If cybersecurity is one of the nation’s most potent threats, the answer is as much a talent question as technology. That’s why with orders from Congress, the Cybersecurity and Infrastructure Security Agency turned to the National Academy of Public Administration. NAPA evaluated what the agency is doing to help build the nation’s cyber workforce. With highlights of what it found, NAPA study co-chairs Karen Evans and Dan Chenok spoke to the Federal Drive with Tom Temin.
Tom Temin: Good to have you both with us.
Insight by Red Hat: Join us for an enlightening panel discussion with moderator, Justin Doubleday and agency and industry leaders who will explore the strategies and tools aimed at empowering the modern digital-native workforce in the intelligence community.
Daniel Chenok: Thanks, Tom. Good to be here.
Karen Evans: We’re excited to be here, Tom
Tom Temin: And saying that you two co-chaired a NAPA study is like saying Mozart was some guy that wrote a rondo. And we’ll just let listeners know that you both have very long experience in federal government itself and in federal affairs. So let’s get to what the NAPA challenge was here. What is it that CISA asked you to do? I guess this was an appropriations bill provision from a year ago from Congress.
Daniel Chenok: That’s correct Tom. The congressional staff and the members had been looking for several years at the operation of workforce programs generally, and especially within the Department of Homeland Security. First, it was the National Programs and Protectorate Division that became the Cybersecurity and Infrastructure Security Agency. And there is a set of educational programs within CISA that are led out of a directorate underneath the CISA director, which provides a lot of work with colleges and universities and other organizations through grants. And the staff was interested both in how are those programs operating, but also in how are those programs operating going forward in terms of kind of overall cyber strategy. So they conduct, as you noted, the appropriations noted that DHS should work with the National Academy to do the study. And Karen and I are both fellows of the academy. The academy does studies through a panel of fellows that kind of provide strategic guidance and direction. We were joined by a terrific panel, Danny Weitzner, Costis Toregas and Marilu Goodyear, the other panelists. The work is done by the NAPA study team led by Sally Jagger and their team was great. And they did a lot of fantastic work to drive into a question that the panel sought to expand from the original congressional charge, and we worked with DHS and the congressional staff to do so. And that is to say, what’s the overall picture of cybersecurity workforce programs in the government? How should that picture best be aligned going forward to address key cybersecurity needs of the government and the nation? And then how can the government best align its activities going forward, both CISA and other agencies like the National Institute of Standards and Technology, the Department of Defense, Department of Labor, Department of Education? All of them play a key role and have been doing phenomenal foundational work. But it hasn’t always been coordinated effectively from the top. And then we were, the last thing I’ll point out is that we have a new organization on the block, which is the White House Office of the National Cyber Director of which is a stature office within the White House to lead and coordinate across the government. So all of that created the frame for our work.
Tom Temin: Yes. And everywhere you look, some agency has a grant program with colleges or universities to try to develop workforce. So it seems like there’s a lot of efforts and maybe they don’t talk to one another enough. Is that what you found, Karen?
Karen Evans: Well, I think as as Dan laid the groundwork, there’s a lot of foundational work that was done. And the one that I’d like to point to in this particular case, based on the question that you asked is the National Initiative for Cyber Education, which is the NICE initiative. So these programs are following that framework. So everyone, under previous administrations were following the framework. What the study team found is, there is some challenges on to what is the long-term outcome, the mid-term outcome and the short-term outcome? And how do you really go about doing that? And so for example, when you talk about grant programs developed, going out, they’re focused on K-12. But are they coordinated focused on K-12 to meet the national need, both in private sector, and public sector? They’re following the framework, but are they coordinated in what they’re attempting to do to try to close that gap? And that’s what the study team was really trying to highlight that there’s a need for that.
Tom Temin: And that should be through the Chris Inglis, National Cyber Director Office did you find?
Daniel Chenok: Chris has a passion for workforce that he’s brought forward in his significant career in cybersecurity as do new leaders at the agencies including Jen Easterly as the director of CISA, and across the government. And the thing we found that in driving forward so there were a lot of activities, especially the NICE initiative at NIST that Karen mentioned that brought agencies together. There wasn’t a lot of sort of gravity from the top, if you will, around this, and Chris’s office provides that, both the institutional structure to do that and the level of impact being a White House office. And the last thing that we found was that in order to do that they needed to define a north star. So there’s a lot of different strategic plans that have been developed over the years that have a lot of really good elements. They’re not necessarily shared across the agencies. And we found that Chris’ office was well placed to work with CISA, NIST and the other key agencies to drive that forward to create that strategic framework that all parties can buy into and understand sort of how it connects to leadership from the top and move forward.
