Senate Bill Addresses Federal Cyber Workforce ShortageWorkforce Expansion Act Would Create CISA, VA Training Programs
In an effort to reduce a growing cybersecurity workforce shortage at the federal level, Sens. Maggie Hassan, D-N.H., and John Cornyn, R-Texas, have introduced legislation that would create a pilot apprenticeship program within the Cybersecurity and Infrastructure Security Agency.
The Federal Cybersecurity Workforce Expansion Act would also create a cyber-training program within the Department of Veterans Affairs, equipping veterans to hold careers in cyber defense.
"Our national cybersecurity infrastructure is woefully lacking, as evidenced by the SolarWinds breach," Hassan says. "In order to bolster our cyber defenses and protect our critical infrastructure, we need to increase the number of cybersecurity professionals in the federal government. This bipartisan bill will also help address the workforce challenges in the veteran community by standing up a cyber-training program at the VA to help veterans secure good-paying, stable jobs."
The workforce shortage in cybersecurity is no doubt glaring. Industrywide, nearly 3 million jobs remain unfilled, and more than half of all cybersecurity professionals polled believe that staff shortages are placing their organizations at "moderate" or "extreme" risk, according to a recent report by the consulting firm Law and Forensics.
In the public sector, more than 36,000 cybersecurity jobs - or 37% of available jobs - remain unfilled, the report notes.
Both recruitment and retaining top talent have proven difficult for the U.S. government because Fortune 500 companies in large cities often pay CISOs $400,000 in base salary, according to the report. In contrast, the public sector often pays a base pay of just over $170,000 per year.
As a result, higher education institutions are being urged to continue building out their training programs, with parallel attempts to recruit talented cyber professionals on the lure of public service.
CISA has also underscored the importance of training qualified personnel, citing "people" as one of its "Five Ps of CISA's Success," which also include partners, policy, programs and public affairs.
President Joe Biden's proposed fiscal 2022 budget includes $2.1 billion in funding for CISA - a $110 million increase from the previous year, with an emphasis on talent recruitment and hiring. Rep. John Katko, R-N.Y., also recently pushed for CISA's annual budget to exceed $5 billion.
Increasing 'Bench Strength'
The workforce expansion bill "seems to have outlined a novel strategy - provide paid apprenticeships to increase the bench strength of cyber practitioners in government and private sector critical infrastructure," says Mike Hamilton, former vice chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"This legislation seems to almost provide a guarantee of a well-paid role, applied in areas of national infrastructure protection," Hamilton says. "Legislation like this that supports both training and placement of cyber practitioners can increase the 'bench strength' we badly need."
Echoing the statement, Jonathan Hill, dean of the Seidenberg School of Computer Science and Information Systems at Pace University, says: "As the outrage of the recent Colonial Pipeline hacking already fades from memory, it is critical that our elected officials take action to keep the shortage of cybersecurity talent on our national radar screen. The proposal to create an apprenticeship at CISA is important, but it must be matched by similar opportunities at other federal agencies, our big financial institutions as well as other private sector companies that should invest in the development of this next generation of cyber warriors."
Hamilton, the former CISO for the city of Seattle, also notes that the "focus on providing training and apprenticeship opportunities to veterans is smart, as the perception is that they'll be more likely to accept a position in a federal agency" based on their previous service.
Still, obstacles remain. Hamilton notes that "there may be problems in achieving the main goal - hiring in the federal government - for the same reasons that exist today. For example, the opportunity to work in the critical infrastructure sector would likely pay a lot better than federal the wage."
U.S. Cyberattacks on the Rise
The new legislation from Sens. Hassan and Cornyn follows a series of cyberattacks targeting critical U.S. infrastructure. This May, the U.S. suffered the largest cyberattack on oil infrastructure in the nation's history. Colonial Pipeline Co., whose pipeline spans the East Coast, fell victim to a ransomware hit that led the company to temporarily shut down the pipeline.
Colonial Pipeline paid a $4.4 million ransom to the criminal group DarkSide, which reportedly operates out of Eastern Europe, to receive a decryptor. But the FBI later recovered $2.3 million of the ransom (see: How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins?).
The SolarWinds attack supply chain attack, discovered in December 2020 and reportedly carried out by a Russians, led to follow-on attacks on nine U.S. agencies, including the Treasury Department and the Department of Commerce, as well as 100 companies, including Microsoft, SolarWinds and VMWare. At the time, U.S. Sen. Richard Durbin, D-Ill., likened the attack to a declaration of war (see: 7 Takeaways: Supply Chain Attack Hits SolarWinds Customers).
Also, an attack beginning in January targeting vulnerable on-premises Microsoft Exchange Servers provided attackers with access to credentials, administrator privileges and devices. Some 250,000 servers were reportedly breached - including 30,000 in the U.S., 7,000 in the U.K., along with the European Banking Authority, the Norwegian Parliament and Chile's Commission for the Financial Market (see: Microsoft Exchange Flaw: Attacks Surge After Code Published).
'A Workforce Prepared to Respond'
"Cyberthreats are evolving each day, and we must have a workforce prepared to respond," Cornyn says of the proposed bill. "By harnessing the experience of our veterans and creating more opportunities for hands-on learning, this legislation would help ensure we are ready to fend off cyberattacks from our adversaries."
Another pending bipartisan bill - yet to be considered in the House and Senate - would rotate cybersecurity professionals between several federal agencies.