The government needs to help provide educational resources to address the shortage of qualified workers to fill U.S. cybersecurity positions, according to experts who testified at a House Science, Space, and Technology committee hearing on Tuesday.
“The workforce need is acute and immediate, with a projected shortfall of nearly 1.5 million professionals by the year 2020,” said Diana Burley, executive director and chair of the Institute for Information Infrastructure Protection and professor of human and organizational learning at George Washington University.
She explained that two critical approaches to addressing that future shortfall are to incorporate coding and computer science into K-12 curriculum and to include more lessons on analytics and critical thinking.
“We certainly need to make sure that everyone understands what cybersecurity is, what role they play in that workforce,” Burley said. “We have to target all of the K-12 teachers instead of just focusing on those who have self-identified as being interested in computer science or in cybersecurity.”
Burley encouraged the Federal government to leverage the work of the Association for Computing Machinery joint task force on cybersecurity education, which is currently developing a cybersecurity curriculum guidance that will be completed by the end of the year.
Iain Mulholland, industry member of the Center for Strategic and International Studies Cyber Policy Task Force and CTO of Security at VMware, said that even among trained IT workers, there is still a lack of education in basic cybersecurity practices.
“We find it incredibly difficult to hire well-qualified security engineers,” Mulholland said, adding that he often has to teach general tech personnel about security practices. “I would love to see basic security skills be part of every computer science degree.”
Both Burley and Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office, agreed that community and technical colleges can play a critical role in creating the necessary cybersecurity workforce in coming years.
Wilshusen explained that the government also has a number of options for encouraging students to move from those cybersecurity programs in school into Federal service.
“One of the things would be reimbursement of student loans,” said Wilshusen, adding that this is already a technique used by GAO. “That’s a very useful and effective way to recruit staff.”
However, committee members expressed concern that the executive order mandating a hiring freeze in the Federal government would prevent agencies from doing just that. Rep. Ami Bera, D-Calif., said that he would hope to find bipartisan support for creating an exemption for cybersecurity workers.
“We’re seeking clarification on that now, just to make certain,” said Charles H. Romine, director of the Information Technology Lab at the National Institute of Standards and Technology.
Rep. Don Beyer, D-Va., raised concerns that President Donald Trump’s reported use of a personal cellphone and unsecured Twitter account sets a bad example for Federal cybersecurity practices.
“Awareness is one thing, but understanding the implications of your behavior, which then lead to behavior changes, is another,” Burley responded.
Committee Chair Barbara Comstock, R-Va., said that she expects the committee to hold future hearings about the specifics of cybersecurity education.