OK. Burning Glass. Oh, they're great. 
They're fabulous. Well, that's a big accomplishment. And we're 
glad to share that today, and we'll continue to share that.
     And is that on the NICE website? Is that----
     Mr. Petersen. There's a link to it, but it's----
     Chairwoman Stevens. OK.
     Mr. Petersen. [continuing]. CyberSeek.org----
     Chairwoman Stevens. CyberSeek----
     Mr. Petersen [continuing]. You can find it.
     Chairwoman Stevens. CyberSeek.org. OK, great.
     And as part of that heat-mapping process and, you know, as 
we look to get in front of this, we--and, Ms. Miller, you 
probably know this all too well, which is that the job profiles 
are always changing, right? So we're seeking to hire for 
certain roles. We know we have an emphasis on cybersecurity, 
but with IOT (internet of things), other advancements, you 
mentioned quantum, the nature of the work is changing. Have any 
of you explored or seen how job profiling, taxonomy work, maybe 
in--you know, with some of the big placement agencies, 
Manpower, Kelly Services in Michigan, has that impacted this 
cybersecurity workforce skills gap that we're experiencing? I 
don't know if, Ms. Miller, you wanted to chime in there.
     Ms. Miller. Well, IBM, we provide several assessments to 
candidates around personality, so it's testing for the softer 
skills, as well as learning agility, so a propensity toward 
lifelong learning. So instead of testing for a specific job, 
we're really looking for these kind of softer skills, as well 
as some level of technical capability. So, you know, jobs--
there's jobs now that didn't exist 10 years ago. Therefore, you 
have to have that agility in how your assessing people. You 
can't just assess them for the job at hand.
     Chairwoman Stevens. Yes. And, Mr. Sawasky, are you seeing 
this, you know, the talent qualifications as described--you're 
working hand-in-hand with the universities and have this great 
career in this space, but the job profiling here I also think 
is something that we want to kind of match up so that, you 
know, when we're entering into the workforce, we've got that 
pipeline and access.
     Mr. Sawasky. Yes, absolutely. You know, I think what we're 
looking for are problem-solvers and pattern-finders here, 
regardless of sort of academic discipline. Some of the finest 
IT professionals I've ever worked with were anthropologists and 
psychologists and others.
     Chairwoman Stevens. Yes.
     Mr. Sawasky. So it's not absolutely necessary that 
computer science is, you know, the first part of the background 
for a successful career in cyber.
     Chairwoman Stevens. Great. Dr. Siraj?
     Dr. Siraj. So, you know, if you go to the CyberSeek 
website, there is also an interactive pathways tab. And if you 
click on that, it shows that in reality most of the data shows 
that the top jobs are all based on computer science. But, you 
know, it is absolutely true that cyber is very 
multidisciplinary. And then we can have people coming from all 
walks of life to have something--I mean, everyone can 
contribute to solve a problem in cyber because cyber is so 
vast.
     Plus, also, you know, the NIST/NICE workforce framework 
also helps with that because in that framework Department of 
Homeland Security actually gave out a tool where someone can go 
in and say, OK, I'm interested in data base, and it will show 
that student or that person, you know, where in the NIST 
framework that this person can contribute to in what way.
     Chairwoman Stevens. Yes.
     Dr. Siraj. Again, cyber is something that anyone can 
contribute to with their own skills.
     Chairwoman Stevens. Right. And so, Mr. Petersen, I'm sure 
some of this is resonant with you. Do you see NICE being able 
to work with every one of our witnesses and their portfolio of 
work? And would our witnesses also agree that you get a lot out 
of working with NICE and that department? So this five-person 
department in the, you know, Department of Commerce, NIST----
     Mr. Petersen. Yes, I was going to comment even though we 
have five team members, the NICE community is vast and 
everybody----
     Chairwoman Stevens. Yes.
     Mr. Petersen [continuing]. On the stage, every 
organization represented here has worked directly with NIST and 
NICE in the past in our national efforts. So our----
     Chairwoman Stevens. Leveraged partnerships.
     Mr. Petersen. Absolutely.
     Chairwoman Stevens. Great. Thank you. I'm slightly over. 
I'm going to yield back the rest of my time and recognize my 
colleague Dr. Baird for 5 minutes of questioning.
     Mr. Baird. Thank you, Madam Chair. And, you know, I've 
gained a great deal of insight just having you here today, and 
I'm sure those that are listening and read the reports will 
also feel the same way.
