[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
THE CYBER TALENT PIPELINE: EDUCATING A
WORKFORCE TO MATCH TODAY'S THREATS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
JULY 29, 2021
__________
Serial No. 117-27
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
46-039 PDF WASHINGTON : 2021
-----------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas John Katko, New York
James R. Langevin, Rhode Island Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey Clay Higgins, Louisiana
J. Luis Correa, California Michael Guest, Mississippi
Elissa Slotkin, Michigan Dan Bishop, North Carolina
Emanuel Cleaver, Missouri Jefferson Van Drew, New Jersey
Al Green, Texas Ralph Norman, South Carolina
Yvette D. Clarke, New York Mariannette Miller-Meeks, Iowa
Eric Swalwell, California Diana Harshbarger, Tennessee
Dina Titus, Nevada Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey Carlos A. Gimenez, Florida
Kathleen M. Rice, New York Jake LaTurner, Kansas
Val Butler Demings, Florida Peter Meijer, Michigan
Nanette Diaz Barragan, California Kat Cammack, Florida
Josh Gottheimer, New Jersey August Pfluger, Texas
Elaine G. Luria, Virginia Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
Hope Goins, Staff Director
Daniel Kroese, Minority Staff Director
Natalie Nixon, Clerk
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas Andrew R. Garbarino, New York,
James R. Langevin, Rhode Island Ranking Member
Elissa Slotkin, Michigan Ralph Norman, South Carolina
Kathleen M. Rice, New York Diana Harshbarger, Tennessee
Ritchie Torres, New York Andrew Clyde, Georgia
Bennie G. Thompson, Mississippi (ex Jake LaTurner, Kansas
officio) John Katko, New York (ex officio)
Moira Bergin, Subcommittee Staff Director
Austin Agrella, Minority Subcommittee Staff Director
Mariah Harding, Subcommittee Clerk
C O N T E N T S
----------
Page
Statements
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Chairwoman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Andrew R. Garbarino, a Representative in Congress
From the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 4
Prepared Statement............................................. 5
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
Prepared Statement............................................. 6
Witnesses
Mr. Kevin Nolten, Director of Academic Outreach, Cyber.Org, Cyber
Innovation Center:
Oral Statement................................................. 7
Prepared Statement............................................. 9
Dr. Tony Coulson, Ph.D., Professor and Executive Director,
Cybersecurity Center Lead, National Centers of Academic
Excellence in Cybersecurity Community:
Oral Statement................................................. 15
Prepared Statement............................................. 16
Mr. Ralph F. Ley, Department Manager, Workforce Development and
Training Infrastructure Assurance & Analysis Division, National
& Homeland Security, Idaho National Laboratory:
Oral Statement................................................. 25
Prepared Statement............................................. 26
Mr. Max Stier, President and CEO, Partnership for Public Service:
Oral Statement................................................. 29
Prepared Statement............................................. 31
Appendix
Statement of Bitwise Industries.................................. 59
THE CYBER TALENT PIPELINE: EDUCATING A WORKFORCE TO MATCH TODAY'S
THREATS
----------
Thursday, July 29, 2021
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., via
Webex, Hon. Yvette D. Clarke [Chairwoman of the subcommittee]
presiding.
Present: Representatives Clarke, Langevin, Slotkin, Rice,
Torres, Garbarino, Harshbarger, and Clyde.
Chairwoman Clarke. The Subcommittee on Cybersecurity
Infrastructure Protection and Innovation will come to order.
Without objection, the Chair is authorized to declare the
subcommittee in recess at any point.
Good morning and thank you to our witnesses for joining us
today for this hearing on strengthening our Nation's
cybersecurity work force.
A recent report by the cybersecurity firm Sonicwall found
that ransomware attacks in North America increased 158 percent
between 2019 and 2020. Another report by Comparitech found that
cyber attacks against U.S. Government organizations affected 71
million Americans and cost over $18 billion in down time and
recovery.
The surge in cyber attacks against State and local
governments, hospitals, and school districts, coupled with
recent headlines about SolarWinds, Colonial Pipeline, and
Kaseya have galvanized new calls to action to better defend the
internet ecosystem. I am encouraged by the momentum, and I am
committed to putting more resources in the hands of State and
local governments and improving CISA's awareness of malicious
cyber activity through cyber incident reporting.
But without a capable cyber work force, all of our
investments in tools and data will be in vain. The number of
high-profile cyber incidents over the past year has emphasized
just how essential cybersecurity has become. The truth is the
number of trained cybersecurity professionals has not increased
to the levels necessary to meet the demand from industry and
Government. In fact, recent data show a deficit of over 460,000
trained cybersecurity professionals in the United States,
relative to our current needs.
While the Federal Government has undertaken several
initiatives in recent years to expand and better train our
Nation's cybersecurity work force, we must do more. This
hearing will give us an opportunity to hear from experts in the
field who are working to educate the next generation of
cybersecurity workers, so we can learn more about the programs
that are currently in place and where greater investment is
needed. There is no silver bullet. We will need a multi-pronged
approach that focuses on training the cybersecurity work force
of the future in schools and universities, re-skilling existing
workers for the jobs that are currently available, and making
sure we have the right training in place to address the
disparate cybersecurity challenges in information technology
and operational technology.
During my 15 years in Congress working on cybersecurity
issues, I have heard consistently about the importance of
prioritizing K-12 cyber education to grow and diversify the
talent pipeline. Over that time, an entire generation of
students has graduated high school and entered higher education
or the work force, and we still are behind where we need to be
in including cyber education at the elementary and secondary
level. However, CISA's Cybersecurity Education and Training
Assistance Program, CETAP, has begun to show meaningful
results. I am glad Congress demonstrated support for CETAP by
formally authorizing the program in last year's National
Defense Authorization Act, and it is essential that Congress
continues to provide it with the resources necessary to carry
out its mission.
I look forward to hearing today from the CETAP grant
recipient, cyber.org, to learn more about their progress in
developing curriculums for K-12 educators and what more can be
done to both expand resources to teachers and build awareness
of existing programs. Reaching children in the K-12 environment
is an important step in making sure we don't leave talent
untapped. Just as important, however, is that we reach students
in college, contemplating college, or mid-career who may not
have considered a career in cybersecurity to be a viable
option. That is is where bringing cybersecurity work force
programs to overlooked communities and re-skilling programs
come in, and I look forward to hearing from California State
University at San Bernardino on its important work in this
space.
Finally, as we look for new opportunities to redouble our
efforts to grow our Nation's cyber talent, I want to be mindful
that cybersecurity training is not one size fits all. The
recent Colonial Pipeline ransomware attack highlighted the
significant impact any incident involving critical
infrastructure can have. While the attack only affected the
information technology systems of the pipeline company, the
precautionary decision to shut off operational technology
systems reflected the vulnerability of our industrial control
systems.
As we work to address our cyber work force shortage, we
must remain cognizant of the different skills and positions
involved in securing industrial control systems and ensure that
our training programs fully reflect the broad range of
cybersecurity threats we face.
Before I close, I want to commend Secretary Mayorkas for
making enhancing the cyber work force the second of DHS's 60-
day cyber sprints. By prioritizing this aggressive approach,
Secretary Mayorkas has made meaningful progress in reducing the
significant number of cyber vacancies at the Department while
taking additional steps to address the shortage of cyber
professionals nationally. A diverse and skilled work force has
always been a competitive advantage for our Nation against our
adversaries, but with constantly evolving cyber threats, we
must continuously be looking to enhance our cyber education to
stay ahead.
I look forward to the testimony of our witnesses and the
discussion today so this subcommittee can continue working to
enhance our Nation's cyber work force.
[The statement of Chairwoman Clarke follows:]
Statement of Chairwoman Yvette D. Clarke
July 29, 2021
A recent report by the cybersecurity firm Sonicwall found that
ransomware attacks in North America increased 158 percent between 2019
and 2020. Another report by Comparitech found that cyber attacks
against U.S. Government organizations affected 71 million Americans and
cost over $18 billion in downtime and recovery. The surge in cyber
attacks against State and local governments, hospitals, and school
districts, coupled with recent headlines about SolarWinds, Colonial
Pipeline, and Kaseya have galvanized new calls to action to better
defend the internet ecosystem.
I am encouraged by the momentum, and I am committed to putting more
resources in the hands of State and local governments and improving
CISA's awareness of malicious cyber activity through cyber incident
reporting. But without a capable cyber workforce, all of our
investments in tools and data will be in vain. The number of high-
profile cyber incidents over the past year has emphasized just how
essential cybersecurity has become. And the truth is the number of
trained cybersecurity professionals has not increased to the levels
necessary to meet the demand from industry and Government. In fact,
recent data show a deficit of over 460,000 trained cybersecurity
professionals in the United States, relative to our current needs.
While the Federal Government has undertaken several initiatives in
recent years to expand and better train our Nation's cybersecurity
workforce, we must do more. This hearing will give us an opportunity to
hear from experts in the field who are working to educate the next
generation of cybersecurity workers, so we can learn more about the
programs that are currently in place and where greater investment is
needed.
There is no silver bullet. We will need a multi-pronged approach
that focuses on training the cybersecurity workforce of the future in
schools and universities, re-skilling existing workers for the jobs
that are currently available, and making sure we have the right
training in place to address the disparate cybersecurity challenges in
Information Technology and Operational Technology.
During my 15 years in Congress working on cybersecurity issues, I
have heard consistently about the importance of prioritizing K-12 cyber
education to grow and diversify the talent pipeline. Over that time, an
entire generation of students has graduated high school and entered
higher education or the workforce, and we still are behind where we
need to be in including cyber education at the elementary and secondary
level. However, CISA's Cybersecurity Education and Training Assistance
Program, or CETAP has begun to show meaningful results.
I am glad Congress demonstrated support for CETAP by formally
authorizing the program in last year's National Defense Authorization
Act, and it is essential that Congress continues to provide it with the
resources necessary to carry out its mission. I look forward to hearing
today from the CETAP grant recipient, CYBER.ORG, to learn more about
their progress in developing curriculums for K-12 educators and what
more can be done to both expand resources to teachers and build
awareness of existing programs. Reaching children in the K-12
environment is an important step in making sure we don't leave talent
untapped.
Just as important, however, is that we reach students in college,
contemplating college, or mid-career who may not have considered a
career in cybersecurity to be a viable option. That is where bringing
cybersecurity workforce programs to overlooked communities and
reskilling programs come in, and I look forward to hearing from
California State University, San Bernardino on its important work in
this space.
Finally, as we look for new opportunities to redouble our efforts
to grow our Nation's cyber talent, I want to be mindful that
cybersecurity training is not one size fits all. The recent Colonial
Pipeline ransomware attack highlighted the significant impact any
incident involving critical infrastructure can have. While the attack
only affected the information technology systems of the pipeline
company, the precautionary decision to shut off operational technology
systems reflected the vulnerability of our industrial control systems.
As we work to address our cyber workforce shortage, we must remain
cognizant of the different skills and positions involved in securing
industrial control systems and ensure that our training programs fully
reflect the broad range of cybersecurity threats we face.
Before I close, I want to commend Secretary Mayorkas for making
enhancing the cyber workforce the second of DHS's 60-day cyber sprints.
By prioritizing this aggressive approach, Secretary Mayorkas has made
meaningful progress in reducing the significant number of cyber
vacancies at the Department while taking additional steps to address
the shortage of cyber professionals Nationally. A diverse and skilled
workforce has always been a competitive advantage for our Nation
against our adversaries, but with constantly-evolving cyber threats, we
must continuously be looking to enhance our cyber education to stay
ahead.
Chairwoman Clarke. The Chair now recognizes the Ranking
Member of the subcommittee, the gentleman from New York, Mr.
Garbarino, for an opening statement.
Mr. Garbarino. Thank you, Chairwoman. Thank you very much.
This is a great hearing. Thank you for holding this critical
conversation regarding our cyber talent pipeline and our shared
efforts to develop a robust cyber work force.
I would like to thank our witnesses for being here today. I
look forward to a constructive dialog on this important issue.
Is it not working?
Chairwoman Clarke. Mr. Garbarino, I think for some reason
we are not hearing you. Try unmuting once again. We still
aren't hearing you.
Ms. Slotkin. Madam Chair? I could hear him the first time.
I heard him loud and----
Mr. Garbarino. Can you hear me now?
Ms. Slotkin. I can.
Mr. Garbarino. It worked? So now it is working? OK. Thank
you.
All right. Thank you, Madam Chair, for holding this
critical conversation regarding our cyber talent pipeline and
our shared efforts to develop a robust cyber work force.
I would like to thank our witnesses for being here today. I
look forward to a constructive dialog on this important issue.
Everyone in this hearing should understand the multitude of
issues contributing to our cyber work force shortage, which is
particularly acute in the Federal sector. Lack of exposure,
uneven education, and issues with Federal agency on-boarding
all contribute to the problem. Fortunately, President Biden's
choices for the top three cyber professionals in the
administration are real professionals and there is a wealth of
private and Federal sector experience among them. I am
confident that Jen Easterly, Anne Neuberger, and Chris Inglis
will have the experience, the talent, and drive to address the
issue, as well as the many others facing our Nation in the
space.
The administration's work has already been seen in CISA's
deployment of Stopransomware.gov, the U.S. Government's
official one-stop location for resources to tackle ransomware
more effectively.
But their work is not done. CISA has been plagued by hiring
delays, elongated on-boarding processes, a lack of professional
human resources specialists, and duplicative and arbitrarily
onerous vetting requirements. It is important that we continue
to hold CISA and the Department accountable when it comes to
these troubling issues. I appreciate the Chairwoman working
with me on our oversight of the cyber talent management system
roll-out. I am pleased that CISA director Jen Easterly has said
this will be a top priority during her tenure.
Our concerns are particularly relevant to today's hearing
because no matter how much education we provide to our
students, no matter how much interest we cultivate, none of it
matters if we can't bring qualified and interested individuals
into the Government service in a professional and timely
manner. Quite simply, we will continue shouting into the wind
until we fix these issues.
I look forward to exploring all these issues with our
witnesses today and I hope to hear about concrete proposals for
oversight in legislation, not just broad stroke ideas, which
have been the output of similar hearings in the past and have
proven ineffective.
Again, I thank the Chairwoman for holding this timely and
important hearing today.
Thank you.
[The statement of Ranking Member Garbarino follows:]
Statement of Ranking Member Andrew R. Garbarino
Thank you, Madam Chair, for holding this critical conversation
regarding our cyber talent pipeline and our shared efforts to develop a
robust cyber workforce. I'd like to thank our witnesses for being here
today. I look forward to a constructive dialog on this important issue.
Everyone in this hearing should understand the multitude of issues
contributing to our cyber workforce shortage, which is particularly
acute in the Federal sector. Lack of exposure, uneven education, and
Federal agency on-boarding issues all contribute to the problem.
Fortunately, President Biden's choices for the top three cyber
professionals in the administration are real professionals, and there
is a wealth of private and Federal sector experience among them. I am
confident that Jen Easterly, Anne Neuberger, and Chris Inglis have the
experience, the talent, and drive to address this issue as well as the
many others facing our Nation in the space.
The administration's work has already been seen in CISA's
deployment of stopransomware.gov, the U.S. Government's official one-
stop location for resources to tackle ransomware more effectively.
But their work is not done. CISA has been plagued by hiring delays,
elongated on-boarding processes, a lack of professional human resource
specialists, and duplicative and arbitrarily onerous vetting
requirements.
It is important that we continue to hold CISA and the Department
accountable when it comes to these troubling issues, and I appreciate
the Chairwoman working with me on our oversight of the Cyber Talent
Management System rollout. I am pleased that CISA Director Jen Easterly
has said this will be a top priority during her tenure.
Our concerns are particularly relevant to today's hearing, because
no matter how much education we provide to our students, no matter how
much interest we cultivate, none of it matters if we can't bring
qualified and interested individuals into Government service in a
professional and timely manner. Quite simply, we will continue shouting
into the wind until we fix these issues.
I look forward to exploring all of these issues with our witnesses
today and I hope to hear about concrete proposals for oversight and
legislation, not just broad strokes ideas, which have been the output
of similar hearings in the past and have proven ineffective.
I again thank the Chairwoman for holding this timely and important
hearing today.
Chairwoman Clarke. I thank the Ranking Member.
Members of the committee are reminded that the committee
will operate according to the guidelines laid out by the
Chairman and Ranking Member in their February 3 colloquy
regarding remote procedures.
I am looking to see whether our Chairman or Ranking Member
have joined us today. They are not present yet, so let me move
forward. Statements may be submitted for the record.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
July 29, 2021
Today's hearing builds on a long-standing priority for the Homeland
Security Committee--addressing the shortage of skilled cybersecurity
professionals. This problem is not new, but the urgency is greater than
ever in light of the increasing number of ransomware attacks and other
significant cyber incidents.
Fortunately, the Biden administration has made addressing
cybersecurity workforce issues a priority, with Secretary Mayorkas
launching a 60-day sprint on strengthening the cyber workforce earlier
this year. This decision reflects an understanding that investments in
technology are not sufficient on their own--we must also have a well-
trained workforce.
In today's digital age, a basic cybersecurity education is
essential for everyone, not just cybersecurity professionals.
Individuals are vulnerable to cyber criminals, and an employee clicking
on a link in a phishing email can expose a company's networks to
intruders.
By investing in K-12 cyber education, we improve cyber literacy
across the board, while developing a pipeline of young people who can
move into more advanced training and join the cybersecurity workforce.
Unfortunately, many students currently receive limited cybersecurity
education in school today, and the evidence suggests rural and low-
income schools with fewer resources are less likely to offer this
important training.
The Federal Government can help address this gap by providing
resources to schools across the country, offering trainings to
teachers, and developing cybersecurity curriculum that can be used
nationally. Additionally, by starting education early, we can help
address a long-standing concern of mine regarding the cybersecurity
workforce--the low number of women and minorities in the field,
particularly in senior roles.
I am glad DHS is taking steps to address this through a partnership
with the Girl Scouts that will help to educate school-aged girls in
cybersecurity and that CYBER.ORG is partnering with HBCUs to help
develop a pipeline of Black high school students into cybersecurity
programs. These actions demonstrate the important role DHS can and
should play in encouraging cyber education. These are important
programs, but we'll need a lot more of them to make up for the current
gaps. Many cybersecurity jobs are high-paying, and they required a
variety of education levels, but many young people may not know about
them or may not believe they are attainable.
Federal investment in K-12 cyber education can raise awareness of
these career opportunities to more students, increase the diversity of
our workforce, and strengthen our National security. Additionally,
programs supporting cyber education must continue at higher education
institutions and in trainings that can provide cyber skills education
to those already in the workforce. DHS's support for the National
Centers for Academic Excellence in Cybersecurity and partnerships with
other entities like the National labs are important examples of how
Government, researchers, and teachers can work collaboratively to
address our cyber workforce shortage. DHS must continue to strengthen
these partnerships--particularly in collaboration with HBCUs and MSIs--
in order to develop the workforce we need to address the varied cyber
threats we face today.
I thank Chairwoman Clarke for her leadership in holding this
hearing and for prioritizing this critical issue. The excellent
witnesses here today have a broad range of expertise in the field of
cybersecurity education and their insights will be valuable as we
continue our work in defending the homeland from cyber threats.
Chairwoman Clarke. I now welcome our panel of witnesses.
First, I welcome Mr. Kevin Nolten, the director of academic
outreach for the Cyber Innovation Center at cyber.org. At
cyber.org Mr. Nolten helps advance cyber.org's K-12 cyber
education program within age-appropriate content that aligns
with State standards for education.
Next is Dr. Tony Coulson who serves as the executive
director of the Cybersecurity Center at California State
University, San Bernardino, and as lead of National Centers of
Academic Excellence in Cybersecurity Community.
California State University, San Bernardino is designed at
a center of academic excellence in cyber defense education by
the National Security Agency and the Department of Homeland
Security and it is also a minority-serving institution.
Next is Mr. Ralph Ley, the department manager for Workforce
Development and Training Infrastructure within the National and
Homeland Security Directorate at Idaho National Labs.
Mr. Ley leads educational programs and research to address
cybersecurity issues and work force development needs.
Finally, Max Stier, the president and CEO of the
Partnership for Public Service.
In that capacity, he is overseeing the creation and growth
of a network connecting more than 1,000 colleges and
universities with 80 Federal agencies. He is a thought leader
on Federal work force issues and his work is aimed at inspiring
a new generation to serve in Government.
Without objection, the witnesses' full statements will be
inserted in the record.
I will now ask each witness to summarize his or her
statement for 5 minutes, beginning with Mr. Nolten.
STATEMENT OF KEVIN NOLTEN, DIRECTOR OF ACADEMIC OUTREACH,
CYBER.ORG, CYBER INNOVATION CENTER
Mr. Nolten. Good morning, Chairwoman Clarke, Ranking Member
Garbarino, and distinguished Members of the committee. Thank
you for the opportunity to testify today.
I am Kevin Nolten, director of cyber.org, an academic
initiative of the Cyber Innovation Center, headquartered in
Bossier City, Louisiana.
As a nonprofit focused on National security and
cybersecurity work force development for the past 4 years, we
are supported by Federal grants and contracts, one of which is
a Cybersecurity Education Training Assistance Program, as the
Chairwoman mentioned, or CETAP, a competitive grant
administered by CISA.
One of the greatest threats to our National security is the
lack of K-12 cybersecurity education. Recent cyber attacks have
demonstrated our vulnerabilities, which can be partially
attributed to the growing shortage of cybersecurity
professionals.
As a former K-12 administrator, I know the impact K-12
education has on a child's future degree and/or career. A cyber
literate population will secure our critical infrastructure.
Cyber.org's K-12 cyber education program provides teachers with
curriculum and professional development that align with
individual State and local education standard and promotes
cybersecurity technical knowledge and degree and career
awareness opportunities for students.
Through CETAP we have reached over 23,000 educators in all
50 States. It impacted over 3 million students. We embrace a
focus on underserved schools in low socioeconomic regions as 64
percent of all new teachers are from Title 1 schools. We
embrace programming specific to ensuring HBCUs have a talent
pipeline and that we are focusing on opportunities for students
with disabilities.
