[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
CHALLENGES OF RECRUITING AND RETAINING A CYBERSECURITY WORK FORCE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY AND
INFRASTRUCTURE PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 7, 2017
__________
Serial No. 115-26
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
28-415 PDF WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Jeff Duncan, South Carolina
Lou Barletta, Pennsylvania
Scott Perry, Pennsylvania
John Katko, New York
Will Hurd, Texas
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Mike Gallagher, Wisconsin
Clay Higgins, Louisiana
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas

Bennie G. Thompson, Mississippi
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Donald M. Payne, Jr., New Jersey
Filemon Vela, Texas
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
J. Luis Correa, California
Val Butler Demings, Florida
Nanette Diaz Barragan, California
Brendan P. Shields, Staff Director
Steven S. Giaier, Deputy Chief Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
John Ratcliffe, Texas, Chairman
John Katko, New York
Daniel M. Donovan, Jr., New York
Mike Gallagher, Wisconsin
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Michael T. McCaul, Texas (ex officio)

Cedric L. Richmond, Louisiana
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Val Butler Demings, Florida
Bennie G. Thompson, Mississippi (ex officio)
Kristen M. Duncan, Subcommittee Staff Director
CONTENTS
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on Cybersecurity
and Infrastructure Protection:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity and Infrastructure Protection:
Oral Statement................................................. 4
Prepared Statement............................................. 7
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 8
Witnesses
Dr. Frederick R. Chang, Executive Director, Darwin Deason
Institute for Cyber Security, Southern Methodist University:
Oral Statement................................................. 9
Prepared Statement............................................. 10
Mr. Scott Montgomery, Vice President and Chief Technical
Strategist, McAfee:
Oral Statement................................................. 15
Prepared Statement............................................. 17
Dr. Michael Papay, Vice President and Chief Information Security
Officer, Northrop Grumman:
Oral Statement................................................. 22
Prepared Statement............................................. 24
Ms. Juliet "Jules" Okafor, Strategic Advisory Board Member,
International Consortium of Minority Cybersecurity
Professionals:
Oral Statement................................................. 27
Prepared Statement............................................. 28
For the Record
The Honorable James R. Langevin, a Representative in Congress
From the State of Rhode Island:
Statement of Wesley Simpson, CISSP and Chief Operating Officer,
(ISC)²..................................................... 5
Letter From Hon. James R. Langevin............................. 35
Appendix
Questions From Chairman John Ratcliffe for Frederick R. Chang.... 47
Question From Chairman John Ratcliffe for Scott Montgomery....... 49
Questions From Chairman John Ratcliffe for Michael Papay......... 49
CHALLENGES OF RECRUITING AND RETAINING A CYBERSECURITY WORK FORCE
----------
Thursday, September 7, 2017
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 3:14 p.m., in
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe
(Chairman of the subcommittee) presiding.
Present: Representatives Ratcliffe, Fitzpatrick, Katko,
Richmond, Demings, and Langevin.
Also present: Representative Barragan.
Mr. Ratcliffe. The Committee on Homeland Security
Subcommittee on Cybersecurity and Infrastructure Protection
will come to order.
The subcommittee is meeting today to receive testimony
regarding the challenges of recruiting and retaining a
cybersecurity work force.
I now recognize myself for an opening statement.
Good afternoon. I would like to begin by thanking our panel
for taking the time today to be here to testify. I appreciate
your patience as we just finished up a vote series. I am glad
that you waited for us. Your thoughts and your opinions are
very important to us and will help inform us as we oversee the
Department of Homeland Security in meeting its cybersecurity
work force challenges.
Cybersecurity is one of the most daunting National security
and economic security challenges of our generation. As our
adversaries grow in sophistication, so, too, will the
challenges associated with preventing their attacks.
My colleagues on this committee have heard me say this
often, but I will say it again. America will remain the world
superpower only so long as it remains the world cybersecurity
superpower.
As the lead civilian agency for our Federal cybersecurity
posture, the Department of Homeland Security factors as a
critical piece of this equation. It is a tremendous privilege
to chair this subcommittee and I look forward to our continued
partnership with the private sector and the administration on
these important cybersecurity issues, because inaction is
simply not an option.
In 2014, it was estimated that $1 billion of personally
identifiable information was stolen from cyber attacks. It is
also estimated that the average cost of a data breach will be
$150 million by 2020. Cyber attacks are growing in frequency
and they are growing in their sophistication, but the
availability of qualified cybersecurity professionals to deal
with these challenges is unfortunately not keeping pace.
There have been several studies over the past few years
documenting the growing shortage of cybersecurity
professionals. In this ever-increasingly connected world, the
problem is only going to get worse. One estimate from the
consulting firm of Frost & Sullivan is forecasting a shortage
of a staggering 1.8 million cybersecurity workers world-wide by
2022, just 5 years from now.
Some industry estimates are that 53 percent of
organizations now experience delays of 6 months or longer to
find qualified cybersecurity candidates. We know that the
entire industry is facing an unprecedented shortage of
cybersecurity workers at all levels of competency, from front-
line defenders to CIOs.
It is against this backdrop that the Department of Homeland
Security must compete with the private sector to recruit and
retain the best talent possible in order to carry out its
cybersecurity mission and to protect our critical
infrastructure. Unfortunately, DHS's issues are compounded by
the additional hiring challenges often felt by the Federal
Government.
DHS must work to overcome slow hiring processes and work
force supply and pipeline issues in order to build the
essential work force required to meet its cyber mission. DHS
must strategically plan for the training, recruitment, and the
retention of its cybersecurity work force.
The Homeland Security Committee passed several pieces of
legislation that were signed into law to augment the
cybersecurity work force at DHS, including the Border Patrol
Agent Pay Reform Act of 2014 that expanded DHS's hiring
authorities allowing the Department to better recruit and hire
qualified cyber professionals. Unfortunately, these new
authorities have not yet been fully implemented.
This is an area where hearing from the experts before us
today will provide valuable input as we conduct oversight of
DHS's responsibilities and ensure that DHS has the human
capital and resources necessary to carry out its important
cybersecurity mission.
The Federal Government supports a number of programs to
recruit and retain its work force. In particular, the
CyberCorps Scholarship for Service Program was authorized in
the National Cybersecurity Enhancement Act of 2014 and focuses
on recruiting and training the next generation of information
technology professionals, industry control system security
professionals, and security managers.
Working with DHS, the National Science Foundation has
awarded grants for the CyberCorps Scholarship for Service
Program since 2011 to increase and strengthen Federal, State,
local, Tribal, and territorial governments' cyber work force.
As of January 2017, there were 69 active Scholarship for
Service institutions, including eight in my home State of
Texas. CyberCorps has provided scholarships to 2,945 recipients
with 2,223 graduates serving Federal, State, local, Tribal, and
territorial governments and 623 students are currently working
toward that goal.
The recent interest my office has received from both 2- and
4-year colleges in my district about participating in the
CyberCorps program is encouraging. It reinforces that
stakeholders of all sizes, from all corners of the country want
to be part of the cybersecurity work force solution.
I look forward to a robust conversation with our
distinguished panel of witnesses today that will support our
efforts in strengthening DHS's effort to recruit and retain
talented cybersecurity professionals.
The Chair now recognizes the Ranking Minority Member of the
subcommittee, the gentleman from Louisiana, Mr. Richmond.
[The statement of Mr. Ratcliffe follows:]
Statement of Chairman John Ratcliffe
September 7, 2017
Good afternoon.
I would like to begin by thanking our panel for taking the time today
to testify. Your thoughts and opinions are very important as we oversee
the Department of Homeland Security in meeting its cybersecurity work
force challenges.
Cybersecurity is one of the most daunting challenges of our
generation, and as our adversaries grow in sophistication, so will the
challenges associated with preventing their attacks. My colleagues on
this committee have heard me say this often, but I'll say it again--
America will only remain the world's superpower so long as it remains
the world's cybersecurity superpower.
As the lead civilian agency for our Federal cybersecurity posture,
DHS factors as a critical piece of this equation. It is a great
privilege to chair this subcommittee, and I look forward to our
continued partnership with the private sector and the administration on
these important cybersecurity issues.
Because inaction is simply not an option.
According to the Cisco 2017 Annual Cybersecurity Report, ransomware
is growing at a yearly rate of 350 percent and the firm Cybersecurity
Ventures predicts cyber crime will cost the world in excess of $6
trillion annually by 2021, making it more profitable than the global
trade of all major illegal drugs combined. It is also estimated that
the average cost of a data breach will be $150 million by 2020. Cyber
attacks are growing in frequency and sophistication, but the
availability of qualified cybersecurity professionals to deal with
these challenges is not keeping pace.
There have been several studies over the past few years documenting
the growing shortage of cybersecurity professionals. In this ever-
increasingly connected world, the problem is only going to get worse.
Today, one estimate, from the consulting firm Frost & Sullivan, is
forecasting a shortage of a staggering 1.8 million cybersecurity
workers world-wide by 2022. One industry organization estimates that 53
percent of organizations experience delays of 6 months or longer to
find qualified cybersecurity candidates.
We know that the entire industry is facing an unprecedented
shortage of cybersecurity workers at all levels of competency--from
front-line defenders to CIOs. Against this backdrop, the Department of
Homeland Security must compete with the private sector to recruit and
retain the best talent possible in order to carry out its cybersecurity
mission and protect our critical infrastructure.
Unfortunately, DHS's issues are compounded by additional hiring
challenges often felt by the Federal Government. DHS must work to
overcome slow hiring processes and work force supply and pipeline
issues in order to build the essential work force required to meet its
cyber mission. DHS must strategically plan for the training,
recruitment, and retention of its cybersecurity work force.
The Homeland Security Committee passed several pieces of
legislation that were signed into law to augment the cybersecurity work
force at DHS, including the Border Patrol Agent Pay Reform Act of 2014
that expanded DHS's hiring authorities, allowing the Department to
better recruit and hire qualified cyber professionals. Unfortunately,
these new authorities have not yet been fully implemented. This is an
area where hearing from the experts before us today will provide
valuable input as we conduct oversight of DHS's responsibilities and
ensure that DHS has the human capital and resources necessary to carry
out its important cybersecurity mission.
The Federal Government supports a number of programs to recruit and
retain its work force. In particular, the CyberCorps: Scholarship-For-
Service Program was authorized in the National Cybersecurity
Enhancement Act of 2014 and focuses on recruiting and training the next
generation of information technology professionals, industrial control
system security professionals, and security managers.
Working with DHS, the National Science Foundation has awarded
grants for the CyberCorps: Scholarship-For-Service program since 2011
to increase and strengthen Federal, State, local, Tribal, and
territorial governments' cyber work force. As of January 2017, there
were 69 active Scholarship for Service institutions, including 8 in my
home State of Texas. CyberCorps has provided scholarships to 2,945
recipients, with 2,223 graduates serving Federal, State, local, Tribal,
and territorial governments and 623 students currently working toward
that goal.
The recent interest my office has received from 2- and 4-year
colleges in my district about participating in the CyberCorps program
is encouraging. It reinforces that stakeholders of all sizes from all
corners of the country want to be part of the cybersecurity work force
solution.
I look forward to a robust conversation with our distinguished
panel of witnesses that will support our efforts in strengthening DHS's
efforts to recruit and retain talented cybersecurity professionals.
Mr. Richmond. Let me first thank the Chairman for holding
this hearing because our Nation faces an evolving array of
cyber threats and it is crucial that we have a robust, talented
cybersecurity work force.
For some time now, experts have predicted that the demand
for cybersecurity professionals was quickly outpacing our
supply. In 2012, the Bureau of Labor Statistics projected that
by 2020 there would be 400,000 computer scientists available to
fill 1.4 million computer science jobs. Recent estimates
suggest that the deficit is growing instead of shrinking and
may reach 1.8 million by 2022.
Let's be clear: This is nothing short of a threat to our
National security.
These are the professionals we rely on to help us prepare
for and respond to the next WannaCry, Mirai, or Fancy Bear.
These are the people who will prevent State-sponsored hackers
from taking down our electrical grid or infiltrating our State
election systems. These are the experts we need to stand on the
front lines during a major cyber attack and make sure we have
functioning hospitals, banks, transportation systems, and lines
of communication.
We need cybersecurity professionals in the private sector
protecting our intellectual property and personal data, and we
need them in the public sector protecting our Nation's most
sensitive intelligence. Yet we know that the Federal Government
and DHS in particular is struggling to compete with the private
sector for cyber talent.
What is more, this administration has failed to fill even
the most critical, senior-level, cybersecurity posts, asking
agencies like DHS's National Programs and Protections
Directorate to carry out broad, complex cybersecurity missions
without a permanent under secretary. This lack of leadership
makes us vulnerable.
We should be doing everything we can to right-size our
cybersecurity labor force. There is a lot more we can do. We
need to introduce students to computers before they get to
college, even the ones who go to schools that can't afford
expensive tech programs and specialized instructors. I also
believe there is untapped potential in vocational schools, 2-
year programs, minority-serving institutions, and our
historically black colleges and universities.
Once we have figured out how to get more people to choose
cybersecurity as a career, we need to convince them to turn
down a higher-paying job and spend some time in Federal
service.
Within the Federal Government, we need to promote
recruitment and retention programs, particularly at DHS which
has lagged behind other cyber-focused Federal agencies like the
NSA or FBI in attracting cyber talent. For its part, DHS needs
to be more forward-thinking and learn to anticipate the needs
of an evolving work force that values professional development,
a flexible work culture, the ability to transition in and out
of positions or even fields.
In closing, there is no question that the cyber work force
challenge is a daunting one, but the stakes are too high for us
to ignore it. Last year, the global economy lost over $450
billion to cyber criminals and over 2 billion personal records
were stolen in the United States alone. Meanwhile, studies show
that less than half of United States' businesses would say that
they are prepared for a cyber attack, and that small Main
Street businesses are struggling the most.
I look forward to hearing the testimony of our witnesses
today and hope we can identify innovative ways to work together
to address cybersecurity work force challenges.
Mr. Chairman, before I yield back, I would like to submit
for the record a statement from Wesley Simpson, chief operating
officer of (ISC)², along with the 2017 Global Information Security
Workforce Study: Women in Cybersecurity; and the report the
2017 Global Information Security Workforce Study: U.S. Federal
Government Results.
Mr. Ratcliffe. Without objection.