     But, Ms. Miller, I see in your testimony you said you 
handle 70 billion security events per day for your clients? I 
mean, that----
     Ms. Miller. Well, not me personally, yes. IBM Security 
does.
     Mr. Baird. I understand. So then I have an interest in 
veterans, and so they bring a wealth of skills from their 
military training and then they got a lot of hands-on 
experience. Sometimes they're not able to transfer their 
military training over into various programs. So I guess my 
question is what's IBM doing in their new-collar program? Is 
that applicable to veterans? And then the second part of the, 
have veterans participated in this program?
     Ms. Miller. Yes, absolutely. So we have a variety of 
programs targeted to veterans because they tend to actually be 
a very good fit for cybersecurity roles, whether they've worked 
in cybersecurity while in the military or they got requisite 
training once they've left the military. We have a Veterans 
Employment Initiative, so that's free training on IBM software. 
And it comes with a certificate at the end. We touch over 100 
veterans per year with that program using IBMers donating their 
time.
     We also have a corporate partnership with the USC Marshall 
School Masters of Business for veterans, so we have IBM 
mentors, advisors, and SMEs (small and mid-size enterprise) 
donating their time to work with the veterans on capstone 
projects, so basically developing innovative solutions to real-
world issues.
     And, finally, we're also hiring veterans at all levels in 
the company and in the security organization. I actually in 
January was down in Austin, and we have a cohort of apprentices 
that started in the first quarter of last year. Fifty percent 
of those apprentices are veterans. One actually worked in 
cybersecurity while in the military, and then applied through 
the apprenticeship program what's going private sector. Another 
one actually left the military. He worked for 10 years as a 
corrections officer, decided to use some of his military 
benefits, and now he's in our apprenticeship program. They're 
hardware hackers and they're doing excellent.
     Mr. Baird. Super. Then my next question goes to all of 
you. You know, I mentioned earlier that Indiana has got four 
Cybersecurity Centers for Academic Excellence, and I'm having 
fun with the Chair about Indiana and Michigan, but in reality 
I'm just using them because I'm familiar with it. So the 
question comes down to how the Federal Government can further 
build on programs like they have at Purdue, and someone 
mentioned more like a 2-year program and so on. So I guess I'm 
just asking how we as the Federal Government giving you the 
opportunity to expand on how you think we can be helpful in 
that area and to fill the half million jobs we have?
     And so this is going to be ladies first. Dr. Siraj, you go 
first, and then Ms. Miller and then back to Mr. Petersen.
     Dr. Siraj. So, you know, as I said in my testimony that 
programs like the CAE program that is NSA DHS program--
programs, NSF programs like CyberCorps, DOD (Department of 
Defense) program like Cybersecurity Scholarship, GenCyber 
program, I mean, all of these programs have been so impactful 
to--I think the best thing about these programs is that it 
enables smaller schools to have resources to build an army on 
the ground. And then, you know, once we have all these 
institutions making change in their own community, then 
collectively we are going to see so much in the Nation.
     So, you know, empowering these programs, again, NIST/NICE 
has been extremely crucial for universities to get the momentum 
going and also commissioning more programs like this that looks 
at how to train educators in cybersecurity because that is the 
biggest challenge. In 2018 there were 114 Ph.D.s in 
cybersecurity, and only 14 of them went to universities as 
faculty. So if we want to build pipeline in universities for 
students, we have to find some ways to train and prepare and 
allow educators to go into universities.
     Mr. Baird. I see I'm over on time. Is it all right if----
     Chairwoman Stevens. Yes, of course.
     Mr. Baird [continuing]. They go ahead? Go ahead.
     Ms. Miller. OK. I'll be quick. The Higher Education Act I 
talked about reforms there, really removing the obstacles on 
how people can use the funding students so that they're not 
pushed into having to go through a 4-year degree. So I talked 
about work-study programs and using their benefits to work in 
the private sector in the field that's relevant for their 
career aspirations, as well as using Pell Grants for shorter 
education, you know, certifications and things like that versus 
the 4-year degree I think is really important where we really 
could use some help there to help students.
     Mr. Petersen. So I think what NICE and NIST is best at is 
convening communities, and so a lot of our work is at the 
national level. We actually convene an annual K-12 conference 
to bring together K-12 educators and administrators from across 
the Nation. We do our own annual NICE conference that brings 
together industry, academia, as well as government. We also 
collaborate internationally. There's quite a few other 
countries that are interested in adopting the NICE 
Cybersecurity Workforce Framework as a standard not only for 
their country but because of the global nature of work.
