VIRTUAL CYBERSECURITY SERVICE ACADEMY: FOUR OF TEN REASONS Part 3 of 3

By Larry Clinton, Skytop Contributor / January 7th, 2023 

Larry Clinton is President of the Internet Security Alliance (ISA). The ISA is a multi-sector trade association that focuses on thought leadership, policy advocacy and developing best practices for cyber security. Mr. Clinton holds a certification on Cyber Risk management for Corporate Boards from Carnegie Mellon University, He is on the faculty of the Wharton School where he teaches a graduate Executive Education course in cyber security. 

The National Association of Corporate Directors has twice named Mr. Clinton as one of the 100 most influential people in the field of corporate governance. He is a two term Chair of the IT Sector Coordinating Council and serves on the Cybersecurity Advisory Board for the Center for Audit Quality and the Cyber Advisory Board for the Better Business Bureau. He is widely published and has been a featured spokesman in virtually all major media outlets from WSJ, USA Today Fox News, NBC, CBS, NYT, PBS Morning Edition CNN & even MTV in India. He testifies often before Congress. He has briefed industry and governments world-wide including NATO and the OAS. ISA was also the only trade association to be part of the official cyber security briefing for the Republican National Convention in Cleveland. 

ISA recently published the Cyber Social Contract (Vol. 3), which outlines 106 recommendations for the President and Congress. The previous editions of the ISA Social Contract were endorsed by the House GOP Task Force on Cyber Security and were the basis for President Obama’s Executive Order 13636 on Cyber Security. He is the industry co-chair – DHS is the government co-chair– of the Policy Leadership Working Group on Cyber Security Collective Defense featured at the National Cyber Security Summit in New York in July. 

He literally “wrote the book” — the Cyber Risk Handbook for corporate boards which is the only private sector publication endorsed by both DHS and DOJ. PWC has independently evaluated the Cyber Risk Handbook and found it substantially changed how corporate director’s address cyber risk management leading to higher budgets, better risk management, closer alignment of cyber security with business goals and helping to create a culture of security. In 2017 ISA adapted the Handbook for the UK and Germany. As in the US, the German edition has been endorsed by the German government. ISA is now working with the OAS on a Latin American version of the handbook; as well as an edition for India and Japan, in partnerships with industry groups. 

Mobilizing a Workforce in the Digital Age 

In a series of recent posts, we have noted the time has come for us to create a national virtual cyber service academy, modeled on our traditional military academies but updated for the digital age. We subsequently detailed the public policy argument for this academy and outlined a governance model for it. In this post we will summarize some of the many advantages for creating this national, virtual cybersecurity service academy. It will take multiple posts to cover them all, but we will start with these. 

Advantage One: Create a Pathway to National Cybersecurity 

It is axiomatic that none of the technologies, frameworks, coalitions, or strategies to enhance our cybersecurity can ever succeed without sufficient, adequately trained personnel to implement these tools.  

There are literally hundreds of thousands of high-paying cybersecurity jobs. We don’t have the people shortage just in the United States. Worldwide there are millions of these jobs that are vacant. Many are dealing with networks that we are interconnected with in the U.S. Despite recent spending increases and the existence of a number of very good training programs, the gap is continuing to grow. Estimates of increases are for as much as 30% in the next few years,  especially in the  government sector. A recent CSIS study showed that the federal cyber workforce is near 35,000, and the gap has increased by 25% in the past 3 years. The future for the federal sector is even bleaker as natural attrition is going to make things worse. There are 16 times more federal “IT” workers over 50 years old than under 30. 

The piecemeal efforts we have tried over the past 20 years are clearly not sufficient. By creating a national cybersecurity academy, we can efficiently, effectively and permanently solve this fundamental problem. The academy is the only practical path to solve this problem quickly and at a marginal cost.  

As policy makers debate the cost of establishing a national cybersecurity academy, they would do well to remember that the tens of billions we are already spending on various cybersecurity initiatives are all inherently undermined by the lack of trained personnel.  

Solving the cybersecurity personnel shortage needs to be cybersecurity priority number one. 

Advantage Two: Creating an Academy Places Cybersecurity in It’s National Security Context 

We need to stop using the antiquated term “cybersecurity workforce development.” What we really are talking about is national security mobilization. 

After WWII we realized that the skies were a unique domain of warfare. The lack of preparation for this new domain of conflict contributed to things like Japan’s successful bombing of Pearl Harbor. If the constant stream of successful cyberattacks our government has experienced over the past few years didn’t convince us this is a national security issue, the events in Ukraine should. Hopefully we won’t need a cyber Pearl Harbor before we decide to prepare our defense with trained personnel. 