[The information referred to follows:]
Statement of Wesley Simpson, CISSP and Chief Operating Officer,
(ISC)²
September 7, 2017
Chairman Ratcliffe, Ranking Member Richmond, Members of the
subcommittee, thank you for the opportunity to provide written
testimony for today's hearing titled Challenges of Recruiting and
Retaining a Cyber Workforce. This hearing is an important one as it
highlights a critical work force and ultimately a critical National
security challenge that we face: Ensuring that we are training enough
cybersecurity professionals to address the current and projected work
force shortage in the public and private sector.
My name is Wesley Simpson and I am the chief operating officer of
the International Information System Security Certification Consortium,
commonly known as (ISC)², the world's leading cybersecurity and IT
security professional organization. We are an international, non-profit
membership association for information security leaders. We have
125,000 members world-wide and continue to grow just as the cyber work
force needs grow.
In addition to the training and certification work that we do,
including the internationally recognized CISSP certification, we are
also committed to education of the general public through our support
for the Center for Cyber Safety and Education. We believe it is crucial
not only to close the current gap in cybersecurity professionals, but
we must also do so in a diverse way bringing more women and minorities
into the field of cybersecurity. Information on our work with the
Center for Cyber Safety and Education can be found at
www.iamcybersafe.org.
Earlier this year, (ISC)² in partnership with the Center for
Cyber Safety and Education, Booz Allen, Frost & Sullivan and Alta
Associates released the 2017 Global Information Security Workforce
Study. This is the 8th biennial release of the study and the largest to
date. We surveyed 19,641 cyber professionals representing 170
countries. This included 2,620 professionals from the U.S. Federal
Government.
According to our survey we are on pace to reach a cyber work force
gap of 1.8 million jobs by 2022--a stunning 20% increase from our
forecast made in 2015. As part of our study, we also segmented out the
data for certain demographic groups and I will provide information
around the Government work force, and women in the cyber work force
later in my remarks.
Globally, our survey found that 66% of information security workers
said their staffs are short-handed--too few professionals to address
the threats they encountered. That's an increase of 4 percent from the
2015 survey. This number jumps to 68% when you consider only
respondents from North America.
Workers cite a number of reasons for the current shortage. These
include: Qualified personnel are difficult to find; work force
requirements are not understood by leadership; business conditions
can't support hiring additional personnel; security workers are
difficult to retain; and a belief that there is no clear information
security career path.
On the positive side, 70% of hiring managers surveyed are looking
to increase their work force. In fact, 30% are planning to increase
that work force by 20% or more. This is most evident in the fields of
health care, retail, and manufacturing. So the job opportunities are
there. In addition, fully 87% of cyber professionals started out in a
different career. While most came from IT, a number come from other
career fields. For North America, about 35% started in a different
field. This indicates that training, retraining programs, and
certification programs are working and are necessary to help close the
current work force gap.
Let me now turn to some of the segments that we examined within the
larger data set, starting with the Federal Government. Overall there is
some good news in the Government data. Half of the respondents feel
that Government security has improved. This is due to improved security
awareness, improved understanding of risk management and effective
security standards. Some 36% believe that the level of Government
security has stayed the same, and 4% believe that Government security
has gotten worse. Of those that felt the situation has gotten worse,
they cited the need for more qualified professionals, adequate funding,
and better security standards. In addition, respondents felt that the
most important factor in securing an organization's infrastructure is
the hiring and retaining of qualified information security
professionals.
We also asked about the key factors in retaining Government
information security professionals. Interestingly, the top two
responses were not directly related to compensation, but rather focused
on training and certification. Respondents wanted the Government to
offer training programs and to pay for cyber certifications. This was
followed by improving compensation packages, flexible work schedules,
and supporting remote/flexible working. So you can see that while
compensation is important, other factors rise to the top in terms of
retaining talent in the Government work force. When looking at
incentives for new hires, we see a similar trend, with certification,
training, and education reimbursement as the most effective recruitment
tool followed by flexible work schedule.
Let me close on this segment by providing three additional findings
that are relevant to the question of attracting and retaining cyber
professionals. First, 78% of respondents felt that the greatest demand for
new hires is in nonmanagerial staff. Second, the respondents felt that
the most significant impact of the current work force shortage is on
the existing information security work force. Finally, the greatest
area of need for additional training and certification is in cloud
computing. We need to fill that gap as soon as possible to ensure that
we don't face burnout and departure from the current work force. And we
need to get training programs in place in key priority areas like cloud
security.
Let me now turn to women in the cyber work force. As stated
earlier, we strongly support bringing more gender and ethnic diversity
into the cyber work force. It is a key to helping close the growing gap
that we face in both the public and private sectors here in the United
States. For this particular segment we partnered with the Executive
Women's Forum on Information Security, Risk Management, and Privacy. As
the overall report shows, the work force gap continues to rise.
Globally, the number of women professionals in the field remains
stagnant at 11% (14% for North America). While this is extremely low,
it is higher than in Europe or Asia, both of which are in single
digits. The report also shows that women continue to lag behind when it
comes to pay equity, despite higher levels of education. The report
found that more than half of women respondents have faced
discrimination in the workplace. Globally, men are four times more
likely to attain C-level and Executive-level positions and nine times
more likely to hold managerial positions in the cybersecurity field. On
the positive side, women do feel more valued when participating in
mentorship, sponsorship, and leadership development programs.
We believe that focusing on fixing the above-mentioned areas--pay
inequity, creating a more inclusive workplace, valuing education, and
providing mentorship and development opportunities for women to
advance--can move the needle in the right direction and help bring more
women into the cyber work force.
In conclusion, demand for cyber workers continues to grow.
Unfortunately, the current work force gap is also growing. We must work
together--Government, training and certification organizations,
educational institutions and the private sector--to help close that
gap.
Cybersecurity is a critical component of our National security. And
the key factor to ensuring a more secure IT infrastructure is a skilled
and trained cyber work force. As I highlighted in the data from the
2017 Global Information Security Workforce Study, we have many
challenges ahead of us. However, this study also points us to solutions
such as training and certification, bringing diversity into the work
force and through leadership development and mentorship, and finally
through incentives and pay equity.
I would like to request that the Global Information Security
Workforce Study and the accompanying segments on Government and women
be included in the record. Again, on behalf of (ISC)² and its 125,000
members, I thank you for the opportunity to provide our input. Thank
you again for your focus on the cyber work force. We look forward to
continuing to be a resource to the committee and to working with the
subcommittee on this critical National security issue.
Mr. Richmond. I would also ask unanimous consent that Ms.
Barragan be allowed to participate in today's hearing.
Mr. Ratcliffe. Welcome.
Mr. Richmond. Thank you, Mr. Chairman. I yield back.
[The statement of Mr. Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
September 7, 2017
For some time now, experts have predicted that the demand for
cybersecurity professionals was quickly outpacing supply. In 2012, the
Bureau of Labor Statistics projected that by 2020, there would be
400,000 computer scientists available to fill 1.4 million computer
science jobs. Recent estimates suggest the deficit is growing instead
of shrinking, and may reach 1.8 million by 2022.
Let's be clear--this is nothing short of a threat to National
security. These are the professionals we rely on to help us prepare for
and respond to the next WannaCry, Mirai, or Fancy Bear. These are the
people who will prevent state-sponsored hackers from taking down our
electrical grid or infiltrating our State election systems.
And these are the experts we need to stand on the front lines
during a major cyber attack and make sure we have functioning
hospitals, banks, transportation systems, and lines of communication.
We need cybersecurity professionals in the private sector
protecting our intellectual property and personal data, and we need
them in the public sector protecting our Nation's most sensitive
intelligence. Yet, we know that the Federal Government--and DHS in
particular--is struggling to compete with the private sector for cyber
talent.
What's more, this administration has failed to fill even the most
critical, senior-level cybersecurity posts--asking agencies like DHS's
National Programs and Protection Directorate to carry out broad,
complex cybersecurity missions without a permanent under secretary.
This lack of leadership makes us vulnerable. We should be doing
everything we can to "right-size" our cybersecurity labor force--and
there's a lot more we can do.
We need to introduce students to computers before they get to
college--even the ones who go to schools that can't afford expensive
tech programs and specialist instructors. I also believe there may be
untapped potential in vocational schools, 2-year programs, and
minority-serving institutions.
And once we've figured out how to get more people to choose
cybersecurity as a career, we need to convince them to turn down a
higher-paying job and spend some time in Federal service. Within the
Federal Government, we need to promote recruitment and retention
programs, particularly at DHS, which has lagged behind other cyber-
focused Federal agencies like the NSA or FBI in attracting cyber
talent.
For its part, DHS needs to be more forward-thinking and learn to
anticipate the needs of an evolving work force that values professional
development, a flexible work culture, and the ability to transition in
and out of positions or even fields.
In closing, there is no question that the cyber work force
challenge is a daunting one--but the stakes are too high to ignore it.
Last year, the global economy lost over $450 billion to cyber
criminals--and over 2 billion personal records were stolen in the
United States alone. Meanwhile, studies show that less than half of
U.S. businesses would say they are prepared for a cyber attack, and
small "Main Street" businesses are struggling the most.
I look forward to hearing the testimony of our witnesses today, and
hope we can identify innovative ways to work together to address
cybersecurity work force challenges.
Mr. Ratcliffe. Other Members of the committee are reminded
that opening statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
September 7, 2017
Good afternoon. I would like to thank Chairman Ratcliffe and
Ranking Member Richmond for holding today's hearing to continue the
work of identifying solutions to an on-going National challenge: The
cyber work force shortage.
I want to take this opportunity to express my growing concern about
the number of cybersecurity leadership vacancies across the Federal
Government.
There are numerous vacancies in cybersecurity positions across the
Executive Branch, and last month, 8 of the 28 members of the National
Infrastructure Advisory Council resigned in protest of the President's
failure to prioritize cybersecurity.
Most dramatically, this administration has chased out the State
Department's first cybersecurity coordinator and plans to bury the
State Department's cyber office in the Office of Bureau of Economic and
Business Affairs.
And as we speak, there has been no nomination of someone to serve
as the under secretary of the Department of Homeland Security's
National Protection and Programs Directorate, which is tasked with
leading the Federal Government's efforts to secure our Nation's
critical infrastructure and protect Federal civilian networks from
malicious cyber activity.
A strong cybersecurity posture is essential to National security
and to our ability to compete in the global economy.
Policies necessary to build a strong cybersecurity posture require
strong leadership.
I urge the President to quickly address cybersecurity leadership
vacancies and organizational issues.
Turning to the issue at hand, I am eager to learn about innovative
private-sector approaches to developing and maintaining the
cybersecurity work force.
I also hope to hear where the Federal Government can better partner
with the private sector to cultivate cybersecurity talent.
When I am in Mississippi, all too often, I get asked why so much
focus is placed on importing cybersecurity talent from overseas instead
of cultivating the talent we have here at home.
I support tech-visas, but at the same time agree with my
constituents that we must more aggressively build and recruit a
domestic cybersecurity work force.
We also must do more to develop cybersecurity skills in
overlooked talent pools.
Today, African Americans and Hispanics--combined--make up only 12
percent of the cybersecurity work force.
We need to do a better job understanding why that is.
We can and should continue expanding traditional career pathways to
diverse populations--from building relationships between public and
private-sector employers and diverse institutions of higher education
to implementing mentorship programs.
But we also have to start thinking ``outside the box''.
We need to get young people from all backgrounds interested in
cybersecurity early and we need to figure out how to transition
displaced employees into the cybersecurity work force.
According to Juniper Research, the cost of data breaches globally
will increase to $2.1 trillion by 2019.
And State actors have demonstrated a clear interest in hacking
into our critical infrastructure--from dams and utility companies--
to our elections.
We must build the cyber work force necessary to protect our
National security and our economy.
Mr. Ratcliffe. As I mentioned before, we are very pleased
to have this distinguished panel of witnesses before us today
on this vitally important topic. Dr. Frederick Chang is the
executive director of the Darwin Deason Institute for Cyber
Security at Southern Methodist University.
Dr. Chang, it is great to see you again and have a fellow
Texan here today. Welcome.
Mr. Chang. Thank you.
Mr. Ratcliffe. Mr. Scott Montgomery is the vice president
and chief technical strategist of McAfee.
We welcome you back to the subcommittee as well.
Dr. Michael Papay is the vice president and chief
information security officer of Northrop Grumman.
Dr. Papay, it is always good to see you and thank you for
being here today.
Finally, Ms. Juliet Okafor is the vice president of global
business development of Fortress Information Security.
Ms. Okafor, welcome back to the subcommittee as well to
you.
I would now ask all of the witnesses to stand and raise
your right hand so I can swear you in to testify.
[Witnesses sworn.]
Please let the record reflect that each of the witnesses
has been so sworn. You all may be seated.
The witnesses' full written statements will appear in the
record. The Chair is now pleased to recognize Dr. Chang for 5
minutes for his opening remarks.
STATEMENT OF FREDERICK R. CHANG, EXECUTIVE DIRECTOR, DARWIN
DEASON INSTITUTE FOR CYBER SECURITY, SOUTHERN METHODIST
UNIVERSITY
Mr. Chang. Thank you. Chairman Ratcliffe, Ranking Member
Richmond, Members of the subcommittee, thank you for the
opportunity to appear before you today regarding the challenges
associated with recruiting and retaining a cybersecurity work
force.
My name is Frederick R. Chang and I am the executive
director of the Darwin Deason Institute for Cyber Security at
Southern Methodist University in Dallas, Texas. I am also the
Bobby B. Lyle Centennial Distinguished Chair in Cybersecurity
and professor in the Department of Computer Science and
Engineering.
I don't need to reiterate to this group the nature of
today's cyber threats and their consequences, so I will simply
say that today's cyber insecurity is a multifaceted topic
involving technology, policy, work force, and more. In my brief
comments now, I will focus on the topic of work force.
One of the reasons why cyber compromises are so prevalent
today is that there is a lack of trained and qualified
personnel to defend the Nation's cyber assets. This lack of a
trained cybersecurity work force has been referred to as the
cyber skills gap. The gap is large and growing, as Chairman
Ratcliffe and Ranking Member Richmond have both mentioned.
Hiring managers are having a hard time finding the talent
they need right now and there is a critical need for technical
talent. Organizations will get creative in their hiring
practices. I believe the market will work in some very
innovative ways to adapt to the changing conditions by, for
example, retraining some workers for roles in cyber and moving
them around to manage the workload. Talent can and will come
from some unexpected places. I am sure we will hear some
creative ideas from the other panelists.
But the fact that the problem is growing is a serious issue
because there have been a number of important activities that
have been on-going for a while now around the country in
academia, in industry and in Government. I will quickly touch
on just a few of them now.