     But we fundamentally believe that a lot of the solutions 
and the answers are in the local communities, whether it be a 
State like Michigan and the ecosystem that Mr. Sawasky 
described is exactly what we promote in Indiana and all of your 
different States, or at the local level, regional level, 
however that might be defined. So when I earlier described that 
RAMPS for Cybersecurity Workforce Development, that's really 
about regional alliances, getting the K-12 higher education 
training ecosystem working together to meet local workforce 
needs.
     Mr. Sawasky. I think fundamentally we need more funding to 
grow the, you know, cybersecurity workforce than we have now. I 
listened to my colleagues talk about, you know, graduating 
hundreds of cyber pros at a time. And really we need to be 
looking growing them at thousands at a time.
     And the notion of early credentialing, building on what 
Ms. Miller said, is really important. I will let you know that 
my son Jerrod was pursuing his bachelor's degree in computer 
science, and I strongly urged him to obtain a professional 
cybersecurity certification in his sophomore year, and he did 
that. And he got a job, and he's actually paying for his own 
school now. He's out of the house, which is nice as well. And 
he is becoming very successful with that early credentialing 
program, and allowing students to support that early 
credentialing in formal--in normal degree pathways I think is 
really important.
     Mr. Baird. Thank you. And I yield back.
     Chairwoman Stevens. Great. And at this time we're going to 
recognize Ms. Johnson for 5 minutes of questioning.
     Chairwoman Johnson. Thank you very much.
     I guess I can direct this to each of you. What are the 
major challenges that have led to the cybersecurity workforce 
shortfall? And what should Congress focus its future efforts on 
to bolster the cybersecurity workforce?
     Dr. Siraj. OK. So I will start. I think K-12 is the, you 
know, most impactful because there is really not so much 
activity in cybersecurity at K-12 and computer science. There 
are only 33 States now that have started to have some 
programming in computer science, and cybersecurity is much, 
much behind that. So preparing teachers in K-12, you know, 
provide opportunities to students like high school students, 
giving them internships in cybersecurity, doing partnership 
with educational institutions, giving infrastructure to K-12 so 
that--you know, there is a trend right now that K-12 schools 
are being hacked, so they need to also, you know, strengthen 
their infrastructure.
     And, again--so that's K-12. And in postsecondary there is 
so much to do. Not many schools offer cybersecurity courses. I 
think the key thing is to--not to treat cybersecurity as a silo 
but integrate in computer science education, in STEM education. 
In fact, make it a general education course in universities.
     Mr. Sawasky. I think awareness is really important. A lot 
of children in K through 12 aren't even aware that 
cybersecurity is an option for careers. And I think in Michigan 
with our Governor's Cyber Challenge, that's really helped 
promote that awareness, too. And it's been fun to watch people 
who traditionally haven't thought about career opportunities in 
that field really dig in and work with their teachers and local 
coaches.
     And Merit being a network provider offers as a cloud-based 
service so that we can reach every corner of our State into 
underserved areas like Detroit and to rural areas like 
Marquette, Michigan. We've seen talent emerge from those 
programs.
     Ms. Miller. So just to kind of build off of that, so 2/3 
of high school students said the idea of a career in 
cybersecurity had never been mentioned to them by, you know, 
teachers and guidance counselors, so there's one of our 
problems is that, you know, again, it's not being mentioned. 
It's not being thought about while they're in school.
     One of the things IBM is doing focusing on this is we 
actually have something called IBM Cyber Day for Girls where we 
have some of our professionals in cybersecurity at IBM go out 
and meet with middle school girls to tell them about careers in 
cybersecurity, as well as go through kind of a workshopping day 
where they, you know, teach them about IOT, cybersecurity 
hygiene, and those types of things to hopefully get them more 
excited about cybersecurity. So we're trying to, you know, kind 
of kill a couple birds with the same stone by getting women or 
girls more interested in cybersecurity, as well as educating 
about cybersecurity.
     I also mentioned was we do need more curriculum--strong 
curriculum in community colleges and 4-year colleges around 
cybersecurity. Many do not have majors, minors, or any kind of 
program study and certificate that they can get in those areas, 
and I think that's going to be important as we continue to move 
on and focus on the skill set.