While we are tremendously proud of the success we have had,
however, with nearly 1 million educators and 52 million across
the country, our work has just begun.
Chair and Ranking Member, in your home State of New York,
690 educators are accessing the curricula and my team has
trained 301 teachers. Further, in all of the subcommittee
Members' States combined, over 4,400 educators are accessing
the curricula and my team has trained over 3,800 teachers. This
is a program that works.
As a recent study shows, high schools using cyber.org's
curricula sent four times more students into cyber-related
college or university degree programs, such as Cal State San
Bernardino. We appreciate that Congress has begun to recognize
the importance of cybersecurity education to combat the threats
of tomorrow, as CETAP has received bipartisan support.
For example, the Cyberspace Solarium Commission called for
additional support for CETAP. As the Chairwoman mentioned, the
fiscal year 2021 NDAA formally authorized CETAP within CISA. In
fiscal year 2021 CETAP received an increase of funding
totalling $6 million.
This year we are requesting that CETAP be funded at $10
million, which would enable further scaling of the program to
reach more teachers and ultimately benefiting more students.
As your committee considers the future of cybersecurity
education, cyber.org offers the following recommendations:
First, we recommend increased and sustained funding for
cybersecurity education and work-force development. It is
critical that CISA include funding in its annual budget request
to expand the reach of CETAP in classrooms across the country.
Second, CETAP should be formally recognized as the K-12 feeder
program for other Federal cybersecurity work force programs.
Third, we recommend special attention be given to the what is
next after the different academic milestones, whether K-12,
higher education, et cetera, to better connect students
directly to cybersecurity jobs.
CISA and cyber.org have made tremendous impact in States
across the country, but it is time to scale. Stable continuous
funding and legislative support for CETAP will enable the
program to reach saturation in all 50 States and grow the
talent pipeline. Further investment by Congress to build our
National cybersecurity defenses must include K-12 education
resources.
Cyber.org appreciates the time to testify and we are
willing to serve as a resource for the development of any
future cybersecurity education legislation.
Thank you for your time.
[The prepared statement of Mr. Nolten follows:]
Prepared Statement of Kevin Nolten
Thursday July 29, 2021 10 o'clock AM
Good morning, Chair Clarke, Ranking Member Garbarino, and
distinguished Members of the House Homeland Security Committee's
Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation.
Thank you for the opportunity to testify before you today. I am Kevin
Nolten, director of CYBER.ORG, the academic initiative of the Cyber
Innovation Center, headquartered in Bossier City, LA.
CYBER.ORG is an initiative focused on cybersecurity workforce
education and development. CYBER.ORG is appreciative of the support we
receive from a grant from the Department of Homeland Security's (DHS)
Cybersecurity Infrastructure and Security Agency (CISA) as the lead
performer of the Cybersecurity Education Training Assistance Program
(CETAP) program.
I commend this subcommittee for seeking to address the long-
standing challenges facing cyber workforce development efforts,
specifically as they relate to K-12 cybersecurity education and
preparing the next generation for the jobs of tomorrow. My testimony
will address the role K-12 cybersecurity education plays in creating a
foundation of future cyber workers by closing the cybersecurity skills
gap and supercharging the future cybersecurity workforce for DHS and
industry.
I would first like to provide the subcommittee with a brief
overview of my background in education and the origin of CYBER.ORG.
Prior to joining CYBER.ORG, I was an educator and school administrator,
which provided me with a unique perspective on the education system and
the critically important role educators play in providing students with
the skills they need to succeed. This ignited my life-long passion for
educating students, helping them prepare for their futures and
ultimately improving K-12 education Nation-wide. In my role at
CYBER.ORG, I direct the organization's programmatic outreach efforts
and partnerships with the goal of increasing students' access to K-12
cybersecurity curriculum. At CYBER.ORG, we approach the cybersecurity
workforce gap as a National competitiveness issue and believe that
increasing cybersecurity literacy will improve U.S. economic and
National security. Providing students with an educational foundation
and career awareness is imperative to advancing the U.S. cybersecurity
workforce.
about cyber.org
CYBER.ORG is the academic initiative of the Cyber Innovation Center
(CIC), an economic development and technology innovation organization
focused on growing the regional economy and supporting the National
security enterprise through collaboration in mission-critical areas,
such as the cybersecurity of our nuclear command, control, and
communications systems. The CIC was founded in 2007 with the mission of
diversifying the regional economy from primarily oil & gas and
agriculture to include 21st Century, knowledge-based jobs in the cyber
and information technology (IT) fields. The CIC recognized that to
attract cyber and IT companies and jobs, the region would need a ready
and able cyber workforce, and building that workforce would require a
new approach to education. The success of our model has completely
transformed the regional economy in northwest Louisiana: Cyber and IT
are now equal to the oil & gas sector in economic impact and jobs. The
operational success around cybersecurity the CIC gained at its
inception furthered the demand for a comprehensive workforce
development program--thus the launch of CYBER.ORG, whose K12 focus
represents the entry point onto the Cyber Interstate.
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Created in 2011, CYBER.ORG (formerly the National Integrated Cyber
Education Research Center or NICERC) identified a specific need in K-12
education for a systematic and integrated solution that would build the
foundation for educating the next-generation, cyber-literate workforce.
Our goal was to engage K-12 students in STEM, computer science and most
importantly, cybersecurity. Since then, we have implemented an
integrated curricular experience across multiple academic disciplines
through the development of project-driven, hands-on curricula;
delivered educator professional development; established K-12
cybersecurity-based pathways; and created National cybersecurity
competitions; and.[sic]
CYBER.ORG was initially created using State and local funds but was
identified by the Department of Homeland Security in 2011 as an
exemplar program and received funding to scale its efforts across the
country. As a result of this funding and support, over the last 8 years
CYBER.ORG has built a K-12 cyber education program with age-appropriate
content that aligns with individual State standards for education. The
impact of that work is measured in thousands of teachers and millions
of students with access to more content, resources, and training that
will fuel the cyber workforce pipeline for the future.
the challenge
The United States has been struggling to solve the cyber workforce
shortage in this country for too long. The workforce gap that exists
today is directly connected to the country's lack of attention to STEM
(science, technology, engineering, mathematics) education 15-20 years
ago. Very similar to the Space Race, the United States must ensure that
our students, the future workforce of our country, are equipped with
the knowledge, skills, and abilities to defend against vulnerabilities
in cyber space.
CYBER.ORG recognizes this mounting challenge and has built a
successful educational model that is critical to ensuring that teachers
can teach cybersecurity and students have the skills necessary to meet
future workforce needs. The recent, unprecedented cyber attacks like
the SolarWinds and Colonial Pipeline clearly demonstrate the adverse
effects of our National cybersecurity vulnerabilities, which can in
part be attributed to the U.S. workforce shortage. We must increase
resources and partnerships with real investments in our future U.S.
workforce to ensure we are better equipped to deal with emerging
technological threats.
Statistics highlight the urgency of this challenge, as increasingly
complex attacks are occurring at a time when there are more than
464,000 unfilled cybersecurity roles in the United States. Filling
these positions is essential to protecting both public and private
organizations from outside threats, advancing U.S. innovation, and
diversifying our country's cybersecurity workforce. The first step
toward doing this is educating students on cybersecurity literacy as
early as kindergarten.
cyber.org approach--empower educators to prepare the next generation
cyber workforce
Advancing the cybersecurity workforce is critical to protecting the
country's National security and advancing its cybersecurity posture. K-
12 cybersecurity education plays a fundamental role in helping students
develop the skills needed to pursue cybersecurity careers in greater
numbers. As such, the CETAP Program is crucial to providing the United
States with the professional-level expertise needed to solve the cyber
challenges of tomorrow, but more can be done to support these efforts.
CYBER.ORG has developed a multi-pronged approach to ensuring students
Nation-wide have the educational cybersecurity foundation and career
awareness needed to advance the National cybersecurity workforce.
QUALITY CURRICULUM AND EFFECTIVE PROFESSIONAL DEVELOPMENT
Through CETAP, CYBER.ORG develops and distributes cyber and
cybersecurity curricula to K-12 educators across the country at no cost
to the educators. The CYBER.ORG approach supports cybersecurity
curriculum development to provide resources for elementary and
secondary school teachers that foster foundational cybersecurity
awareness, cybersecurity career awareness, and technical cybersecurity
skills. The curriculum is mapped to relevant State and National
standards and includes resources that make up 20+ full years of
curriculum (180+ hours). The curriculum is developed by subject-matter
experts in K-12 education, including faculty from higher education
institutions across the country and representatives from industry and
Government. The CYBER.ORG team, who serve as lead developers, are all
experienced educators, many carrying a master's and/or doctorate degree
in curriculum and instruction, educational leadership, and educational
technology.
CYBER.ORG currently provides K-12 cybersecurity workforce
development assistance to educators in all 50 States, with a cumulative
estimated impact of over 3,000,000 students. More than 23,000 teachers
are currently enrolled in CYBER.ORG's content platform and over 17,000
teachers have been trained to use CYBER.ORG content for K-12
cybersecurity education.
CYBER.ORG, in August 2021, will publish the country's first set of
National K-12 cybersecurity learning standards. Currently, there are
only a few models of State-developed cybersecurity standards and no
National standards specific to cybersecurity. The goal with the
standards is to increased access to cybersecurity education
opportunities for students that will prepare them to enter the
workforce or to expand their study in college. The standards will take
two approaches. The first is ensuring students have a foundational
cyber understanding and knowledge to live, work, and play in cyber
space safely. The second is ensuring students have the technical skills
to pursue industry-based certifications such as CompTIA's IT
Fundamentals, A+ and Security+.
NATION-WIDE DEPLOYMENT
Over the past 8 years, CYBER.ORG has been the lead technical
institution for CETAP as it has developed and distributed a scalable
program for educating the next-generation, cyber-literate workforce
through a replicable educational solution for State departments of
education, school districts, and individual educators from across the
county.
CYBER.ORG has made a significant impact in advancing K-12
cybersecurity education in States across the country thanks to
partnerships with Government, educators, and school districts. With
both a top-down and bottom-up approach, CYBER.ORG has been able to not
only align programs to relevant State standards, help States develop
cyber-related standards and pathways, and scale programming throughout
the country, but also has been able to provide classroom-specific
resources to educators wishing to implement modules on ransomware, or
other cybersecurity topics.
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
In addition to partnering with State departments of education,
school districts, and classroom teachers, CYBER.ORG also prides itself
on engagement with community organizations, non-profits, and industry.
For example, in partnership with Palo Alto Networks, CYBER.ORG worked
with the Girl Scouts USA to develop 18 cybersecurity badges to
introduce more young women to cybersecurity. To date, more than 200,000
cybersecurity badges have been earned by Girl Scouts from across the
country.
CYBER.ORG is also working with another global cybersecurity defense
contractor to develop a ``badging'' program to ensure K-12 students
have skill sets and industry-based certifications to pursue 2- and 4-
year degrees or jump straight into the cybersecurity workforce
immediately after high school.
In the National delivery, CYBER.ORG has seen 64 percent of the
teachers trained over the past 3 years come from Title 1 schools, that
is schools that service students from low socioeconomic communities.
Additionally, the efforts around diversifying the cybersecurity
workforce have been very deliberate. Recently, CYBER.ORG launched a K-
12 Historically Black College and University (HBCU) and Minority
Serving Institution (MSI) Feeder Program to further strengthen the
talent pipeline and increase the number of minority students pursuing
cybersecurity degrees. CYBER.ORG is in the process of developing a K-12
feeder program for Grambling State University (GSU), a HBCU and the
first university in Louisiana to create a cybersecurity undergraduate
degree. In 2021-2022, CYBER.ORG will replicate this program between
minority-serving school districts and HBCUs across the country.
The current reach of the CYBER.ORG curriculum content has impacted
student achievement and interest in STEM and cyber career pathways. In
a 2021 evaluation conducted by CYBER.ORG, 66 percent of students who
completed CYBER.ORG's Cybersecurity course wanted to explore career
options in cybersecurity, while 48 percent of students intended to earn
at least one cyber-related industry-based certification before
graduating from high school.
CONNECTING STUDENTS TO CYBERSECURITY DEGREES AND CAREERS
Many studies show that the formative years for a student's career
trajectory occur around the middle school level, 6th-8th grade. This
period, and the years leading up it, is critical for policy makers,
industry, Government, and educators to begin introducing students to
21st-Century options--jobs that many students don't know about, and in
some cases jobs that do not yet exist.
CYBER.ORG, as a workforce development organization, ensures
teachers have the resources and confidence to prepare students for the
next level--whether that is a 2- or 4-year college/university degree,
or whether that is direct entry from high school into a cybersecurity
career. This confidence is gained through the no-cost professional
development offered by the CYBER.ORG team.
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
In addition to increasing teacher's confidence in introducing their
students to cybersecurity careers, CYBER.ORG provides students with
Career Profile Cards (https://cyber.org/career-exploration/cyber-
career-profiles) that introduces them to jobs in cybersecurity. Aligned
to the NICE cybersecurity workforce framework, each Career Profile Card
teaches students about the job, the skills sets required, the degree
(if any) and the certifications (if any) needed for entry into this
career.
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
The multi-faceted approach CYBER.ORG takes yields results. A
regional study (https://cyber.org/sites/default/files/2020-06/
Louisiana%20Study.pdf) found that high schools with teachers enrolled
in CYBER.ORG curricula on average sent, in total, four times more
students into cyber-related college of university degree programs as
those that did not.
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
investing in k-12 cyber education
The solution for solving the cybersecurity workforce shortage is
developing a capable pipeline of cybersecurity professionals who are
entering the workforce at every level of education. CYBER.ORG is
enabling K-12 teachers to serve as force multipliers, educating
students to build the cybersecurity workforce of the future. The CETAP
model and CYBER.ORG have provided a clear blueprint for bolstering the
U.S. workforce pipeline for other areas critical to U.S. economic
development and global technological competitiveness.
The work being done by CYBER.ORG through the CETAP program also
supports the recommendations made by the Cyberspace Solarium
Commission. The Commission's report on Growing a Stronger Federal
Cybersecurity Workforce \1\ called out the importance of the CETAP
program in helping recruit the talent needed to support the Federal
workforce. The Solarium Commission also identified that the CETAP
program has ``significant room to grow.'' To grow, CETAP would need
additional funding and resources to:
---------------------------------------------------------------------------
\1\ https://www.solarium.gov/public-communications/workforce-white-
paper.
---------------------------------------------------------------------------
Increased access to curricula for educators;
Development of pathways for immediate job entry, more direct
connection of high schools to post-secondary workforce
pathways, and engagements with more HBCU institutions;
Expansion of recruiting and retaining students from military
families for future cyber employment;
Development of virtual curricula, resources that can be used
by schools for student asynchronous learning, particularly in
rural and underserved communities; and
Launch of a virtual cyber laboratory specifically used for
K-12 educators, providing an application-based learning
environment for real-world cybersecurity lessons.
Congress has recognized the importance of CETAP. With the help of
this committee's former Chair Cedric Richmond as well as Senators Rosen
and Cassidy, the fiscal year 2021 National Defense Authorization Act
(NDAA) formally authorized CETAP and codified the program's mission as
a leader in the dissemination of cybersecurity-focused K-12 education
resources and training. The fiscal year 2021 authorization was paired
with an appropriation of the annual base amount of $4.3 million with an
additional discretionary funding of $1.7 million for K-12 education at
CISA. With the additional funding, CETAP utilized the additional $1.7
million provided in discretionary support to enable the launch of three
K-12 initiatives focusing on Historically Black Colleges and University
(HBCU) feeder high schools and students with disabilities.
recommendations
CYBER.ORG, through CETAP, has made a tremendous impact in States
and districts across the country, but it is time to scale. Providing
stable, continuous funding and legislative support for CETAP will
enable the program to reach its short- and long-term goals of expanding
programming in all 50 States so that every student in the United States
is cyber literate and has the skills needed to pursue cybersecurity
careers in greater numbers and fortify the workforce needed to combat
increasingly complex attacks. The following recommendations and actions
are important to large-scale impact of CYBER.ORG and CETAP.
First, we recommend increased and sustained funding for
cybersecurity education and workforce development. It is
critical that CISA include funding in its annual budget request
to sustain and expand the reach of the CETAP program in
classrooms across the country. CETAP's cost-effective approach
will get proven successful curriculum into the hands of more
teachers who will continue to develop a strong, equitable
pipeline of cybersecurity talent.
Second, CETAP should be formally recognized as the K-12
feeder program for other, Federal cybersecurity workforce
programs. Connecting students directly to programs such as
Centers for Academic Excellence, Scholarship for Service,
Federal Apprenticeship Program, and others will ensure these
Federal efforts complement one another and provide the best
workforce outcomes possible.
Third, we recommend special attention be given to ``what's
next'' after the different academic milestones (K-12, higher
education, reskilling, etc.)--that is, addressing the need for
connecting students to cybersecurity jobs. Importantly,
connecting students, whether high school, college, university
graduates, or non-traditional students to the cybersecurity
workforce is a critical step in closing the workforce gap in
the country.
conclusion
It has been an honor to appear before this distinguished panel of
policy makers. Thank you, Chair Clarke, and Ranking Member Garbarino
for your dedication to growing and advancing the cybersecurity
workforce.
K-12 cybersecurity education must be viewed as the vehicle in which
we can introduce the next generation of cybersecurity professionals to
careers in the field. Expanding K-12 cybersecurity education is
critical to addressing the cybersecurity workforce shortage. DHS has
created a proven, cost-efficient model to train educators in
cybersecurity and reach more K-12 students in classrooms across the
country with cybersecurity curriculum. The CETAP program requires
additional investment to close the cybersecurity workforce gap and grow
the cybersecurity skills pipeline.
CYBER.ORG envisions a future where every student is cyber literate
and has the option to pursue cybersecurity careers. We look forward to
working with the committee and serving as a resource as it develops
policies to advance K-12 cybersecurity. We also remain committed to
working with committee Members in their States and districts to advance
the CETAP program and expand access to K-12 cybersecurity education.
CYBER.ORG appreciates the opportunity to join in this worthy
discussion and is willing to serve as a resource in the development of
any cybersecurity education legislation going forward. We are thrilled
to participate in today's hearing and look forward to a long
partnership where we can continue working to tackle this important
issue.
Thank you, and I'll be happy to answer any of your questions.
Chairwoman Clarke. Thank you, Mr. Nolten, for your
testimony.
I now recognize Dr. Coulson to summarize his statement for
5 minutes.
STATEMENT OF TONY COULSON, PH.D., PROFESSOR AND EXECUTIVE
DIRECTOR, CYBERSECURITY CENTER LEAD, NATIONAL CENTERS OF
ACADEMIC EXCELLENCE IN CYBERSECURITY COMMUNITY
Mr. Coulson. Chairwoman Clarke, Ranking Member Garbarino,
Members of the Cybersecurity Infrastructure Protection
Innovation Subcommittee, thanks for having me.
I am Tony Coulson from Cal State San Bernardino. We are a
Hispanic-serving institution location in southern California.
We have, under the leadership of Dr. Tomas Morales, expanded to
over 20,000 students and are ranked 7th nationally for social
mobility. But one thing we are known for is innovation.
Now, you might ask yourself what does a regional university
in California have to do with cybersecurity, and it is actually
very simple. As has already been mentioned, we have a
cybersecurity work force shortage. We know we have a crisis. I
just looked up the number earlier before we came on, we have
over 500,000-person shortage--500,000. Let that number sink in.
This came from cyberseek.org. That is an absurd number. If this
was doctors and nurses there would be a National outcry.
Well, the good news is Cal State San Bernardino is
committed to solve this work force problem. Recently our
university established and began to lead the National Centers
of Academic Excellence Cybersecurity Community. This community
involves 5 Federal partners, the NSA, National Security Agency,
who runs the program, DHS and CISA, NIST, and the NICE
Initiative, as well as the FBI and the Department of Energy.
Those Government partners are now coupled with the CAE
community, the Centers of Academic Excellence community that we
lead that has 335 colleges and universities working together to
collaborate and solve the work-force shortage.
Now, working with these partners, and also working with all
of these universities, we have a lot of creativity and we have
a lot of collaboration, but we also have an interesting vantage
point where we see gaps and we see silos and we see
duplication. We are trying to develop solutions. As cyber.org
and Kevin, good friends, just said, look, we know that K-12 is
a huge opportunity. There is a lot of activity in this space
and there is a lot of investment through a lot of agencies. But
there are still gaps. There is a lot of work to be done here,
such as we need to increase diversity, but also in rural and
home school networks.
So the Centers of Academic Excellence community just
released a program focusing on rural and home school. We just
helped get AP cyber onto the National curriculum. We are
putting together extracurriculars, such as camps and cyber
competitions. Matter of fact, the gen cyber program at Cal
State San Bernardino that we originally partnered with
cyber.org, the genesis of that camp at Cal State San Bernardino
that has now affected thousand of kids, led to a national Girl
Scout badge.
But it is more than K-12. The United States is facing a
deficit in cyber research. We need to home-grow research skill.
So Cal State San Bernardino and its partners in the community
just launched the Information Security Research Education
Program, a unique program where we take technical directors
from the National Labs and the National Security Agency and
others and work with student teams around the country in a
variety of different institutions to solve real-world technical
problems.
Access is also a problem, access to technology, but also
are we getting the return on investment, are we producing work-
force ready students? Well, Cal State San Bernardino created
the NICE Challenge Project, a National cyber range in use by
500 colleges and universities that provides technology and does
work-force readiness assessment.
These are a lot of programs and there is a lot of things. I
will tell you this, the Centers of Academic Excellence
Community, those 335 schools, colleges, and universities that
are working together today are producing over 100,000 diverse
quality students, re-skilling people, working with veterans,
working in our communities. This is all based on one-time
funding and most of it has come from the National Security
Agency. What I would like to see is I would like to see the
Department of Homeland Security move forward and support with
sustainable funding such an important initiative.
Thank you so much for your time today.
[The prepared statement of Dr. Coulson follows:]
Prepared Statement of Tony Coulson
July 29, 2021
Chairwoman Clarke, Ranking Member Garbarino, and Members of the
Cybersecurity, Infrastructure Protection, & Innovation Subcommittee, I
want to thank you for providing me with the opportunity to testify
today. My name is Professor Tony Coulson and I serve as the executive
director of the Cybersecurity Center at California State University,
San Bernardino (CSUSB).