The NSA/DHS centers of academic excellence, the DOD and NSF
cyber scholarship programs have been good and useful programs
and have helped to jump-start and bolster university
cybersecurity programs around the country. As universities grow
their cyber portfolios to train more students, they will
benefit from comprehensive curricular guidance and important
progress is being made on that front.
Student cyber competitions are becoming increasingly
popular. As long as we can ensure the right balance between the
competitions and coursework, I am a supporter of these
competitions because I think they build depth of knowledge and
they provide a valuable team experience which will be useful
when the students enter the work force.
We are also seeing now more cyber summer camps for both
middle and high school students. I think these summer camps are
quite important because they will help us grow a pool of cyber-
and STEM- (science, technology, engineering, and math)
motivated students. We need a larger pipeline of folks from
which to recruit into key cyber positions.
We will also see an increasing effort to advance
technologies that will help automate different cybersecurity
tasks and this will assist in giving human cyber experts more
time to perform other tasks that we will not be able to
automate at the time.
Let me close by saying that, in general, the actions that
are being taken now are important, valuable, and are making a
difference. But given that these actions are being taken and
the fact that the cyber skills gap continues to grow tells me
that we must do more.
In 1958, science education in America got a shot in the arm
when the National Defense Education Act was passed the year
after the Soviet satellite Sputnik was launched into outer
space. This act helped launch a generation of students who
would study math and science. So while we need to work very
hard to recruit and retain urgent cyber positions today
and in the near future, I hope we can also consider the future
of cyber space.
How secure will it be? How will we defend it? Today's
students will be responsible for designing, creating,
operating, maintaining, and defending tomorrow's cyber
infrastructure. We need a large and capable pool of folks to
staff these positions for the future.
Thank you again for allowing me to be here today. I look
forward to your questions.
[The prepared statement of Dr. Chang follows:]
Prepared Statement of Frederick R. Chang
September 7, 2017
Chairman Ratcliffe, Ranking Member Richmond, Members of the
subcommittee, thank you for the opportunity to testify before you in
today's hearing regarding the challenges associated with recruiting and
retaining a cybersecurity work force. My name is Frederick R. Chang and
I consider it an honor and a privilege to come before this
subcommittee. I am the executive director of the Darwin Deason
Institute for Cyber Security at Southern Methodist University (SMU) in
Dallas, Texas. I am also the Bobby B. Lyle Centennial Distinguished
Chair in Cyber Security, Professor in the Department of Computer
Science and Engineering in SMU's Lyle School of Engineering, and a
senior fellow in SMU's John G. Tower Center for Political Studies.
Prior to coming to SMU, I held academic positions at the
University of Texas at San Antonio and at the University of Texas at
Austin. I have worked in the private sector and have also served as the
director of research at the National Security Agency. I would also
mention that I served as a member of the CSIS Commission on
Cybersecurity for the 44th Presidency.
SMU is a Nationally-ranked private university in Dallas founded
over 100 years ago. The university enrolls more than 11,000 students--
including about 5,200 graduate students--who all benefit from the
academic opportunities and international reach of seven degree-granting
schools. The Carnegie Foundation recognizes SMU as a university with
``high research activity,'' which ranges across disciplines from
particle physics at the Large Hadron Collider at CERN, to geothermal
energy, to the science of human speed, to cybersecurity through the
Bobby B. Lyle School of Engineering. SMU's Lyle School of Engineering,
founded in 1925, is one of the oldest engineering schools in the
Southwest. The school offers eight undergraduate and 29 graduate
programs, including master's and doctoral degrees, through the
departments of Civil and Environmental Engineering; Computer Science
and Engineering; Electrical Engineering; Engineering Management,
Information, and Systems; and Mechanical Engineering. Finally, the
Darwin Deason Institute for Cyber Security is a research institute with
the goal of advancing the science, policy, application and education of
cybersecurity through basic and problem-driven, interdisciplinary
research.
the new normal
Early computer worms and viruses date back to the 1970s and 80s
and while they were rare and experimental back then, as we fast forward
to 2017, terms such as ``malware'', ``data breach'', ``phishing'' and
``botnets'' are unfortunately all too common today. We are no longer
surprised to read about the latest data compromise or cyber attack as
they are sadly a regular occurrence. In fact, not long ago a technology
company ran a series of television commercials depicting that it is
newsworthy when there is not a data breach. The internet, high-
performance computing clusters, high-density storage, ultra high-speed
communication links, the cloud, our laptops, and smart phones are
technologies that we take for granted today. They are so integral to
our personal and professional lives that it is hard to remember a time
when we didn't have these technologies available to us. But in the
larger scheme of things the technologies that comprise cyber space are
young and changing at a stunning rate of speed. As we have become
increasingly dependent on these technologies we have also come to
understand just how vulnerable these technologies are to malicious
attackers of many kinds. We have also come to understand the
consequences of these security vulnerabilities to us personally,
professionally, and to our National security.
The source of today's cyber insecurity is multifaceted, involving
technology, policy, law, economics, work force, and more. In my brief
comments this afternoon, I will focus on the topic of today's hearing:
The cybersecurity work force. One of the reasons why cyber intrusions
are so prevalent today is that there is a lack of trained, qualified
personnel to defend the Nation's cyber assets. This lack of trained
personnel has been referred to as the ``cyber skills gap''.
the cyber skills gap
Over the past several years there has been increasing concern about
the cyber skills gap problem, and the extent to which this gap
contributes to the Nation's challenge in defending cyber space, today
and into the future. An image that comes to mind is from the child's
game of whack-a-mole. Cyber defenders within an enterprise are
stretched too thin, quickly moving from issue to issue in an effort to
keep their networks secure. Two natural questions to ask are: How large
is the problem? Is the problem going to get worse in the future? There
have been a number of studies and reports on this topic and I have
listed a few illustrative bullet points below that shed some light on
these questions. I would hasten to add that perhaps more important than
the specific numbers that are listed are the trends that they suggest.
The size of the global cyber skills gap was estimated at
about 1 million people in a 2014 report.\1\ \2\
---------------------------------------------------------------------------
\1\ Cisco 2014 Annual Security Report, Cisco Systems, San Jose, CA,
2014.
\2\ Cobb, S. Sizing the Cybersecurity Skills Gap: A White Paper,
2016. Paper can be found here: http://cisosurvey.org/wp-content/
uploads/2016/10/sizing-cyber-skills-gap-v1a.pdf.
---------------------------------------------------------------------------
The size of cyber skills gap globally will grow to about 1.8
million in 2022. This is 20 percent higher than an estimate
made 2 years earlier.\3\
---------------------------------------------------------------------------
\3\ 2017 Global Information Security Workforce Study: Benchmarking
Workforce Capacity and Response to Cyber Risk, report can be found
here: https://iamcybersafe.org/wp-content/uploads/2017/07/N-America-
GISWS-Report.pdf.
---------------------------------------------------------------------------
The size of the cyber skills gap in the United States was
estimated to be over 200,000 in 2015.\4\ The size of the cyber
skills gap is estimated to grow to about 265,000 in North
America by 2022.\3\
---------------------------------------------------------------------------
\4\ Setalvad, A. Demand to fill cybersecurity jobs booming,
Peninsula Press, March 31, 2015, report can be found here: http://
peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/.
---------------------------------------------------------------------------
In the United States there were nearly 300,000 on-line job
listings for cybersecurity-related positions between April 2016
through March 2017, and the National average ratio of existing
cybersecurity workers to cybersecurity job openings is only
2.5, while the National average for all jobs is 5.6 according
to the website CyberSeek.\5\
---------------------------------------------------------------------------
\5\ http://cyberseek.org/heatmap.html.
---------------------------------------------------------------------------
In addition to the shortfall estimates above, it is instructive to
look at some illustrative responses sampled from a variety of different
surveys of different groups of cybersecurity professionals. The goal
here is not to be exhaustive but rather to provide a perspective on
some of the challenges facing enterprises as they address the
challenges associated with hiring qualified cybersecurity workers.
In one international survey, the North American respondents
reported that they were not able to fill open cybersecurity positions
about 26 percent of the time and that for all respondents, over a
quarter of the time finding an appropriate person for the job can take
up to 6 months. In the same survey, respondents reported that while
they do receive quite a few applicants for each job opening, most
applicants are viewed as unqualified--and this response is reflected by
the North American respondents to the survey as well.\6\
---------------------------------------------------------------------------
\6\ State of Cyber Security 2017, Part 1: Current Trends in
Workforce Development, ISACA, 2017.
---------------------------------------------------------------------------
In another survey that included only North American respondents
(Information Technology (IT), and IT security professionals), 35
percent reported that there is a shortage of IT security professionals
at most every level, and 37 percent reported that there are lots of
less experienced/trained people, but it is hard to fill the most-
skilled positions. In the same survey only 33 percent of respondents
report that they have enough people to meet the threats they will face
in the coming year and only 23 percent report that their security team
is well-trained and up-to-date on the latest technologies and
threats.\7\
---------------------------------------------------------------------------
\7\ Chickowski, E. Surviving the IT Security Skills Shortage, Dark
Reading Reports, May 2017.
---------------------------------------------------------------------------
In a study we conducted at SMU we explored how organizations made
cybersecurity investment decisions.\8\ We conducted semi-structured
interviews with cybersecurity executives and managers from primarily
four vertical sectors: Health care, financial, retail, and Government.
Over 75 percent of the respondents were from U.S. organizations.
Consistent with the findings reported above, our respondents reported
that finding qualified cybersecurity talent was a key challenge.
Sufficient budgets were often available for a particular cybersecurity
project but that lack of availability of qualified personnel served as
a limiting factor in budget requests. Respondents reflected that even
though they had considerable professional networks from which to draw,
they had difficulty finding the talent they needed.
---------------------------------------------------------------------------
\8\ Moore, T., Dynes, S. & Chang, F. Identifying How Firms Manage
Cybersecurity Investment. Paper presented at the 15th Annual Workshop
on the Economics of Information Security, June 13-14, 2016 Berkeley,
California.
---------------------------------------------------------------------------
Finally, a theme that was highlighted in one of the earlier reports
on the cyber skills gap emphasized the need for technical talent.
Indeed this need is reflected in the report title: A Human Capital
Crisis in Cybersecurity: Technical Proficiency Matters.\9\ A quote from
the report describes the sentiment well: ``We not only have a shortage
of the highly technically skilled people required to operate and
support systems we have already deployed; we also face an even more
desperate shortage of people who can design secure systems, write safe
computer code, and create the ever more sophisticated tools needed to
prevent, detect, mitigate, and reconstitute systems after an attack''.
---------------------------------------------------------------------------
\9\ A Human Capital Crisis in Cybersecurity: Technical Proficiency
Matters. A White Paper of the CSIS Commission on Cybersecurity for the
44th Presidency, July 2010.
---------------------------------------------------------------------------
cyber students in demand
The previous section provided some perspective on the size and
nature of the cyber skills gap today and into the future and the trends
are that the gap is large and challenging today and that it will worsen
in the years ahead. As enterprises think through how they will staff to
meet their cyber defense needs they will do well to think creatively
and unconventionally as talent could well come from disciplines that
are not traditionally associated with cybersecurity. Additionally, as
cybersecurity becomes a higher priority within an enterprise, talented
employees from different parts of the enterprise can and are being
retrained to move into higher-priority cyber positions. In fact, we've
offered an MS degree in Security Engineering for over a decade at SMU
and that degree is popular with corporate employees who are interested
in retraining themselves.
For an enterprise it is clearly desirable to be able to hire
highly-experienced professionals who can immediately perform at a high
level, but due to the talent shortage and associated salary limitations
that may not always be possible. An alternate strategy may be to
strategically hire more junior talent and patiently grow the needed
capability internally. Indeed in our own research \8\ some of our
respondents expressed this perspective. So, in addition to the natural
course of hiring college graduates for positions that are appropriate
for their skill level, there is additional demand for cyber-capable
college graduates. I am seeing this demand for our students at SMU as
are my peers around the country for their students at their respective
universities.
As part of our undergraduate computer science major, we've offered
a security track for many years now in which students can take elective
courses in security which allows them to emphasize cybersecurity as
part of their undergraduate computer science major. We are seeing an
uptick in the number of students who are pursuing this security track
and we believe that when students pursue this track they very often go
on to pursue a cybersecurity-related job upon graduation. In addition,
anecdotally, we are seeing an uptick in the number of high-school
seniors who plan to pursue cybersecurity in their undergraduate
studies.
answering the need
The cyber skills gap has been known about and discussed for many
years now and over time, I've had my fair share of discussions with
enterprise managers who are eagerly awaiting the arrival of more
trained cyber defenders. As mentioned above these students are in high
demand. While for many hiring managers the supply of students isn't
arriving fast enough to meet the demand, there are many activities
underway in the government, the private sector, and academia--often
working together--that are helping to meet the demand. Let me touch on
a few such activities below.
Centers of Academic Excellence and Scholarships.--Historically the
NSA/DHS Centers of Academic Excellence in Cyber Defense (CAE-CD)
program (and extensions) have helped to jump start skill building in
cybersecurity in higher education, by among other things, requiring the
CAE-CD-designated universities to map their curriculum to specific
information assurance knowledge units. Additionally the Government has
funded scholarship programs (the NSF CyberCorps Scholarship for
Service, and the Department of Defense, Information Assurance
Scholarship Program) that have provided funding (tuition, books,
stipend, etc.) for students to complete their cybersecurity education
in return for service to the Government following graduation.
Curricular guidance.--As more university capability, capacity, and
programs are created to answer the need for more cyber defenders it
will be important to have clear curricular guidelines that will assist
in building these new programs. Cybersecurity is still a young field
but is emerging as a distinct discipline. As universities compose new
cybersecurity academic programs out of elements from computer science,
computer engineering, information systems and the like, it will be
extremely valuable to have comprehensive curricular guidance. The ACM
(Association for Computing Machinery) Joint Task Force on Cybersecurity
Education is in the process of creating this guidance and it is
expected to be released later this year.\10\ Importantly it defines
cybersecurity as an interdisciplinary area of study including elements
from risk management, policy, human factors, law and more, but that
fundamentally is a computing-based discipline.
---------------------------------------------------------------------------
\10\ https://www.csec2017.org/.
---------------------------------------------------------------------------
Cyber Competitions.--For over a decade now university students have
been competing in a cybersecurity competition that is now known as the
National Collegiate Cyber Defense Competition (NCCDC). The competition
provides a challenging and motivating event in which students must
defend a simulated small company network while operationally keeping
services up and running while responding to business requests.