     Mr. Petersen. And while NICE would certainly agree with 
everything that's been said and career discovery being 
critical, I would say in addition to young people, we need to 
focus on working adults. We need to focus on the transitioning 
veterans, veterans' spouses, military spouses, adults that are 
underemployed, unemployed, opportunity youth who are in that 18 
to 25 age group who aren't currently getting an education or 
working in a job because that's going to be the long-term 
solution. But we have an immediate shortage today, and we have 
to focus on adults as well as young children to have both a 
near-term as well as a long-term solution.
     Dr. Siraj. Also if I may add, community college is a big 
part of the conversation because they represent the most 
diverse body of students, so we must find effective ways to 
create pathways from community college to 4-year universities 
or find ways to get this community college students into 
industry because there are--you know, there aren't many jobs 
that will accept community college students with associate 
degrees in cyber.
     Chairwoman Johnson. Thank you very much. My time is 
expired.
     Chairwoman Stevens. At this time we're going to recognize 
Dr. Foster for 5 minutes of questioning.
     Mr. Foster. Well, thank you. I'd like to speak about--the 
Department of Homeland Security oversees a program called 
Cybersecurity Education and Training Assistance Program, or 
CETAP, that's run by the National Integrated Cyber Education 
Research Center pronounced NICERC. Now, CETAP promotes 
cybersecurity education at multiple grade levels in multiple 
States, including Illinois. It provides Federal financial 
assistance toward community-based efforts to increase knowledge 
of cybersecurity topics and to encourage interest in 
cybersecurity as an academic pursuit and as a professional 
career.
     CETAP has hosted professional development workshops in 
both Joliet and Aurora in my district, and Joliet and Aurora 
teachers have attended professional development workshops 
hosted by Chicago State University. Unfortunately, it's my 
understanding that the latest President's budget has zeroed out 
this program once again.
     Now, Mr. Petersen or anyone else on the panel, could you 
describe the CETAP program and curricula and what makes it 
successful?
     Mr. Petersen. So I am directly familiar with the NICERC 
program, as you describe. And as I just said earlier, we 
support a pretty broad, vast community and I'm proud to say 
NICERC is very actively engaged with us and us with them as 
well. For example, they are regular participants and sponsors 
at our K-12 Cybersecurity Education Conference, which brings 
together educators and administrators from across the Nation. 
And, as you described, many States, many school districts, and 
many State Departments of Education are using their curriculum. 
And it's a way to get cybersecurity, as we heard described 
earlier, into the schools at a younger and younger age. So we 
certainly appreciate the effort they've done to both raise 
awareness and the need to integrate cybersecurity across the 
curriculum in our K-12 schools and the way to kind of 
distribute the work that needs to be done across the United 
States by developing a common curriculum that they're trying to 
introduce in multiple States.
     Mr. Foster. Yes. So are there many other curricular--
curricula-based programs for K-12, or are they mainly boot 
camps?
     Mr. Petersen. So curriculum happens in a lot of different 
ways. I mean, for example, at the high school level there's 
career technical education programs or CTE programs, and 
there's career technical student organizations, as well as 
other nonprofits that are partnering with the schools to both 
develop curriculum, as well as to develop programs of study 
that the students can pursue to become specialized or more 
aware of cybersecurity curriculum.
     I would say it's an emerging area, which is why NICERC has 
certainly made an impact in both the number of teachers, as 
well as number of students reached, but it is an emerging area 
of opportunity for curriculum development at the K-12 level, as 
I think we heard Ms. Miller describe.
     Dr. Siraj. So if I may add, the--I have seen firsthand the 
impact of NICERC, and what NICERC does, it trains the teachers 
and not just, you know, computer science teachers but teachers 
teaching math, arts, sciences, STEM subjects, and it gives them 
resources so that they can talk about and teach security in 
their classes. So programs like that, I mean, I think they're 
crucial for the success of K-12 cybersecurity education and, 
you know, I cannot say more better things about that program.
     Mr. Foster. We have an interesting situation in just STEM 
generally that young women are outperforming young men all the 
way through the end of high school in STEM fields, and then in 
the first couple years of college, participation is dropping 
off dramatically. I just--you know, when I go to robotics 
competitions in my district, which I do all the time, what I--
what I'm told is that all the way through junior high schools 
the--girls and boys are well-integrated, and then when you hit 
high school for some reason the gender disparity emerges. 
