Should cyber competition performance be valued like schooling in cyber workforce?

Federal agencies need well-qualified candidates to bolster the cyber workforce, but what metrics do they use to judge the qualification of those candidates?

“What we’re seeing as part of the U.S. Cyber Challenge is that there is a lot of interest for people to move into cybersecurity, because they see and they hear of the demand,” Karen Evans, former White House IT official and director of the Center for Internet Security’s U.S. Cyber Challenge, said on Training Cyber Workforce month. “What the challenge is, is what is an agency or what is an industry or company actually looking for when they need more cybersecurity professionals? I think that is the next set of challenges that really need to be worked on: What does an organization need to have, and what is the right skillset that you need to have a recruit for?”

She said the focus on college degrees stems from a desire for a “basic analytical ability” fostered by institutions of higher education. But that doesn’t necessarily have to be the final word in qualifications for a cyber workforce.

“This is where I’m pushing really hard, is that you can use excellence in competition just like you’d use excellence in academics,” she told the Federal Drive with Tom Temin. “So for example, when I entered into the federal workforce, because I had excellence in academics, it allowed me to start two grades higher. Competition, if you have excellence in performance, could actually substitute for workforce experience.”

Cybersecurity competitions are drawing more attention from and becoming more popular with federal agencies. The use of bug bounties has spread after the Defense Department held its first in 2016; since then, the Army has held one, and both the Air Force and the General Services Administration have plans to hold their own. Meanwhile, the Defense Advanced Research Projects Agency hosted a Cyber Grand Challenge in 2016 to develop automated systems defenses.

U.S. Cyber Challenge, as the name implies, oversees a number of cybersecurity competitions and training programs, some of which are either adapted directly from or tailored directly to federal programs. For example, one of its recent Cyber Quest qualifying rounds was an incident response simulation, developed from exercises used by a Department of Homeland Security task force.

Advertisement

And multiple organizations, including U.S. Cyber Challenge, tailor competitions directly related to categories and specialty areas used within the National Cybersecurity Workforce Framework developed by the National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE).

The website CyberCompEx.org, which Evans described as a social media platform for cybersecurity challenges, compiles lists of these competitions and how they directly relate to the specialty areas of the Framework, like “information assurance compliance” and “systems security architecture.”

“So, say, for example, if you’re looking for competitions that are testing and looking at forensics capabilities,” Evans said. “You could look through the NIST Framework and then find competitions that align with the skills that you’re looking for.”

And agencies are starting to take advantage of these competitions to help round out their cybersecurity workforce training. Evans said that in July, the Office of Personnel Management sent new cybersecurity hires to take part in the Cyber Quest competition as part of their orientation.

But Evans said these competitions can also be fertile recruiting grounds for agencies looking for a cyber workforce. U.S. Cyber Challenge’s summer camp participants, who had to qualify in a cyber competition to get in, ranged in age from 13 to 61, but most of the participants were in their mid-20s.

“There’s a broad range,” she said. “There’s people who already have a college education trying to get the training they need in order to be able to shift their profession and go into cybersecurity. And then there’s people just starting along the college path and they’re trying to figure out ‘Do I want to go into computer science? What sorts of things do I want to go into to be practicing in this field?’”