THE CASE FOR A NATIONAL CYBERSECURITY ACADEMY: DEFINING A NATIONAL, VIRTUAL, CYBERSECURITY SERVICE ACADEMY Part 2 of 3

By Larry Clinton, Skytop Contributor / January 7th, 2023 

The National Association of Corporate Directors has twice named Mr. Clinton as one of the 100 most influential people in the field of corporate governance. He is a two term Chair of the IT Sector Coordinating Council and serves on the Cybersecurity Advisory Board for the Center for Audit Quality and the Cyber Advisory Board for the Better Business Bureau. He is widely published and has been a featured spokesman in virtually all major media outlets from WSJ, USA Today Fox News, NBC, CBS, NYT, PBS Morning Edition CNN & even MTV in India. He testifies often before Congress. He has briefed industry and governments world-wide including NATO and the OAS. ISA was also the only trade association to be part of the official cyber security briefing for the Republican National Convention in Cleveland. 

ISA recently published the Cyber Social Contract (Vol. 3), which outlines 106 recommendations for the President and Congress. The previous editions of the ISA Social Contract were endorsed by the House GOP Task Force on Cyber Security and were the basis for President Obama’s Executive Order 13636 on Cyber Security. He is the industry co-chair – DHS is the government co-chair– of the Policy Leadership Working Group on Cyber Security Collective Defense featured at the National Cyber Security Summit in New York in July. 

He literally “wrote the book” — the Cyber Risk Handbook for corporate boards which is the only private sector publication endorsed by both DHS and DOJ. PWC has independently evaluated the Cyber Risk Handbook and found it substantially changed how corporate director’s address cyber risk management leading to higher budgets, better risk management, closer alignment of cyber security with business goals and helping to create a culture of security. In 2017 ISA adapted the Handbook for the UK and Germany. As in the US, the German edition has been endorsed by the German government. ISA is now working with the OAS on a Latin American version of the handbook; as well as an edition for India and Japan, in partnerships with industry groups. 

Executive Summary  

In our last post we made the case for a national, virtual, cybersecurity academy. In this post we will discuss the key points of our proposal. In our next post we will discuss the advantages of our proposal, which we suggest as the only practical way for the U.S. to quickly, comprehensively, sustainably and cost effectively address the persistent cybersecurity workforce issue.  

It’s important to understand first what the Internet Security Alliance (ISA) is not proposing. ISA not proposing a physical academy. The ISA is also not proposing a military academy. The ISA is not proposing funding only technical cyber education.  

ISA is proposing that the federal government create a virtual national academy for cyber security. The model ISA is suggesting is the same as for the current service academies. Cadets would receive a free college education in return for 5 years government service in cyber security. The academy would provide a full education, just as the military academies do. The emphasis on cybersecurity would be equivalent to a major course of study.  

Their home college, university, or community college would provide the rest of the coursework. 

Graduates would be placed in government jobs similar to the process as military service graduates are placed. However, they would not be in the military. Cyber academy graduates would be placed into state, local and federal government institutions working in cybersecurity for 5 years. After their five-year hitch with the government, graduates likely would take cybersecurity jobs in the private sector where, due to the interconnected nature of the internet, they would continue assisting in our national defense. 

Understanding The Nature of the Cybersecurity Workforce Issue 

When the ISA was founded in 2001, we campaigned for an aggressive cyber workforce development program because there were 100,000 vacant cybersecurity positions that could not be filled.  

The most recent estimates are that twenty years later we have at least 600,000 vacant cybersecurity jobs in the U.S., and the gap is growing rapidly.  

One of the major reasons we are not making progress in closing the cyber workforce need– or what we prefer as the national defense mobilization need–is that for the most part the issue has been addressed in too narrow a context. That is, primarily as technical proficiency. The focus has been on getting a range of technical training programs out there, and in that regard, we have largely succeeded in doing that. Virtually every college and university, and many community colleges, have one.  

Cybersecurity is More Than Technology 

In reality, however, cybersecurity is a much broader issue than technology. Cybersecurity is best understood as a three-legged stool that is roughly equal parts technology, economics, and public policy. Solving the cyber defense national mobilization issue will require looking at the issue in economics terms.  