Tom Temin: And by the way, that NICE initiative that dates back a good 12 years or so correct?
Karen Evans: Close to 15 years. I mean, I’m dating myself, right, because the federal CIO has always done workforce studies. Dan knows that, now we’re really dating ourselves, right? And so cybersecurity has always been a critical skill gap that needed to be filled. So what – and it goes back to the Bush administration started the comprehensive National Cybersecurity Initiative, which then went into the review that the Obama administration did, right? And so there has been a lot of foundational work. But I do think that one thing that the study team brought forward and the panel was pretty passionate about this is when you’re looking at this, isn’t it, when you say governmentwide, governmentwide can mean a lot of things. It can mean internal only for federal workforce, and the contractors that are supporting them, or it can be a governmentwide strategy that’s supporting a national need. And so what we found was that really needed to be specified that it’s a national need. And that there are a lot of pockets of innovation that are happening across the nation. And what we’re suggesting is that through Chris’ office, the White House is a convener that they can bring these different pockets of innovation together to make us go forward so we can close these gaps.
Tom Temin: Got it. OK so before we get to the details of CISA and DHS itself then, that would sound like your major recommendation for almost the White House, really, more than for DHS, is to tie all this together through that office, through that workforce-oriented office that Chris Inglis has been making a lot of headway in running.
Daniel Chenok: So the White House provides leadership and strategic guidance. They’re not, we wouldn’t say that the panel recommended that they be operational in how stood this up, but that they coordinate and establish a governance framework across the agencies that’s based on, notably based on important data. So a lot of the conversation gets done not necessarily with information that’s shared about the progress on cybersecurity across agencies in terms of how the national picture looks and how the government picture looks, as Karen just described. So one of the key findings that the panel made was that you can tie all this together through an increased agreement of and design of data collection, and data aggregation to understand sort of what’s happening with the cybersecurity workforce. And we recommended something like a bureau of cybersecurity statistics or a similar organization focused on data that would be that center of gravity in the government around this important element.
Tom Temin: That could live at CISA, for example?
Daniel Chenok: It could. Because fiscal agencies live around the the government. Karen has been in an agency with a fiscal agency as well, so knows that well.
Karen Evans: Yes, several. So that’s probably one of my favorite recommendations that came out from the group overall, because it’s been talked about, and it’s been proposed. And it was focused, I think, initially, when it came out into the press was around cyber incidences and trying to get information around types of cyber incidences and those things like that. And you look at Cyberseek, which is already out there, another foundational effort, but you’re looking at the data sources. And when you really start looking at the government, the government is about information. And it’s a trusted broker for information. So look at Department of Justice, there’s a Bureau of Justice Statistics, it’s almost like anything you want to know about some type of law enforcement issue, there is a statistical piece associated with it, just like the Bureau of Labor Statistics, just like the Census, right, just like Energy Information Agency where it has – and so there’s there is an established government framework around these statistical agencies that makes their information valid and a reliable source. So, instead of us intuiting that we know that we need so many forensics analysis people to close the gap both in private sector and in public sector, a bureau of cyber statistics could actually start measuring and looking at what’s working what isn’t and making statistically valid comments, predictions about where we are on the workforce.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Tom Temin: And let’s talk about a moment for what you found at CISA’s own efforts, which was the seed of this entire work that expanded to the governmentwide and industrywide look, but is CISA itself doing a good job in what it’s supposed to do with respect to workforce development?
Karen Evans: So they are and Congress was very specific about the areas that we were supposed to be looking at them. It was around specific things like diversity, right, scalability, those types of things. They had a series of programs that I think everybody, when the study team brought it forward, we’re amazed at the amount of programs that [Cyber Defense Education and Training] and CISA were actually working on. And Congress was specifically interested in one particular program. And through this work, they found that they’re doing five other programs, four other programs. But what really has to happen is, are these really the right programs? So the recommendation was, “Hey, you guys should really take a look at this. And if these are the right things, and we looked at a bunch of things saying that’s why you need the governance strategy, that’s why you need this, the strategy overall going forward, is because they’re doing a heck of a job with the minimum resources that they have.” But we really have to know are these activities that they’re doing, really producing the outcomes that we want, which is closing the gap, and really helping with workforce? And there is a debate, which is why academia is so important to this discussion, as well, between training and education and competency-based, right, versus skills-based. And how do you bring that all together so that you can have individuals who can demonstrate they have the competencies and the skills to be able to perform the job?