What--where--what's the situation in cybersecurity?
     Dr. Siraj. So, as I stated before, in a couple of years 
back it was 11 percent. Now, it's 20 percent. It needs to be 50 
percent because, as we all know, diverse groups are--outperform 
any homogenous groups.
     But I think what's happening is, as young girls are 
getting into high schools and colleges, what's preventing them 
to be in cyber is the stereotypical image that cyber portrays. 
You know, when you tell a young girl that, you know, if you go 
into cyber, you're just going to work in a dungeon. That 
doesn't, you know, sound very promising. But if you tell the 
young girl that if you work in cyber, you're going to keep 
peace in cyberspace, you're going to prevent chaotic situations 
in our modern-day technological lives, that's speaks a lot. So 
I think the lack of community, the lack of inclusive 
environment, the lack of role models----
     Mr. Foster. Yes, the role models is something I've been 
told repeatedly in things like robotics competitions. For some 
reason most of the coaches in robotics teams in junior high 
school tend to be women, and then that's not true in high 
schools. And so the role models may be difficult to calculate, 
but it may be a huge effect.
     Anyway, Madam Chair, if it's possible if--to have a second 
round of questions, I would--I would appreciate it if that's 
feasible.
     Chairwoman Stevens. So we were going to have the--before 
we brought the hearing to a close, we were going to have the 
witnesses, as we're here in Congress, share a couple of 
minutes. But what we can do, Dr. Foster, is open it up for a 
second round. I'll claim my 5 minutes and cede them to you.
     Mr. Foster. Very well. So you've done so?
     Chairwoman Stevens. Yes.
     Mr. Foster. All right.
     Chairwoman Stevens. So I've yielded my time----
     Mr. Foster. Well, thank you.
     Chairwoman Stevens [continuing]. To my colleague.
     Mr. Foster. I appreciate it.
     I'd like to raise the issue of foreign workers in 
cybersecurity. In 1980 just 7.1 percent of American computer 
science jobs were occupied by foreign-born workers. That grew 
to about almost 30 percent by 2010 because of the breakneck 
growth in the tech sector, which became increasingly reliant on 
high-skilled visa-holding immigrants. And, unfortunately, 
President Trump's immigration policies have made it harder for 
tech companies to bring highly skilled workers into the United 
States. For example, in March 2017 the USCIS (United States 
Citizenship and Immigration Services) announced that entry-
level computer programmers would no longer automatically 
qualify to apply for the visa programs and--but instead of this 
meaning that more jobs will actually be filled by Americans, it 
has turned out that it's just more likely now that companies 
will send the work overseas where there are, you know, 
employees that are eligible to work. The problem is that there 
just are not enough trained Americans to fill the growing 
demand of computer jobs generally.
     So in response to this, last year, I introduced the Keep 
STEM Talent Act to provide permanent resident status to 
international students who completed advanced STEM degrees in 
the U.S. institutions and they're interested in continuing 
their research in the United States. I believe we should be 
encouraging these young scientists to remain in the United 
States and join the American scientific and cybersecurity 
workforces.
     So, Ms. Miller, how reliant is IBM on foreign talent and 
computer scientists, and are there instances when you've 
actually had to move work offshore simply because of the 
shortage of cyber talent in the United States?
     Ms. Miller. Well, IBM Security specifically is operating 
in over 130 countries, so we have talent all over the world. We 
do rely to some degree on bringing talent into the United 
States, but it could be everything from the experience, you 
know, so cross-training or the experience that they bring from 
someplace else to train people here, or we're grooming them and 
we're--you know, they go back to their home country. So there's 
a variety of reasons why we may rely on it.
     I don't think we have an overabundance of reliance on 
that, but that's one of the reasons why in the United States 
we're so focused on the skills-first approach to really 
bringing in more cybersecurity professionals from here, 
grooming that talent, providing a lot of resources to help--
free resources, curriculums on badges, external digital badges, 
and the people can--people can attain to demonstrate their 
proficiency and other tools so that we have the talent here and 
we're continuing to groom that talent. So that's our main 
focus. It's not to bring the talent from other countries 
necessarily but to grow the talent here. And the new-collar 
approach that we're taking is helping us do that.