Depending on how they do, points are scored and teams advance in the
competition. The competition has grown in popularity over the years and
now there are 10 regions across the country that compete, and the
regional winners compete in a National finals event. At the National
finals event, a National winner is crowned. Cyber competitions in
general have become very popular, and there are now many in which to
participate and they focus in different areas (cybersecurity,
forensics, and capture-the-flag). With the increasing number of cyber
competitions it is fair to ask about their educational impact.\11\ That
said, cyber competitions provide a means to increase depth of technical
knowledge in cybersecurity \12\ and there is some evidence that cyber
competitions will attract individuals who will stay in the field a long
time.\13\ At SMU there is a student-run security club where interested
students meet to learn from each other and practice security concepts.
A highlight for club members is to participate in cyber competitions
including the NCCDC. The cyber competitions are popular with the
students in part because they feel the competitions provide a valuable
supplement to what they learn in class. Additionally, cyber
competitions give students experience working as part of a team, and
this is valuable when they graduate and join the work force. As the
popularity of cyber competitions has continued to grow, they have moved
into the K-12 domain as well.
---------------------------------------------------------------------------
\11\ Fulton, S., Schweitzer, D., and Dressler, J. What Are We
Teaching In Cyber Competitions? Frontiers in Education Conference
(FIE), October 3-6, 2012.
\12\ Manson, D., and Pike, R. The case for depth in cybersecurity
education. ACM Inroads, Vol. 5, No. 1, pp. 47-52, March 2014.
\13\ Tobey, D.H., Pusey, P., and Burley, D.L. Engaging learners in
cybersecurity careers: lessons from the launch of the national cyber
league, ACM Inroads, Vol. 5, No. 1, pp. 53-56, March 2014.
---------------------------------------------------------------------------
Cyber summer camps.--Related to, but distinct from cyber
competitions, are summer cybersecurity camps for K-12 students. For
example, the GenCyber program, funded by NSA and NSF, offers a summer
cybersecurity camp experience to middle and high school students, as
well as teachers, in an effort to increase the pool of students who
might go on to study cybersecurity in the United States. One of the
goals of these summer camps is to teach students about cyber safe and
correct on-line behaviors. Over the last several years, in keeping with
the effort to get more K-12 students interested in the STEM (Science,
Technology, Engineering, and Math) fields, among other things, SMU has
conducted a Crime Scene Investigation (CSI) summer camp for middle
schoolers. Students are introduced to the science, technology, and math
behind CSI via expert presentations from real-world professionals and
hands-on activities. For the past two summers we have added a
cybersecurity module into the CSI curriculum.
Augmenting human capability with technology.--Finally, there are
some important efforts to augment human capability in cybersecurity via
the use of technology. For example, there is promise in the use of
advanced reasoning techniques to augment the human cyber expert by
automating some portions of the cyber defense task (e.g., finding and
fixing flaws in software). This was the goal of the recent DARPA Cyber
Grand Challenge in which important advances were made in the ability to
automate the process of detecting software vulnerabilities, creating an
appropriate patch, and then applying that patch in real-time.\14\ To
the extent that these, and other, difficult and time-consuming tasks
can be automated, this will leave the time-limited human cyber expert
more time to perform important analytic tasks that are not able to be
automated at this time.
---------------------------------------------------------------------------
\14\ https://www.darpa.mil/news-events/2016-08-04.
---------------------------------------------------------------------------
conclusions
Many students I speak with are eager to join this new field and as
mentioned previously we are seeing an uptick in that interest. I
occasionally engage students in brief career-oriented discussions and a
few themes emerge in these discussions as students think about their
job choices that I thought might be relevant as we discuss recruiting
and retaining top cyber talent.
1. The students want challenging work. They are challenged in their
coursework to master difficult technical material, but also
exercise creativity in using those skills. They want nothing
less when they move into the workplace. They want to jump into
the game and show that they have what it takes.
2. The students want to make a difference. As they evaluate
positions they will try to determine if the position will allow
them to make a difference--they want their efforts to have an
impact. Sure, salary will be a factor, but as one student
commented, for some they will choose ``mission over money''.
3. The students want to keep their technical skills sharp. When
students graduate their technical skills are sharp and up-to-
date. They understand that the computing and technological
landscape changes rapidly. They will want to work with the most
modern tools, with colleagues who they respect and from whom
they can learn, and in an environment that gives them
opportunities to refresh their technical skills.
In closing, in my comments earlier I briefly mentioned a number of
activities that the Nation is undertaking now in an attempt to help
close the cyber skills gap including: Scholarships, new cybersecurity
curricular guidance, cyber competitions, cyber summer camps, and
technological advances that will augment human cyber capability. These
activities are important, valuable, and are making a difference, but I
believe we can and should do more. We now have a much better
understanding of the constantly-changing nature of the cyber threat and
the consequences of our cyber insecurity. Are there lessons to be
learned from America's ``Sputnik moment'' nearly 60 years ago?
Following the launch of the Soviet satellite Sputnik in 1957, science
education got an infusion of funds of over a billion dollars in 1958
when the National Defense Education Act was passed, and this helped
launch a new generation of students who would be motivated to go on
to study math and science.\15\ The challenge to make cyber space more
secure is a long-term, enduring problem. While we urgently need short-
term solutions to make available more cyber-trained workers to fill
positions now and in the near-term, we also need to ask ourselves what
will cyber space look like 10, 20, and 30 years from now--and how much
more dependent will we be on it? Today's students will be responsible
for designing, creating, operating, maintaining, and defending
tomorrow's cyber infrastructure.
---------------------------------------------------------------------------
\15\ Abramson, L. Sputnik Left Legacy for U.S. Science Education,
All Things Considered, NPR, September 30, 2007. Story can be found
here: http://www.npr.org/templates/story/story.php?storyId=14829195.
Mr. Ratcliffe. Thank you, Dr. Chang.
The Chair now recognizes Mr. Montgomery for his opening
statement.
STATEMENT OF SCOTT MONTGOMERY, VICE PRESIDENT AND CHIEF
TECHNICAL STRATEGIST, MCAFEE
Mr. Montgomery. Good afternoon, Chairman Ratcliffe, Ranking
Member Richmond, and Members of the subcommittee. Thanks very
much for the opportunity to testify today.
I am Scott Montgomery, vice president and chief technical
strategist of McAfee, one of the world's leading independent
cybersecurity companies.
Inspired by the power of working together, McAfee creates
enterprise, Government, and consumer solutions that make the
world a safer place.
As a group, we have studied this well-documented work force
shortage for several years now and we need to do something
about it immediately. Following are some recommendations for
training and incentivizing more people and also using
technology to help fill the gap.
First, we should expand programs that are working today,
such as the NSF CyberCorps Scholarship for Service Program
which manages to retain an impressive 80 percent of its
graduates as workers for the Federal Government. We should also
consider expanding this program to focus on community colleges.
These institutions tend to attract a diverse variety of
students, including recent high school grads, but also
returning veterans and other adult students who might be
working full or part time.
I want to recognize full committee Chairman McCaul's Cyber
Scholarship Opportunities Act and its Senate counterpart that
was recently voted out of committee. Both require the NSF
program to include students pursuing an associate's degree in
cybersecurity without the intent of transferring to a 4-year
institution.
The public sector as well as the private sector have thorny
challenges in attracting and retaining cybersecurity talent. At
the very high level, there are three categories of Government
cyber professionals. There are operators, the people who
implement and keep security technology running, researchers who
explore the latest in cyber defense, and finally analysts,
experts that can respond to an event in the first few minutes.
It is this third area where Government and the private sector
have the most serious need.
Congress gave DHS expedited hiring authority for
cybersecurity 3 years ago, an authority that could address many
of the suggestions. It is incumbent upon the Department not
only to move these plans forward, but also to come up with
creative ways to address the known pay disparity between the
public sector and the private sector. Whether this is through
accelerated grades or accelerated retirement packages, there
has to be some creative way where we can address the pay
disparity.
We should also explore creative ways to enable the public
and private sectors to share talent. Adversaries are constantly
innovating and changing course. It is unrealistic to think that
Government cyber practitioners will be able to keep up with a
rapidly-evolving environment by themselves.
We should design a mechanism for cyber professionals to
move back and forth between the public and private sector so
that the Government organizations would have a continual
refresh of expertise, much like the National Guard.
We should work quickly to solve this cyber work force
challenge. But in the mean time, while we still have this gap,
we must rely on technology, such as moving to the cloud and
using automation wisely. We can automate lower-level tasks,
freeing up personnel to serve in key roles that humans can best
fill. Those are the analysts who can use creative insight to
determine why an attacker might have chosen a particular attack
method or target or how best to respond to an incident.
When considering the role of security technologies, it is
important to understand the market-like forces that drive the
effectiveness of cybersecurity defense. Information
technologies continuously improve over time.
Paradoxically, cyber defenses do not follow this pattern.
Their effectiveness peaks shortly after release and degrades
quickly thereafter. When a new defensive capability is first
released, adversaries don't take much notice. But once it is
deployed at scale, they adopt evasion tactics and
countermeasures causing the effectiveness to degrade
significantly.
We also see the current paradigm of constant integration of
point products as ineffective and unsustainable, particularly
given the substantial number of cyber professionals needed to
knit together these disparate systems. Not only are technology
efficiencies already declining by the time the lengthy
acquisition and deployment cycles are complete, but
organizations are unable to deal with the complexity of what
they have acquired and deployed.
An approach where technology enabled with strong
collaboration can be deployed rapidly to security platforms
using open-source communication means as required. Both the
public and private-sector organizations need their tools to
utilize these kinds of open-source communication mechanisms.
No single industry partner can cover the vast spectrum of
security and privacy problems or catch every issue every time.
Only by working collaboratively in the private and public
sectors can we defeat cyber attackers.
I look forward to our discussion and would be happy to
answer any questions. Thank you.
[The prepared statement of Mr. Montgomery follows:]
Prepared Statement of Scott Montgomery
September 7, 2017
Good afternoon, Chairman Ratcliffe, Ranking Member Richmond, and
Members of the subcommittee. Thank you for the opportunity to testify
today. I am Scott Montgomery, vice president and chief technical
strategist of McAfee, LLC.
I am pleased to address the subcommittee on the challenges of
recruiting and retaining a cybersecurity work force. My testimony will
address the broad contours of the cybersecurity skills shortage, both
in the public and private sectors, and what we can do about it. One
involves people: Training more, broadening our perception of what
attributes and skills are needed, and incentivizing Government
investments in cyber specialists. The other involves technology: Moving
to the cloud, using automation wisely, and encouraging industry to move
to interoperable platforms.
First, I would like to provide some background on my experience and
McAfee's commitment to cybersecurity. I help drive the company's
technical innovation, evangelize our expertise, thought leadership, and
offerings to public and individual audiences; and work to increase the
public trust by cooperating with law enforcement on cyber criminal
investigations and disruption. With more than 20 years in content and
network security, I bring a practitioner's perspective to the art and
science of cybersecurity. I have designed, built, tested, and certified
information security and privacy solutions for such companies as
McAfee, Secure Computing, and on behalf of a wide variety of public-
sector organizations.
mcafee's commitment to cybersecurity
McAfee is one of the world's leading independent cybersecurity
companies. Inspired by the power of working together, McAfee creates
business and consumer solutions that make the world a safer place. By
building solutions that work with other industry products, McAfee helps
businesses orchestrate cyber environments that are truly integrated,
where protection, detection, and correction of threats happen
simultaneously and collaboratively. By protecting consumers across all
their devices, we secure their digital lifestyle at home and away. By
working with other security players, we are leading the effort to unite
against State-sponsored actors, cyber criminals, hacktivists, and other
disruptors for the benefit of all.
the cybersecurity skills gap
In 2016 the Center for Strategic and International Studies (CSIS)
and McAfee undertook a study titled Hacking the Skills Shortage based
on a global survey of IT professionals. Some of the findings about the
cybersecurity talent gap include:
82 percent of those surveyed reported a lack of
cybersecurity skills within their organization.
71 percent agreed that the talent shortfall makes
organizations more vulnerable to attackers, and 25 percent say
that lack of sufficient cybersecurity staff has actually
contributed to data loss or theft and reputational damage.
The most desirable skills cited in all 8 countries surveyed
were intrusion detection, secure software development, and
attack mitigation.
76 percent of respondents say their governments are not
investing enough in programs to help cultivate cybersecurity
talent and believe the laws and regulations for cybersecurity
in their country are inadequate.
Since that July study, the numbers haven't improved any. According
to a recent Global Information Security Workforce Study, the
cybersecurity work force shortage is projected to reach 1.8 million by
2022. The cybersecurity skills shortage is equally troublesome in the
Federal Government. Tony Scott, the Federal Government's former CIO,
said in a GovLoop article, ``There are an estimated 10,000 openings in
the Federal Government for cyber professionals that we would love to
fill, but there's just not the talent available.'' Given the vital role
such Government agencies as the Departments of Defense and Homeland
Security as well as the intelligence agencies play in protecting the
United States, this skills gap is disquieting and merits attention from
policy makers.
None of this is news. We've studied this work force shortage for
several years now, and if we're serious about its importance we need to
do something about it immediately. Following are some recommendations
for training and incentivizing more people and also using technology to
help fill the gap.
train and cross-train more people
Expand the Current CyberCorps Program
First, we need to focus on expanding existing programs that train
people in the cybersecurity field. For example, The CyberCorps
Scholarship for Service (SFS) program is designed to increase and
strengthen the cadre of Federal information assurance specialists that
protect Government systems and networks. The program is structured so
that The National Science Foundation (NSF) provides grants to about 70
institutions across the country to offer scholarships to 10-12 full-
time students each. With this structure, students get free tuition for
up to 2 years in addition to annual stipends--$22,500 for undergraduates
and $34,000 for graduate students. They also get allowances for health
insurance, textbooks, and professional development. Some universities
also partner with the Department of Homeland Security (DHS) on these
programs.
Generally, students must be juniors or seniors and must qualify for
the program by attaining a specific GPA, usually at least a 3.0 or
higher. Upon completing their coursework and a required internship,
students earn a degree, then go to work as security experts in a
Government agency for at least the amount of time they have been
supported by the program. After that, they can apply for jobs in the
public or private sector.
With additional funding, the CyberCorps SFS program could be
expanded to more institutions and more students within each of those
schools. To date, the Federal Government has made a solid commitment to
supporting the SFS program, having spent $45 million in 2015, $50
million in 2016, and the most recent administration's budget requesting
$70 million. As a baseline, an investment of $40 million pays for
roughly 1,500+ students to complete the scholarship program.
With the cyber skills deficit being substantial, policy makers
should significantly increase the size of the program, possibly
something in the range of $180 million. If this level of funding were
appropriated, the program could support roughly 6,400 scholarships.