CSUSB is one of 23 campuses that make up the great California State
University system--the largest 4-year public university system in the
world. Under the leadership of President Tomas Morales, CSUSB is a
Nationally-recognized university, serving more than 20,000 students,
most of whom come from the Riverside and San Bernardino counties, an
area in inland Southern California known as the Inland Empire. As a
Hispanic-Serving Institution (HSI), we are recognized for our
transformative influence in our community. More than 80 percent of
CSUSB's students are the first in their families to earn 4-year college
degrees, and two-thirds of our students come from economically-
disadvantaged circumstances. We are proud that CSUSB, with campuses San
Bernardino and Palm Desert, is ranked No. 7 among top colleges and
universities educating economically disadvantaged students and
graduating them into well-paying jobs. CSUSB is recognized globally for
our Jack H. Brown College of Business and Public Administration and
Nationally for our leadership in developing the country's cybersecurity
workforce.
I am here today to specifically talk about ways how to bridge the
Nation's cybersecurity workforce gap, how CSUSB's Cybersecurity Center
is currently leading Nation-wide initiatives in this effort, and how
existing U.S. Government programs are working with universities like
mine to achieve this goal. More than 12 years ago, CSUSB created its
Cybersecurity Center (``Center''), focused on one mission--creating a
cybersecurity talent pool and a corresponding job base within the
Inland Empire region of California. This has always been a clear need
as the Inland Empire has been an economically depressed region for the
last two decades, experiencing economic challenges like so many of our
communities across the Nation, but with one of the lowest degree
attainment rates in the State of California combined with low high
school graduation rates.
To address these issues, CSUSB created a Cybersecurity Center with
four undergraduate programs in a variety of disciplines including
criminal justice, business and public administration, computer science,
and information science. This led us to develop five master's degree
programs along the same disciplines (business, computer science,
information systems, and public administration) but with one broader
goal, to integrate the NSA Centers of Academic Excellence in
Cybersecurity with the Intelligence Community CAE program--creating a
critical new program to produce intelligence analysts with cyber
skills. This new master's program in National Cybersecurity Studies
became a model curriculum adopted by universities around the United
States. From 12 years ago with 10 students, CSUSB now has over 600
students enrolled in these degree programs. While CSUSB has always been
innovative in its approach, providing an environment that built
curriculum based on Government and industry workforce needs, it was the
students that provided the energy and truly showed their capabilities.
CSUSB is on the front line training the next generation of cyber
warriors. We are proud to say that CSUSB's student outcomes are so
strong that one program director at the U.S. Department of Homeland
Security (DHS) once said that CSUSB students ``are everywhere'' and
have commended the skill sets that CSUSB students have when they
graduate.
The Nation has had a dearth of well-trained cybersecurity workers
for many years; however, the problem is greatly exacerbated by the
integration of technology into every sector of our economy, leading to
an inevitable growth of cybersecurity attacks. These attacks have
illustrated the need to expeditiously fill the estimated 500,000-person
deficit in the Nation's cybersecurity workforce. As part of my
testimony today, I want to stress the importance of partnerships across
academia, with the Government, as well as with industry. The 2020
Cyberspace Solarium Commission report states that `` . . . sometimes
success in building a robust Federal workforce depends on elements
outside of the Federal Government. In those cases, the U.S. Government
can and should play a supporting role by providing its partners in
workforce development the tools needed to accelerate the increase in
cyber personnel.''
A 2021 report on ``The Hewlett Foundation's Cyber Talent Pipeline:
An Evolution Based on Equitable Evaluation Framework Principles''
states ``We identified 5 Minority-Serving Institutions to be in our
evaluation sample; each has committed cyber faculty, existing
innovative partnerships and the opportunity to further develop
interdisciplinary education programs . . . Cal State San Bernardino
leads a National collaboration of more than 300 universities and
colleges dedicated to cyber and piloting innovations, many of which are
community colleges.'' The report also states that ``the assumption that
elite universities are best placed to enable multidisciplinary cyber
education is not borne out by our evidence.''
Just as President John F. Kennedy called for a greater goal for the
United States to land a man on the moon, so must we as a Nation think
about the global cyber race. In his speech before a Joint Session to
Congress on May 25, 1961, the needs that President Kennedy highlighted
still resonate today: ``I believe we possess all the resources and
talents necessary. But the facts of the matter are that we have never
made the National decisions or marshaled the National resources
required for such leadership. We have never specified long-range goals
on an urgent time schedule, or managed our resources and our time so as
to insure their fulfillment.''
I am happy to be here today to discuss this important challenge,
describe what CSUSB is doing to help address the problem, discuss key
Federal partnerships we have and the outcomes they are producing, and
to share best practices for how we can address this problem head-on
together.
i. csusb and the national centers of academic excellence in
cybersecurity (ncae-c)
The National Centers of Academic Excellence in Cybersecurity (NCAE-
C) program was created in 1999, beginning with just 7 schools, and
through its successful partnerships, the program has grown to 335
schools across 48 States.\1\ The NCAE-C program is the Nation's premier
cyber workforce development initiative that leverages the unique
capabilities of the National Security Agency (NSA) and the member
schools to meet the Nation's needs for a specialized education program
and unique curricula. NCAE-C is the first, and only of its kind, to
have clearly defined academic standards, curricula, and designations
for cyber education, holding the member colleges and universities to
rigorous educational standards.
---------------------------------------------------------------------------
\1\ See Attachment A: List of schools in the NCAE-C program.
---------------------------------------------------------------------------
CSUSB's Cybersecurity Center is part of the NCAE-C system and leads
the Centers of Academic Excellence in Cybersecurity Community. Six
years ago, there were 100 institutions in the program, now there are
335 NSA-Designated Centers of Academic Excellence in Cybersecurity,
educating approximately 100,000 students in cyber-related disciplines.
The CAE Community in Cybersecurity program allows for innovation
with our Government partners at NSA, the Program Office, as well as
DHS, the Cybersecurity and Infrastructure Security Agency (CISA), the
Federal Bureau of Investigation (FBI), the National Initiative for
Cybersecurity Education (NICE), and the National Science Foundation
(NSF).
These partnerships are important as each agency plays a unique role
in the CAE program. To help increase a talent pipeline for students
into the Federal Government, DHS serves as a strategic partner in
promoting cybersecurity education and workforce development, as well as
strengthening partnerships between institutions and Federal, State,
local, and Tribal governments.
ii. csusb and cyber corps�: scholarship for service
A strong example of the benefit of partnerships is NSF's
CyberCorps�: Scholarship for Service program. This program has
sponsored thousands of cybersecurity students leading them into
Government cyber careers. This unique partnership with DHS, NSF, OMB,
and the NSA CAE Program has produced thousands of quality cybersecurity
graduates as well as building capacity for stronger cyber research and
programs at colleges and universities. DHS and NSF further expanded the
CyberCorps� program by creating the Community College Cybersecurity
Pilot scholarship program focused on veterans and persons with existing
bachelor's degrees.
iii. csusb focus on k-12 programs
CSUSB has a long-standing commitment to focusing not just on
college-age students, but also on going deeper into the educational
pipeline to start teaching cybersecurity skills to younger students. A
great example of this is CSUSB's involvement in the GenCyber program--a
partnership between the NSF and the NSA. The GenCyber program provides
K-12 students the opportunity to go to ``cybersecurity summer camp''
for free and for teachers to participate in training camps to provide
cyber literacy in the classroom. CSUSB's early work in this program
involved partnerships with the Girl Scouts of San Gorgonio Council as
well as Title I middle schools, to reach underserved communities and
promote diversity in cybersecurity talent. This successful series of
camps serving over 1,200 girls eventually led to a National Girl Scout
badge in cybersecurity.
Through recent grant programs, the greater CAE Community schools
are working together to create K-12 learning pathways to provide cyber
literacy programs and prepare students for cyber careers. Cybersecurity
teachers in schools around the country are learning new skills to teach
cybersecurity and in doing so utilizing freely available CAE materials
and those developed by our partners. The new Regions Investing in the
Next Generation (RING) program from Illinois' Moraine Valley Community
College and Alabama's University of Alabama Huntsville focuses on
teaching cybersecurity skills in rural areas and home schools and
provide resources for diverse communities including the economically
disadvantaged, the deaf and hard of hearing, and the neurodiverse.
Additionally, New York's Mohawk Valley Community College and Florida's
University of West Florida have just launched the national Enigma
cybersecurity competition. This National competition starts with 165
12-person teams (1,980 high school students) to attack and defend in
unique cyber scenarios as well as interact with potential employers.
The CAE Community now has year-round extracurricular and in-school
activities focused on cyber in K-12.
iv. creating cutting-edge programs:--insure (information security
research education)
Federal grants have also funded future-oriented programs, meaning
that CAE Community schools and Government partners are not just
focusing on the cybersecurity skills of today but also are looking at
the cybersecurity skills that are needed 5 years from now and beyond.
Recognizing a shortage of domestic research talent, CSUSB, working
with the NSF, NSA, and CAE Community partners, has advanced a cutting-
edge research program. Housed at CSUSB, this program, called the
Information Security Research Education (INSuRE) program, works with
technical directors from industry, the U.S. Department of Energy (DOE),
National labs, DHS, and the NSA, to partner with student teams around
the country on real cybersecurity problems. The CAE Community is
listening to industry and Government needs, adapting its curriculum,
and focusing on research in artificial intelligence (AI), autonomous
vehicles (AV), advanced networks, and critical infrastructure
protection.
v. csusb partnering with community colleges and the national science
foundation advanced technology education (ate)
CSUSB's collaboration and partnership mission is further evident
with the cooperation of the NSA and the NSF's Advanced Technology
Education (ATE) program. The National Cybersecurity Training and
Education Center, based at Whatcom Community College in Washington
State, focuses on opportunities and the development of cybersecurity
workforce capabilities at community colleges Nation-wide, and working
with the CAE Community, established a National Cybersecurity Virtual
Career Fair to match students from CAE colleges and universities with
employers across the Nation. In 2020, this career fair saw more than
1,400 well-qualified CAE students and 38 employers participate. This
year, the CAE Community is seeking to double that number. Future
collaborations include National apprenticeship initiatives partnering
with CAE-designated schools.
vi. csusb partnership with the nice challenge project
Another strong example of how CSUSB's successful cybersecurity
collaboration is the CAE Community's National cyber range, the NICE
Challenge Project. The program is funded through grants from NSF, DHS,
NSA, and the NICE program with a mission to create a range where
cybersecurity participants can test their cyber workforce readiness,
measured against the NIST Cybersecurity Workforce Framework (800-181)
and NSA Knowledge Unit Standards. This system, free for use in higher
education, currently serves thousands of students at 500 schools across
the Nation. This program is exploring an expansion for helping
veterans, and high schools, and working with CISA on Federal workforce
training. With further funding from DHS, CISA, and NSA, this cyber
range could be easily scaled to serve the Nation's high schools,
providing progress toward workforce readiness. Working with CISA, CSUSB
also sees opportunities for using the NICE Challenge as a means to
train, develop, and validate the Federal workforce.
vii. looking ahead
The Nation is grappling with a critical problem to address the
cyber workforce challenge. Colleges and universities across the country
are doing tremendous work to address the problem and CSUSB is doing its
part each day to help bridge the workforce gap. As Congress grapples
with solutions to these challenges, it must avoid creating new programs
in the Federal Government, but rather provide steady-state funding to
ones that are in existence and have a long history of success. The CAE
Community has existed for 22 years and has amazing return on investment
using Federal funds. Other programs such as those I have described at
NSF and NIST, working with the DHS and other agencies, are successful
programs making great strides to address the problem.
What makes the CAE Community program unique is its willingness to
collaborate with a wide range of entities, from both industry and
Government, as a critical resource. DHS has a unique vantage point
based on its mission to safeguard the Nation's homeland, and DHS should
promote sustained funding and leverage the capabilities of the CAE
Community in its efforts to address cybersecurity workforce challenges.
The colleges and universities that make up the CAE in Cybersecurity
Community have boundless energy, but what is needed from Congress is a
concerted focus and dedicated funding for all of these programs along
with the need to avoid creating overlapping and duplicative programs
across all other agencies. The model created in the CAE community,
working with DHS, FBI, NSF, and NIST have a long history of success.
The program is also created and run by those who understand
cybersecurity and the educational needs of our community. We need to
sustain and encourage the non-profit, collaborative approaches that
work and dedicated funding is critical to helping to achieve these
goals.
We also need to ensure the workforce of the future is diverse in
nature as well. The CAE Community schools are engaged in many
initiatives building out diverse workforce, including wounded warriors,
neurodiverse, women, and minority-serving institutions. The recently-
launched Cyber Education Diversity Initiative (CEDI) is housed at
Fordham University in New York State. This program is focused on
building the capacity of minority-serving institutions (MSIs) to become
CAE-designated as well as inviting students from MSIs to join
competitions, hosting workshops for faculty, and allowing for students
to transfer from MSIs to colleges with a cybersecurity degree program.
NATO Secretary General Jens Stoltenberg, speaking at the Cyber
Defence Pledge Conference in London in 2019, stated: ``It takes just a
`click' to send a cyber virus spreading across the globe. But it takes
a global effort to stop it from inflicting chaos.'' He went on to say
``But cyber goes beyond technology. The people behind the technology
are just as important. We need to build a strong and diverse workforce
of future cyber defenders.''
The efforts by CSUSB and the Centers of Academic Excellence in
Cybersecurity Community have generated undeniable results but tackling
a 500,000-person workforce shortage is a problem that will require
``all hands-on deck.'' Where there are programs that already exist with
long-standing demonstrable results, Congress should support those with
dedicated funding. Thank you for your time and I look forward to any
questions.
Attachment.--NSA Designated Centers of Academic Excellence in Cyber
Institutions
Athens State University--AL
Auburn University--AL
Calhoun Community College--AL
Jacksonville State University--AL
Snead State Community College--AL
The University of Alabama--AL
The University of Alabama at Birmingham--AL
The University of Alabama in Huntsville--AL
Tuskegee University--AL
University of South Alabama--AL
University of Arkansas--AR
University of Arkansas at Little Rock--AR
Arizona State University--AZ
Embry-Riddle Aeronautical University, Prescott Campus--AZ
Estrella Mountain Community College--AZ
Glendale Community College--AZ
Grand Canyon University--AZ
The University of Arizona--AZ
University of Advancing Technology--AZ
California State Polytechnic University, Pomona--CA
California State University, San Marcos--CA
California State University, Sacramento--CA
California State University, San Bernardino--CA
City College of San Francisco--CA
Coastline Community College--CA
Cypress College--CA
Long Beach City College--CA
National University--CA
Naval Postgraduate School--CA
Ohlone College--CA
Sierra College--CA
University of California, Davis--CA
University of California, Irvine--CA
Arapahoe Community College--CO
Colorado School of Mines--CO
Colorado State University--Pueblo--CO
Colorado Technical University--CO
Pikes Peak Community College--CO
Pueblo Community College--CO
Red Rocks Community College--CO
Regis University--CO
United States Air Force Academy--CO
University of Colorado, Colorado Springs--CO
University of Denver--CO
University of Connecticut--CT
University of New Haven--CT
Georgetown University--DC
The George Washington University--DC
University of Delaware--DE
Wilmington University--DE
Daytona State College--FL
Embry-Riddle Aeronautical University--Daytona Beach Campus--FL
Florida A&M University--FL
Florida Atlantic University--FL
Florida Institute of Technology--FL
Florida International University--FL
Florida State College at Jacksonville--FL
Florida State University--FL
Indian River State College--FL
Nova Southeastern University--FL
Saint Leo University--FL
St. Petersburg College--FL
University of Central Florida--FL
University of Florida--FL
University of North Florida--FL
University of South Florida--FL
University of West Florida--FL
Valencia College--FL
Augusta Technical College--GA
Augusta University--GA
Columbus State University--GA
Georgia Institute of Technology--GA
Georgia Southern University--Armstrong Campus--GA
Georgia State University--GA
Kennesaw State University--GA
Middle Georgia State University--GA
Middle Georgia State University--MSIT--GA
University of Georgia--GA
University of North Georgia--GA
Honolulu Community College--HI
Leeward Community College--HI
University of Hawaii--West Oahu--HI
University of Hawaii at Manoa--HI
University of Hawaii Maui College--HI
Iowa State University--IA
Idaho State University--ID
North Idaho College--ID
University of Idaho--ID
College of DuPage--IL
DePaul University--IL
Illinois Institute of Technology--IL
Illinois State University--IL
John A Logan College--IL
Lewis University--IL
Lincoln Land Community College--IL
Loyola University Chicago--IL
Moraine Valley Community College--IL
Rock Valley College--IL
Roosevelt University--IL
University of Illinois at Springfield--IL
University of Illinois, Urbana--Champaign--IL
Indiana University--IN
Ivy Tech Community College--IN
Purdue University--IN
Purdue University Northwest--IN
Butler Community College--KS
Fort Hays State University--KS
Johnson County Community College--KS
Kansas State University--KS
University of Kansas--KS
Wichita State University--KS
Bluegrass Community and Technical College--KY
Murray State University--KY
Northern Kentucky University--KY
Owensboro Community and Technical College--KY
University of Louisville--Graduate Certificate of Cybersecurity--KY
University of Louisville, Kentucky--KY
University of the Cumberlands--KY
Bossier Parish Community College--LA
Louisiana Tech University--LA
University of New Orleans--LA
Boston University--MA
Northeastern University--MA
University of Massachusetts Lowell--MA
Worcester Polytechnic Institute--MA
Anne Arundel Community College--MD
Bowie State University--MD
Capitol Technology University--MD
Cecil College--MD
College of Southern Maryland--MD
Hagerstown Community College--MD
Harford Community College--MD
Howard Community College--MD
Morgan State University--MD
Prince George's Community College--MD
The Community College of Baltimore County--MD
The Johns Hopkins University--MD
Towson University--MD
United States Naval Academy--MD
University of Maryland--MD
University of Maryland Global Campus--MD
University of Maryland, Baltimore County--MD
Southern Maine Community College--ME
University of Maine at Augusta--ME
Baker College--MI
Davenport University--MI
Delta College--MI
Eastern Michigan University--MI
Ferris State University--MI
Grand Rapids Community College--MI
Henry Ford College--MI
Lansing Community College--MI
Macomb Community College--MI
Oakland University--MI
University of Detroit, Mercy--MI
Walsh College--MI
Washtenaw Community College--MI
Capella University--MN
Century College--MN
Lake Superior College--MN
Metropolitan State University--MN
St. Cloud State University--MN
Walden University--MN
Metropolitan Community College--Kansas City--MO
Missouri University of Science and Technology--MO
Southeast Missouri State University--MO
St. Louis Community College--MO
University of Missouri--Columbia--MO
University of Missouri--St. Louis--MO
Webster University--MO
Mississippi State University--MS
Great Falls College Montana State University--MT
Missoula College--MT
Alamance Community College--NC
East Carolina University--NC
Fayetteville Technical Community College--NC
Forsyth Technical Community College--NC
Montreat College--NC
North Carolina A&T State University--NC
North Carolina State University--NC
Pitt Community College--NC
Sampson Community College--NC
University of North Carolina, Charlotte--NC
University of North Carolina, Wilmington--NC
Wake Technical Community College--NC
Bismarck State College--ND
North Dakota State University--ND
Bellevue University--NE
Metropolitan Community College--NE
Northeast Community College--NE
University of Nebraska, Omaha--NE
Dartmouth College--NH
University of New Hampshire--NH
Brookdale Community Collge--NJ
County College of Morris--NJ
Fairleigh Dickinson University--NJ
New Jersey City University--NJ
New Jersey Institute of Technology--NJ
Rutgers, The State University of New Jersey--NJ
Stevens Institute of Technology--NJ
Central New Mexico Community College--NM
Eastern New Mexico University--Ruidoso Branch Community College--NM
New Mexico Tech--NM
University of New Mexico--NM
College of Southern Nevada--NV
University of Nevada, Las Vegas--NV
University of Nevada, Reno--NV
Binghamton University (SUNY at Binghamton)--NY
Excelsior College--NY
Fordham University--NY
Mercy College--NY
Mohawk Valley Community College--NY
New York Institute of Technology--NY
New York University--NY
Pace University--NY
Rochester Institute of Technology--NY
Rockland Community College--NY
Syracuse University--NY
University at Albany, the State University of New York--NY
University at Buffalo, the State University of New York--NY
Utica College--NY
Utica College--MS Cybersecurity--NY
Westchester Community College--NY
Air Force Institute of Technology--OH
Cedarville University--OH
Clark State Community College--OH
Columbus State Community College--OH
Franklin University--OH
Sinclair Community College--OH
Terra State Community College--OH
The Ohio State University--OH
University of Cincinnati--OH
Wright State University--OH
Oklahoma City Community College--OK
Oklahoma State University--OK
Rose State College--OK
University of Tulsa--OK
Chemeketa Community College--OR
Mt. Hood Community College--OR
Portland Community College--OR
Portland State University--OR
Bloomsburg University of Pennsylvania--PA
Carnegie Mellon University--PA
Drexel University--PA
East Stroudsburg University--PA
Indiana University of Pennsylvania--PA
Lehigh Carbon Community College--PA
Pennsylvania Highlands Community College--PA
Pennsylvania State University--PA
Pittsburgh Technical College--PA
Robert Morris University--PA
Saint Vincent College--PA
University of Pittsburgh--PA
Valley Forge Military College--PA
West Chester University of Pennsylvania--PA
Polytechnic University of Puerto Rico--PR
Community College of Rhode Island--RI
New England Institute of Technology--RI
University of Rhode Island--RI
Clemson University--SC
South Carolina State University--SC
The Citadel--SC
Trident Technical College--SC
University of South Carolina--SC
Dakota State University--SD
Jackson State Community College--TN
LeMoyne--Owen College--TN
Roane State Community College--TN
Tennessee Tech University--TN
The University of Tennessee at Chattanooga--TN
University of Memphis--TN
El Paso Community College--TX
Hill College--TX
Houston Community College--TX
Laredo College--TX
McLennan Community College--TX
Our Lady of the Lake University--TX
Sam Houston State University--TX
San Antonio College--TX
South Texas College--TX
Southern Methodist University--TX
St. Philip's College--TX
Texas A&M University--TX
Texas A&M University--Corpus Christi--TX
Texas A&M University--San Antonio--TX
Texas State Technical College in Harlingen--TX
The University of Texas at Austin--TX
The University of Texas at San Antonio--TX
University of Dallas--TX
University of Houston--TX
University of North Texas--TX
University of Texas at Dallas--TX
University of Texas at El Paso--TX
Brigham Young University--UT
Southern Utah University--UT
Danville Community College--VA
ECPI University--VA
George Mason University--VA
Germanna Community College--VA
Hampton University--VA
James Madison University--VA
Liberty University--VA
Lord Fairfax Community College--VA
Marymount University--VA
Mountain Empire Community College--VA
Norfolk State University--VA
Northern Virginia Community College--VA
Old Dominion University--VA
Radford University--VA
Regent University--VA
Southwest Virginia Community College--VA
Thomas Nelson Community College--VA
Tidewater Community College--VA
University of Virginia--VA
Virginia Commonwealth University--VA
Virginia Polytechnic Institute and State University--VA
Virginia Western Community College--VA
Champlain College--UT
Norwich University--UT
City University of Seattle--WA
Columbia Basin College--WA
Edmonds Community College--WA
Green River College--WA
Highline College--WA
Spokane Falls Community College--WA
University of Washington--WA
Whatcom Community College--WA
Madison College--WI
Marquette University--WI
University of Wisconsin--Stout--WI
Waukesha County Technical College--WI
American Public University System--WV
Blue Ridge Community and Technical College--WV
West Virginia University--WV
Chairwoman Clarke. Thank you, Dr. Coulson.