     Mr. Foster. Now, if you look at future needs in 
cybersecurity, you know, something like half of all 
cybersecurity instances have to do with someone impersonating 
someone else online. And so then a lot of the reason that 
you're focusing on soft skills is to train people simply to 
operate their authentication properly. And there are 
interesting proposals out there that the Federal Government 
allows citizens who wants a means to digitally authenticate 
themselves online--so this would--in its simplest form would be 
simply, you know, if you get a Real ID card, you're also given 
a digital means to assert that ID.
     And so that is something that I know a lot of industries 
are enthusiastic about being able to add onto as part of the 
way of making sure that you don't have identity fraud, which 
is, you know, the biggest single component of cyber insecurity 
in our country. And so this is going to have a big impact if 
people have good technical means to authenticate themselves. 
And is that going to really change the nature of the 
cybersecurity workforce so that you'll be more focused on, you 
know, device security, program security rather than training 
people to feed the systems properly?
     Ms. Miller. I'm not sure I'm qualified to actually comment 
on that. What I will tell you is that in the cybersecurity 
space cyber criminals, they continue to evolve, and it's hard 
to keep up with them. We were kind of joking yesterday that we 
wished we understood the workforce strategy of these threat 
actors and how they're findings such, you know, great talent 
that's out there making us have to keep up, making us have to 
continue to chase and understand what they're doing. But I 
can't comment specifically on what technology and the effects--
--
     Mr. Foster. Well, that's what makes it so tough for STEM 
training generally. You know, I think 15 years ago we were 
trying to teach all kids to learn HTML so they could, you know, 
maintain their own webpages, and now, you know, we've got 3 
billion webpage maintainers who maintain their Facebook page, 
and it's--the nature of technology is that the training is when 
you're planning 15 years out.
     Now, just a last point if I could about the national labs. 
You know, as I mentioned a few times on this Committee, I'm a 
proud Co-Chair of the National Labs Caucus, and we're visiting 
all 17 of the DOE (Department of Energy) labs. We just finished 
visiting Oak Ridge National Lab. So, Dr. Siraj, in your 
testimony you highlighted that Tennessee Tech University 
faculty and graduate students have been conducting research 
with the scientists and engineers at Oak Ridge National Lab and 
on various DOE-funded research projects. Could you just say a 
few words about that?
     Dr. Siraj. So the way it came about because, you know, Oak 
Ridge National Lab is just 1 hour away from us, and so we have 
a couple of faculty in computer science who are working with a 
couple of groups in Oak Ridge National Lab to work on security 
research projects that I mentioned in my testimony. Plus, we 
also have partnership where professionals there who don't have 
a Ph.D. degree, they're working, they're going into doctoral 
studies at our school, and our faculty are also going there to 
teach security classes. There are professionals also coming to 
our campus to teach security classes.
     But, you know, this partnership is, you know--it's a win-
win situation for both entities, for the national lab and for 
us for our students. It provides, you know, big opportunity to 
speak to the scientist and the role models and learn from them 
because, you know, what professors know, so----
     Mr. Foster. Yes. Well, you know, one of my favorite events 
of the year is to go to Argonne National Lab in my district, 
which hosts the DOE-sponsored cybersecurity contest where the--
--
     Dr. Siraj. Yes, CyberForce competition.
     Mr. Foster. CyberForce competitions where college teams 
come in from all over the country and try to hack each 
other's----
     Dr. Siraj. Yes.
     Mr. Foster [continuing]. Equipment and it's----
     Dr. Siraj. So----
     Mr. Foster. It's a lot of fun. And, you're right, they do 
enjoy interacting with the----
     Dr. Siraj. Yes, so----
     Mr. Foster [continuing]. Scientists there. Anyway, my----
     Dr. Siraj [continuing]. Our students do that, too.
     Mr. Foster. I think my time is expired, so I will yield 
back.
     Chairwoman Stevens. OK. Dr. Baird, you'll be recognized 
for 5 more minutes of questioning.
     Mr. Baird. Mr. Petersen, last May, President Trump issued 
America Cybersecurity Workforce Executive Order, which directed 
the Secretary of Commerce and the Secretary of Homeland 
Security, along with the heads of other appropriate agencies, 
to implement the recommendations from their 2017 report on how 
to support growth and sustainment of the Nation's cybersecurity 
workforce in both the public and the private sectors. So could 
you tell us if you're involved in implementing these 
recommendations, and if so, how? And are these recommendations 
informing the development of NICE's strategic plan for the next 
five years?