This investment would make a dent in the Federal cyber skills deficit,
estimated to be in the range of 10,000 per year. At the same time, this
level of investment could help create a new generation of Federal cyber
professionals who could serve as positive role models for a countless
number of middle and high school students across the country to
consider the benefits of a cyber career and Federal service. On a long-
term scale, this positive feedback loop of the SFS program might be its
biggest contribution.
Create a Community College Program
While the CyberCorps program serves college juniors and seniors who
are already well along the learning path, we believe another program,
or an expansion of the SFS program, could seek to attract high school
graduates who don't yet have specific career aspirations. Private
companies could partner with a community college in their area to
establish a course of study focusing on cybersecurity. The Federal
Government could fund all or part of the tuition remission for
students. Interested students would be taught both by college faculty
and private-sector practitioners. For example, an IT company could
offer several faculty members/guest lecturers who would participate
during a semester. Students would receive free tuition--paid by a
Federal program, perhaps with private-sector contributions--but they
would not receive a stipend for living arrangements, as 4-year college
students do in the CyberCorps program. Students would receive a 2-year
certificate in cybersecurity that would be transferrable to a 4-year
school. Like the CyberCorps program, graduates would spend the same
amount of time as their scholarship period, working in a guaranteed
Government job.
Community colleges tend to attract a variety of students--including
recent high school graduates but also returning veterans and other
adult students who might have pursued other careers or might even be
working full- or part-time. The community college option could also
further ethnic and racial diversity in a cyber program--something that
is badly needed. This diversity would be a plus rather than a minus for
the cybersecurity profession, as the field requires a diverse set of
skills and individuals. Not all of these skills are strictly technical,
and for those that are technical, not all require high levels of formal
education. You don't need a Ph.D.--or even a bachelor's degree--to work
in cybersecurity. For instance, a 4-year degree is not necessarily
required to work in a security operations center (SOC). As pointed out
earlier, a strong security operation requires various levels of skills,
and having a flexible scholarship program at a community college could
benefit a wide variety of applicants while providing the profession
with other types of necessary skills.
Encourage Cultural Changes to Close the Cyber Skills Gap
As cybersecurity is one of the greatest technical challenges of our
time, we need to be creative in attracting more people to the work
force. One of the ways we can do this is by changing our way of
thinking about the industry. Cybersecurity professionals can--and do--
have broad and varied backgrounds. Diverse skills and experience can
enable them to examine problems from a different perspective, bringing
creativity rather than just linear thinking to cyber problems and
solutions. The legacy tech innovator Bell Labs proved that diverse
teams produce more creative, high-quality products. Likewise, a diverse
incident response team can benefit from looking at cyber incidents and
responses from a multitude of perspectives.
We must also address the gender and diversity gap, which would help
alleviate the skills gap. In North America, women constitute only 14
percent of the information security work force, according to a Women in
Cybersecurity report by the Executive Women's Forum and (ISC)². The
numbers are even worse for African Americans, who comprise only 3
percent of information security analysts in the United States,
according to the Bureau of Labor Statistics figures cited in an article
in Forbes. Research on large, innovative organizations has shown that
gender and racial diversity improves the organizations' financial
performance. The title of this article in Scientific American states
the case well: How Diversity Makes Us Smarter: Being around people who
are different from us makes us more creative, more diligent and harder
working. McAfee believes we need to focus on hiring a diverse work
force, which will in turn make us an even stronger company.
Pass Legislation like the ``Cyber Scholarship Opportunities Act of
2017''
I'd also like to take a moment to applaud the recently approved
``Cyber Scholarship Opportunities Act of 2017'' that was passed through
the Senate Commerce, Science, and Transportation Committee, as well as
Chairman McCaul's ``Cyber Scholarship Opportunities Act of 2017.'' Both
bills require the SFS program to include students pursuing an
associate's degree in a cybersecurity field without the intent of
transferring to a bachelor's degree program, people who have a
bachelor's degree already, or people who are veterans of the Armed
Forces.
This is encouraging news for closing the skills gap at the operator
and junior analyst levels. McAfee supports these bills and hopes they
get signed into law. However, there is still more work to be done. The
Senate bill directs the NSF to provide awards to improve cybersecurity
education and increase teacher recruitment. We hope the Senate
considers those with hands-on cybersecurity experience as potential
candidates for teaching.
The Thorny Problem of the Government's Gap
The cybersecurity skills gap also extends to Government. Quite
simply, the public sector can't keep up with the private sector in
terms of pay scale and benefits. We have to change that to be able to
attract and retain excellent cyber professionals in the public sector.
To date, the SFS program has been particularly effective in adding to
cybersecurity talent in the Government. While all graduates are
required to begin their careers by serving in the Government, an
impressive 70 percent, according to NSF, actually remain in Government
jobs. I'd like to unpack this issue a bit and distinguish between
different types of cyber professionals in Government organizations.
At a very high level, there are three categories of cyber
professionals. First there are operators--the people who implement the
security technology and keep it running in systems and networks. You
don't need a Ph.D. in computer science to fill an operator role, and in
fact the Government has a good supply of such people either directly or
through contractors. Then there are researchers, people who explore the
latest in cyber defense. Again, the Federal Government is well-served
here by labs in the Department of Defense, DARPA, IARPA, and the
intelligence community. The third category is analysts--the people who
can respond to a breach in the first few minutes and conduct the
necessary analytical work to understand the implications of an attack
and develop a remediation plan. This is the area where the Government
has the most serious need and where they need people who are not just
technically trained but also astute and creative problem solvers.
In order to attract this kind of talent, the Federal Government
needs to find ways to incentivize people and reduce obstacles to them
serving in cybersecurity positions. The salary issue cannot be
overlooked, as this is a major incentive for most professionals--
especially in the most sought-after areas of IT like cybersecurity.
Government needs to offer competitive salaries, and if that's not
possible, Government should offer better retirement packages to be more
on a par with the private sector. Alternatively, agencies could offer
cybersecurity personnel the ability to up-level their positions (e.g.,
from a GS12 to a GS13) more quickly than usual.
Congress gave DHS expedited hiring authority for cybersecurity 3
years ago--an authority that could address many of these suggestions.
It's incumbent upon the Department to move these plans forward as soon
as possible.
Another impediment to getting cybersecurity personnel where they
need to be in Government agencies has to do with clearances. Often an
agency will require an advanced clearance to enter a facility when, in
fact, many of the systems don't house Classified data. As there's a
limited number of personnel with high-level security clearances--and as
it takes a long while to get one--this also contributes to the
cybersecurity talent shortage in Government. Expediting the vetting
process and carefully reviewing which clearances are truly necessary to
work on a system, while still protecting National security, would both
be steps in the right direction.
Another topic that deserves attention is the need to review and
declassify materials over time. This merits a lot more study, and I
know there are efforts within the Defense Department, in particular, to
better determine what data actually needs to be Classified and for how
long. If data were to be declassified more quickly, more cybersecurity
professionals with lower or no clearances would be able to be of
service.
public-private sector cross-pollination
We must also develop creative approaches to enabling the public and
private sectors to share talent, particularly during significant
cybersecurity events. Cybersecurity is a rapidly changing area, and
what's valid today might well be superseded tomorrow. We know that the
adversary is constantly innovating and changing course, often reacting
to new defensive capabilities the private sector develops. It's
unrealistic to think that Government cyber practitioners would be able
to keep up with such a rapidly-evolving environment without private-
sector assistance. We should design a mechanism for cyber
professionals--particularly analysts or those who are training to
become analysts--to move back and forth between the public and private
sector so that Government organizations would have a continual refresh
of expertise.
One way to accomplish this would be for DHS to partner with
companies and other organizations such as universities to staff a cadre
of cybersecurity professionals--operators, analysts, and researchers--
who are credentialed to move freely between public and private-sector
service. These professionals, particularly those in the private sector,
could be on call to help an impacted entity and the Government respond
to a major hack in a timely way. Both Government and private-sector
cybersecurity professionals would benefit from regular job rotations of
possibly 2 to 3 weeks each year. This type of cross-pollination would
help everyone share best practices on technology, business processes,
and people management. DHS should include a flexible, public-private
pool of certified professionals in its plan to rewrite its
cybersecurity hiring and retention plan. If DHS is not ready to act,
Congress should establish a blue-ribbon panel of public and private-
sector experts to study how a flexible cadre of cybersecurity
professionals could be started and managed. Much like the National
Guard, a flexible staffing approach to closing the skills gap could become
a model of excellence.
how technology can help alleviate the problem
Even though we should work hard and think creatively to fill it,
the cyber skills gap won't be closed any time soon. In the mean time,
we must rely on technology more and more.
Moving to the Cloud
Both the Government and industry are moving their IT operations to
the cloud. Last year, McAfee surveyed over 2,000 professionals for our
annual cloud security research study, Building Trust in a Cloudy Sky:
The State of Cloud Adoption and Security. We found that hybrid cloud
adoption tripled in the last year, increasing from 19 percent to 57
percent in organizations surveyed. Additionally, IT executives believed
their IT budget would be 80 percent cloud-based within an average of 13
months, and 73 percent of companies are planning to move to a fully
software-defined data center within 2 years.
Here's the relevance to the work force shortage: As more
organizations move to the cloud, the cloud providers rather than the
organizations are delivering a baseline of foundational technology--
hardware, operating systems, and so forth. This reduces the overall
amount of labor that an organization's IT and information security
staff needs to exert, leveraging cloud's inherent economies of scale.
However, the move to the cloud will not, by itself, close the cyber
skills gap in the short run; there are just too many open slots to
fill. Indeed, our recent cloud study also found that 49 percent of
businesses are currently delaying cloud deployment due to a
cybersecurity skills gap. Nevertheless, the move to the cloud will help
reduce the labor shortage; it will just take more time to pay off as
more organizations off-load their IT environments to cloud providers.
Human-Machine Teaming
One strategy for addressing the cybersecurity skills deficit is to
use automation--through such solutions as machine learning and
artificial intelligence. Legacy IT systems, however--like many of those
in the Federal Government--lack the ability to take advantage of the
most contemporary security architectures and development techniques.
While it is possible to isolate or wrap security around a legacy
system, the approach is far inferior to a well-designed secure
implementation designed for the security challenges of 2017 and beyond.
This speaks to the need for investments in IT modernization and
modern cybersecurity solutions, which the President's Executive Order
addresses. We support these much-needed policy changes, which will
allow for better use of automation, or machine learning.
The ideal situation for now is what McAfee calls human-machine
teaming. This means taking advantage of the particular strengths of
each. Machine learning can save security teams both time and energy, as
it is the fastest way to identify new attacks and push that information
to endpoint security platforms. Machines are excellent at repetitive
tasks, such as making calculations across broad swaths of data. That's
one of the strengths of machine learning: Its ability to crunch big
data sets and draw statistical inferences based on that data, detecting
patterns hidden in the data at rapid speed.
Humans, on the other hand, are best at insight and analysis (the
cybersecurity analysts referred to earlier). With the assistance of
machine learning, human analysts can devise new defenses quickly,
adapting to attackers' automated processes and limiting their
effectiveness. The human intellect is capable of thinking like an
adversary and understanding a scenario that might never have been
executed in any environment previously. Machines can take over some
simple processes, automating them so the humans can be free to
understand context and implication, such as why a bad actor might want
to attack a Government agency.
Fostering Interoperability
When considering the role of security technologies, it's important
to understand the market-like forces that drive the effectiveness of
cybersecurity defense. Most information technologies continuously
improve over time. Paradoxically, cyber defense technologies do not
follow this pattern. Their effectiveness peaks shortly after release
and then degrades. When a new defensive capability is first released,
bad actors take little notice, but once deployed at scale, they adopt
evasion tactics and counter-measures, causing the effectiveness to
significantly degrade.
Where does that leave us? We see the current paradigm of constant
integration of point products--individual software applications--as
ineffective and unsustainable, particularly given the substantial
number of cyber professionals needed to knit together disparate
systems. Not only are technology efficiencies already declining by the
time the lengthy purchase and integration cycles are complete, but
organizations are unable to deal with the complexity of supporting
upwards of 30 or 40 independent tools and technologies. That's a losing
game, but it's the one security practitioners find themselves playing.
We need a different approach where technology--enabled with strong
collaboration--can be deployed rapidly to security platforms so they
can communicate with each other over open communication protocols.
Organizations in both the public and private sector need security tools
that are interoperable and interchangeable to protect against existing
and prospective threats. As cybersecurity solutions become
interoperable, they become more efficient and cost-effective. They also
become easier to maintain than an IT environment of disparate systems,
the classic IT hair ball. Over time, more interoperable cybersecurity
systems will contribute to closing the skills gap as they get more
widely deployed. We call on the cybersecurity industry to design
technology to an open standard, on an open platform, so customers are
not locked into proprietary technologies that don't work with each
other or allow for change.
McAfee has taken a major step toward fostering interoperability by
opening our Data Exchange Layer (DXL)--a communications fabric that
enables unprecedented collaboration in an open-source, real-time
system--to other developers and vendors to use at no expense. OpenDXL
is at the core of our mission to enable security devices to share
intelligence and orchestrate security operations at rapid speed. As of
today, there are 13 companies connected to the DXL ecosystem, 12 others
in testing or development, and 14 additional companies in the design
phase.
OpenDXL is a big part of what we mean by Together Is Power. No
single industry partner can cover the vast spectrum of security and
privacy problems. No single industry partner will catch every issue
every time. Only by working collaboratively in the private and public
sectors can we defeat cyber attackers. This means bringing the best
ideas, the best technologies and the best people to bear on our common
security problem. It means leveraging technologies guided by the
strategic intellect that only humans can provide. And to ensure that we
have enough human intellect to work with our continually evolving
technology, we need to encourage more people from diverse backgrounds
to enter the cybersecurity field, train them, and--particularly in the
case of Government--reward them.
I look forward to our discussion and will be happy to answer any
questions.
Mr. Ratcliffe. Thank you, Mr. Montgomery.
The Chair now recognizes Dr. Papay for 5 minutes for his
opening remarks.
STATEMENT OF MICHAEL PAPAY, VICE PRESIDENT AND CHIEF
INFORMATION SECURITY OFFICER, NORTHROP GRUMMAN
Mr. Papay. Thank you, Chairman Ratcliffe, Ranking Member
Richmond, and Members of the subcommittee for hosting today's
important hearing.
As our Government, military, and society become
increasingly dependent upon digital technology, it is a
National and economic security imperative to ensure that we
have a cyber-trained work force to meet this demand.