I now recognize Mr. Ley to summarize his statement for 5
minutes.
STATEMENT OF RALPH F. LEY, DEPARTMENT MANAGER, WORKFORCE
DEVELOPMENT AND TRAINING INFRASTRUCTURE ASSURANCE & ANALYSIS
DIVISION, NATIONAL & HOMELAND SECURITY, IDAHO NATIONAL
LABORATORY
Mr. Ley. Thank you, Chairwoman Clarke, Ranking Member
Garbarino, and Members of the committee. It is an honor and a
privilege to be with you today.
My name is Ralph Ley. I am the department manager for
Workforce Development and Training within the National and
Homeland Security Directorate at Idaho National Laboratory. I
am grateful for the opportunity to testify on the issues
regarding the Nation's cyber talent pipeline and ways to ensure
our work force is ready to meet future threats.
As you probably all know, INL's long history with nuclear
energy from its inception to the latest and recent work with
small modular nuclear reactors, other energy sources, our one-
of-a-kind wireless ranges and the wireless networks that are
continuing to expand across the United States, various
infrastructures and their test beds helping industry. It is
easy to understand why we have a deep understanding for
industrial control systems, control systems in general and how
to protect them. In fact, the Cyberspace Solarium Commission
called out INL as the Nation's center of excellence for
industrial control system cybersecurity issues. Well-founded.
Our department takes great pride in having the opportunity
and responsibility to lead, influence, and execute a broad
portfolio of educational programs and research that address IT
and OT cybersecurity issues and work force development needs.
Although INL supports and has its own numerous K-12
cybersecurity initiatives and the great work, as you can see
already some of the witnesses have testified, fantastic work,
my primary focus today is to talk about issues relating to the
post-secondary education institutes and existing work force
already in business and Government agencies. That is an area
that needs to be addressed and very quickly.
For over 15 years DOE and DHS have asked us to provide ICS
cybersecurity training courses to private-sector businesses,
utilities, and Government agencies. The desired result was for
participants to become aware of the difference between IT and
OT networks and systems, how they interact with each other on
the job, the IT and OT experts on businesses, and to develop
projects within academia and industry to better understand the
issues surrounding the cyber education of the Nation's work
force--what are the impediments and influences in driving the
cyber health, if you will, of organizations. One of our latest
projects and documents you may have seen is in collaboration
with Idaho State University, La Trobe University, titled
``Building an Industrial Cybersecurity Workforce: A Manager's
Guide''. This is just a first attempt and first product that we
have developed to address the job roles required by ICS
professionals and how an organization may establish a capable
work force. NIST has recognized the value of our efforts and
has asked us to join them in building out their NICE framework
that focuses on IT cybersecurity and move it into and
incorporate segments and areas and issues surrounding the OT or
industrial control systems as well.
To further flush out issues that need to be addressed: We
have also established our own industrial cybersecurity
community to practice. One hundred fifty participants from the
universities, industries, organizations from around the Nation
and internationally to look at the issues.
The recurring issues that are most prominent and that need
to be addressed are, as I have listed in the testimony,
standardizing curriculum for cyber degrees, establishing a
shared repository for cybersecurity curriculum so that all
institutes, large and small, can have access to it. But our
main focus here is to--and we recommend the focus of energy to
help industry organizations understand what their actual cyber
job roles are and the educational needs. We find many don't
even understand what their organizations need in cyber job
roles and leading to the education of those individuals, and
also how to hire the right individuals.
There are many other issues out there that need to be
addressed, but those are the two areas that we need to look at.
I appreciate the opportunity to testify and I want to thank
you again for your attention to this very important issue of
our Nation and I look forward to your questions on
cybersecurity and the work force and increasing the flow of the
cyber talent pipeline.
[The prepared statement of Mr. Ley follows:]
Prepared Statement of Ralph F. Ley
July 29, 2021
Chairwoman Clarke, Ranking Member Garbarino, and Members of the
committee, it is an honor and privilege to be with you today. My name
is Ralph Ley, and I am the department manager for workforce development
and training within the national and homeland security directorate at
Idaho National Laboratory (INL). I'm grateful for the opportunity to
testify on issues regarding the Nation's cyber talent pipeline and ways
to ensure our workforce is ready to meet future threats.
I want to thank this subcommittee for addressing what we believe is
a foundational workforce development and education issue facing this
Nation from the standpoint of a continuously changing cyber threat
landscape requiring professionals who have career-long access to
updated curriculum containing new tactics, techniques, and procedures
to sufficiently protect their networks and systems.
Our conversation today is an important step forward for
establishing a unified team with a focused approach toward implementing
solutions to cyber workforce issues and progress--our security will
benefit from this unified effort, it is greatly needed and appreciated.
INL's Nationally-recognized expertise in industrial control systems
(ICS) or operational technology (OT) cybersecurity stems from its long
history and primary mission to conduct research, development, and
demonstration of solutions that assure the advancement of nuclear
energy, clean energy, and critical infrastructure protection
technologies. From the beginning related infrastructure were full of
control systems to ensure their safe and efficient operations. My
department takes great pride in having the opportunities and
responsibilities to lead, influence, and execute a broad portfolio of
educational programs and research which address cybersecurity issues
and workforce development needs.
For over a decade Department of Energy (DOE) and Department of
Homeland Security (DHS) Cybersecurity and Infrastructure Security
Agency (CISA) sponsored ICS cybersecurity training courses have been
conducted at INL in immersive classroom and hands-on learning
environments. The target audience has been primarily private-sector
businesses and utilities who need their staff to understand the
differences between protecting IT and OT networks and systems. Simply
put, IT cybersecurity is based on keeping a business's information
readily available, accurate, and dependable, whereas OT cybersecurity
lives in a cyber-physical world manipulating businesses assets which
can impact production and throughput/output of materials. These
sponsored courses offered by INL are designed to bridge the knowledge
gap by bringing together people who operate either their company's IT
systems or OT systems and force them to work together in realistic work
settings. The results of these courses accompanied by the significant
increase in recent threats to OT systems has contributed heavily to
industry's awareness, or better described--awakening--to the need for
improved OT cybersecurity practices accompanied by established
standards for workforce development and training.
Processes and procedures for securing IT systems are well-
documented in a wide variety of general overarching best practices and
some industry-specific standards. The same guidance has been late
coming for securing OT systems, however this guidance is now much more
readily available than even just a few years ago. Along with
established cybersecurity procedures or standards has been guidance on
what education and training is required by cyber professionals to
implement these new measures.
The National Institute of Standards and Technology (NIST) National
Initiative for Cybersecurity Education (NICE) workforce framework,
often referred to as the NICE Framework, is arguably the most well-
known cybersecurity education and training standard. It addresses the
education and training needs of the cybersecurity workforce by
providing common vocabulary for the field and a detailed list of
cybersecurity Knowledge, Skills, Abilities, and Tasks (KSATs) for each
identified cyber work role. While the NICE Framework is intended to be
applicable to a wide range of cybersecurity workers in an organization,
IT roles and IT KSATs are ultimately the focus of the competency
recommendations provided. As IT and OT systems become increasingly
connected and vulnerabilities associated with both increases, the need
to extend the framework to incorporate ICS systems has begun.
INL in collaboration with academic and industry partners has
endeavored to assist in the efforts to address the lack of a similar
framework and KSATs for OT work roles. A major first step was INL's
collaboration with Idaho State University (ISU) and La Trobe University
(LTU) in a two-phased project resulting in the ``Building an Industrial
Cybersecurity Workforce: A Manager's Guide''. This non-prescriptive
document is a first step toward identifying the unique knowledge and
job roles required of ICS professionals and establishing a capable
workforce. NIST has recognized the value of this effort and has
requested INL's participation in expanding the NICE Framework to
incorporate OT roles and OT KSATs.
Lack of recognized OT job roles and associated KSATs has had a
definite influence on the existing availability of OT-specific
workforce training offerings. Years of research and development of
education and training courses for CISA, DoD, and industry,
collaboration with academic institutes, and interviewing students
identified other potential influencers that appeared to be impeding the
flow of the IT and OT cyber talent workforce pipeline. To validate
INL's findings, we created a joint INL-ISU Industrial Cybersecurity
Community of Practice (ICSCOP) recurring workshop and invited over 150
representatives from universities, Government entities, and industry
experts to participate. Participants were provided presentations on two
known cyber workforce issues: (1) Curriculum Standards for ICS cyber-
related degree programs, and (2) ICS workforce development factors. The
resulting group discussion by participants validated previously
identified influencers and established working groups to address
solutions. Influencers span IT and OT topics and included:
First, standardized curriculum. There needs to be standard
curriculum requirements for cyber-related degree programs, IT-
and OT-focused, offered by academic institutes. For example,
the requirements to attain a degree in cybersecurity varies
from university, to university making is hard for employers to
know the level of competency of any individual possessing such
a degree and seeking employment. Lack of standards also leave
the individual unsure of their qualifications for jobs solely
based on the degree.
Second, employers do not understand the existing
cybersecurity-related tasks their employees are responsible for
in their daily jobs. This makes it impossible to know what each
employee's cyber education and training requirements are or to
create a roadmap for improvement. It also makes it difficult to
identify if there is a need to hire additional staff to address
unfilled cyber job roles. Employers require a holistic process
that can assist with identifying the existing cyber job roles
of their employees, identify potential personnel gaps, suggest
individual cyber education and training roadmaps, and link the
level of education of employees to the cyber ``health'' of the
organization.
Third, Human Resource (HR) departments do not possess the
necessary tools to identify and hire the best candidate for a
cyber-related job position. They are forced to use the same
hiring methods as other positions within their business:
Reviewing resumes and conducting interviews. Although academic
institutes cannot create different degree programs tailored
specifically for each individual business's needs, skills
testing matched to standardized KSATs would assist employers
with this issue and provide academic institutes a view of the
most requested cyber skills by employers to adjust degree
programs.
Fourth, as mentioned previously, the pace of new
cybersecurity emerging threats, new technology,
vulnerabilities, etc., is faster than most of the existing
board certification processes used by academic institutes to
approve updated curriculum. This makes it harder for academic
institutes to rapidly update materials and offer students
programs with the most recent information. A central
clearinghouse for approved new ICS cyber-related curriculum
readily available for academic institutes to adopt if desired
may be one solution.
Fifth, closely aligned with the first influencer is the lack
of availability of standardized hands-on or near-hands-on
training apparatus for ICS cybersecurity education programs,
especially in rural geographical areas. A shared repository of
curriculum and capabilities provided in a hub-and-spoke
regional model where all academic institutes benefit from a
National repository of resources is the needed.
Sixth, the existing workforce needs continuing education
options from local academic institutes other than the time-
consuming and expensive solution of employees obtaining another
degree. The continuing education options must be trackable by
individuals throughout their cyber careers and identify for
employers the currency of the education the person has
received. Academic institutes have begun establishing their own
educational badge and/or credential systems. A recognized
National standard for these systems is needed before employers
will put stock in the validity of these necessary systems.
Outcomes from the ICSCOP workshops and working group meetings are
not limited to validation of influencers impeding the flow of the cyber
talent pipeline. INL is working with State and local government
entities, academic institutes at all levels of education, and business
around the State as collaborators and sounding boards of the workforce
development solutions explored. The thought process to this approach is
that if solutions can work in one State, they have a high probability
of working in others.
An example of these activities is the Associate Lab Director for
N&HS is a co-chairperson on a new task force led by the Idaho
Department of Commerce. The purpose is to make Idaho the most secure
State against cybersecurity attacks aimed at businesses, Governmental
entities, institutions, and citizens which will substantially improve
and protect our growing economy. Activities include coordinating,
informing, and training Idahoans across the State as to safeguards and
resources from the perspective of many experts and interested groups.
Recommendations from the task force will inform the Governor,
legislature, and other stakeholders on major cybersecurity threats and
opportunities for Idaho. This effort can easily be replicated by other
States desiring a collaborative approach to addressing cybersecurity
issues.
Other efforts include Idaho National Laboratory (INL) in
collaboration with industry, academia, and the science and research
communities kicked off a multi-year Idaho Cyber Research Project
(ICRP). This project is designed to apply existing solutions to some of
the major influencers. A small army of interns (20 to 30) from Idaho
universities and 2-year colleges are assisting INL staff by visiting
organizations desiring assistance with cyber ``health'' issues and
providing potential solutions. Solutions include using tools that can
provide a cyber workforce evaluation resulting in cyber training paths
validated by job roles for employees, assistance implementing new
approaches to hiring cyber candidates and current employee cyber skills
testing, cyber job posting solutions, consideration of apprenticeship
opportunities, creating a workforce cyber competency profile for a
business, and collaboration opportunities with academic institutes
desiring partnerships to improve cyber curriculum offerings to their
sector-specific needs. Solutions that resonate with local entities and
are validated will be briefed at future ICSCOP meetings to discuss
options for adoption by a broader audience.
Finally, I would like to note that there are other issues facing
the cyber workforce talent pipeline, but the ones listed are, in our
opinion, the most problematic and biggest hinderances to a smoothly
flowing talent pipeline. Many entities are working separately on
solutions to the influencers I have outlined. This approach lends
itself to creativity and flexibility with the multiple solutions
offered to fit various entities needs; however, this approach can also
lead to duplicative efforts and inefficient spending of scarce funds.
We are seeing this issue arise with Federal and DoD entities. The CISA
office of Cybersecurity Defense Education and Training (CDET) is
uniquely poised to implement and manage National cyber workforce R&D
programs along with education and training courses. CDET should be
looked to as the lead office for all CISA workforce development
efforts. DoD should establish a similar, joint office and directly
collaborate with CDET for efficiency.
INL stands ready to assist as needed in this Nation's efforts to
increase the cybersecurity posture of all citizens whether through
workforce development and education or bringing to bear its ICS
cybersecurity control systems experts, cyber researchers, engineers,
and threat analysts.
I appreciate the opportunity to testify, and I want to thank you
again for your attention to this very important issue for our Nation. I
look forward to your questions.
Chairwoman Clarke. I thank you, Mr. Ley, for your
testimony.
Finally, I recognize Mr. Stier to summarize his statement
for 5 minutes.
STATEMENT OF MAX STIER, PRESIDENT AND CEO, PARTNERSHIP FOR
PUBLIC SERVICE
Mr. Stier. Thank you, Chairwoman Clarke and Ranking Member
Garbarino. It is a real pleasure to have the opportunity to
testify before you this morning on such an important issue.
Cybersecurity is so vital and our Federal Government is
central to addressing this issue. My focus, as you indicated in
the summary, of the Partnership for Public Service will be on
the Federal work force. We are a nonpartisan, nonprofit
organization really focused on better Government for a stronger
democracy. We have been working on the issue of cyber for some
time now.
Just to give one stat that helps demonstrate how big the
problem is, if you look at the cyber work force in the Federal
Government right now, under 6 percent of it is under the age of
30. So to be real clear, it is just extraordinary. There is no
generational diversity more broadly.
There are five reasons for this. The first is that the
Federal Government's brand is damaged. Government shutdowns,
hiring freezes, negative rhetoric, political interference in
science, all these things have tarnished the brand. Second, the
opportunities for young people to serve are hidden and scarce.
Again, a devastating statistic. Just 4 percent--4 percent of
new hires are drawn from Federal programs employing current
students and recent graduates. So Government rarely gets talent
coming in that is young, bluntly. No. 3, the hiring process is
broken and the barriers to entry are many--could spend all 5
minutes on this, and I am going to pass unless you want more
detail later--100 days-plus to hire people and the assessment
processes are broken. Very importantly and often overlooked,
this is No. 4, we are not retaining the talent that we get. So
if you look at those full-time employees under the age of 30
who are leaving Government, three-quarters of them are leaving
within 2 years. So if you do everything right on the front end
and you don't address the retention issue, you actually don't
solve the problem. Fifth, critically, the diversity is bad
across the Federal work force, but it is much, much worse in
the cyber arena.
Now, cybersecurity has been on the GAO high-risk list since
1997. we need to do more than admire this problem. Ranking
Member Garbarino, I loved your point, let us have some concrete
things to do. I am going to give you 10 of them.
First and foremost, most important, we need to create
higher expectations for the leadership in Government, and that
includes, bluntly, Congress as well. We need leadership to pay
attention and to see it as their responsibility to own getting
the right talent into Government. By and large they don't do
that and it is a big problem.
No. 2, we need the leaders in Government to actually have a
very different level of understanding around technology. I am
not talking about obviously the CIOs and the CTOs. The general
program leadership more broadly in the world that we live in
today has to have a sophistication and fluency in technology
that is often missing. They need to be upscaled or different
people need to be brought in.
Third, and equally important, we need more sustained
leaders. Right now a Senate-confirmed appointee lasts only 2
years on average. It is impossible, bluntly, to make a
difference on these management issues like cyber without a
longer-term tenure for leaders. So a very concrete example,
Secretary Granholm wants to have a CESER career leader in there
rather than a political appointee. That is very smart.
No. 2, we need to utilize innovative talent models like our
cyber talent initiative. Happy to describe that in greater
detail.
No. 3, we need to promote the Government mission. People
will come to Government if they understand they are serving the
American people. NASA does a great job. They have a custom-
built career website that includes videos of what they do. We
produce a program called a Service to America Medals. We need
to be able to highlight the great things people can do if they
are in Government.
No. 4, we have got to improve the recruiting and hiring to
begin with. We had the National Commission on Military National
Public Service. They did a fantastic job. Lots of
recommendations that are ready for legislation now and they
should be done. We should have exit interviews of those in the
cyber fields so we are understanding why we are not holding
onto talent that we need.
No. 5, we need to get more young people in Government. Here
this is basic strategy. Student internships ought to be the
primary entry hiring for Government. They are not right now.
They need to be paid internships or else we are not going to
get the diverse talent.
No. 6, we need to overhaul the pay system more broadly in
Government and certainly around cyber. Know that this pay
system in Government was designed in 1949. It is not
sufficiently market-sensitive. That is a real problem.
Seven, we have got to invest in the H.R. work force or you
won't have these people coming in. We need an enterprise
strategy.
Eight, we need to embrace a culture that has technology and
innovation collaboration that is central. That is a leadership
issue. I mentioned DEI as being critical in this work force
strategy.
Ten, coming back around to the leadership side, we need
continued oversight from this committee, we need to see this as
an annual hearing, we need to see you visiting agencies that
are doing well, and we need you looking out for the Government
brand.
As fast as I can talk. Look forward to questions.
[The prepared statement of Mr. Stier follows:]
Prepared Statement of Max Stier
July 29, 2021
introduction
Chairwoman Clarke, Ranking Member Garbarino, and Members of the
Subcommittee on Cybersecurity, Infrastructure Protection, and
Innovation, thank you for the opportunity to appear before you today to
discuss the importance of building a robust cybersecurity talent
pipeline.
The Partnership for Public Service is a non-partisan, non-profit
organization dedicated to inspiring public service and increasing the
efficiency and effectiveness of the Federal Government. The Partnership
was founded on the premise that any organization's best asset is its
people.
Cybersecurity, a critical element of any organization's resilience,
has been indispensable to the Federal Government's response to the
COVID-19 pandemic. Early in the pandemic, security considerations moved
to the forefront as more employees than ever before worked and accessed
agency information networks remotely and used digital tools to continue
operations and service delivery. As the Federal Government thinks about
the future of work, it is clear that cybersecurity will remain at the
forefront. And, of course, there are moments of crisis in securing the
Nation's cyber infrastructure--the SolarWinds cyber attack in 2020 and
the Colonial Pipeline hack in May 2021 illustrate the importance of
having Federal cyber experts who can respond quickly to an increasingly
sophisticated threat landscape.
Although these cyber attacks shine a fresh spotlight on the
country's vulnerabilities, cybersecurity has been identified as a GAO
High-Risk List area since 1997.\1\ Despite being on the list for 24
years, there remains a Nation-wide shortage of highly-qualified
cybersecurity specialists, and the Federal Government has fallen behind
in the race for this talent. Amidst the growing demand for cyber
professionals, agencies have struggled to recruit, hire, retain, and
train workers in the cybersecurity field. Many of the personnel issues
confronting the cybersecurity workforce are endemic in the Federal
system that makes recruiting and retaining the best and brightest
talent in any career field a formidable challenge. To protect the
country against current and future threats, Congress must focus on
revitalizing and investing in the Federal cyber workforce.