     Mr. Petersen. Yes, thank you for that question. We are 
absolutely involved, as we were in both the development of the 
recommendations, as well as the implementation. There were five 
imperatives, multiple recommendations and actions, and we are 
beginning by prioritizing some of them. So, for example, the 
first one spoke to having a national call for action to make 
sure that both the public and private sector were recognizing 
the importance of cybersecurity.
     And by way of example, another reason that I've worked 
closely with IBM is several companies have come together as 
part of the Aspen Cybersecurity Group to issue a set of 
principles that they want companies to follow. And one of those 
principles is to use the NICE Cybersecurity Workforce 
Framework, but other principles are things like career 
discovery or doing skills-based hiring and the like. And so 
working collaboratively with the private sector and industry in 
this case to raise the importance and elevate this is one way 
that we are implementing it.
     When I talked earlier about transforming the learning 
process, including more of a focus on skills and less than just 
traditional credentials, that's another example of an emerging 
theme in our next strategic plan. We're learning, as many of 
you have described, it includes not only the K through 12, the 
high school diploma, the community college, college degree, but 
also certifications or apprenticeships or the other multiple 
pathways to a career in cybersecurity.
     And finally, as I indicated, the Workforce Policy Advisory 
Board, which is part of that President's National Council on 
America's Workforce, will be talking more about the multiple 
pathways to all types of careers but cybersecurity especially 
where it could be that transitioning veteran that you described 
earlier that after a 20-year military career, then enters 
cybersecurity, or it could be an IT worker who's going to 
transition to a cybersecurity role. So we are actively working 
on both prioritizing and implementing them to the extent that 
we can.
     Mr. Baird. Thank you. Ms. Miller, one last question. 
Maybe, could you elaborate on how IBM has utilized their 
apprenticeship program and how you use that to recruit and 
retain cybersecurity workforce?
     Ms. Miller. Sure. So we started the apprenticeship program 
about four years ago, and what we do is we've actually--
especially in the security--the cybersecurity organizations 
have really looked at what are the right roles that we can 
really bring in talent without the 4-year degrees, so looking 
at the soft skills, making sure that they have those right 
critical skills, and leading with skills first and the 
capabilities over the credentials, right? And then looking at 
what are the right roles to bring them in, so a security 
operations center analyst is one, pen testers, another example, 
technical writers.
     We've been bringing people in into those types of 
positions as a way to, one, test them, make sure that they 
can--that they have the technical capabilities as we continue 
to train them up, sponsor them for certifications, et cetera. 
So as they come in, there is a curriculum that's built out for 
the first year for them that they go through and dedicated 
resources to support them. So it's really looking at this from 
a skills-first basis, and it allows us to get the--you know, 
those that have 4-year degrees, they tend to not be 
representative of the overall U.S. population demographically, 
right? So if we're able to bring in and really leverage the P-
TECH programs, the apprenticeship programs, et cetera, we're 
able to get into--tap into that underrepresented talent, 
whether it be based on race, gender, even veterans, et cetera.
     So this is definitely a way that--and the question was 
asked earlier. This is a way that in the future people will be 
able to look up and see people that look like them at the top 
of the house. So it's very important to us.
     Mr. Baird. Thank you. And I see I'm out of time. I yield 
back.
     Chairwoman Stevens. Thank you. And now we'll recognize Dr. 
Lipinski for 5 minutes of questions.
     Mr. Lipinski. Thank you, Chairwoman. Thank you for holding 
this hearing. We all know how important this issue is. And, 
unfortunately, it doesn't receive nearly as much attention as 
it should.
     I'm happy to follow the Democrat before me, Bill Foster. 
We share Argonne National Lab, and appreciate the great work 
that's being done there on cybersecurity.
     One particular issue I have is how medium and small 
manufacturers struggle to keep up with the rapid evolution of 
cyber attacks. It's something I hear about all the time from 
these manufacturers in my district.
     I was the Democratic lead on the NIST Small Business 
Cybersecurity Act, which was signed into law in 2018. The bill 
directed NIST to develop voluntary guidelines to help small 
businesses identify, manage, and reduce cybersecurity risks. 
NIST has since developed the Small Business Cybersecurity 
Corner to provide resources on this topic to small businesses. 
So I want to ask Mr. Petersen. Can you describe the National 
Initiative for Cybersecurity Education's contributions to these 
resources for small businesses?