The reality is we are already under attack. We are under attack all day, every day, thousands of times a day, including from nation-states and state affiliated attackers. Things are getting worse and we don’t have nearly enough trained people to defend ourselves. Much like modern aircraft fundamentally changed the nature of international conflict, so too has digitalization altered the nature of conflict and hence the nature of effective defense. Our cybersecurity requires a very different set of skills than the traditional military. Cybersecurity training requires not only technical training in the technology itself but a wide range of associated skills such as strategic thinking, probability estimation, human resources (people are our greatest vulnerability) as well as supply chain management, auditing, and strategy. 

We can’t solve our cybersecurity problems without understanding them. This begins with thinking about and talking about this issue using the proper terminology. We need a national defense mobilization effort, and we need it soon. At the very least our government agencies need adequate personnel.  

There is another sense in which the national cyber academy would place the cybersecurity issue in its correct context as an economics issue. Our personnel shortage is a classic economics problem of supply and demand. We simply do not have an adequate supply of trained people to meet the ever-growing demand. The answer to this economic problem is to use economic stimulus to generate an adequate supply of trained people. That economic stimulus is the same one we use for our traditional military defenders – free college tuition to students who will repay the nation by devoting 5 years of government service in our national defense.  

Advantage Three:  The Cybersecurity Academy is Cost-Effective  

One characteristic of this program is that its cost can be largely managed on a year-to-year basis simply by increasing or lowering the number of applicants allowed into the program. For illustrative purposes we will assume that policy makers would want to solve the federal cyber mobilization shortage in four years.  

While there are hundreds of thousands of cybersecurity jobs vacant in the country, there are “only” about 36,000 vacant jobs at the federal level and a roughly equal number of vacancies at state and local government levels. That’s roughly 70,000 jobs we need to fill at all three levels combined. Postulating classes of 10,000 students at the current average cost of tuition and fees at a 4-year public college (roughly $20,000), let’s consider a hybrid virtual-physical cyber academy operating in concert with our existing educational structures. Roughly equivalent to ROTC, it would cost the federal government about $800,000. If we add a very generous 20% on top for administration, then we have a $1billion dollar a year program.  

A program of that size would solve our federal cybersecurity personnel shortage in four years. With this funding, in eight years the entire government, including state and local shortage, would be solved. A program twice the size would resolve all our government’s cybersecurity cyber personnel issues in four years.  

Keeping in mind that the tens of billions we are already spending on government cybersecurity is being undermined by the lack of trained personnel. This is a modest and very cost-effective step. Moreover, when these students graduate, they would be paid at normal GS levels, not the vastly inflated process the government is currently paying as they try to keep up with industry. Therefore, the government would not only have a permanent supply of adequately trained people at modest cost, they would also recoup some of their investment through lower salaries.  

Advantage Four: The Academy Addresses Our Cybersecurity Issue at Its Proper Scale 

The data shows us clearly that the current piecemeal system of acquiring sufficient cyber personnel is not working. We need a dramatic increase in trained personnel, and we need them fast. One might wonder if it’s feasible to recruit thousands of students into these programs. As a point of reference, last year there were 41,000 applicants to the five current service academies, and only about 4,000 received appointments. So just from that population, there are about 38,000 students interested in national service. While they all probably wouldn’t want the cyber service academy, presumably many might be interested. And that population alone is four times the size we would need to populate a 10,000 a year class of cyber cadets to apply for the national cybersecurity academy.  

In addition, there is barely a family with children between the ages of 7 and 17 in our country that is not apoplectic over how to send their children to college because of the cost. The prospect of enabling a child to go to college free of charge would no doubt motivate parents all across the country to encourage their young children to look into this cybersecurity field.  

But could we actually motivate the required number of students?  

The students are apoplectic, too. They are fully aware that in the 21st century a college degree is the union card to a middle-class lifestyle. But they also know paying for college with loans generally means they will be paying for college almost until they retire. In addition, there are millions of young people immersed in computer games and e-sports. The stars of the e-sports teams could be recruited to urge applying for the academy in a targeted marketing plan.  

The bottom line is that creating a national, virtual cybersecurity academy is immensely “do-able” and would solve one of our most fundamental cybersecurity challenges in a comparatively short amount of time at a very affordable price, which would generate substantial return on investment.  

The biggest challenge is just committing to do it. Up next, even more reasons for creating a national cybersecurity academy.