---------------------------------------------------------------------------
\1\ Senate Committee on Homeland Security and Governmental Affairs,
``GAO's 2021 High Risk List: Addressing Waste, Fraud, and Abuse,''
March 2, 2021. Testimony from Eugene L. Dodaro, Comptroller General of
U.S. Government Accountability Office. Retrieved from https://
www.hsgac.senate.gov/gaos-2021-high-risk-list-addressing-waste-fraud-
and-abuse.
---------------------------------------------------------------------------
The Partnership offers a variety of programs that allow us to work
with Federal employees to strengthen their leadership skills, prepare
them to build strong teams and work across organizational boundaries.
We also work with agencies on issues such as attracting top talent,
engaging and supporting their workforce, and fostering innovation. For
example, our cross-sector Cybersecurity Talent Initiative \2\ is a
partnership with MasterCard, Microsoft, and Workday that provides
students in cybersecurity-related fields with public and private-sector
work experience. This program guarantees students a 2-year placement at
a Federal agency with cybersecurity needs and provides agencies with
capable talent to address current and emerging challenges. Through
these initiatives, we help Federal leaders and agencies achieve better
outcomes for the people they serve.
---------------------------------------------------------------------------
\2\ Cybersecurity Talent Initiative. Retrieved from https://
cybertalentinitiative.org/.
---------------------------------------------------------------------------
For the past decade, the Partnership's research has highlighted
strategies and opportunities for Government to build a more capable
cyber workforce. For instance, our 2009 ``Cyber In-Security'' report
outlines factors hampering Government's ability to build an efficient
and effective cybersecurity workforce.\3\ Our 2015 supplementary
report, ``Cyber In-Security II,'' outlines key findings and strategies
to help Government build a capable cyber workforce and close the
Federal talent gap.\4\
---------------------------------------------------------------------------
\3\ Partnership for Public Service, ``Cyber In-Security,'' July
2009. Retrieved from https://ourpublicservice.org/publications/cyber-
in-security-strengthening-the-Federal-cybersecurity-workforce/.
\4\ Partnership for Public Service, ``Cyber In-Security II,'' April
2015. Retrieved from https://ourpublicservice.org/publications/cyber-
in-security-ii-closing-the-Federal-talent-gap/.
---------------------------------------------------------------------------
challenges facing the federal cyber work force
Unpacking the data on the Federal cybersecurity work force reveals
different stories across the Government. There are areas of growth,
including in Government-wide totals--the number of full-time Federal
cyber employees increased by 7.85 percent between September 2016 and
September 2020. Over the same period, the Federal work force overall
increased by 3.66 percent.
However, there are concerning trends in other areas of the cyber
workforce. For example, some agencies saw declines in full-time
employees--the Department of Agriculture's cyber workforce decreased
from 3,300 employees in September 2016 to 2,700 in September 2020,
while at the Department of Labor it decreased from 750 to 660 employees
in the same time frame.\5\
---------------------------------------------------------------------------
\5\ Statistics on Federal employees are drawn from Office of
Personnel Management FedScope data on the Federal workforce unless
indicated otherwise.
---------------------------------------------------------------------------
Government also faces challenges in recruiting, hiring, and
retaining a cyber workforce that looks like the American public. For
example, 50.8 percent of the U.S. population identifies as female;\6\
however, in September 2020, just 25.4 percent of the full-time Federal
cyber workforce identified as female, compared to 43.2 percent
Government-wide.
---------------------------------------------------------------------------
\6\ U.S. Census Bureau. Retrieved from https://www.census.gov/
quickfacts/fact/table/US/PST045219.
---------------------------------------------------------------------------
The Federal cybersecurity workforce is also older than the U.S.
labor force. The percent of full-time cyber employees under the age of
30 steadily increased from 4.1 percent to 5.7 percent between September
2014 and September 2020; however, this still lags behind the almost 20
percent of the employed U.S. labor force in 2020 that is under age 30.
To revitalize the cyber workforce, the administration and Congress
must address both immediate and long-standing problems. Key data points
from the overall Federal workforce signal the urgent need for attention
to this vital National asset. These trends are not new but will be
harder to fix the longer we wait:
In the Federal IT workforce, there are 16 times more
employees over the age of 50 than under age 30.
Roughly one-third of full-time employees on board at the
beginning of fiscal 2019 will be eligible to retire by the end
of fiscal 2023.
Use of the Federal Pathways intern program, which should be
a main pipeline into Federal service, has plummeted. According
to the fiscal 2020 budget request, the number of new hires of
student interns fell from 35,000 in 2010 to 4,000 in 2018.\7\
---------------------------------------------------------------------------
\7\ ``Analytical Perspectives, Budget of the U.S. Government,
Fiscal Year 2020,'' March 18, 2019, p. 77. Retrieved from https://
www.govinfo.gov/content/pkg/BUDGET-2020-PER/pdf/BUDGET-2020-PER.pdf.
---------------------------------------------------------------------------
Of the full-time employees under 30 who voluntarily quit
Federal service in fiscal 2019, over 73 percent did so with
less than 2 years of Federal tenure, suggesting that many young
people do not have a positive work experience in the Federal
Government or lack sufficient incentives to stay in Federal
service.
Data also shows major diversity challenges in the Federal
workforce, which grow even greater at the higher echelons of
service. For example, only 35.5 percent of the career Senior
Executive Service are female, and only 22.7 percent of the
career SES are people of color.
The 2020 Best Places to Work in the Federal Government� \8\
employee engagement score was 69 out of 100, lagging behind the
private sector by more than 8 points and suggesting that more
can be done to cultivate a highly engaged, high-performing
Federal workforce.
---------------------------------------------------------------------------
\8\ Partnership for Public Service, Best Places to Work in the
Federal Government�. Retrieved from https://bestplacestowork.org/.
---------------------------------------------------------------------------
It takes the Government an average of 98 days to bring new
talent on board--more than double the time in the private
sector.\9\
---------------------------------------------------------------------------
\9\ Office of Personnel Management, ``OPM Issues Updated Time-to-
Hire Guidance,'' February 2020. Retrieved from https://www.opm.gov/
news/releases/2020/02/opm-issues-updated-time-to-hire-guidance/.
---------------------------------------------------------------------------
About 83 percent of major Federal departments and agencies
struggle with staffing shortages and 63 percent report gaps in
the knowledge and skills of their employees.\10\
---------------------------------------------------------------------------
\10\ Office of Personnel Management, ``2018 Federal Workforce
Priorities Report,'' February 2018. Retrieved from https://www.opm.gov/
policy-data-oversight/human-capital-management/Federal-workforce-
priorities-report/2018-Federal-workforce-priorities-report.pdf.
---------------------------------------------------------------------------
According to the Survey on the Future of Government
Service,\11\ just 32 percent of respondents say their agency
has a strategic recruitment plan that is aligned to its
workforce needs.
---------------------------------------------------------------------------
\11\ ``Survey on the Future of Government Service,'' October 13,
2020. The survey is a collaborative effort by the Partnership for
Public Service, the Princeton School of Public and International
Affairs at Princeton University, the Center for the Study of Democratic
Institutions at Vanderbilt University and Georgetown University.
Retrieved from https://ourpublicservice.org/publications/survey-on-the-
future-of-government-service/.
---------------------------------------------------------------------------
the importance of strengthening government's cyber workforce
Federal jobs offer mission-driven work with opportunities to help
solve the biggest challenges facing our Nation. Our Government needs
cyber talent to secure our National security and economic interests,
and help the country rise to the significant challenges of the day and
prepare for what lies ahead. In particular, the dearth of young civil
servants represents a lost opportunity for our Federal Government as
well as the Nation's young professionals.
The Federal Government not only needs to work harder to recruit and
hire great talent, but also create an environment that retains high-
performing employees. Fundamental reforms to the Government's
antiquated pay and classification system--or more targeted personnel
systems, such as the DHS cyber personnel system--would better equip the
Government to compete for cyber talent. Even within the constraints of
the Federal pay system, though, our Government can pursue multiple
strategies to make the Federal Government the employer of choice not
only for entry-level talent but also for mid- and senior-level talent.
There are many reasons why Government is failing to recruit and
retain talent, especially young people, and the problems are deep-
seated:
The Federal Government's brand is damaged.--Government shutdowns,
hiring freezes, and negative rhetoric have hurt the image of Government
and the people who serve. An Axios Harris poll in March 2019 examined
the reputation of America's 99 most high-profile companies and the
Federal Government, and the Government ranked dead last.\12\ That was
before a pandemic further eroded public confidence in Government.
---------------------------------------------------------------------------
\12\ The Harris Poll, ``Axios Harris Poll 100,'' 2019. Retrieved
from https://theharrispoll.com/axios-harrispoll-100-2019/.
---------------------------------------------------------------------------
Opportunities for young people are hidden and scarce.--Many
students do not know about compelling career opportunities in
Government or how to apply for them. In addition, Government hiring
processes have historically shown a disproportionate preference for
experienced professionals, limiting opportunities for promising young
talent. For instance, internships are underused across the Federal
Government and just 4 percent of new hires are drawn from Federal
programs employing current students and recent graduates. An added
challenge for the cyber community is that candidates often find it
difficult to enter the Federal workforce due to poor advertisement of
available cyber opportunities in Government. This is largely due to the
antiquated way these jobs are classified and outdated position
descriptions that do not accurately depict the skills and knowledge
necessary for the role.
Barriers to entry abound for job candidates. An unintuitive on-line
jobs portal in USAJOBS, a 70-year-old compensation system, and a time-
to-hire average of nearly 100 days all make it difficult for Government
to attract top talent. Government may always struggle to match private-
sector salaries, but it must do better on multiple human resource
fronts in the competition for mission-critical talent.
We are failing to adapt to the needs of a more mobile workforce.--
Our Federal personnel system is geared to the model of the lifetime
Federal employee. We value and need those who want to dedicate their
whole careers to Federal service. But we also must seize opportunities
to recruit those who want to serve for shorter durations, especially as
younger workers increasingly want more mobility in their careers. Just
35 percent of millennials expect to stay with their current employer
for 5 or more years, but there were notable correlations between those
who did plan to stay and those who believe their employers perform well
on issues related to financial performance, community impact, talent
development, and diversity and inclusion.\13\
---------------------------------------------------------------------------
\13\ Deloitte, ``The Deloitte Global Millennial Survey 2020,'' June
25, 2020. Retrieved from https://www2.deloitte.com/global/en/pages/
about-deloitte/articles/millennialsurvey.html.
---------------------------------------------------------------------------
Undergirding these challenges is the need for a heightened
commitment to diversity, equity, and inclusion.--While the Federal
Government outperforms many private-sector organizations on this front,
there is room for improvement in Federal leadership ranks. Among career
leaders in the Government's Senior Executive Service (SES), just 36
percent are female and only 23 percent identify as people of color. And
among SES leaders in STEM, just 26 percent are female and only 18
percent identify as people of color. Federal agencies need to do more
to provide and promote opportunities to underrepresented communities
and ensure that our Government mirrors the people it serves.
Altering the status quo will not be easy but it will be critical to
the Nation's future. And this moment in time offers a rare convergence
of opportunity: A Federal workforce which has dramatically changed the
way it works over the past year and is primed for adaptation amid the
staggering health, social, and economic challenges it must take the
lead in tackling; and the rise of Generation Z, which is
technologically adept and hungry to make a difference.
The past year has shown the dedication, resiliency, and
resourcefulness of the Federal workforce. At many agencies, most
Federal employees shifted quickly to telework as the pandemic spread,
while others bravely remained on the front lines in jobs that cannot be
performed remotely. On all fronts, Federal workers have found
innovative ways to serve the people during the pandemic. Thus, out of
crisis comes opportunity. We have a once-in-a-generation moment to
transform the workforce and the way it works, and to inspire Americans
to enter public service.
Both the world and the workplace are rapidly changing. In the post-
pandemic era, we must not go back to the old ways of doing business
when the new ways make more sense. We should seize this moment to
modernize the ways in which Government operates, which in many
instances are predicated on laws and practices that are decades old and
out of sync with today's fast-paced digital economy and invest in a
cybersecurity workforce for the future.
solutions for building the cyber talent pipeline: what can congress do?
Here are ten ways that Congress can accelerate this revitalization
and transformation of the Federal cyber workforce:
(1) Create high expectations for Federal leaders.
A transformation of the workforce and how Federal employees do
their jobs will not be possible without also reimagining leadership in
the Federal Government. Good leaders motivate and advocate for their
employees, build trust and create the conditions necessary for
employees to perform at their best. The civilian side of Government
should take a lesson from the military side, where people are viewed as
an asset, not a cost, and where investments in leadership development
are critical to the strategy for success.
In 2019, the Partnership developed the Public Service Leadership
Model,\14\ recognizing the unique nature of leadership in Government,
centered on stewardship of public trust and commitment to public good.
We believe this model should be the standard for leaders--both career
and political--across the Federal Government. The model identifies the
core values that leaders must prioritize and the critical competencies
they must master to achieve their agencies' missions and desired
impact. These include setting a vision, empowering others and being
accountable for results. We were proud to create this model with a
nonpartisan group of distinguished leaders from across sectors, and in
the months to come we hope to work with Congress, the Executive branch
and others to improve and measure overall leadership effectiveness.
---------------------------------------------------------------------------
\14\ Partnership for Public Service, Public Service Leadership
Model. Retrieved from https://ourpublicservice.org/our-work/public-
service-leadership-model/.
---------------------------------------------------------------------------
Congress also should hold political and career Federal leaders
accountable not only for owning policy but also for the organizational
health of their agencies. In many cases, agencies and bureaus could
benefit from career executives at the helm--nonpartisan, professional
leaders who can provide needed stability and deep expertise. An example
of this is the Department of Energy's Office of Cybersecurity, Energy
Security, and Emergency Response (CESER), which is currently helmed by
a career civil servant. Our Government has over 4,000 politically-
appointed positions, with roughly 1,200 of them subject to Senate
confirmation, and the process for selecting, vetting, and appointing
them is complex, inefficient, and time-consuming. We encourage Congress
to consider reducing the number of political appointees and creating
more opportunities for career experts to lead.
In addition to taking ownership of the health of the workforce,
political and career programmatic and policy leaders in Government
today must also have a familiarity with technology and cybersecurity
issues in order to focus on key priorities and make informed choices.
That's why the Partnership created the AI Federal Leadership Program in
2019. This 6-month, complimentary program is meant to help Federal
leaders (specifically members of the SES) better understand the needs
and opportunities around artificial intelligence, and prepare them to
integrate this technology with policy and program implementation. This
program is another cross-sector effort with technology leaders,
including Microsoft, Google, and the Ford Foundation.
With respect to the workforce, Congress should hold political
appointees responsible for recruiting and retaining highly-qualified
talent, developing future leaders, engaging employees, and holding
subordinate managers accountable for addressing performance. Congress
should urge agency leaders to use the annual Federal Employee Viewpoint
Survey and the Best Places to Work in the Federal Government� rankings
to drive better results in their agencies. Employee engagement is not
just about happy employees. Higher scores in employee engagement equate
to better performance and higher-quality service, which in turn become
valuable recruiting tools. For example, in a recent analysis of
performance data from nearly 150 Department of Veterans Affairs
hospitals across the country, the Partnership found that higher patient
satisfaction, better call center performance and lower nurse turnover
were all associated with a more satisfied and committed workforce.\15\
---------------------------------------------------------------------------
\15\ Partnership for Public Service, ``Employee engagement is more
than just a survey,'' March 2, 2020. Retrieved from https://
ourpublicservice.org/blog/employee-engagement-is-more-than-just-a-
survey/.
---------------------------------------------------------------------------
Congress and the administration should also embrace the bold goal
of closing the over 8-point gap between the Government and the private
sector in the Best Places to Work in the Federal Government� engagement
index, and even increasing the Federal score over the private-sector
score. The Government has a powerful asset in having a mission-driven
workforce. This purpose-driven work, if combined with excellent
leadership, will lead to much more engaged employees and better
outcomes for the American public.
(2) Utilize innovative talent models.
To attract talent at all levels, Congress and the administration
should work together to create new and innovative pathways--and expand
existing ones--for diverse mission-critical talent to join public
service through fellowships, talent exchanges, and service corps.
In 2019, the Partnership collaborated with Mastercard, Microsoft,
Workday, and a dozen Federal agencies to establish the Cybersecurity
Talent Initiative, which aims to build the next generation of cyber
leaders for our country. This innovative cross-sector opportunity
enables recent graduates to spend 2 years working for and receiving
training in the Federal Government in a cyber-related position. At the
end of 2 years, they will have an opportunity to apply for a position
with one of the corporate partners and, if hired, will be eligible to
receive student loan assistance up to $75,000 from their private-sector
employer. This model is the first of its kind. The inaugural class of
eight future cybersecurity leaders brings a variety of academic and
professional experience to five Federal agencies, and we anticipate
placing at least 25 participants across nine Federal agencies and
components for the second cohort.
One benefit of these efforts is that we are educating young people
about cyber careers across sectors and helping them learn about
organizations and missions they may have never heard of before. Other
Federal programs like the U.S. Digital Service, 18F, and Presidential
Innovation Fellows allow ``technical tours of duty'' with the Federal
Government and are unique in helping promote and respond to an
increasing desire for the next generation to be more mobile in their
careers. The programs provide a model for filling other ``hard-to-
fill'' positions in Government.
(3) Promote Government's mission.
Both the world and the workplace are rapidly changing. Our
Government needs a new generation of young people to serve in a data-
and technology-driven environment, with expertise in such sectors as
cybersecurity, technology, engineering, finance, and health care.
Making the Federal Government an ``employer of choice'' requires
greater awareness by the Government of what employees want in the
workplace, coupled with improved public perception of opportunities in
Federal service. As the Federal Government struggles to attract
students and recent graduates, it is clear that more must be done to
improve the Government's ``brand.'' Government shutdowns, hiring
freezes, and negative rhetoric damage the image of Government and the
people who serve.
The Federal Government, because of budget constraints, will always
have a hard time competing with the private sector on pay, but agencies
almost always have an advantage in offering employees a sense of
mission. Our Best Places to Work� rankings regularly show that the
match between employee skills and agency mission is a key driver of
employee engagement, second only to effective leadership. Too often,
though, Federal job announcements are dry, confusing, and fail to
inspire. The Partnership has identified bright spots in marketing, such
as NASA's custom-built career website, which supplements USAJOBS and
showcases their mission, including through videos from current
employees sharing their stories.\16\ NASA understood that, to attract
professionals in STEM fields, the agency needed to set itself apart
from other employers by focusing on its unique mission and impact.
Other agencies, such as the Department of the Interior, leverage social
media platforms to promote their missions and the work of their agency.
---------------------------------------------------------------------------
\16\ Partnership for Public Service and Salesforce, ``Tech to Hire:
Transforming Federal H.R. Beginning with Recruiting and Hiring,''
October 3, 2018. Available at https://ourpublicservice.org/wp-content/
uploads/2018/10/TechtoHire.pdf.
---------------------------------------------------------------------------
The Federal Government needs to do more to showcase the incredible
array of professional opportunities it offers and to recognize the
accomplishments and innovation of the current workforce. Without
compelling and shared stories of success in Government, Government will
struggle to become an employer of choice for the tech-savvy, forward-
looking talent that it needs to attract.
This subcommittee can also play an important role in encouraging
Congressional colleagues to recognize the successes of the Federal
workforce. Federal employees are often blamed for policy failures, and
rarely acknowledged when things go right. One way to revitalize the
workforce is simply to change the tone and get away from the demeaning
rhetoric that frequently characterizes discussion of the Federal
workforce. Political leaders should celebrate outstanding
contributions, such as the remarkable achievements of the nominees and
winners of the annual Service to America Medals \17\ and the
Presidential Rank Awards.
---------------------------------------------------------------------------
\17\ Service to America Medals. Retrieved from https://
servicetoamericamedals.org/.
---------------------------------------------------------------------------
(4) Improve recruiting, hiring, and retention.
Congress should start the hard process of updating the legal
framework for the civil service, much of which dates back to laws
passed in 1949 and 1978. The Federal Government needs cybersecurity
experts, doctors, economists, and emergency response specialists, but
we have a personnel system designed for phone operators. The antiquated
system is an impediment to the Government's ability to meet the needs
of today's interconnected, technology-driven world and prepare for the
challenges of the future. A Government-wide initiative could help
agencies improve the hiring process so they can more easily attract,
assess, hire, and on-board highly-qualified applicants. This effort
should include simplifying and demystifying the application processes,
including the USAJOBS portal.
As a starting point, Congress should enact the civil service
recommendations of ``Inspired to Serve,'' the final report of the
National Commission on Military, National, and Public Service.\18\ On a
bipartisan and consensus basis, and after studying the Federal civil
service for over 2 years, the Commission issued last year a bold and
thoughtful set of recommendations for improving talent management,
including proposals to make Federal hiring more efficient. We urge
Congress to move forward on a bipartisan basis as quickly as possible
to enact these proposals. Some key Commission recommendations--and
ideas the Partnership has long supported--include:
---------------------------------------------------------------------------
\18\ National Commission on Military, National and Public Service,
``Inspired to Serve,'' March 25, 2020. Retrieved from https://
inspire2serve.gov/reports.
---------------------------------------------------------------------------
Establishing a civilian cybersecurity reserve program, as
proposed in the bipartisan Civilian Cyber Security Reserve Act
(H.R. 2894).
Allowing agencies to appoint Federal employees who have
successfully completed reskilling programs to positions in
their new field without the employee having to move to a lower
grade level, as proposed by the bipartisan Facilitating Federal
Employee Reskilling Act (S. 1330).\19\
---------------------------------------------------------------------------
\19\ This legislation was included in S. 1260, the U.S. Innovation
and Competition Act of 2020, which passed the Senate in June.
---------------------------------------------------------------------------
Amending the criteria for direct hire authority to enable
agencies to use this authority when they face a shortage of
highly-qualified applicants.
Expanding direct hiring authority for students and recent
graduates.
Modernizing the veterans' preference rules, which are
currently confusing for both agencies and veterans alike.
Improving the Pathways programs, which include the
Presidential Management Fellows and intern and recent graduate
programs.