My name is Dr. Michael Papay and I am the vice president of
cyber initiatives and the chief information security officer
for Northrop Grumman, the leading cyber provider across the
Federal Government.
As critical as technology is, at Northrop Grumman, we
firmly believe that our employees are the single-most important
aspect of cybersecurity, and we have made it a top priority to
not only support the development of a larger cyber-qualified
work force globally, but also to increase its diversity.
Like DHS and the Federal Government, Northrop Grumman can
offer prospective employees something unique, the opportunity
to do really exciting, cutting-edge work that is vital to our
National security. For many cyber professionals, it is this
sense of mission that drives them.
In 2012, I had the privilege of participating in the
Homeland Security Advisory Council Task Force on Cyber Skills.
I applaud DHS for adopting many of the task force
recommendations, including additional cyber training which
Northrop Grumman provided to hundreds of DHS employees.
Northrop Grumman has also incorporated the majority of
recommendations into our internal cyber work force strategy.
At Northrop Grumman, we look at the continuum of education
from elementary school through the professional ranks to build
a diverse, highly-skilled work force. The Northrop Grumman
Foundation is honored to be the presenting sponsor of the Air
Force Association's CyberPatriot Program, a youth, teen cyber
defense competition which boasted over 4,400 teens from all 50
States last year. While most STEM programs report a female
participation rate around 12 percent, I am especially proud
that CyberPatriot boasts 23 percent female participation.
Northrop Grumman is actively engaged with universities
across the country to help to develop curriculum, fund hands-on
student research and development projects and educate future
cyber professionals. Because cyber is such a complicated and
dynamic challenge, we need a work force that brings with it a
diversity of thought, culture, education, experience, and
problem solving. Diversity drives innovation and breeds
success.
Therefore, in many cases, we are specifically targeting
investments to increase the participation of women and
underrepresented groups in the cyber profession. For example,
cyber scholars at the University of Maryland, Baltimore County,
and the Cyber Warrior Diversity Program at Morgan State
University and Coppin State University.
As part of our retention efforts and to support their
growth, we rotate cyber professionals around the company to
keep them engaged and challenged while also offering on-going
educational and training opportunities. We even developed our
own in-house cyber academy to provide our employees, customers,
and even policy makers with the macro understanding and
technical skills cyber often requires.
A few final thoughts to leave the committee with. On
clearances, beyond just a shortage of cyber professionals,
there is also a lack of cleared cyber professionals. We need to
figure out ways to improve the clearance process to ensure that
both the Federal Government and contractors have the cleared
employees to do all the critical National security work that is
required.
More cyber-trained Federal employees. Cyber training across
the Federal Government is inconsistent. The Federal Government
as a whole needs to put a greater emphasis on ensuring its
employees have the cyber understanding and tools to effectively
and securely do their jobs.
Increased partnerships and coordination. There is no single
answer to addressing the shortage of cyber workers. Continuing
to work across academia, Government, and industry is essential
to leveraging investments, best practices, and collectively
working together to ensure that our great Nation continues to
securely grow and prosper in this increasingly digital age.
I would be happy to answer any questions. Northrop Grumman
looks forward to working with the subcommittee on this effort.
Thank you again.
[The prepared statement of Dr. Papay follows:]
Prepared Statement of Michael Papay
September 7, 2017
Thank you Chairman Ratcliffe, Ranking Member Richmond, and Members
of the House Homeland Security Subcommittee on Cybersecurity and
Infrastructure Protection for holding today's hearing on the critical
topics of attracting, retaining, educating, and training our Nation's
cyber work force. As our Government, military, and society overall
become increasingly dependent upon digital technology, it is a National
AND economic security imperative to ensure that we have the cyber-
trained work force to meet this demand.
My name is Dr. Michael Papay and I am vice president of cyber
initiatives and chief information security officer (CISO) for Northrop
Grumman, a leading cyber provider across the Federal Government and
producer of innovative solutions from autonomous systems to strike
platforms to space products. Given the often sensitive and critical
National security nature of our work, it is absolutely essential for
resilient cybersecurity to be a key component to all that we do. From
original code, to hardware, to uninterrupted mission performance while
enduring cyber threats, our customers trust us to deliver systems that
enable them to confidently execute the mission in any environment,
including cyber space. We are proud of our strong reputation earned
through 70 years of integrity, innovation, dedication to the customer,
and a proven track record of performance. As important as technology
is, at Northrop Grumman we firmly believe that our employees are the
single most important aspect of cybersecurity. Therefore, we have made
it a top priority to not only support the development of a larger cyber
qualified work force globally but also to increase its diversity.
Thank you again for having me here today and I hope that my
testimony is useful. I look forward to your questions.
attracting and retaining employees
Northrop Grumman is at the forefront of cyber research,
development, and technology, and it is our people that make this
possible. While Northrop Grumman, like the DHS and the Federal
Government, must continue to work to overcome a perception hurdle for
cyber talent--we can offer prospective employees something unique--the
opportunity to do really exciting, cutting-edge work that is vital to
our National security. For many cyber professionals (and employees
across Northrop Grumman and the Federal Government) it is this sense of
mission that drives them.
As part of our effort to ensure that our cyber employees are
continually challenged and provided opportunities for growth, we move
them around inside the company from customer to customer, tough problem
to tough problem. We utilize rotational programs that expose and train
our cyber work force in defending our network, enabling our customers'
missions, and supporting full spectrum cyber operations. We work with
employees to help them create their own growth along the cyber career
path, give them the time to take the training necessary to maintain
their certifications, and keep their knowledge and skills fresh. We
even offer educational assistance in some instances.
To provide our employees, customers, and even policy makers with
the macro understanding and technical skills cyber often requires,
Northrop Grumman created its own, in-house ``Cyber Academy''. We also
utilize a matrix model for customer mission support and employee
development--allowing us to hire for critical skills and redeploy our
talent across programs. We are committed to providing positions that
work best for our employees by allowing flexible work schedules and
opening up work locations in customer-approved non-traditional cyber
hubs throughout the country to broaden our talent pool.
At Northrop Grumman, we are focused on attracting all those who are
interested and qualify through a sense of mission, passion for solving
complex challenges, and desire to work on cutting-edge technologies
that they are unable to do anywhere else in the world.
partnering with the federal government and dhs cyber training
In 2012, I had the privilege of participating in the Homeland
Security Advisory Council Task Force on CyberSkills, an initiative that
was launched to help develop a National security work force as well as
enable DHS to recruit and retain its own cyber talent. I applaud DHS
for adopting many of the Task Force's recommendations. At Northrop
Grumman, I am pleased to note that we have incorporated the majority of
these recommendations as part of our internal cyber work force
strategy. Members of my team also participated in the DHS Cyber
Education and Workforce Development Working Group and then the NIST
National Initiative for Cybersecurity Education (NICE). Northrop
Grumman representatives are members of both the Collegiate Working
Group and the K-12 Working Group. Our engagement brings industry
perspective in full collaboration with Government and academia. We also
contribute to the NIST NICE Workforce 2.0 model which creates a
framework for professionalization of the cyber career.
Partnering with our Federal Government customers on cyber work
force education and training is critical to supporting a National
security mission and our mutual success. One of the key findings of the
CyberSkills Task Force was the need to provide more cyber training to
DHS employees and I am pleased that Northrop Grumman has helped support
this initiative. Starting in 2014, as part of our National
Cybersecurity & Communications Integration Center (NCCIC) contract, we
began using 39 cyber training courses to help DHS employees increase
their efficiency and improve retention. Our training program heavily
leveraged our internal Northrop Grumman Cyber Academy for a large
portion of the course content and developed a three-level competency
model. Hundreds of DHS employees received targeted training ranging
from how to review cyber threat analysis reports to effectively
coordinating with partners. Northrop Grumman cyber practitioners
provided advice and guidance on National-level cyber security policy as
well as implementation and support of new or existing technical
solutions to enhance the mission. These training plans aligned to Cyber
Skills and Cyber Pay initiatives, with incentives tied to requisitions
and future hirings.
northrop grumman cyber workforce development
Growing a cyber work force from the ground up begins with inspiring
youth to pursue this field. At Northrop Grumman and for our customers,
in working to build a cyber work force, we look at the continuum of
education--from elementary school through the professional ranks--and
are collaborating with academia and organizations world-wide to help
address this issue and build a diverse, highly-skilled work force.
For more than 7 years--Northrop Grumman has partnered with the Air
Force Association to present the CyberPatriot National Youth Cyber
Education Program. CyberPatriot is one of our most successful and
impactful initiatives and features the wildly popular annual cyber
defense competition. It started in 2009 with 8 teams and I'm proud to
say over 4,400 teams participated this past year from all 50 States,
Canada, and Department of Defense Dependent Schools in the Pacific and
Europe. Given the fact that teams average about 5 students, we are
reaching tens of thousands of youth each year who are learning how to
harden and protect computers and networks. A full 87 percent of
CyberPatriot participants go on to pursue STEM degrees in college. In
addition to deep technical skills, the students, through the program
structure, their mentors and hands-on experience, also develop their
talents in cyber ethics, collaboration, communication, and leadership--
all life skills that enhance their career readiness. Northrop Grumman
has awarded more than $350,000 in scholarships to winning teams. Like
others in industry and Government, the company has employed these high
school students as paid summer interns, more than 300 to date, working
side-by-side with our cyber professionals. Many of these interns have
stayed with Northrop Grumman, returning summer after summer for paid
internships through high school and then college. While most STEM
programs report a female participation rate around 12 percent, I am
especially proud that CyberPatriot boasts 23 percent female
participation! None of this could be accomplished without the academic
partner of the program, the University of Texas San Antonio's Center
for Infrastructure Assurance and Security. To that end, we have found
that you cannot only focus on higher education or at the high school
level. In many cases, students have already decided upon their desired
field by the 5th or 6th grade. Therefore, the earlier you can expose
students to STEM topics in an engaging and exciting way as we do with
the CyberPatriot Elementary School Cyber Education Initiative, the
greater likelihood they will pursue a STEM path.
university partnerships
Northrop Grumman is actively engaged with universities across the
country to provide an industry perspective on cyber curriculum and
degree programs to prepare students for real-world challenges. We
helped launch the Nation's first cyber honors program at the University
of Maryland--College Park called ACES, the Advanced Cybersecurity
Experience for Students. ACES is a living learning community for
exceptional students from a variety of majors to enhance their cyber
studies. We've also assisted in creating the Nation's first
undergraduate Cybersecurity Engineering degree at George Mason
University in Fairfax, Virginia. Further, at the University of
Maryland--Baltimore County (UMBC), we are providing grants to students
from diverse academic and socio-economic backgrounds to pursue
cybersecurity education. At great schools ranging from Cal Poly Pomona
to the University of Cincinnati and dozens of others across the country
our employees are actively engaged in helping to develop curriculum,
fund hands-on student projects, and educate future cyber professionals.
diversity
Because cyber is such a complicated and dynamic challenge, we need
a work force that brings with it diversity of thought, culture,
education, experience, and problem solving--diversity drives innovation
and breeds success. Diversity is truly a strategic asset. Working with
university and professional organizations that cater to diverse
populations is a great way to attract cyber employees and build a
stronger, ethnically and racially diverse work force. We partner with
the Society of Hispanic Professional Engineers, Women in Technology,
Women in Cyber Security, and Society of Women Engineers to name just a
few organizations. We need to ensure that young girls, minorities, and
other underrepresented populations recognize that they are welcome and
can succeed in the cyber work force. This past year working with a
small, disadvantaged business located in Baltimore, Maryland we
developed the Cyber Warrior Diversity Program at Morgan State
University and Coppin State University, two Historically Black Colleges
and Universities (HBCU). This training is designed to prepare
individuals to defend information systems and networks by training,
testing, and providing certifications in accordance with the DoD
Information Assurance Workforce Improvement Program. Additionally, the
Northrop Grumman Foundation is funding a 3-year, $2 million program
with the National Society of Black Engineers (NSBE) designed to expand
the Nation's engineering work force through a partnership with
Historically Black Colleges and Universities (HBCUs). The Northrop
Grumman Corporation/NSBE Integrated Pipeline Program will provide 72
engineering students with $8,000 scholarship grants, internships with
Northrop Grumman and year-round academic and professional development
support. The program's three HBCU partners--Florida A&M University,
Howard University, and North Carolina A&T State University--will
receive grants, technical assistance, and a package of programs
researched and managed by NSBE.
Expanding the diversity of the cyber work force is critical to not
only ensuring that we have a sufficient number of cyber professionals
but also the range of perspectives and backgrounds necessary to counter
a constantly-evolving threat.
breaking barriers
I am honored to be here today representing Northrop Grumman and
proud of our company's efforts to help develop a robust pipeline of
innovative thinkers, engineers, and passionate professionals who will
secure our Nation's cyber future. A few final thoughts to leave the
committee with:
Clearances.--Beyond just a shortage of cyber professionals,
there is also a lack of cleared cyber professionals. We need to
figure out ways to improve the clearance process to ensure that
both the Federal Government and contractors have the cleared
employees to do all the critical National security work that is
required.
More Cyber-Trained Federal Employees.--Cyber training across
the Federal Government is inconsistent. The Federal Government
as a whole needs to put a greater emphasis on ensuring its
employees have the cyber understanding and tools to effectively
and securely do their jobs.
Increased Partnerships and Coordination.--There is no single
answer to addressing the shortage of cyber workers. Continuing
to work across academia, Government, and industry is essential
to leveraging investments, best practices, and collectively
working together to ensure that our great Nation continues to
securely grow and prosper in this increasingly digital age.
I would be happy to answer any questions and Northrop Grumman looks
forward to working with the committee on this effort.
Thank you again.
Mr. Ratcliffe. Thank you, Dr. Papay.
The Chair now recognizes Ms. Okafor for 5 minutes.
STATEMENT OF JULIET ``JULES'' OKAFOR, STRATEGIC ADVISORY BOARD
MEMBER, INTERNATIONAL CONSORTIUM OF MINORITY CYBERSECURITY
PROFESSIONALS
Ms. Okafor. Thank you, Chairman Ratcliffe, Ranking Member
Richmond, and Members of the House Homeland Security
Subcommittee on Cybersecurity Infrastructure Protection.
I am pleased to appear before you today to discuss the
challenges of addressing the severe people problem that hinders
our ability to address the advancing threat against our
Nation's critical infrastructure.
Technology alone cannot bridge the increasing skills gap
our Federal Government continues to face in recruiting and
retaining highly skilled cybersecurity talent. Similar to the
private sector, it is our belief that the Federal Government
must take a more innovative approach to the recruitment and
retention of our future cyber work force.
