The Fort Meade Alliance (FMA) released a white paper in February which provides an in-depth analysis of the nation’s rapidly changing cyber needs, as seen through the eyes of top cyber officials, companies and thought leaders in the cybersecurity field.
Titled “Cyber Mindset: Transforming Education and Expanding the Workforce for America’s Cybersecurity Challenge and Maryland’s Newest Industry,” the paper recommends specific education and training initiatives. It is available under the Publications link on www.ftmeadalliance.org.
According to FMA President Rosemary Budd, the year-long project grew out of the FMA’s “Cybersecurity: Key to the Future” forum held in February 2011, and the FMA’s nonprofit mission to promote Fort Meade and its agencies and tenants.
“It became a priority of the FMA to focus on the cybersecurity workforce and specifically the needs we have here in the region … as well as across the state of Maryland,” Budd said, explaining the need for the white paper. “It’s not just technical skills. [Adequately addressing] these problems requires problem solving, critical thinking, the ability to work in teams and the ability to communicate. It’s not a one-dimensional problem.”
The FMA unveiled its white paper at a luncheon that featured remarks by Mark Orndorff, chief information assurance executive for the Defense Information Systems Agency (DISA) and Air Force Col. George Lamont, director of exercise, training and readiness for the U.S. Cyber Command.
In its study of the cybersecurity problem, Budd said it became clear to the FMA that the nation faces not only a rising incidence of cyberattacks, but also a profound shortage of cyber experts.
One assessment by the SANS Institute concluded that America currently needs 20,000 to 30,000 cyber experts, but has just 1,000, the white paper notes.
“An expert and agile cybersecurity industry is critical not only to our national defense, but also to supporting virtually every sector of the American economy and vital infrastructure,” Budd said. “However, the country — and the Fort Meade region in particular — will have to overcome education and training challenges in order to assemble that expert cyber workforce.”
Cyber experts who attended the 2011 forum also stressed that America needs to foster cyber experts not only in engineering and information technology (IT), but also in a wide range of fields that include policymaking, risk management, law, finance and energy.
Penny Cantwell, chair of education and workforce development for the FMA, provided an overview of some of the systemic cyber challenges that need to be overcome. During last year’s forum, she said, participants became aware of a misunderstanding about the criteria for describing cyber and the necessary workforce skills.
“Cybersecurity is complex, yielding gaps in curricula at colleges and universities,” she said, citing the need for additional training to meet certifications and backfill skill sets after many cyber workers are hired.
Orndorff observed that the nation’s cybersecurity effort suffers from a notion that tasks and operators are split into four function categories: attack, exploitation, defense and providing/operating networks.
The key challenge, he said, lies in understanding the dynamics between those areas and making sure cyber workers don’t feel they have responsibility in only one of those categories.
“As we think through what we are trying to do against a sophisticated adversary, we’ve got to break that down and work more closely together,” he said. “Our approach … is that what we need to provide is a defendable architecture. We don’t have that today. From a workforce perspective … you’ve got to embed the skills that are important for cyber across the entire spectrum of the IT curriculum.”
Lamont acknowledged that Cyber Command’s overall picture has improved since last year’s forum, with initial staffing of the command now underway.
“A significant level of attention is being paid at the most senior levels,” he said, to include the development of policies and the issuance of guidance. “Whereas before it was a niche area or maybe a curiosity, there’s been significant documentation put forward this last year.”
Cyber Command also has been reaching out to local and national communities through academia and universities, Lamont said, to include programs and partnerships with the University of Maryland College Park, UMBC, community colleges and private sector learning institutions.
Additionally, Cyber Command has begun to develop and leverage recruiting and internship programs with NSA and the other services.
While Cyber Command has gotten off to a smooth start, the rest of the story, as famed radio newsman Paul Harvey would say, is that the pace has been somewhat slower than Cyber Command’s leadership would like it to be.
“It’s almost like world hunger or world peace,” Lamont said. “We have to train a cyber-ready force instantaneously with rapidly changing technology and an incredibly adaptable threat vector and do it with very limited resources in a budget-restrained environment.”
Nevertheless, Cyber Command hit its first huge milestone in early February with a joint training standard that was approved by Army Gen. Keith Alexander, who heads up both NSA and Cyber Command. Another imperative, Lamont said, is to create an attractive cyber career path for employees and prospective employees.
“There is a lot of duplication overlap in our training curricula in universities, military, academia and industry,” he said.
To assist with these and other challenges, Cantwell said the FMA intends to spearhead some new initiatives based on the white paper’s findings that will help create relevant cybersecurity curricula and help Maryland succeed in building a first-class cyber workforce.
Foremost, she said, is the need to increase the pipeline of potential science, technology, engineering and mathematics (STEM) graduates by better integrating STEM concepts into schools and preparing students for taking on higher competency skills.
Additionally, the FMA is concerned with the graduation rate in Maryland of foreign students, which could potentially hinder goals to grow an adequate cyber workforce.
“In 2010, 53% of all Ph.D. graduates in STEM and engineering disciplines [were] foreign,” Cantwell said. “We are taking away slots that would go to students who could qualify for a security clearance.”
Among the initiatives the FMA is now formulating will be an annual meeting aimed at allowing government, private industry, educators and community partners to work in partnership and share new concepts and lessons learned, Cantwell said. As part of this initiative, working groups will address and discuss cybersecurity issues and concerns.
Another new cybersecurity education initiative will promote partnership among regional school systems to help provide the technical skills for cybersecurity expertise, Cantwell said.
“By having these various school systems working integrated partnership teams for cybersecurity resolution, students will also gain proficiencies in those soft skills that the cyber industry indicates are missing in their new hires,” she said. “We believe we are in an excellent position to build educational programs that will meet the needs of the cyber sector and become a national model for cyber education.”