The Government not only needs to work harder to recruit and hire
great talent, but also to retain it. Even within the constraints of the
Federal pay system, the Government can pursue multiple strategies to
make the Government the employer of choice not only for entry-level
talent but also for mid- and senior-level talent. When people do leave
Government, agencies should be collecting data on their reasons for
departing or taking another job. Currently, a Government-wide exit
survey exists only for the SES. Data on why people leave Government
will be instrumental in helping agencies better recruit and retain the
next generation. The surveys would be particularly useful in
understanding why almost half of people who quit working for the
Federal Government leave within 2 years.
(5) Get young people in Government.
Today's college students are interested in making a difference, but
those considering the Federal Government as a place where they can do
so face challenges in getting hired. Programs that Congress should
reinvigorate include the Pathways programs, which provide younger,
early career talent with exposure to and positive experiences working
in Government. Needed improvements include ensuring internships are
paid and easing agencies' ability to convert interns into full-time
positions. In addition to lifting the caps on the expedited hiring
authority for students and recent graduates, Congress should also
consider an ROTC-like program for Federal service and encourage
agencies to recruit on campuses.
The need to improve the hiring process is especially urgent for
cybersecurity jobs, where Government faces stiff competition for talent
with the private sector. The Federal Government's antiquated hiring
system is not designed to compete at the speed of private-sector
companies who can actively recruit and quickly hire young STEM and
cyber talent. Dr. Elizabeth Kolmstetter, NASA's Director of Talent
Strategy and Engagement, gave an example of one Texas A&M student who
met a SpaceX recruiter and was offered a job the same day, finalized
the offer over the weekend and moved to California the next week to
begin work.\20\ Kolmstetter also noted that in fiscal year 2018 about
61 percent of NASA's engineering vacancies, 87 percent of scientist
vacancies, and 86 percent of mathematics vacancies had fewer than three
qualified (not most qualified)\21\ applicants. The talent is out there,
and Government's mission remains more compelling than ever, but
agencies are losing out because the Federal hiring system isn't nimble
enough to compete with the private sector.
---------------------------------------------------------------------------
\20\ Testimony before the National Commission on Military,
National, and Public Service, ``Public Service Hearing: Critical Skills
and Benefits,'' May 15, 2019. Retrieved from https://inspire2serve.gov/
sites/default/files/2020-09/Kolmstetter%20Testimony_Public%20Service%-
20Hearing_Critical%20Skills%20and%20Benefits.pdf.
\21\ Qualification standards are ``a description of the minimum
requirements necessary to perform work of a particular occupation
successfully and safely,'' according to OPM.
---------------------------------------------------------------------------
(6) Overhaul the pay and classification system.
The Government's 1949 pay and classification system was designed
for clerical workers, not for the highly professional, specialized
skills that are needed in today's civil service. The lack of an
occupation-specific, market-based compensation system is particularly
damaging to the ability of the Federal Government to recruit and retain
scientists, many of whom have far more lucrative opportunities in the
private sector.
The OPM Handbook of Occupational Groups and Families contains 407
separate job series. The sophisticated cyber, IT, data science and STEM
skills that the Government badly needs were barely envisioned when the
system was created. We need broader pay-banding that allows agencies
the flexibilities to set more market-based, occupational-specific
salaries. Unique pay systems like that created under the authority of
the Financial Institutions Reform, Recovery, and Enforcement Act
(FIRREA) of 1989 are an acknowledgement that a rigid pay system does
not work. While the Federal Government will never be able to match
private-sector salaries for many positions, broader pay bands would
enable agencies the flexibility to attract the most critically-needed
talent.
The Partnership's report, ``Building the Enterprise: A New Civil
Service Framework,''\22\ laid out a new pay-setting process for the
Federal workforce. The modernized pay system would establish broad pay
bands for employees rather than rigid grades, better align salaries and
benefits on an occupation-by-occupation basis, set salaries based on
those comparisons and give agencies the flexibility to bring talent in
at the appropriate salary level. While this is a long-term effort,
allowing market-based pay for specific mission-critical occupations in
the near term is a place to start and would help attract and retain
needed talent. Again, the final report of the National Commission on
Military, National, and Public Service also endorses a comprehensive
modernization of the entire Federal talent management system.
---------------------------------------------------------------------------
\22\ Partnership for Public Service, ``Building the Enterprise: A
New Civil Service Framework,'' April 10, 2014. Retrieved from https://
ourpublicservice.org/publications/building-the-enterprise/.
---------------------------------------------------------------------------
The Partnership's recent studies reinforce the need for investment
in the Federal human resources workforce. For example, our ``State of
Renewal'' report lays out recommendations for improving the State
Department's talent management life cycle over 6 to 12 months, without
the need for any additional legislation, as well as changes that will
take longer and require Congressional action. Our report ``Time for
Talent: Improving Federal Recruiting and Hiring''\23\ lays out
practical approaches that agencies can take within the existing system
to attract mission-critical talent. And in ``Rapid Reinforcements:
Strategies for Federal Surge Hiring,''\24\ we identified strategies
that can help agencies when faced with circumstances that require a
rapid growth in the workforce, such as National emergencies, large-
scale attrition, new mission requirements, or the need for emergent
skills.
---------------------------------------------------------------------------
\23\ Partnership for Public Service, ``A Time for Talent: Improving
Federal Recruiting and Hiring,'' August 26, 2020. Retrieved from
https://ourpublicservice.org/publications/a-time-for-talent/.
\24\ Partnership for Public Service, ``Rapid Replacements:
Strategies for Federal Surge Hiring,'' October 29, 2020. Retrieved from
https://ourpublicservice.org/publications/rapid-reinforcements-
strategies-for-Federal-surge-hiring/.
---------------------------------------------------------------------------
(7) Invest in the H.R. workforce.
Agencies cannot move forward on these recommended strategies,
however, unless their human resource offices have the requisite skills,
capacity, and tools. There are outstanding and innovative H.R.
professionals across the Government, but there are also skills gaps in
their offices. They are often overwhelmed by responsibilities and the
complexities of Federal human capital law. Often, H.R. specialists are
not familiar with the authorities they have available to them, and do
not have the technologies, data, and analytical skills that would
better enable them to recruit and hire while also engaging in strategic
workforce planning for the future.
Congress should jump-start efforts to increase the skills and
professionalism of the Federal H.R. community by requiring OPM to start
providing technical training to H.R. specialists again, conducting a
review of overall training needs and how those needs can be met, and
funding IT needs of the H.R. community. Congress should also ensure
that agencies undertake strategic workforce planning and make sure that
Chief Human Capital Officers have a voice in the strategic and budget
planning processes so that agency leaders will be informed of the H.R.
needs necessary to carry out their policies and programs.
(8) Create a workforce culture that embraces technology, innovation,
and collaboration.
Our recent report ``Resilient: Keeping Your Wits--Workforce,
Innovation, Technology, Security--About You,''\25\ summarizes a survey
of 300 Federal leaders and a series of roundtable discussions on the
lessons of the pandemic. A key takeaway is that an agile workforce,
cutting-edge cybersecurity, modern technologies, and continual
innovation are all interdependent in creating resiliency in the Federal
Government. Also, when asked what a resilient Federal Government looks
like, more respondents linked resiliency to an agile workforce than the
other issue areas discussed in the report.
---------------------------------------------------------------------------
\25\ Partnership for Public Service, American Council for
Technology and Industry Advisory Council, and Meritalk, ``Resilient:
Keeping Your Wits--Workforce, Innovation, Technology, Security--About
You,'' January 25, 2021. Retrieved from https://ourpublicservice.org/
publications/resilientkeeping-your-wits-about-you/.
---------------------------------------------------------------------------
The success of the Federal workforce depends not only on the
quality of its talent and its leaders, but also on a culture where
employees are encouraged to try new ideas and make smart technology
investments. The new workplace environment must also involve more
collaboration between Federal, State, local, and Tribal governments and
the private and non-profit sectors.
Recognizing that revitalizing the Government requires attention to
leadership and stewardship, talent, innovation and technology, and
collaboration, the Partnership's ``Roadmap for Renewing the Federal
Government,''\26\ launched last fall, describes the challenges the
Government faces in each of these areas, bright spots showing
improvements, and needed solutions. The Roadmap provides a list of
actions that the Biden administration and Congress can take to begin
laying the groundwork for renewing the Federal Government, and the
issue pages on the website summarize proposals that we believe should
have the support of both Congress and the administration.
---------------------------------------------------------------------------
\26\ Partnership for Public Service, ``Roadmap for Renewing the
Federal Government. Retrieved from https://ourpublicservice.org/
roadmap-for-renewal/.
---------------------------------------------------------------------------
(9) Make diversity, equity, and inclusion a central part of workforce
strategy.
A commitment to diversity, equity, and inclusion must be a
cornerstone in the transformation of how the Government recruits,
hires, develops, and retains talent.\27\ The Partnership hears
consistently from current and former agency leaders that it is critical
to address this issue in the scientific and technical community. This
commitment ultimately leads to higher organizational performance by
ensuring the door is open for top talent and by enabling new and
creative ways of thinking that empower better decision making. Also, a
Government that better reflects its people also will increase public
trust in our democratic institutions.
---------------------------------------------------------------------------
\27\ For example, see Jennifer Miller, ``For young job seekers,
diversity and inclusion in the workforce aren't a preference. They're a
requirement,'' Washington Post, February 18, 2021. Retrieved from
https://www.washingtonpost.com/business/2021/02/18/millennial-genz-
workplace-diversity-equity-inclusion/.
---------------------------------------------------------------------------
President Biden has issued a memorandum prioritizing diversity,
equity, and inclusion as a National security imperative, in order to
ensure that critical perspectives and talents are represented in the
entire National security workforce.\28\ Congress should support these
efforts, and should help ensure that diversity, equity, and inclusion
are in the DNA of every department and agency in the Federal
Government.
---------------------------------------------------------------------------
\28\ President Joseph R. Biden Jr., ``Memorandum on Revitalizing
America's Foreign Policy and National Security Workforce, Institutions,
and Partnerships,'' February 4, 2021. Retrieved from https://
www.whitehouse.gov/briefing-room/presidential-actions/2021/02/04/
memorandum-revitalizing-americas-foreign-policy-and-national-security-
workforce-institutions-and-partnerships/.
---------------------------------------------------------------------------
(10) Continue oversight and get to know Federal employees.
The subcommittee today is helping to identify challenges and
opportunities facing the Federal cyber workforce. We encourage you to
make this hearing an annual occurrence. The subcommittee could follow
up by holding a hearing on agencies and subcomponents that are doing
well with cyber recruiting, hiring, and employee engagement to help
celebrate success and encourage replication.
Members of Congress should also get out to visit agencies and their
employees and hear from those on the front lines. Visiting Federal
employees where they work, whether at headquarters or in the field, is
one of the best ways to understand both the deep challenges facing the
Federal workforce and the incredible work that the Federal Government
does on behalf of the American people every day. Better yet, the vast
majority of Federal employees are located outside of Washington, in
every State and Congressional district, so they are also your
constituents.
Finally, policy makers should remember that they are stewards of
Government's brand. How Members of Congress discuss public servants
matters, especially when communicating with the next generation. When
speaking to students--in formal settings like commencement speeches or
simply in conversations with constituents--take the opportunity to
share Government's unique, mission-focused work and the vital role of
Federal employees.
conclusion
Congress has an opportunity right now to further drive bold
cybersecurity reforms to keep pace with the evolution of technology and
meet the challenges of today and tomorrow.
For this reason, we want to commend the bipartisan effort made by
this subcommittee to pass legislation that will strengthen the Nation's
cybersecurity.\29\ The State and Local Cybersecurity Improvement Act
(H.R. 3138)\30\ introduced by Chairwoman Clarke and Ranking Member
Garbarino will provide funding to ensure State, local, Tribal, and
territorial governments are securing their cyber environments. The
Cybersecurity Vulnerability Remediation Act (H.R. 2980)\31\ introduced
by Rep. Jackson Lee will allow the Department of Homeland Security to
continue mitigating cybersecurity weaknesses that exist due to
insufficient software or hardware. And the CISA Cyber Exercise Act
(H.R. 3223)\32\ introduced by Rep. Slotkin will strengthen the agency's
ability to fulfill its intended mandate by establishing a program to
assess and review CISA's preparedness and resilience to cyber attacks.
These measures will build upon work from the previous Congress to
improve Government's cyber capabilities and ensure the effectiveness of
CISA and other cyber components.
---------------------------------------------------------------------------
\29\ House Committee on Homeland Security, ``House Passes Thirteen
Bipartisan Homeland Security Bills, Including Cybersecurity Grant
Program,'' July 1, 2021. Retrieved from https://homeland.house.gov/
news/legislation/house-passes-thirteen-bipartisan-homeland-security-
bills-including-cybersecurity-grant-program.
\30\ H.R. 3138, ``State and Local Cybersecurity Improvement Act.''
Retrieved from https://www.congress.gov/bill/117th-congress/house-bill/
3138/text.
\31\ H.R. 2980, ``Cybersecurity Vulnerability Remediation Act.''
Retrieved from https://www.congress.gov/bill/117th-congress/house-bill/
2980/text.
\32\ H.R. 3223, ``CISA Cyber Exercise Act.'' Retrieved from https:/
/www.congress.gov/bill/117th-congress/house-bill/3223.
---------------------------------------------------------------------------
We also applaud the introduction of the Federal Rotational Cyber
Workforce Program Act by Senators Peters, Rosen and Hoeven in the
Senate (S. 1097)\33\ and Representatives Khanna and Mace in the House
(H.R. 3599).\34\ These bills would help the Federal Government better
train and retain cybersecurity professionals and provide Federal
employees with professional development opportunities that ensure the
Nation's future cyber needs are met.
---------------------------------------------------------------------------
\33\ S. 1097, ``Federal Rotational Cyber Workforce Program Act of
2021.'' Retrieved from https://www.congress.gov/bill/117th-congress/
senate-bill/1097.
\34\ H.R. 3599--117th Congress (2021-2022): ``Federal Rotational
Cyber Workforce Program Act of 2021.'' July 2021. Retrieved from
https://www.congress.gov/bill/117th-congress/house-bill/3599.
---------------------------------------------------------------------------
Thank you again for holding this hearing. Building a robust cyber
talent pipeline is a complex but necessary endeavor, and this testimony
only scratches the surface of the efforts that are needed across the
Executive and Legislative branches. We look forward to working with you
and your staff as you move forward with your legislative and oversight
agenda for the Federal cyber workforce in the 117th Congress.
Chairwoman Clarke. I thank all of our witnesses for their
testimony here today and I will remind the subcommittee that we
will each have 5 minutes to question the panel.
I now recognize myself for questions.
For Mr. Ley, the cyber attacks against the Oldsmar water
treatment facility and the Colonial Pipeline earlier this year,
coupled with on-going reports that our adversaries are using
cyber tools to target critical infrastructure have renewed
conversations about how to better defend our OT networks.
As employers gain a greater understanding of the gaps in
their OT cybersecurity work force, it is clear that employees
will need to be re-skilled or upskilled for these positions or
receive additional trainings through continuing education
programs.
What steps are necessary to facilitate access to the
trainings and certifications required for these positions?
Mr. Ley. It is a great question, Chairman Clarke.
The issues lies deeper than the access. There is a lot of
access to a lot of academic information training courses and so
forth. Again, what seems to be--surprised most folks--and we
have gone to many different organizations, energy companies,
water treatment facilities, to your point, businesses,
manufacturing companies, even municipalities, and when we talk
to them they really don't even really know where to start with
identifying the education that they need, what topics. I know
that sounds very strange, but we have developed methodology, we
have task analysis surveys, we use the NICE framework to ask
questions on what their folks do and where they touch cyber,
IT, and OT. Obviously they need to know that to know where to
send their folks and how to educate their work force and their
organizations. Consistently--consistently, they don't have an
idea.
So we developed a process and a tool set, not just ours but
in conjunction with other businesses that already have some of
these solutions out there, that can--entities, organizations
can utilize, even Government agencies, to sit down first and
start with identifying what are the educational needs of their
individuals. You can't fix a vulnerability, you can't fix or
mitigate a threat if your folks aren't even aware what they
should know and how to know that there is a threat even
targeted at----
Chairwoman Clarke. Thank you, Mr. Ley. Let me move on. We
have a short period of time, but we--to be continued.
Mr. Nolten, with support from additional discretionary
funding from CISA, cyber.org recently launched a K-12 feeder
program with Historically Black Colleges and Universities and
Minority-Serving Institutions to encourage more minority
students to seek cybersecurity degrees.
Please elaborate on how this program will work and the
goals you have for it. With additional Federal support how
would you be able to expand your efforts to reach more students
of color?
Mr. Nolten. Great question, Chairwoman Clarke.
Cyber.org's HBCU feeder program and Minority-Serving
Institution feeder program is key to diversifying the
cybersecurity work force. Our work is ensuring that high
schools who are feeding into HBCU programs have the
availability of curriculum, professional development,
technology, and resources to stand up a cyber lab or a cyber
classroom in order to introduce students to cybersecurity
careers.
K-12 education, as I mentioned in my testimony, is the
formative years for ensuring that students have awareness of
what they want to be when they grow up. If we ensure that our
work is placed in Title 1 schools, in rural communities, we
will begin diversifying the cyber work force by partnering with
MSIs and HCBUs across the country.
Chairwoman Clarke. Mr. Stier, a major challenge for Federal
agencies has been retaining skilled cybersecurity
professionals, yet agencies do not necessarily track the
reasons behind the poor retention.
What should agencies like DHS and CISA do to better
understand why cybersecurity employees choose to leave and what
steps can agencies take to improve retention?
Mr. Stier. Great. Thank you so much for the question. I
will give you at least three.
The first is, I mentioned in my testimony that exit
interviews would be very helpful in understanding, so long as
there was real-time turnaround of that information and it went
to leadership. If it is collected and it doesn't got to
leadership, it is not going to make a difference.
No. 2, we already have the Federal Employee Viewpoint
Survey, which is how we create our places to work rankings. We
have data on an annual basis that tells us what is really going
on in every organization in government. Leaders should be held
accountable for those numbers, and that would make a very big
difference.
The third and most important issue is that, again, leaders
have to see that this is their job and responsibility and the
most senior leadership in Government has to hold the people who
work for them accountable to ensure that these numbers are
good. If they prioritize it themselves, you will see change.
Chairwoman Clarke. Mr. Stier, I think your screen froze.
But I am out of time. We will circle back.
Let me now recognize the Ranking Member of cybersecurity,
the gentleman from New York, Mr. Garbarino, for his questions.
Mr. Garbarino. Thank you, Chairwoman. Thank you to all the
witnesses again for being here today.
I want to start with Mr. Stier.
I really do appreciate some of the things you said in your
testimony about concrete items that we need to change. You
pretty much took my first question away from me, which is good,
but I want to build on something because you talked--you
specifically mentioned how we should hire--we should get
interns and interns should be able to come right in after
they--college interns and they can come right in after they
have completed their internship. That is what a lot of--that is
what law firms do with kids in law school, that is what
bankers--I mean it works for the private sector, so I think it
would be great at getting young people involved. Right now I
think it takes almost possibly--getting a job at CISA a new
hire can wait for a year. A college student coming out of
college can't wait a year if they have got debt.
So, you know, what exactly--I mean is there a process there
that you are thinking of? You know, what exactly should we do?
How do we cut down on the year wait list?
Mr. Stier. Yes. So you are 100 percent right. I mean and
the most obvious example of what needs to happen is our Federal
Government needs to approach talent management as the best
private-sector organizations do. The most obvious thing in any
professional organization, it starts with its strategy. As we
do at the Partnership for Public Service, we think our student
internship program is our primary mechanism for identifying
talent for entry jobs. That is not happening in the Federal
Government right now. There are some rule changes that Congress
could institute. They could make it easier to converge interns
into full-time employees. Right now, if you are unpaid or if
you are hired by a third party, even one that gets diverse
talent, that is much more difficult to actually convert in. So
those are real rule changes that would make a difference.
But fundamentally, I think the issue is really having
leaders inside Government, the agency Secretaries, the
different component heads, as well as the career leaders,
understanding it is their responsibility and having clear
metrics about what the expectation is. It is not working right
now. It has gone the wrong direction. So we have seen fewer and
fewer young people in Government today. It is not because of
lack of interest. It is not because of lack of interest. That
is relevant, but that is not the primary issue.
So it would be, No. 1, hold leaders accountable. No. 2,
make a few rule changes that would make it easier to convert
interns into full-time employees. No. 3, make sure that there
is real budget for this. That includes making sure that the
interns are actually paid. Then the other issue, clearly in
cyber in many instances, is security clearances. One of the
things that can be done is ensuring that the security clearance
process is completed while interns are students. There are
different agencies that do this better. So we should be
drafting on the approaches that the agencies that are best in
class are using for all of Government.
Mr. Garbarino. I appreciate that. That is a great answer.
Does anybody--any of the other witnesses want to jump on
anything additionally we need to do?
Mr. Coulson. I would just like to interject. Internship is
one process, but I think there is a huge opportunity here for
apprenticeship. To have people earn while they learn, but also
increases velocity because students are able to gain experience
while they are in their job, while they are receiving their
education. It also tightens the partnership with educational
institutions to build the work force you need as opposed to
well, here is somebody we graduate, I hope it worked out. It is
a much more integrative approach.
So I would suggest that that would be something that be
explored and I would be glad to talk to you further about this
as we are about to in the CAE community pilot a major
apprenticeship program in cyber directed at Government.
Mr. Garbarino. Now, your apprenticeship, would you--the
apprenticeships would be with the Government or with private
companies and the people could transfer into the--I mean how
would--what is your--how are you doing this? What is the pilot
program?
Mr. Coulson. Well, it is both. Because of the interest of
time, it is complex to describe, but let me just say that I
think that the apprenticeship model has been incredibly
underused and there is a lot of energy coming out of other
parts of the Government, and I would like to see that in the
area of National security, because it allows us to mentor and
produce and validate talent while they are in school and while
they are working.
Mr. Garbarino. I appreciate it, Mr. Coulson.
I hope we get a second round of questioning because I had a
couple more, but I yield back.