My name is Juliet Okafor, J.D., vice president of business
development for Fortress Information Security and Strategic
Advisory Board member for the ICMCP, the International
Consortium of Minority Cybersecurity Professionals. I am the
first black and female employee of Fortress Information
Security, a minority-owned cyber risk, intelligence, and
management start-up based in Orlando, Florida.
Fortress was founded in 2015 by two entrepreneurs who
thought to apply practical business intelligence to address the
most complex and emerging challenges across IT, OT, and third-
party risk management facing the global critical
infrastructure. Our approach for the market, bundling
analytics-enabled security-risk orchestration technology, risk
governance, and the people. It stemmed from the constant
concern reported by CISOs of the world's largest organizations
about their ability to hire skilled security staff to fill
critical technical security roles.
In May 2016, I joined the International Consortium of
Minority Cybersecurity Professionals as the first female co-
chairwoman of the Strategic Advisory Board. I lead strategic
planning and roadmap development for strategic initiatives,
partnerships, and community outreach.
In this role, I spend much of my time listening to the
efforts taken by the largest global corporations, small
businesses, and educational institutions regarding building a
talented, diverse, highly diverse, and innovative cyber work
force, and then identifying opportunities, programs, tools, and
processes that we can implement with these enterprises to
leverage and expand diversity-inclusion programs.
The key organizational objectives of ICMCP are, No. 1, to
increase the number of female and minority students pursuing
cybersecurity-related disciplines at both the undergraduate and
post-graduate levels by funding scholarship opportunities;
facilitate the career advancement of existing member
cybersecurity practitioners through mentoring and grants
leading to advanced degrees and/or professional certifications
in the field of cybersecurity; promote public awareness of
cybersecurity and the opportunities for minorities and
underrepresented groups in the profession; No. 4, function as a
representative body on issues and developments that affect the
careers of minority and women cybersecurity professionals; No.
5, establish a mechanism for gathering and disseminating
information toward minorities and underrepresented groups.
In my testimony today, I will highlight the challenges
being faced across the public and private sectors in
recruitment and retention of cybersecurity talent. These
challenges are compounded for diverse populations which face
issues with career investment for existing diverse
practitioners and retention challenges that also exist in
keeping diverse talent once they are recruited.
I will also discuss the efforts and progress made by large
and small enterprises, grassroots and nonprofits, like the
organizations I represent today, and the efforts that they are
making to address the cybersecurity industry's largest and most
critical vulnerability, the human factor.
Our research shows that these challenges extend across
Government and private sector with scarce talent in high
demand, making it even more critical to focus efforts on
increasing capacity.
As noted in the Cybersecurity National Action Plan and 2017
budget, the goal remains to identify, recruit, develop, retain,
and expand the pipeline of the best, brightest, and most
diverse cybersecurity talent for Federal service and for our
Nation.
Additionally, a 2014 CIA Diversity in Leadership Study
commissioned by the director of the CIA, one of the Nation's
largest intelligence and security agencies, said that the lack
of diversity in its leadership ranks is of great concern and
that diversity is critical to the mission.
The agency further stated that a lack of diversity of
thought and experience was identified by Congressional
committees and independent commissions as a contributing factor
to past intelligence failures and that diversity is mission
critical is no longer a debatable proposition, if it ever was.
I thank you for allowing me to speak with you today.
[The prepared statement of Ms. Okafor follows:]
Prepared Statement of Juliet ``Jules'' Okafor
September 7, 2017
Thank you Chairman Ratcliffe, Ranking Member Richmond, and Members
of the House Homeland Security Subcommittee on Cybersecurity and
Infrastructure Protection. I am pleased to appear before you today to
discuss the challenges of addressing the severe ``people problem'' in
addressing the advancing threat to our Nation's critical
infrastructure. Technology alone cannot bridge the increasing skills
gap our Federal Government continues to face in recruiting and
retaining highly-skilled cybersecurity talent. Similar to the private
sector, it is our belief that the Federal Government must take a more
innovative approach to the recruitment and retention of our future
cyber work force.
My name is Juliet Okafor, JD, vice president of business
development for Fortress Information Security and strategic advisory
board member for the International Consortium of Minority Cybersecurity
Professionals (ICMCP). I am the first black and female employee of
Fortress Information Security, a minority-owned, cyber risk
intelligence and management start-up based in Orlando, Florida.
Fortress was founded in 2015 by two serial entrepreneurs, who sought to
apply practical business intelligence to address the most complex and
emerging challenges across IT, OT, and Third-Party Risk Management,
facing the global critical infrastructure. Our approach to the market--
bundling analytics-enabled security risk orchestration technology, risk
governance, and people stemmed from the constant concern reported by
CISO's of the world's largest organizations about their ability to hire
skilled security staff to fill critical technical security roles.
In May 2016, I joined the International Consortium of Cybersecurity
Professionals as the first female co-chairwoman of the Strategic
Advisory Board and chair of the fundraising committee for ICMCP. I lead
strategic planning and roadmap development for strategic initiatives,
partnerships, and community outreach. In this role, I spend much of my
time listening to the efforts experienced by the largest global
corporations, small businesses, and educational institutions regarding
building a talented, diverse, and innovative cyber work force. Then
identifying opportunities, programs, tools, and processes that
enterprises can leverage to expand diversity and inclusion programs.
ICMCP's key organizational objectives are to:
1. Increase the number of female and minority students pursuing
cybersecurity-related disciplines at both the undergraduate and
post-graduate levels by funding scholarship opportunities.
2. Facilitate the career advancement of existing member
cybersecurity practitioners through mentoring and grants
leading to advanced degrees and/or professional certifications
in the field of cybersecurity.
3. Promote public awareness of cybersecurity and the opportunities
for minorities in the profession.
4. Function as a representative body on issues and developments
that affect the careers of minority cybersecurity
professionals.
5. Establish a mechanism for gathering and disseminating
information for minority cybersecurity professionals.
In my testimony today, I will highlight the challenges being faced
across the public and private sectors in recruitment and retention of
cybersecurity talent. These challenges are compounded for diverse
populations, which face issues with career advancement for existing
diverse practitioners and retention challenges that also exist in
keeping diverse talent once they are recruited. We will also discuss
the efforts and progress that large and small enterprises and
grassroots non-profits like the organizations I represent today,
Fortress Information Security and ICMCP, have made in addressing the
cybersecurity industry's largest and most critical vulnerability--the
human factor.
Our research shows that these challenges extend across Government
and private sector, with scarce talent and high demand, making it even
more critical to focus efforts on increasing capacity. As noted in the
Cybersecurity National Action Plan and 2017 Budget, the goal remains
``. . . to identify, recruit, develop, retain, and expand the pipeline
of the best, brightest, and most diverse cybersecurity talent for
Federal service and for our Nation.'' Additionally, a 2014 CIA
Diversity in Leadership study commissioned by the director of the CIA,
one of the Nation's highest intelligence and security agencies, cited
that the lack of diversity in its leadership ranks is of great concern
as diversity is ``critical to the mission''. The agency further stated
that ``a lack of diversity of thought and experience was identified by
Congressional committees and independent commissions as a contributing
factor to past intelligence failures . . . that diversity is
mission-critical is no longer a debatable proposition--if it ever
was''.
the shortages in the cybersecurity work force diversity
According to Frost & Sullivan's 2017 International Information
Systems Security Certification Consortium ((ISC)2) Global Information
Security Workforce Study (GISWS) of over 19,000 information security
professionals globally, across 170 countries, women represent only 11
percent of the total cybersecurity work force despite a projected work
force shortfall of 1.5 million people during the next 5 years due to a
lack of trained professionals. The percentage representation of African
Americans and Hispanics in cybersecurity has been reported at
approximately 12 percent combined, for both these groups. This data
takes on added meaning when we consider the projected growth in the
U.S. minority population over the next few decades where the Hispanic
population is expected to grow to 28.8 percent of the U.S. population
and the African American population is expected to climb to almost 20
percent according to Census data reflecting population growth 2014-
2060.
In a recent USEOC Report, projections for selected STEM occupations
with fast employment growth, projected 2012-22, Information Security
Analysts have a 37 percent projected growth rate (currently 75,100 jobs
annually and 102,500 jobs created annually by 2022), with a Median
Annual Wage in 2013 of $88,590.00. Global Information Security
Workforce Sub-Reports issued by various industry groups (to include
(ISC)2) cite the consistent underrepresentation of African Americans
and Hispanics in STEM careers. Only some 6 percent of STEM workers are
African American compared to an overall 10 percent of the U.S. work
force. Similarly, Hispanics comprise only 7 percent of the STEM work
force while making up 15 percent of the U.S. work force. In the past,
human bias was understood to be largely a conscious and intentional
reason for such gross underrepresentation. New research from the fields
of neuroscience and sociology now suggest that human biases are largely
unconscious and unintentional.
As the demographics of the U.S. population continue to become more
diversified, the importance of increasing the participation of women
and minorities in the work force becomes of paramount concern. Ashley
Tolbert, a recent Information Security graduate from Carnegie Mellon
now working in the Bay Area in Cyber Security Operations, writes of her
experiences as a student, intern, and professional in the cybersecurity
field that ``a lack of diversity and inclusion in the information
security field is one of the foremost impediments to attracting and
retaining diverse talent, which the industry sorely needs. Since
cybersecurity is one of the biggest challenges to our Nation's National
and economic security and we're facing a major talent shortfall in the
industry, strategies to ensure all capable talent regardless of race,
ethnicity, or sexual orientation feel welcome and included is
important.''
This work force shortfall should be of much consternation given
that cyber crime and information theft, to include cyber espionage,
remain the most serious economic and National security challenges that
our country faces. It has also been reported that this under-
participation by large segments of our society represents a loss of
opportunity for individuals, a loss of talent in the work force, and a
loss of creativity in shaping the future of cybersecurity. Not only is
it a basic issue of digital diversity and equality, but it threatens
our global economic viability as a Nation.
the roots of the cybersecurity workforce diversity gap go back to our
middle schools and high schools
The work force shortfall and the growing diversity gap in the
cybersecurity industry in the United States also reflects the broader
challenge that the USA faces in science, technology, engineering, and
mathematics, or STEM, programs in our schools. Until we can get more
students matriculating with STEM-related degrees, these challenges
faced within the cybersecurity industry and overall information
technology industry will persist. According to the Pew Research ``Fact
Tank'' Report of International Students in Math and Science, American
15-year-olds were ranked 38th out of the 71 countries included in the
report. The results were only slightly more encouraging for our 8-year-
olds, who were ranked 11th out of the 38 countries included. As a
country, we have to be laser-focused on quality and retention in middle
and high school STEM programs, as these formative years determine the
future talent pipeline for the cybersecurity work force. Strategies and
programs are needed to provide significantly more apprenticeship
opportunities as well as opportunities in colleges and universities, to
include an infusion of Federal resources to support everything from
curriculum and faculty development to tuition support.
Chairman Ratcliffe, our STEM imperative cannot be more urgent for
minority students when we consider the projected growth of minority
populations according to the census data and the reported labor trends
citing the fact that over 90 percent of all jobs by 2030 will require
information technology skills.
the imperatives for grassroots organizations and private enterprises
Nonprofits and educational institutions are tackling the cyber
divide by creating academic scholarship opportunities to attract more
females and students of color into the career field. For existing
minority cybersecurity practitioners, ICMCP is deploying strategic
mentoring programs geared toward fostering the career growth of junior
and mid-level practitioners into becoming the next generation of
executive decision makers. Studies by various groups have underscored
the importance of work-based learning programs, mentorship,
apprenticeship, sponsorship, and employee affinity groups as key
strategic components of successful diversity and inclusion programs and
employee retention initiatives.
Toward fulfilling these five key organizational objectives, last
year ICMCP was able to accomplish the following, thanks to the
generosity of our sponsors:
Awarded 10 Academic Scholarships @$5K
Awarded 5 Certifications (average $3K)
Awarded 1 Executive Development ($16K)
Placed 12 interns in cybersecurity positions
Matched 17 Proteges to Mutually-Matched Mentors
Assisted and facilitated the job placements of over one
dozen minority cybersecurity professionals at various levels in
several industries
Implemented the first operational Security Operations Center
(SOC) at an academic institution toward ensuring students
graduate with hands-on skills to augment their classroom
learning.
So far in 2017, ICMCP has already accomplished the following:
Awarded over $100K in academic scholarships,
Awarded at least 10 certification vouchers (ISC2, CompTIA,
SANS, ISACA, IAPP),
Coordinated the placement of 15 interns and 20 job-seekers.
We should also mention our participation in noteworthy
Government-led initiatives with diversity underpinnings that are also
tackling the ``Great Minority Cybersecurity Divide,'' which include:
gencyber
The National Security Agency's GenCyber program, co-sponsored by
the National Science Foundation, sponsors cybersecurity summer camps
for students and teachers at the K-12 level. The goals of the GenCyber
program are to help increase interest in cybersecurity and diversity in
the cybersecurity career field; help students understand correct and
safe on-line behavior; and improve the teaching methods for delivering
cybersecurity content in the K-12 curricula. This year the program
sponsored 130 GenCyber camps and reached nearly 5,000 students and
1,000 teachers across the Nation.
the consortium enabling cybersecurity opportunities and research
(cecor)
The Consortium Enabling Cybersecurity Opportunities and Research
(CECOR) funded by the Department of Energy is a collaborative effort
among 13 colleges and universities and 2 National laboratories to
develop a K-12 pipeline for the cybersecurity work force.
cybercorps scholarship for service (sfs) program
SFS is a program designed to increase and strengthen the cadre of
Federal information assurance professionals that protect the
Government's critical information infrastructure. This program provides
scholarships that may fully fund the typical costs incurred by full-
time students while attending a participating institution, including
tuition and education and related fees. The scholarships are funded
through grants awarded by the National Science Foundation, NSF.
But this is clearly not enough. To make significant progress in
developing and employing the cybersecurity capacity our Nation needs,
we need to be filling over 200,000 cybersecurity jobs annually
according to the Frost and Sullivan ISC2 GISWS Report and to be filling
these jobs with diverse candidates.
diversity wins
Chairman Ratcliffe, several studies have proven that diverse teams
win and, specifically in the private sector, diversity has been shown
to positively impact bottom-line revenues. In fact, recent reports are
showing that every incremental percentage point in African American and
Hispanic representation at NASDAQ-listed tech companies is linked with
a 3 percentage point increase in revenues. If the racial/ethnic
diversity of tech companies' work forces reflected that of the
engineering talent pool, the sector at large could generate a 20-22
percent increase in revenue--an additional $300-$370 billion each year.