Tom Temin: In essence, the government needs, and the components need to determine first that they’re doing the right thing, even if they’re doing it, not only doing it well but doing the right thing, because you can do the wrong thing well, it doesn’t help. So they got to do the right thing. And then it has to have some kind of way of reducing duplication, essentially is what you’re saying so that it can be more efficient.
Daniel Chenok: Yeah, and it’s even more complex, because there are near-term, mid-term and long-term focus programs. And so the coordination and go forward plan in the foundation of each is different. So near term is in-service training, things like the cyber reskilling academy, people that are in the workforce now getting up to speed on current needs for cybersecurity, both technically and also operationally and managerial considerations. Then there’s the mid term, which is sort of the entry level workforce, the people coming out of vocational schools, colleges and universities, community colleges sit to drive the workforce forward from an entry-level perspective. And then you’ve got the long term, the K-12, where there is, kids need to learn about cybersecurity just like they learn about history and English as part of their set of foundational skills for the 21st century. And so the answers and approaches that CISA, working with the agencies and NCD wants to take are gonna look a little bit different for each category, but they’re out of the pipeline flow that kind of addresses the whole picture.
Tom Temin: And underlying all of this work, I get the sense that you have the sense that the near-term problems are getting more urgent because the dangers of a real cybersecurity disaster keep lapping closer and closer to our shores. And also that this is not something that can be characterized like a moonshot, like we’re gonna cure cancer.. But it sounds like an ongoing effort, something we’re gonna have to live with just like disease control for pretty much now on.
Karen Evans: Well, and so I think, as Dan talked about breaking it down into short term, mid term long term, and the study worked on that, when you look at some of the programs that CISA is actually doing, they do try to break them out into short term, mid term long term, right? And the other thing, which this study brings forward that CISA is also looking into, are nontraditional areas, right, like nontraditional, you don’t have to have a computer science degree, right? So the report also spends a lot of time examining the cyber talent management system, where Congress also gave DHS those authorities, right, to be able to stream line for lack of a better term, bringing people in and making it more competitive with private industry. But you’re also like measuring aptitudes and skills as the person comes through this system, right? So you could easily go down a rabbit hole about four year degrees, and all these other things like that. And that’s the short term piece, right? And so this is a program that launched and Angie Bailey, little shout out to Angie Bailey who’s also a NAPA fellow, implemented that before she left, but it was in conjunction with CISA and the DHS [chief information officer]. So, that’s a program that Congress gave DHS specific authority for. When it’s successful, because I keep saying when it’s successful, everybody else says “if it’s successful,” when it’s successful, then it needs to be examined about how do you then scale that program to other agencies and be able to give them the authority so that you can streamline the hiring process? So the workforce in the short term is highlighting things that are not new to you, Tom, that you’ve covered, is a lot of, well the challenges or the barriers to entry into federal workforce. And so, again, if you go to these nontraditional approaches, you’re attracting new people, can you reduce that frustration, so that you can bring them in to close those skill gaps, and then, like Dan said, do training while they’re on site, right, like do training, on-the-job training and be partnered with private sector as well as academia to close that mid term gap? So that has to get institutionalized. That’s really what the report is focused on is there’s a convergence of great leadership, personalities, programs, all the tools are there. So what the study is saying is, hey, get this strategy and get this governance structure in place. So it can continue to address this problem going into the future, just like you said.
Tom Temin: So Dan, to wrap it all up, would you say then that you have presented a pretty good blueprint, that if Congress and the agencies and the White House do all their part, we could really have a great, what do they say, “all the wood behind the right arrowhead” as we head toward better cyber?
Daniel Chenok: Yeah and that’s the role of the National Academy. I think that’s why Congress sought the perspective of the academy which brings together academic experts, former government leaders like Karen and myself, other subject matter experts who have had considerable careers and expertise in particular areas. And so, as with other Academy studies, we tried to step back and say, alright, here’s the immediate question that Congress asked. In order to answer this question, there’s a larger problem that we can help define and help move the ball forward and leave a pathway for government to proceed, which is what we hope to do with the study.
Tom Temin: Alright, let’s hope they read it. It’s only 94 pages, not too big by federal reports. Dan Chenok and Karen Evans, co-chairs of the cyber workforce study for the National Academy of Public Administration. Thank you both for being with me.
Karen Evans: Thank you, Tom.
Daniel Chenok: Thanks, Tom.
Copyright © 2023 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.