Thank you, Chairwoman.
Chairwoman Clarke. Mr. Ranking Member, should time permit I
definitely support that.
Let me now recognize that--other Members for questions they
may wish to ask our witnesses.
In accordance with the guidelines laid out by the Chairman
and Ranking Member in their February 3 colloquy, I will
recognize Members in order of seniority, alternating between
the Majority and the Minority. Members are also reminded to
unmute themselves when recognized for questioning.
Having said that, the Chair recognizes for 5 minutes the
gentleman from Rhode Island, Mr. Langevin, for his questions at
this time.
Mr. Langevin. Thank you, Madam Chair. I want to thank our
witnesses for their testimony today. Very insightful.
I will also mention, with respect to the Ranking Members'
line of questioning on internships and apprenticeships, I
applaud those efforts. That is why I am also a big fan of the
cyber core program, whereby students can apply at that program
and if they are accepted tuition is covered for the junior and
senior year. They will be able to--they get paid a stipend,
about $32,000, and then they go into a cyber job at local,
State, and Federal Government for 2 years after that.
Let me get to another--my line of questioning.
Mr. Ley, I am very interested in proving cybersecurity
training among our operational technology work force. The
Chair, Madam Chairman, had brought up this during her line of
questioning. So that is where we are simultaneously further
behind the curve and where most damage can be done.
So our National cyber director, Chris Inglis, often talks
about cybersecurity education having three tiers, the many, the
some, and the few. So the many are the people who use
technology in their every day lives, which is to say almost
everyone. Mr. Nolten has done an admirable job describing
expanding K-12 education for everyone. The few are the
cybersecurity professionals who have cyber as part of their job
titles. The kind of folks Dr. Coulson's programs churn out. But
I want to focus on the ``some'', the people who in the IT world
are the software developers or network architects.
So these are the people who need a much more nuanced view
of cybersecurity than most, but for whom it remains secondary
to their main job function. In the OT space, these are the
maintainers, the installers, the operators of industrial
control systems.
So I continue to be concerned that while training for these
occupations includes an incredible emphasis on a safety
culture, cyber risks have barely penetrated.
So, Mr. Ley, in your view how can we better incorporate
cybersecurity into the training for OT professionals who do not
focus on cyber?
Mr. Ley. Thank you, sir. Great question.
We have a lot of the information. Obviously our training
courses cover a lot. Unfortunately, expanding that information
out to other platforms to offer that, businesses out there, the
organizations, the local municipalities, can't necessarily
afford some of the training that they actually need. Some of
the training that we offer, working with CISA right now,
looking at opportunities to take the curriculum we have, offer
it to universities, colleges, other institutes, take the
information we have, take the curriculum and let them offer the
same curriculum and provide them support so that those
businesses out there, the some, the nations out there, don't
have to come here, they can go locally. Universities and
colleges can start developing these offerings themselves. They
know the businesses, they know the organizations, they know the
specialties they need. A lot of academic institutes come to us
and say we need this specialty. We can develop it and we push
it out. That is the area we recommend really needs to be
developed.
We started to explore that, but that would be where I would
ask.
Mr. Langevin. Thank you.
Let me get to another question for Mr. Stier. In your
testimony you referenced the need to update pay and
classification for the Federal work force. This is something
that the Cyberspace Solarium Commission, on which I serve, has
looked at closely. Madam Chair, I ask unanimous consent that
the Solarium Commission's white paper entitled ``Growing a
Stronger Federal Cyber Work Force'' be inserted in the record.*
---------------------------------------------------------------------------
* The document has been retained in committee files and is
available at https://www.solarium.gov/public-communications/workforce-
white-paper.
---------------------------------------------------------------------------
Mr. Stier, would you take it from the administration and
Congress to get the--what would it take from the administration
and Congress to get the civilian work force competitive with
the private sector? Should the National cyber director chair
this effort, which will necessarily involve several elements of
the inter agency?
Mr. Stier. So, look, I think that it does make sense to
have a coordinated response. I will note that one of the things
that as legislators you need to pay great attention to is you
actually put legislation in in 2014 to give authority to DHS on
cyber pay. It is just getting rolled out right now in
September. That is too long. You can't wait 7 years for this
kind of action.
So one risk of creating the sort-of National or Federal-
wide effort is that there will be a lot of talk and not a lot
of action. So I would be looking to actually be setting up, you
know, time tables about when things actually need to get done
and clear metrics about what success looks like. But it begins
with having an enterprise-wide, a Government-wide plan about
what we need in the way of human capital and then what do we
need to do to get it. A lot of it may be upskilling existing
talent, it could be new talent. I see the clock has run, but I
would be thinking about it in a strategic way to approach the
problem.
Mr. Langevin. Very good.
My time has expired. I thank you for the insights you have
offered.
Madam Chair, I yield back.
Chairwoman Clarke. The Chair now recognizes for 5 minutes
the gentlewoman from Tennessee, Ms. Harshberger, for 5 minutes.
Ms. Harshberger. Thank you, Madam Chair, and thank you
witnesses for being here. This is to me a really exciting topic
because we are so deficient in cybersecurity work force. From
different meetings I have been in, you know, it would take a
million people to fill some of the slots that we need, but to
me that is unbelievably--that is ridiculous. We need people.
You know, when I go around my district, I make sure to tell
every entity I can, every school system, anybody who will
listen, encourage these young people to look at this field.
I guess one of my first questions is for Mr. Stier. You
know, I am sure you are aware that DHS has yet to finish its
development and roll out of the CTMS program. The main goal of
this initiative is to cut the time it takes to hire these
cybersecurity professionals. Really to redefine how the
Government evaluates their skill set and their pay rates. You
know, I was talking to someone at one of the think tanks and
they are like, they can really ask whatever they want and we
take them because there is such a need.
You know, the committee is concerned about how long it
takes DHS to implement this program, which was authorized back
in 2014. What is your perspective on how effective a tool this
will be for the Department?
I guess my other question is what recommendations do you
have for DHS so we can meet those goals? I am doing all I can
to tell people about a field that I think would be very
interesting for even middle schoolers going on up to high
school, before they ever get into that arena.
Mr. Stier. So, Congresswoman, I think you are--it is so
important you are doing what you are doing because your voice
really matters to encourage people too. I just see this as a
field for themselves or something that, bluntly, should be part
of whatever else they are doing. I think the direct answer to
your question is that we really need more consistent long-term
leadership on these issues.
You are 100 percent right, this has been crazy-slow in an
area where slow is incredibly dangerous. The risk moves so fast
that by the time you get to where you think you need to be, you
are already behind the curve. I have heard, you know, folks in
Government say we work real hard to catch up to the past. That
is not where we need to be.
I think fundamentally the most important structural change
that you could make is ensuring that we had consistent
leadership on these management technology issues across
administrations. So think of this way, the FBI director has a
10-year term, the comptroller general at GAO has a 15-year
term. The reality is GAO is one of the best-run organizations
in Government because you have a leader who knows that the work
that they do around talent will actually pay off for himself.
I would suggest that you think about trying to ensure that
there is cyber leadership that is consistent over the years.
Again, I mentioned this earlier, that Secretary Granholm wants
to see the CESER leadership actually be career. I would be
thinking about that CISA as well. You have a really strong
person there right now, but if the average tenure is 2 years,
there is no way you are going to actually see significant
progress. People inside are all going to be running toward the
new leadership and very careful about not getting too far over
their skis knowing that someone new is coming in and that
becomes a real problem.
So that to me would be my No. 1 suggestion. There are other
things I think you can do, but I will be quiet for now.
Ms. Harshberger. Well, you know, it is almost like when you
hear these experts talking and they are saying people can even
use Google and look at traffic patterns in certain countries. I
am like, that is unbelievable. Does it take a 4-year degree?
How are you going to get these people interested to go into
this field because the need is so critical?
To me, we would designate this need as critical
infrastructure if I could, but we can't do that. If anybody
wants to answer, do they need a 4-year degree? What kind of
degree do they need to even enter this field?
Mr. Coulson. I would interject, we work a lot with
community colleges, but I think there is a mantra here.
Career technical education especially--people have looked
at it, well, that is vocational, that is, you know, welding and
things. No, cyber fits there too. Often times in my work we
have to let kids find out how smart they really are. That is
usually education becomes a gateway drug, if you will. So if we
can identify them and we have a program where we are looking at
aptitude for cyber, not aptitude in terms of you can and you
can't, but where do you fit? Then to identify them and come up
with programs that nurture that talent all the way through. We
could have kids coming out of high school that could work at
the technician level. We have community colleges that are now
even doing not only associate's degrees and certificates, but
are also including bachelor's degrees.
I think academia has a reputation of being glacial, but I
would suggest that that is not necessarily a fact in the cyber
space.
Ms. Harshberger. Well, Mr. Coulson, you are speaking my
language.
My time is out and I thank you.
I yield back, Madam Chair.
Chairwoman Clarke. The Chair now recognizes for 5 minutes
the gentleman from New York, Mr. Torres.
Mr. Torres. Thank you, Madam Chair.
Three years ago I came across a New York Times article with
the following headline: ``The Mad Dash to Find a Cybersecurity
Workforce''. The article was citing cybersecurity ventures,
claims that by 2021 the cybersecurity work force would have 3.5
million vacancies. We are in 2021.
So I am curious to know has that projection come true? What
is the extent of the shortages in the cybersecurity work force
as of 2021? Anyone who has an answer to that question can feel
free to answer.
Mr. Coulson. OK. Everybody has a prediction on that. That
might be a global number, but within the United States right
now, you know, best that I could find this morning was actually
just over 500,000. That is in the compressed hiring that we are
in right now. But the Solarium Commission report that
Representative Langevin worked on, says something I think is
overall answer to that question, and it is we have had reports,
we have had predictions, we have had things for 20 years. What
we need is action on it, because the problem has not been
getting better, it has been getting worse.
Mr. Torres. In order to--and I am in favor of action, I
just want to understand the precise nature of the problem. So
are these vacancies--to what extent are these vacancies coming
from the public sector and the private sector? Do we know the
breakdown? Do we know the number of vacancies that require a
college education?
Mr. Stier. So I can speak--this is Max Stier at the
Partnership--I can speak to the Federal Government. The answer
is we really don't know what the real need is. This is my point
about the importance of really doing a more thorough human
capital plan for the Government in cyber and beyond. I think we
need it in more than that.
I can't resist also saying that the gap is not simply in
the actual technical talent, the gap in some ways is more
profound in the fluency around these issues, in the leadership
more broadly. You know, people who are not actually in jobs
that are designated as technical positions fundamentally
actually need to understand these issues in order to do their
work appropriately.
I think if you are thinking about what the actual gap is,
you ought to be examining that one as much as the actual work
force.
Mr. Torres. Is that a number--we need more cybersecurity
generalists? Is that?
Mr. Stier. It is less that--I would say, for example, that
if you are coming in as the Secretary of an agency in the
Federal Government, if you are running a component, if you are
a career senior executive running a large program, you have to
be thinking about cyber issues and understanding what the
implications are for your programmatic choices. That includes,
you know, the talent needs. You will need to be able to address
those problems. That is an information gap. You don't need a
cyber professional in those positions, but you need people who
are fluent and aware.
Mr. Torres. I have a question for each member of the panel.
What is the most successful cyber work force development
initiative that you know of and that should be scaled up?
Mr. Nolten. I will jump in, Congressman, and mention that
CETAP is proven to be a successful program in that we are
introducing students to cybersecurity careers and degree
opportunities at an early age, elementary and secondary.
When a student asks me what do you want to--or when I ask
my students, what do you want to be when you grow up, at that
very moment I am providing them a gateway into the
opportunities that exist for them post-high school as well as
post-graduate. Not every student is going to go to college and
so what we want to ensure is that upon graduating high school
we have students with industry-based certifications, that they
are skilled to go walk into an organization and be employable
immediately. Employability is the key and we want to see that
CETAP be grown so that high school students who are going into
any of the 17--16-17 critical infrastructures within DHS's
structure, that those students have the ability and the
knowledge to----
Mr. Torres. Can I interject? What is your placement rate?
Mr. Nolten. I am sorry, sir?
Mr. Torres. Your placement rate.
Mr. Nolten. So right now we see that high school students
who are participating in CETAP's program, four times as many
students are going into a cyber-based degree field within a 2-
year and/or 4-year program.
Mr. Torres. How many students have gone through your
program?
Mr. Nolten. Over 3 million students have benefited from our
program in all 50 States.
Mr. Torres. Does the rest of the panel have any thoughts on
what is the most successful existing cybersecurity work force
initiative?
Mr. Ley. I would--I am sorry.
Mr. Coulson. Please go ahead.
Mr. Ley. I would like to suggest there is a program that is
not even funded and even an initiative right now, and it is to
match. What we find in our research is that the students coming
out of degree programs, even out of high school, and the hiring
at these organizations, businesses, Government entities, there
is not a defined mechanism to really place the most talented
individuals in the jobs where they can be the most successful.
There is nothing based on the old hiring process of resumes and
interviews is what is taking place. We continue to hear from
businesses, Government entities, well, we hired the most--we
thought was the best person and it takes us 18 months to 2
years to get them trained up to be useful. Why is that? Because
there is not a mechanism. You identified the mechanism, but
there is no funded program to actually implement that to say
nice KSATs, hiring job applications has the same KSATs, we can
see what the students have, what skills they have and match
them to the job and the people can hire the right people the
first time instead of the second and third time.
That is an issue that should be out there.
Mr. Torres. My time expired, so I am going to----
Chairwoman Clarke. Thank you very much, Mr. Torres.
The Chair now recognizes for 5 minutes the gentleman from
Georgia, Mr. Clyde.
Mr. Clyde. Thank you very much, Madam Chair. I appreciate
this very important hearing.
One of my concerns is the dependence that we have on the H-
1B visa program, or the student visa program. Oftentimes we see
our universities and businesses invest in people that we bring
in from overseas and we teach them cyber and they take up the
opportunities that we have in this country and they learn all
sorts of great things and then they take their talents and they
go back home to their home countries.
So I see that as not being a great return on investment and
we are losing out on the opportunity to develop Americans who
can fill those jobs.
So I guess my question--and I would like to start with Dr.
Coulson--so how can we best encourage the home-grown talent so
we don't have to depend on the H-1B talent that at some point
is going to go back to their home country and we are going to
lose that opportunity and what has been invested in those
people.
Now, I understand that those people might actually, you
know, bring something to us as well, but still, you know, they
are not American citizens. You know, they are not going to stay
here. They are going to go home and take that talent and
everything they learned with them.
So how do we do that? How do we best encourage home-grown
talent?
Mr. Coulson. So two-thirds of Ph.D.s in this country are
non-domestic. That is a crisis in itself. There is a number of
programs that I could inform you of after, but in the interest
of time.
The research program that we just started is really looking
at, all right, how do we home grow talent. It doesn't have to
be all from our one university. Again, I will go to my mantra,
kids sometimes don't know how smart they are.
Mr. Clyde. Right.
Mr. Coulson. So the program we created now with 38
universities, working with technical directors on actual
problems is meant to reach into the undergraduate level and
start teaching them the science of research so that we can
pipeline these and grow our domestic talent and also develop an
affinity for the real challenges that Government is doing.
In the Centers of Academic Excellence Community I think
that is a great example of something we are doing to tackle
that one issue, which is very significant for the future of
technical leadership in the United States.
Mr. Clyde. Well, thank you. I appreciate that.
You know, as part of the Department of Homeland Security
subcommittee, you know, one of the greatest threats we have is
ransomware from the outside. So I think one of the greatest
defenses we have is home-grown talent that can defend against
that.
So does any other of the witnesses, would you like to add
anything, Mr. Nolten or Mr. Ley or Mr. Stier, to that?
Mr. Ley. I would also bring back attention to what Tony
brought up earlier about apprenticeship programs.
Mr. Clyde. Right.
Mr. Ley. It is a way to bring the--start the folks out in a
company and let them learn and their actual reason--to
understand why they are learning, because they are working for
that business. Apprenticeship programs are huge and a key. We
really need to focus on that. Right now there really is not--in
the Department of Labor or Department of Commence there is
really not a defined apprenticeship for cyber-related skills.
There is a reason plumbers and electricians have apprenticeship
programs, because you can't get all the hands-on training just
sitting in a classroom. Apprenticeships bring that and they are
huge.
Mr. Nolten. Congressman, if I may add----
Mr. Clyde. Thank you very much. That is an excellent
insight. Go ahead, please, Mr. Nolten.
Mr. Nolten. Congressman, if I may add one statement here.
Research has shown that a child begins to form what they want
to be when they grow up around the middle school level. That is
sixth, seventh, and eighth grade. If we look at other countries
around the world and see where their dollars are being
invested, it is in K-12 education.
So in order to begin solving this pipeline issue that we
have, we have to focus on ensuring that we have students who
are skilled and knowledgeable about the opportunities that
exist in cybersecurity.
Mr. Clyde. All right. I think that. Thank you.
I appreciate that and unless anyone else has a comment,
then, Madam Chair, I yield back. I think that is great
information though.
Chairwoman Clarke. Thank you, Congressman.
The Chair now recognizes for 5 minutes, the gentlewoman
from New York, Ms. Rice.
Ms. Rice. Thank you, Madam Chair.
I would like to continue talking a little bit more about
community colleges. I think we all agree that they play an
incredibly important role in connecting students with an
affordable higher education. In my district, Nassau Community
College, which is a Minority-Serving Institution, has a
cybersecurity certificate program designed for students who
intend to go onto pursue a 4-year cybersecurity degree.
Dr. Coulson, do existing Federal programs adequately
support programs like the one I just described at Nassau
Community College? What if any additional resources may
community colleges, particularly minority-serving institutions,
need to assist them in building, growing, and diversifying the
cybersecurity work force programs?
Mr. Coulson. Well, the Centers of Academic Excellence
program has over 150 community colleges. We have set up a
National articulation database. That was with Moraine Valley
Community College. That is some great work with the National
Science Foundation's advanced technology education program with
Whatcom Community College and Cal State San Bernardino were
working through the community college network to see what is it
that employers want, but also how can we diversify talent on so
many ways? We have something called the Cyber Education
Diversity Initiative, which focuses on Minority-Serving
Institutions, but also we have program for the deaf and the
hard of hearing, Wounded Warriors, neuro-diverse communities,
and so on. I think the community colleges play a pivotal role.
A lot of times it is in the area traditionally seen as re-
skilling, but I would say that it is also upskilling.
So I think that community colleges in general are really an
economic engine and especially for opportunity for many people.
The issue that we have in the Centers of Academic Excellence in
terms of funding is everything is one-time funding, one-time
grant related through a number of agencies. I would really like
to see the Department of Homeland Security invest in this
program with sustained funding so that we aren't doing hand-to
mouth, but we could attack this problem strategically.
Ms. Rice. That is actually a really good point and I think
that we should take that advice about the funding. I think that
is critical. I agree with you.
You know, I think there is also a misconception that all
cybersecurity jobs require an advanced degree. But cyber.org's
website explains in the--its cyber career profiles that there
are a number of good-paying cybersecurity careers that don't
necessarily require a degree at all.
Mr. Nolten, you know, we are talking about K-12 and I know
that you have experience working with K-12 educators, what more
can be done to increase awareness of the full range of
cybersecurity career options that are available to young
people? I think it is really important--I think the Federal
Government needs to support high schools that want to implement
career and technical education programs around cybersecurity
that are designed to, you know, send students into the work
force right after graduation.
But, Mr. Nolten, if you could just talk a little bit more
about how can we increase awareness? I think that, you know, if
kids knew what was out there--you know, I forget who--I think
you said that--talked about that critical time period of sixth,
seventh, eighth grade where kids are beginning to make kind-of
career choices. If they are not hearing about it in school and
they don't know what the potential is, then they are missing
that opportunity.
Mr. Nolten. Congresswoman Rice, I mean that is a great
question and it is a great awareness that we must take.
One simple example, Sally has two apples at the house, she
has five friends coming over, how many apples does Sally need
to go out and buy. This is a simple subtraction problem that
many of our educators are using. My encouragement to K-12
educators is don't use apples, use gigabytes. Sally has a
computer at the house, it has two gigabytes of memory, she has
a really cool program she wants to run that requires five, how
many gigabytes does Sally need to add? By changing the context
of what we are teaching inside the classroom, we are able to
introduce these students and place seeds of opportunity in our
minds of our students. This very work, this very structure, we
allow students to explore career opportunities that they have
no idea about, their mom or dad or guardians had no experience
in. This effort and this movement must be scaled. We must
ensure that teachers have the confidence, the ability, and the
resources from a funding standpoint to be able to teach
cybersecurity and to change those apples to gigabytes.
Ms. Rice. Well, thank you all so much. I think this has
been a great discussion.
Madam Chair, I yield back. Thank you.
Chairwoman Clarke. Thank you, Congresswoman.
The Chair recognizes for 5 minutes the gentleman from
Kansas, Mr. LaTurner.
Mr. LaTurner. Thank you, Madam Chairwoman.
Mr. Stier, let me start with you. There is a seemingly
endless supply of cyber work force related legislative
proposals. But I am concerned that often times Congress focuses
on the shiny new bills instead of conducting the necessary
oversight to ensure the prior bills have been properly enacted.
Where should the committee be focusing when it comes to
oversight over enacted lines of effort?
Mr. Stier. So thank you for such a wonderful question. I
agree with you that often times we see problems Congress
legislates and then done, move on to the next thing. The
reality is, in my view, legislation is the starter's pistol, it
is actually not the race. Your oversight function is profoundly
important.
So one of the recommendations I made in my testimony was
that you actually make this an annual testimony, or rather an
annual hearing. I love the example that was given earlier about
the need for long-term money, because there is no way to plan
on these programs if you don't have multi-year funding. It is
the same here, if you let agencies know that this is not about
giving them an authority and then walking away, but rather that
you have actually a plan, you intend to be able to have
oversight on an annual basis with a set of metrics, performance
metrics, that you build into your thinking. That may change
over time. I think that will change the incentives for agencies
and the likelihood that you actually see more progress from the
investments that you are making.