     Mr. Petersen. Thank you for that question. So we actually 
have one of our team members, from our small team, that is 
assigned part-time to help support the small and medium 
business outreach. One is because her regular role with NICE is 
to do industry engagement. And again, we want to be sensitive 
to both the needs of large enterprises, as well as small and 
medium businesses. So she can bring both that expertise, as 
well as kind of introduce workforce and education-related 
topics into that small and medium business outreach.
     The reality is we talk about a small team like my own, the 
small and medium businesses have smaller teams especially 
devoted to IT and cybersecurity and are often reliant on third-
party providers, service providers as well, so making sure 
that, for example, our NICE Cybersecurity Workforce Framework 
doesn't just speak to the kind of workforce they need but the 
kind of workforce that service providers need to bring to them 
as well as a way we try to translate that for small to medium 
businesses.
     Mr. Lipinski. Thank you. I wanted to follow up on that. 
Looking more generally at both for cybersecurity education and 
manufacturing, in 2018 the Administration put out the Strategy 
for American Leadership in Advanced Manufacturing. This was the 
result of a bill that I had written, that this Committee had 
passed, and it was passed into law. And so it--that strategy 
talks specifically about bolstering cybersecurity education and 
manufacturing.
     So in response, the Department of Defense launched a 
National Center for Cybersecurity Manufacturing in 2018 at MxD 
(Manufacturing times Digital), which is in Chicago. The center 
focuses on ensuring small- and medium-size manufacturers are 
taking the necessary precautions to protect themselves from 
cyber attacks and subsequent data breaches and IP (Internet 
Protocol) theft.
     So, Mr. Petersen, I wanted to ask, as you've discussed in 
your testimony the National Initiative for Cybersecurity 
Education is beginning the process of updating their 5-year 
strategic plan, so how will the framework leverage work done in 
manufacturing institutes like the cybersecurity center at MxD 
to accelerate and enhance NIST cybersecurity workforce 
development?
     Mr. Petersen. So one of the roles that NICE plays is being 
aware of the ecosystem that's happening across the United 
States, not only geographically but by critical infrastructure 
sectors. There are other economic sectors. And NIST also, as 
you know, is home to the Manufacturing Extension Partnership 
that helps to administer some of the manufacturing programs 
across the United States.
     And so, fortunately, in the context of my relationship 
with the NIST MEP (Manufacturing Extension Partnership) office, 
they brought the workforce program of MxD to our attention, and 
we have engaged with them directly. Primarily, as they go down 
a path of developing a workforce framework for manufacturing to 
create a skilled cybersecurity workforce to recognize that the 
NICE Cybersecurity Workforce Framework is a resource to them, 
it's a reference resource upon which all the critical 
infrastructure sectors can leverage and modify and adapt to 
meet their needs. But also we're trying to create a 
standardized environment across the Nation for cybersecurity 
work that can help education and training providers, as well as 
employers, to have that common taxonomy. So I'm glad to say 
we've worked with them very collaboratively and try and 
encourage them to use our existing framework as the foundation 
for what they do.
     But second, as you indicate, both as we update our NICE 
framework and our next strategic plan, that any feedback or 
input that they have to provide to us, that we're more than 
happy to receive that as well. We did just complete a request 
for comment period and are going to be looking at the comments 
received as a way to collect that public input.
     Mr. Lipinski. Thank you. And I want to thank you, Mr. 
Petersen, and all of our witnesses today for your testimony but 
also for your continued work on this very, very critical issue. 
I yield back.
     Chairwoman Stevens. Thank you, Dr. Lipinski. And I second 
your comments of gratitude. So many amazing things that we 
touched on in just this 90-minute period. Dr. Siraj, your 
statements of anyone can be in cybersecurity, anyone can solve 
these problems in this cross-functionality and this real place 
of opportunity for growth.
     Obviously, a lot going on in Congress today, but this is 
submitted for the official record. And our record is going to 
remain open for a couple of weeks for additional statements 
from Members or questions that they might have, so those might 
come your way as well. And we're going to keep the conversation 
rolling, as well as the commitment that Congress will continue 
to serve as an effective steward and partner in filling our 
workforce needs, getting rid of the mistrust and obviously the 
risk that not only impacts our national security, our financial 
security, for individuals and our overall economy. And it's a 
job opportunity for us as well to promote the cybersecurity 
workforce.
     So thank you all so much. The witnesses are now excused, 
and the hearing is adjourned.
     [Whereupon, at 11:40 a.m., the Subcommittee was 
adjourned.]

                                 [all]