The issue is simply one of supply and demand.  

The demand for skilled cybersecurity personnel is outstripping the available supply. Since it’s unlikely that we are going to diminish the need for trained personnel, the only answer is to stimulate the supply. The way we need to do this is by rebalancing the economics.  

Virtually every family in the U.S. with children between the ages of 8 and 18 are worried sick about how they can possibly send their children to college because the costs of even public universities are literally frighteningly high. Obviously, this issue is even more acute for the less financially well-off of our nation. The children are worried too because they have gotten the message that they could take out student loans and have these loans burden them until they are near retirement.  

Free Tuition 

The allure of free tuition is a powerful driver to vastly expand the cyber workforce pool beyond what we are currently training, which are people for the most part who are techies at heart. But frankly, there simply are not enough of them. We need to get parents all over the country to say to their kids, such as the hundreds of thousands of people who love playing video games, that actually they can go to college free of charge and be guaranteed a great job when they get out. Doing much of what they are doing in their games, solving problems with computers and technologies, is called cybersecurity.  

By providing a strong economic incentive to consider going into cybersecurity, one that currently doesn’t exist, we have our best chance to quickly and dramatically increase the supply of people who we will train for cyber defense. 

The Virtual Cybersecurity Academy 

When we needed to respond to the previous new domain of warfare, that is air warfare, we established the Air Force Academy. Essentially, the Air Force received the same deal as Annapolis and West Point. Free college tuition in return for 5 years of government service. That is exactly the deal we should be offering candidates for the national cybersecurity service academy. 

Providing an economic incentive is the first step in building a national cybersecurity service academy. However, since we are already behind by literally hundreds of thousands of jobs while attack methods are getting more sophisticated, we don’t have the time, or money, to build an elite physical service academy.  

Digital Technology and Remote Learning  

We need a 21st century solution to this 21st century issue. We need to make the cyber service academy a virtual service academy using digital technology and remote learning. This virtual solution is much faster and much more economical than a physical academy and also opens up the ability to “attend” to everyone in the country. We already know that we have a sizable number of trained instructors with operational curricula in these numerous programs at our colleges and universities.  

We obviously would need a process to certify the curriculum, but that process is routine in most academic disciplines. If we want to jump-start the program, we could grandfather in a set of sites (e.g., the national cyber centers of excellence) while other institutions could adapt their curriculum as needed to be eligible to apply for the program.  

However, for the allure of free college tuition to be powerful enough to expand our talent pool, the grant needs to be not just for the cyber academy program. The cyber academy program would be analogous to a major course of study. Just as a student needs to take a range of courses, including their major, to graduate the same would be true with the academy. Students would select their colleges, universities, or community colleges as they do now, but the cyber academy would be their “major.” They would take the rest of their course work at the college they choose and are admitted to, similar to the current ROTC program except for non-military service. The government would pay the college the full tuition at regular rates for the academy students. Thus, the students would get the full college experience they want, but with free tuition, and the government gets a continual supply of trained personnel.  

Job Placement  

The final core element of the proposal is that just as graduates from military academies get placed, so too would the graduates of the cyber academy. However, placement would not be simply in the military. Cybersecurity has a military aspect, but it is not strictly a military issue. The military academies already have their own excellent programs tailored to the specifics of military cyber security.  

Talent Infusion at All Levels 

Graduates of the cybersecurity academy would go to all levels of government. While the federal government has its own shortages of adequately trained cybersecurity personnel, the shortages at the state and local governments are far more severe because the states and localities have far less resources to compete for the current limited pool of talent. In fact, it is virtually inconceivable that the states and localities will ever be able to adequately compete with the federal government and private sector for cyber talent without a massive increase in the trained labor pool who would be made available to them via the academy program.  

Another feature of the ISA proposal is that graduates, once they enter their government services, will be paid at standard government rates, not the inflated levels the government now must pay. In this process the government essentially recovers a good portion of the investment they made by paying for tuition. Thus, the program is a cost-effective solution.  

However, that point strays into the description of the advantages of the virtual cybersecurity academy proposal, which is the subject of the next post. a