So I would think about this, again as you suggest, not as
a, you know, legislate and walk on, but rather what are our
goals, you know, what is our current thinking about the tools
we need right now. How will we know whether or not we have been
successful. Then come back to it in a regular way with notice
to agencies that this is about to happen. I think you would see
in different outcomes. Not easy outcomes, because, bluntly,
these are tough problems and they are problems that are
changing.
Mr. LaTurner. I appreciate that.
This question is for all of you and it is a really broad
one. With so much focus in recent years about expanding cyber
educational opportunities, do we feel like we are at the point
that we are starting to close the gap, are we making a dent?
Mr. Ley. I will just say from my perspective, from a lab
perspective, from testing control systems and looking at and
providing courses to folks, I think we are making a dent. Some
of the issues are very systemic and I think are just not known,
even to panel members. We talk about the tools that connect the
high school, get them excited there. There's lot of progress. I
have 23 interns from colleges and universities around my State
and other universities around the Nation and I ask them, if you
are in a degree program, a cyber-related degree program, why?
What are you going to do with it? They don't know. There really
is not a mechanism--there are mechanisms out there, we are not
connecting them to what jobs they need to go to.
So as far as degrees and topics we are teaching, yes, I
think we are making a dent, I think we are offering the right
curriculum and I think it will ever be expanding. It is not
going to change. But we have got to connect the students who
have moved on and are excited, think they know what to do, they
get to that next level and they are--where are the tools, where
are the things I can go to look to what is next for me. They
are not being exposed to those.
Mr. LaTurner. I appreciate that.
Yes, Mr. Coulson, go ahead.
Mr. Coulson. So 6 years ago when we started the Centers of
Academic Excellence Community, we were about 15,000 students.
We now have over 100,000. A lot of that has to do with a long-
term vision reaching into the K-12 space, seeing the dividends
of programs like cyber.org, the GenCyber camp program, and
others that are stimulating interest. We are starting to see
that bubble up. But it is a long-haul game. I think that is a
real message here.
As you said earlier, shiny object funding is not going to
solve this problem.
Mr. LaTurner. Very good.
Mr. Stier, I saw you have your hand up.
Mr. Stier. So, yes. I think just to--there are a lot of
people working really hard on these issues and we are making,
in absolute terms, progress. But what I would say is that
fundamentally this is about dealing with problems that are in
the real world and against the problem set that we face, my
view is we are losing ground not gaining it, certainly in the
arena that I can see.
Mr. LaTurner. Wow. I want to hear your perspective.
Go ahead, Mr. Nolten.
Mr. Nolten. Congressman, two quick stats. CETAP's impact is
well over 3 million. While that may be an exciting number to
many, the denominator there is 52 million. Our work has just
begun.
Mr. LaTurner. Thank you so much.
Madam Chairwoman, my time has expired. I yield back.
Chairwoman Clarke. Thank you, Congressman.
For colleagues who may be interested, I am going to enter
into a second round of questioning. There are a few questions
that I have remaining. For anyone else on the subcommittee who
also may have additional questions, you will have an
opportunity at this time.
Dr. Coulson, a major part of addressing our cyber work
force shortage must include re-skilling workers for
cybersecurity jobs. I think certainly in the midst of this
pandemic where we are hearing about the great resignation,
there may be an opportunity if we open our eyes wide enough or
open the aperture so that we are looking at some of our
employees who may not be returning to some of the professions
that they were once in.
How are universities and community colleges currently
working to include nontraditional students already in the work
force or in their programs? What barriers exist for
participation and what can we do to expand access?
Mr. Coulson. Well, that is excellent. This is something I
am so excited that you asked me, to be quite honest. Re-
skilling is absolutely necessary, it is absolutely important. I
think the academic community has looked at cyber and said,
look, we need all hands on deck. How do we get somebody with an
existing degree or maybe had a different life before, how do we
see where they fit in cyber, which is such a broad field.
We ran a pilot program with the National Science Foundation
that provided scholarships for veterans and re-skilling workers
through the community college program to get them into the
cyber work force. We wanted to see what was making them tick.
But more than that, on a broader spectrum, we are seeing
programs that are emerging in our Centers of Academic
Excellence and we are incentivizing them not only in on-line
learning, but in other ways that fit around schedules so that
somebody could still actually work in their job but look toward
a new career and make accommodations for different age groups
and people who are differently abled.
There are so many programs there and I would love to have a
longer discussion on it, but we--I will say this, we are
working in that area because it is so very important and
universities and community colleges are expanding capacity as
much as possible, marketing. Actually, next month we are
running a National virtual career fair for cybersecurity
students and trying to link them with employers, but also try
and stimulate interest in re-skilling.
Chairwoman Clarke. Got caught out there for a moment.
This is to the panel. What should the Federal Government's
role be in facilitating apprenticeship programs in the private
sector? If you have given any consideration to that.
Mr. Coulson. I think Mr. Stier said earlier, what are the
standards for a cybersecurity discipline. So we actually just
started a project with the American Council on Education to try
and help set those standards, and we are going to work with the
Department of Labor to see if we can get at least the first of
what we consider many different disciplines within cyber,
because obviously this critical infrastructure and so on.
One of the areas that I think the Federal Government could
really help us in, especially in the Department of Labor, is
velocity. To get the apprenticeship programs moving is such a
laborious technical process that many of our industry partners
have said, I don't understand this and they are ready to walk
away. I would really like to, you know, work or maybe put
together subcommittee on how we could fix that problem and
increase velocity. Because apprenticeship is very foreign in
the United States but it is such a key--has such key potential
to solving this problem.
Chairwoman Clarke. Very well.
I wanted to do a deeper dive with you, Mr. Stier, about how
agencies can improve retention. We know that, you know, there
is great demand for the limited talent that exists. We are
constantly hearing of private sector poaching from the public
sector. Could you give us a little bit more depth to what we
can do in the retention space?
Mr. Stier. Absolutely. It begins to have real-time data on
what is actually happening and have leaders that are held
accountable for that data. Otherwise, you know, there are a lot
of things you can do, but you don't know if you are doing the
most important things.
You know, what we see in the work that we do is, No. 1,
especially young talent, they want to feel like they are being
invested in. I will note that there is a really--in my view, a
big difference in the way by and large the uniformed services
are treated versus the civilian services. In the military by
and large they see their talent as an asset. Oftentimes the
talent inside the Federal Government, the civilian talent, is
treated as if it is a cost. We need to see I think way more
investment in the people in the knowledge that they are
getting, in the responsibility that they are getting, and also
in the management that they are getting. If you did that, I am
quite confident that you would see a lot higher retention
numbers.
If you look at our best places to work rankings, the No. 1
issue for why people are actually leaving is their perceptions
of their leadership, from the first line supervisor to the more
senior people in the organization, and it is not good. It is,
you know, 10+ points below what you would see in the private
sector. They're purpose-driven, they want to be there, but if
you give them bad management they are not going to say.
So that to me would be the most important thing to do, is
improve the management, hold them accountable, provide real
investment in their growth and responsibility. The Government
has the best value proposition around. You can make a
difference in the world, which most young talent really care a
lot about.
Chairwoman Clarke. Very well. Thank you.
My time has run out.
I now recognize the Ranking Member of the subcommittee, the
gentleman from New York, Mr. Garbarino, for any additional
questions he may have.
Mr. Garbarino. Thank you, Chairwoman. I do have at least
one more question.
Mr. Stier, we will start with you. The Cyber Corps
Scholarship for Service program, run by the National Science
Foundation, has been a great program to encourage students to
enter public service. I understand that to date nearly 3,500
students have taken advantage of the program.
What more can we do to increase participation in this
program? Or maybe not--and if not, it is not increased
participation in this program, what is the difference--is this
program better or could we maybe start some sort of cyber
university, similar to one of the other--like the Naval Academy
or the Merchant Marine Academy? You know, the Merchant Marine
Academy was started in 1943 because of shortage in merchant
marines. We have a shortage in people that need to go into the
Government cyber work force.
Is this something that we should be looking at, or should
we just stick with training them at outside colleges and hope
they come to work for us?
Mr. Stier. Sure. So, Congressman, I think this is a
fantastic question. I come back to the military model, and you
used it, which is you can think about the academies versus the
ROTC. In my view it is much more cost-effective to make further
investment in an ROTC model rather than the bricks and mortars
of a new institution. It is not simply that it is more cost-
effective, but it is also in my view more--you will have higher
leverage. If you leverage off of the, you know, Government-
wide--you know, we have best in class higher education in this
country and if you create more scholarship opportunities for
service in Government, you will--it will be, again, a cheaper
way of getting great talent and it will be integrated against
the whole of society, because you also want to make sure that
people who are coming into Government represent the entire--
geographically, racially, gender, all those things.
So my counsel would be to, you know, further invest in
programs that are more likely ROTC than it is to try to create
a new entity focused on a specific area like cyber.
I think you will find immediate return because you don't--
it takes a long time to create an institution and we don't have
that time. I think you will have better pay-off.
I will say that we can undoubtedly do better in the way we
use that talent. The Chair's questions around retention should
be applied here with the folks that--because, yes, they may
have a service requirement, but you really want to have a
program that keeps them well long after that service
requirement has ended.
Then there are programs like what we have, the Cyber Talent
Initiative, where we are partnering with the private sector,
with MasterCard and Microsoft and Workday. They are actually
supporting bringing talent into Government knowing that talent
might also come to them.
So there are a lot of novel ways of trying to drive talent
into the sector and into Government.
Mr. Garbarino. I appreciate it, Mr. Stier.
Any of the other witnesses want to add on or have any
thought on the question?
Mr. Coulson. Well, actually I am a scholarship for service
institution. I would say that that was one of the keys that
built capacity within my institution to create such great cyber
talent. But there are other programs, like the Department of
Defense Cybersecurity Scholarship Program that acts like an NFL
draft, if you will, where the best talent gets submitted and
they can pick and choose.
I think Mr. Stier brings up a very important point, and
that is if we built bricks and mortar, it takes a long time,
but also it closes the number of dimensions. I think a cyber
university concentrating on one skill set is great, but that is
not what cyber is about. Cyber is so much broader and you need
innovation from all sectors. As I like to say, innovate
locally, deploy Nationally.
I think that is where the scholarship for service, and like
Mr. Stier said, like an ROTC type of approach works probably
more effectively and gives the taxpayer more bang for the buck.
Mr. Garbarino. I appreciate that. Thank you very much.
Madam Chairwoman, I yield back.
Chairwoman Clarke. Well, with that, I thank our witnesses
for their very valuable testimony here today and my colleagues
and Members for their questions.
The Members of the subcommittee may have additional
questions for the witnesses and we ask that you respond
expeditiously in writing to those questions.
Without objection, the committee record shall be open for
10 days.
Hearing no further business, the subcommittee stands
adjourned. Thank you, everyone.
[Whereupon, at 11:32 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Statement of Bitwise Industries
July 29, 2021
Chairwoman Clarke, Ranking Member Garbarino, and Members of the
subcommittee: Bitwise Industries is grateful for the opportunity to
submit this testimony in connection with the subcommittee's exploration
of the need for and development of cybersecurity professionals.
Since 2013, Bitwise Industries, a female- and minority-led
technology company headquartered in Fresno, CA, has been training
underserved people from undervalued places for jobs in the digital
economy. Our workforce training programs have prepared over 5,000
student workers, more than half of whom are women and/or people of
color, for high-growth, high-wage jobs in the technology industry. Many
of these individuals have gone from making under $21K/year to well over
$61K/year. Following the program, 80 percent are employed in tech jobs
resulting in $295 million of aggregate wages. In addition to outside
employment, the technology consulting side of our business hires many
of these students, proving it is possible to build stellar technology
in unexpected places with diverse, nontraditional talent.
The key to our success is our apprenticeship model, which unlocks
potential by coupling paid, experiential technical training with access
and referral to essential services that address/remove barriers caused
by poverty and bias. Our apprenticeship program is expanding to include
a cybersecurity track for which we will seek Registered Apprenticeship
designation. We employ a holistic and personalized approach to
recruiting talent from underserved communities and building a nurturing
community around them so that we can ensure that individuals have what
they need to learn and thrive, including first and foremost, a sense of
belonging. Their success then ignites and transforms the regional
economies of the cities in which Bitwise Industries serves. Since
launching in Fresno, we have built similar ecosystems in the California
cities of Merced, Bakersfield, and Oakland, and recently announced our
expansion into Toledo, OH. The next set of cities at the top of our
expansion priority list includes Buffalo, NY and Birmingham, AL.
As you consider measures that Congress can take to facilitate the
growth of an inclusive and skilled cybersecurity workforce, we urge you
to examine with a critical eye barriers to the employment of
marginalized people who have been persistently underrepresented in
critically important professions such as this. Careers in cybersecurity
are not only essential to the future prosperity and safety of our
Nation, but also hold promise as a means of securing economic stability
for many. These are jobs with salaries that ripple throughout
overlooked communities if they are available to the full range of
people who are qualified for and desire them.
underrepresentation in the cybersecurity and tech fields hurts the
quality and quantity of resulting work
In 2021, evidence of the systemic underrepresentation and
inequitable position of marginalized people in tech jobs requiring
fluency in coding and networking exists anywhere one looks. According
to Bureau of Labor Statistics data, as of 2020, just 9.1 percent of
Americans employed in computer and mathematical occupations were Black,
in a National workforce that is more than 12 percent Black. For Latinx
workers just 8.4 percent are working in STEM fields, compared to 17.6
of all workers. Moreover, Black and Latinx workers constituted smaller
percentages of the information security workforce than of all workers,
and women were particularly absent from the cybersecurity field,
accounting for just 11.4 percent of its employees, but nearly 47
percent of the entire workforce.
The relative inclusion of Black and Latinx workers and members of
other underrepresented groups has declined since the publication of a
2017 report for the Center for Cyber Safety and Education, (ISC)\2\,
and the International Consortium of Minority Cybersecurity
Professionals (ICMCP). The report found that while minority
representation in cybersecurity professions was roughly consistent with
comparable representation in the National workforce, other indicators
of inequity abounded. People of color in leadership roles tended to be
more highly educated than their white non-Hispanic counterparts, for
example, but employees of color were disproportionately concentrated in
non-management positions. In addition, both men and women of color
working in cybersecurity reported lower average salaries than white
counterparts, and workers of color were less likely to have received
salary increases during the most recent year than white workers.
The effectiveness of our increasingly important efforts to secure
information and operations that rely on connectivity are hindered by
the disproportionate demographic characteristics of the cybersecurity
workforce. As a recent paper from the Institute for Critical
Infrastructure Technology observed, ``Security teams that bring
diversity of thought and perspective to the decision-making process are
best equipped to navigate [the] complex ecosystem of players,
technologies, and cultures'' that must be taken into account in shaping
cybersecurity solutions.
Experiential studies have confirmed that characteristics including
age, income, gender, ethnicity, and cultural affinity affect
participants' perceptions of information security risks in consistent
ways; similarly, in other work-oriented contexts, researchers have
found that teams whose members come from different walks of life excel
at innovation and problem-solving because they benefit from the
inclusion of a wide range of viewpoints.
The Nation's cybersecurity workforce would do its best possible
work if it reflected our country's unique strength--the vast variety of
cultures and experiences that shape us as individuals. Workplace
leadership experts David Rock and Heidi Grant astutely pointed out in
their Harvard Business Review article that collaboration across
cultures ``challenge[s] your brain to overcome its stale ways of
thinking and sharpen its performance.''
Government also risks squandering an opportunity to advance equity
in access to programming and resources by failing to take
transformative action to ensure that talented people from underserved
communities find their place in the tech industry and in the short-
staffed cybersecurity field in particular. When only a homogenous group
of people who have historically been able to enter a system are charged
with shaping it for the future, the weaknesses of the system are
virtually guaranteed to be replicated consciously or unconsciously.
Thus, if the Federal Government hires only people with advanced degrees
or other qualifications that are expensive to obtain to be its
recruiters, build its presence on-line, and protect IT networks, their
work will naturally serve the needs and interests of others like them,
and will fail to democratize entry. It is unsurprising that it has
proven to be a persistent challenge for an institution whose workforce
largely consists of individuals who are not underserved to design
programs to effectively reach, serve, and protect its most marginalized
constituents, since, for example, people designing websites for the
Emergency Broadband Benefit or rental payment assistance programs are
likely not to have had any personal experience using these resources.
It is imperative that the Federal Government enlist more people,
companies, and communities, including contractors and consultants, that
historically have been excluded and that have themselves experienced
the challenges it seeks to address so it can develop technical
solutions for all Americans.
apprenticeships unleash previously untapped tech talent
Since our inception in 2013, Bitwise Industries has been preparing
underestimated people for success in tech careers by offering flexible
short-term pre-apprenticeship programs, paid apprenticeships, and
holistic support for the people in whom we invest. Our experience with
the thousands of individuals who have entered our training programs
over the past 8 years has affirmed our conviction that apprenticeships
are a critical, and as-yet underutilized, pathway into the tech
workforce for members of underrepresented communities with the
requisite talent and commitment to thrive.
Our apprenticeship model works for people who would not otherwise
obtain the necessary knowledge and experience to enter this field
because it eliminates the many practical and psychological barriers
that reinforce systemic exclusion.
Perhaps most important is the fact that our trainees don't need to
take on any debt to advance their careers. Pre-apprentices who need
financial assistance receive scholarships and are able to work jobs
around class schedules, and our apprentices earn a living wage with
benefits while they are learning and building portfolios of work on the
job. For each one of these people, our staff coordinates complementary
services--from child care, to transportation, to access to hardware and
a broadband connection--that ensure that trainees have the time and
mental energy to devote to developing their skills. We also value
community and belonging, and we work hard to make sure that students
and apprentices feel welcomed in our spaces and interact with peers
with whom they identify when they come to a class or work team.
Graduates of Bitwise Industries' apprenticeships do not necessarily
have resumes that resemble those of a typical tech or cybersecurity
work team, but they are capable and talented, and they bring the kind
of diverse perspective to their work from which the Federal
Government's cybersecurity efforts would greatly benefit. A typical
student or apprentice in one of our programs has obtained a high school
diploma or GED but has not earned any tertiary degree or professional
certificate; many of our trainees have come to us from employment in
restaurants, retail, manufacturing, and farming. These individuals have
repeatedly and consistently proven that, with the right environment and
support, they can obtain in-demand skills and thrive in information
technology jobs. Nearly all of our apprenticeship graduates, and four-
fifths of those who have taken classes with us, remain in tech-oriented
jobs today, and by their third year on the job, these people have
secured average salaries of $81,000 per year. Bitwise Industries' tech
consulting business has hired many of those who've completed
apprenticeships through our program, so we can attest from personal
experience to the acumen of our trainees in designing and building
solutions for a wide variety of clients in industries ranging from
agriculture to entertainment to finance and banking.
In addition to possessing requisite technical skill and
collaborative ability, people who have trained for careers in
information technology in Bitwise Industries' apprenticeships rather
than through college-based academic programs are representative of the
underestimated communities in that we serve, and comprised of people
groups who have historically faced discrimination in the workplace and
exclusion from the lucrative information technology field. We
intentionally install our full ecosystem in cities whose populations
are diverse in terms of race, ethnicity, national origin, educational
attainment, involvement with the criminal justice system, family
structure, and other circumstances, and we focus outreach and
recruitment efforts in the most underserved and economically
undervalued neighborhoods. As a result, about two-thirds of all of our
students and apprentices have been people who identified as Black or
Latinx. Women have easily outnumbered men in our classes and
apprenticeship cohorts, and more than 40 percent of our people are
LGBTQIA+ and non-binary. In addition, nearly half of our trainees have
been undocumented individuals and people who are first-generation
Americans, and many have belonged to groups recognized as encountering
particular barriers to employment, such as people with criminal
convictions.
hiring standards and practices must evolve to achieve inclusion and
fill openings in the cybersecurity workforce
As the capacity of Bitwise Industries' apprenticeship program
expands and the success of our model inspires more providers to offer
apprenticeship-style training for information technology fields, the
pool of talent available to fill cybersecurity positions will grow and
better reflect the full spectrum of Americans' characteristics and
experiences. At the same time pathways into desirable jobs will need to
adapt to recognize and take advantage of the ability that apprenticed
workers possess.
Too often, the prerequisites to access opportunities in Government
employment are mired in obsolete tradition, and designed to exclude or
to achieve ends that are at odds with equity.
We urge Members of this subcommittee to push and mandate Federal
hiring managers to reconsider credential and application requirements
for cybersecurity and other tech jobs, and to eliminate or amend them
wherever possible to open the door to a wider swath of the underserved
population. For example, though degrees, certifications, and related
job experience are typical barriers to entry into cybersecurity jobs,
the Bureau of Labor Statistics has identified as the skills most
critical to these roles attributes--problem-solving skills, ingenuity,
attention to detail, and analytical skill in assessing computer systems
and networks--that people can attain and develop just as well through
practical training. Moreover, obtaining Federal Government employment
usually demands not just that candidates have secured the requisite
skill in the manner least accessible to marginalized individuals, but
also that applicants possess the patience, networks, and background
knowledge necessary to reconstruct their resumes and describe their
experience in an idiosyncratic format. Instead of earning certificates
and constructing narratives about their ability to do the work, Bitwise
Industries' students and apprentices build portfolios of projects that
showcase their work and allow prospective employers to see their
skills. The Federal Government's human resources systems should allow
for multiple methods of demonstrating technical ability to ensure that
people of all backgrounds can, and actually do choose to, compete for
employment.
We note that President Biden's recent Executive Order on advancing
diversity, equity, inclusion, and accessibility in the Federal
Government instructs agencies to build pipelines into Government
employment by deepening partnerships with colleges and universities
that serve students of color and women. While these institutions are an
important source of talent, their capacity is limited, and members of
underserved communities continue to have less logistical and financial
ability to pursue degrees than counterparts. To transform the face of
the Federal workforce, the Government must look beyond its usual
horizons and open jobs to--and direct recruitment efforts at--people
like Bitwise Industries' students and apprentices, who have gained
valuable knowledge and skills through nontraditional paths.
Thank you for your consideration of this testimony and your
commitment to leveraging American workers' ambition and creativity to
strengthen safety on-line and protect against attacks on the electronic
resources and services on which we rely.
[all]