The recent SolarWinds hack has revealed weaknesses in the ability of both the public and the private sectors to defend themselves against malicious activity in cyberspace. The congressionally mandated U.S. Cyberspace Solarium Commission, which spent the past year studying cybersecurity challenges, stated that effective cybersecurity efforts balance investments in technology, processes and people, and that the “people” aspect of cybersecurity has been in short supply for decades.
The federal government has been thinking about this personnel challenge for years. Twenty-one years ago this week, the White House issued the first National Plan for Information Systems Protection. Among other initiatives, this plan created the CyberCorps: Scholarship for Service (SFS) program, an ROTC-like effort in which the U.S. government pays for a student’s education in exchange for a future commitment to federal cyber service. The program has become one of the mainstays of public sector cybersecurity workforce development, providing scholarships for more than 3,000 students educated in colleges and universities across the country. The program subsequently places them in jobs with federal, state, local and tribal governments nationwide. But it has never grown into the program envisioned in 2000, and it puts only a small dent in the cybersecurity hiring needs of federal agencies.
Some things have changed since the early days of CyberCorps. For example, the feds no longer worry about losing talent to the private sector’s Y2K mitigation effort. Instead, the U.S. government now loses talent to a private sector that is combating an array of nation-state and criminal cybersecurity threats. Each year, the country creates cybersecurity jobs faster than it can fill them, meaning that more and more cybersecurity jobs are going unfilled. In the public sector – federal and local governments – nearly 40 percent of all cybersecurity jobs are unfilled, with 37,197 openings among 93,833 jobs.
The private sector mirrors this shortfall, with slightly more than one-third of cybersecurity jobs unfilled. The number of openings is climbing each year. Just five years ago, 412,279 cybersecurity job openings were posted across all sectors in the U.S. By 2019, there were a total of 625,437 postings, according to data shared by the creators of CyberSeek, a tool that provides data on the cybersecurity job market.
Daunting as this trend may appear, there are reasons to be optimistic. The SFS program was designed to be scalable, and its administration by the National Science Foundation has been exceptional. Its structure allows the program to support hundreds and potentially even thousands of students per year with a streamlined federal staff. The program achieves this goal by channeling students through existing computer science, engineering, and other departments at participating schools, rather than trying to build unique academic infrastructure. The NSF runs a very competitive process to screen and select institutions to participate in SFS, and provides overhead funding to help develop and maintain each selected institution’s cybersecurity programs. There are always more schools applying to join SFS than there are new program slots, and nearly every participating institution has more qualified program applicants than the number of SFS scholarships they can award. The system is primed to grow.
Since its creation, SFS has expanded from 10 students at seven institutions to more than 380 graduates per year from 78 colleges and universities, all on the path to becoming cybersecurity professionals. Of the participating academic institutions, roughly one in five is also a Minority Serving Institution, thus helping to expand not just the size of the federal cybersecurity workforce, but also its diversity. The SFS program is administered very judiciously, with a nearly 95 percent success rate in placing graduates in qualifying government jobs. A new pilot program for community colleges, established in the 2018 National Defense Authorization Act, further demonstrates the utility, adaptability and room for growth of the program.
Now that the CyberCorps: Scholarship for Service program has had 21 years to prove its value, it is time to put the program under full steam, ramping up SFS to educate and employ thousands of future cybersecurity public sector workers each year. The Cyberspace Solarium Commission recommended doing exactly that in its March 2020 report, calling for a 20 percent increase in funding to the program in fiscal year 2021 and further increases in each of the next 10 years. This phased expansion would enable the SFS program to eventually graduate 2,000 CyberCorps students – who go on to become government employees – per year. In doing so, the program would take a much more significant bite out of the ever-growing number of unfilled public sector cybersecurity jobs.
While the growth of the SFS program may seem like an obvious step for addressing the federal cybersecurity workforce challenge, recent budgets have permitted only modest increases in the program’s size. Meanwhile, new requirements from the 2018 and 2021 National Defense Authorization Acts have expanded important – but non-scholarship – programming (particularly in kindergarten through 12th grade education and summer camps) for which the SFS must provide funding. Additionally, recent appropriations have required about 10% of the SFS budget to be used solely in support of community colleges, which achieves an important objective but unintentionally limits the efficient management of overall funding available for scholarships.
Despite these increases in responsibility, funding for the program remained static at about $50 to $55 million in recent years. In fact, the White House’s budget request to Congress for FY 2021 actually proposed a $3.2 million cut to the program’s budget relative to FY2019’s actual budget. Fortunately, Congress restored this reduction through the FY21 Omnibus Appropriations Bill, which provided a modest increase to $60 million in funding for SFS (including community college set-asides). However, lawmakers did not take the bolder CSC recommendation to increase funding 20% in order to initiate meaningful program growth. The FY 2022 appropriations bill will provide another opportunity to address this issue with a consequential budget increase.
The SFS program is the most effective tool available for the U.S. government and its nearly 80 partners in academia to collaborate on ensuring that the future government cybersecurity workforce is prepared to protect Americans’ increasingly digital lives. As the cybersecurity workforce becomes increasingly integral to the success of all federal missions, leaders in the executive branch and Congress should be taking every opportunity to strengthen, fund, and grow the program.
Mark Montgomery is senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and senior advisor to the chairmen of the Cyberspace Solarium Commission. Follow Mark on Twitter @MarkCMontgomery.