Companies with above-median Hispanic representation (currently standing
at roughly 5-6 percent of the technical work force) are linked with
annual revenues that are 40 percent higher than companies that fall
below the median in Hispanic representation. The links between African
American representation and revenues were also positive, yet did not
show statistical significance.
There is also a linkage between racial/ethnic diversity and
operating margins--every 1 percentage point increase in racial/ethnic
diversity at a tech company is linked with 0.3--0.4 percentage point
increase in operating margins. Extrapolating to the tech sector
achieving levels of racial/ethnic diversity that reflect the talent
marketplace would be linked with $6-7 billion in additional operating
earnings industry-wide, or roughly a 2-3 percent increase in total
industry earnings.
These links between diversity and financial performance are not
unique to the tech industry--a range of studies conducted in other
industries support them. For instance, research published in the
American Sociological Review found that firms with high levels of
racial/ethnic diversity have more than 98 percent higher sales revenue,
serve over 54 percent more customers, are roughly 33 percent more
likely to have above-average market share, and are nearly 30 percent.
Our analysis is supported from the commercial sector by the
well-known consulting firm of McKinsey & Company, which conducted a 2015 study
of 366 public companies across a range of industries in the United
Kingdom, Canada, the United States, and Latin America. The resulting
analysis of the 366 companies revealed a statistically significant
connection between diversity and financial performance. The companies
with the highest gender diversity were 15 percent more likely to have
financial returns that were above their National industry median, and
the companies with the highest racial/ethnic diversity were 35 percent
more likely to have financial returns above their National industry
median. The correlation does not prove that greater gender and ethnic
diversity in corporate leadership automatically translates into more
profit--but rather indicates that companies that commit to diverse
leadership are more successful.
conclusion
Mr. Chairman, in closing, there are lots of vital efforts underway
to tackle the problem we have titled ``The Great Diversity Divide''
and progress is being made. Sadly however, with over 250,000 unfilled
jobs in cyber each year, with the average representation of women in
the cybersecurity industry averaging barely 10 percent for the past few
years, same with the combined representation of African Americans and
Hispanics with 1 or 2 percentage points, there is much more that can be
done and that must be done when we consider the projected minority
population growth and trends in the labor market.
Thank you for the opportunity to testify before you today, and I
look forward to any questions that you have.
Mr. Ratcliffe. Thank you, Ms. Okafor.
I now recognize myself for 5 minutes for questions.
I want to start out by thanking you all again for your very
thoughtful opening statements.
Dr. Chang, I want to start with you because I know in
addition to your prior Federal experience at NSA you are now
essentially on the front lines teaching and educating our
future cyber work force. So I would like your
perspective on whether working for a larger purpose factors
into whether students will choose to serve the Government. In
other words, does the potential of protecting our homeland and
working at a Classified level, incentivize students and young
people?
Mr. Chang. Yes, I believe it is. I on occasion have the
opportunity to chat with students about career choices, about,
you know, individual opportunities they may seek. It would be
fair to say that for a number of the students they believe that
there is potentially something larger than just salary. Now,
clearly salary will have a bearing, but I did have one
particular student, who, by the way, is a veteran, a former
Marine, the guy is a rock star. He is a terrific cyber
performer. Any company represented here I think would really
enjoy having him. He specifically made the point that he
and many people that he knows would basically choose mission
over money.
They want to have an impact, they want to make a
difference. They are trained, they are ready, they want to get
in the game. To the extent that they understand that, whatever
organization will allow them and their skills to make a
difference, they would absolutely raise the hand.
Mr. Ratcliffe. Terrific, thank you.
Mr. Montgomery, with so much focus in recent years about
expanding cyber educational opportunities, like we have talked
about and in your opening statement as well, why do you think
the cyber skills gap is getting worse?
Mr. Montgomery. Well, demand. Think about what is under
control of most organizations. They control the number of
people that they can hire. They control the budget for
technology. Another static factor is the number of hours in the
day, that doesn't change. But think about what does change
dynamically. The number of systems that you use in your own
household, for example, rages beyond control.
I remarked to a reporter today I have five more IP-enabled
devices in my book bag today than I did 5 years ago. I don't
see that trend diminishing. So demand, and I don't mean demand
for the skills of the personnel, I mean the demand upon those
personnel themselves.
So if you have these dynamic factors, the number of
systems, the attacks against those systems, the lucrative
nature of cyber crime, the interconnectivity of devices to just
about everything these days, it creates an untenable math
problem that the practitioner can't solve by himself.
So we don't have enough kids coming in, we all know that,
but we are also making the existing problem of the existing
practitioner worse because of the raw demand of computer power.
Mr. Ratcliffe. Terrific, thank you.
Dr. Papay, what programs have you found to be most
effective for your company's recruiting and retention efforts?
Are there metrics at Northrop Grumman that are used to judge
the success and failure of recruitment and retention programs?
Obviously, one of the purposes of this is that we are
trying to learn from some of the private-sector best practices
and whether or not those can apply or should apply in the
Federal sector.
Mr. Papay. Thank you, Mr. Chairman. So we approach the
problem just like any other business would. Where do you want
to spend your money? Where do you want to invest your time and
energy in looking at, first of all, the recruiting side and
then on the retention side. So let me just give you a few
numbers, like, some metrics that we look at for Cyber Patriot,
for instance.
If we look at the Cyber Patriot participation of the
students that are coming in there in the middle schools and
high schools, about 87 percent of the kids that are in that
program go on to pursue a STEM degree in college. That is a
pretty good number.
Then you look at how many of those kids go on and get a
college degree and come to work at big companies or go work for
the Government, then how long can you keep them with the
company? So we look at numbers, like, something like a 92
percent of those kids that come out of the Cyber Patriot
Program and then come in to work for Northrop Grumman as an
intern or as a summer hire, about 92 percent of them come back
again and stay and either continue their education or continue
their career with us or both.
So you have got to think about where you want to invest
your money and where you want to spend the time. I think the
Federal Government can look at that like a business.
Mr. Ratcliffe. Terrific.
My time is expired.
The Chair now recognizes the Ranking Minority Member for
his questions.
Mr. Richmond. Sure.
Dr. Chang, I will just start with a comment where you are.
So if you look at SMU, whose tuition is, give or take,
somewhere around $45,000 a year, not including room and board,
the demand upon students as they come out of college now, the
financial demand is a serious obstacle as we talk about--maybe
somebody has a solution for it. Who knows?
So the question becomes, and I think that you are right
when you start talking about supply and demand and you start
talking about the overall good of the country, demand is so
high right now, whether you are talking about Samsung and a
refrigerator that hooks up to the internet of things or you are
talking about my sous vide device where I can cook over wifi in
my home while I am here in the District of Columbia and it is
in New Orleans.
So the demand is very extraordinary, which then the supply
is still limited and it is going to be limited for a while. So
the question I have is, as Government, how do we think outside
the box? How do we do things in a creative manner to create
some capacity? How do we compete for those students who have a
number of challenges that they have to deal with?
Just as a side, do you know any State or local governments
that are doing a good job at retention or recruitment?
Mr. Chang. I will offer a couple of thoughts. So I think
there is sort-of this notion of top-down and bottom-up. So the
bottom-up perspective basically says when students graduate
they kind-of know and follow where the other students go. So if
they join a company or an organization and the students say,
hey, that is a really great place, come join me, they sort-of
keep track of each other. So there is this sort-of bottom-up
perspective that if you get some number of students, they may
attract some others.
I think there is also sort-of a top-down perspective as
well that says if DHS, for example, were able to recruit a
really big-name cyber professional, that would be a little bit
of a magnet for some other students. So I think maybe some
Fortune 500 CISO or something like that or some big name out of
Government, I do think the students would say, gosh, that is
somebody I admire, that is somebody I respect, somebody I can
learn from, might be an interesting strategy as well.
Mr. Richmond. Anyone else?
Ms. Okafor.
Ms. Okafor. Thank you. I believe that cybersecurity has a
branding problem. One of the biggest inhibitors in my
conversations with students and practitioners looking to enter
the field from non-IT-related industries is that it is mostly
military or it is seen as highly technical with penetration
testing. It sort-of in some situations lacks the kind of cool
that I think a lot of millennials are looking toward when they
are looking to build out their career.
Then when you talk about the Federal Government and you
think about some of the issues that we are facing in society
today, some people are reticent to enter something that both
seems very, you know, sort-of situated around military and then
institutionally-based.
So one of the things that I noticed is, a number of years
ago when I, and I won't share my age, but when I was growing
up, I saw a number of commercials as a young black woman who
grew up in Brooklyn about the military and the benefits the
military had very early on. For a commitment up front, you got
a lot on the back end. I think cybersecurity needs to really
start to broaden its awareness of the opportunities in it and
get people to invest in the mission very early on.
That will then allow them to, as they are being sort-of
approached by other industries, it is not just the money
because they are aware of what the benefits are and they also
understand what the task is that they would be a part of. So I
think that would be much more helpful with regards to the
branding issue I see.
Mr. Richmond. Thank you. I guess just from my perspective,
and you all can just tell me if you agree, part of it is just
that when you work for Government it is so rigid. When you are
in the cybersecurity space or really coding space or whatever
you want to call it, you know, the days of wearing a suit, the
days of all of this structure are really going away because
people have the ability to work anywhere and work in any kind
of environment.
Are we perpetuating our own barrier by our traditional
means of how we think about the workplace as opposed to what
technology offers?
With that, Mr. Chairman, I will yield back.
But, you know, a yes or a no or a sentence would help.
Mr. Papay. Yes. I will expand a little bit. One of the
things that I think, and to Ms. Okafor's point, cyber doesn't
know boundaries, it doesn't know buildings, it doesn't know
facilities, it doesn't know data centers, it doesn't know
anything. It knows where the demand is. So the notion of going
to this same cube to work on something that affects someone in
Ohio versus Montana versus Texas, it is a little bit at cross
purposes, absolutely.
Mr. Ratcliffe. All right.
The Chair now recognizes the gentleman from Rhode Island,
Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank you
for holding this hearing.
I want to thank our distinguished panel for being here. I
appreciate the contributions that each of you have made in your
own right to advancing the field of cybersecurity.
So, Mr. Chairman, in March, NICE, National Initiative for
Cybersecurity Education, issued a request for information on
scope and sufficiency of efforts to educate and train the
Nation's cybersecurity work force. I responded to highlight
several areas that I hope that they will focus on.
I ask unanimous consent, Mr. Chairman, if I could, that the
letter that I sent to be included in the record as context for
my questions for this distinguished panel.
Mr. Ratcliffe. Without objection.
[The information follows:]
Letter From Hon. James R. Langevin
August 1, 2017.
Ms. Danielle Santos,
Cybersecurity Workforce RFI, National Institute of Standards and
Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD
20899.
Dear Ms. Santos: The National Institute of Standards and Technology
has requested information on the scope and sufficiency of efforts to
educate and train the American cybersecurity work force of the future.
Investment in our nation's cybersecurity work force is crucial to our
national and economic security, and I write to applaud NIST for its
efforts in this matter. While we often focus on the technologies that
result from research, it is at least as much the skilled work force
behind the breakthroughs that drives our country forward.
Unfortunately, we are far behind where we need to be. Within the
cybersecurity work force today, we have hundreds of thousands of jobs
unfilled, thereby limiting our ability as a nation to respond to the
malicious actors who daily target our infrastructure, finances, and
intellectual property. We need short-, medium-, and long-term solutions
that reach all components of the educational pipeline from K-12
education to university programs to certifications. We also need to
explore retraining and apprenticeships as ways to infuse additional
talent into the field.
In order to properly understand the scope of the challenge, it is
crucial that NIST applies measures and metrics to the cybersecurity
work force, and I was pleased to see their inclusion within the
request. As a nation, we must analyze the expected demand for
cybersecurity personnel, the efficacy of training programs in producing
skilled workers, and the ability of our educators, both in number and
in capability, to instruct students. Furthermore, we must share across
our communities the lessons and best practices learned from these
studies to ensure that students throughout the nation have access to
the best cybersecurity education possible no matter where they live.
Additionally, the dynamic nature of technology development ensures
that even our best-laid plans will require adaptation as innovative
technologies come on the market. This is perhaps one of the most
significant challenges that we will face in shaping tomorrow's work
force, and it will require novel approaches to training. The emerging
use of artificial intelligence to assist cybersecurity tasks, for
example, may dramatically alter the tasks of a computer and network
security engineer in the coming decades. Similarly, the rapid growth in
connected devices may create new classes of cybersecurity professionals
focused on the unique challenges posed by the Internet of Things. We
must prepare our work force for this future while also preparing them
to be adaptable to the disruptions that we expect but cannot predict.
Only by continuing to invest in our skilled work force will we be
able to ensure our nation's continued security and prosperity in the
digital economy. This request for information is a positive
contribution to understanding where the work force is today and what we
must do in the future. I thank you for your leadership on this issue
and I look forward to the results of your request.
Sincerely,
James R. Langevin,
Member of Congress.
Mr. Langevin. Thank you, Mr. Chairman.
So to the panel, in all of your testimony, you point out
that there is a strong demand signal for more cybersecurity
workers. Yet, and you in particular, Dr. Chang, can appreciate
as one of the members of the CSIS task force with me and
Chairman McCaul, and I thank you for your work there, but
understand that this is not a new problem. The demand signal
really has existed for well over a decade now. One of the
biggest challenges that policy makers have faced, in my view,
is figuring out why there really hasn't been more of a market-
driven response to the shortage.
So based on your experiences, why has the cybersecurity
work force gap lagged behind the broader computer science gap
which has seemed much more responsive to the growing demand for
software engineers?
Mr. Chang. Yes, so a couple of things. So I think it is
very thoughtful when you make a comparison between
cybersecurity and computer science. The field of computer
science as a major has been around for many years now, as you
know. In terms of a specific discipline for cybersecurity, it
is very new.
It seems to us that we have been sort-of thinking about
cybersecurity for a very long time, but as a discipline
distinct from computer science, computer engineering,
information technology, it really is very new. So as students
begin taking some of these programs from these different
universities, they are not getting the same thing.
I mention in my testimony the idea that when universities
begin building up their cybersecurity programs there really
needs to be a common curricular guidance so that everybody
basically says cybersecurity is kind-of the same thing. Because
right now it is a little bit of a mix-and-match and so you
will, you know, you will get a major or a minor or a
certificate or something, but you are not getting quite the
same thing.
So it is, you know, still a little bit of a new thing. I
think it is now public awareness has raised, but it is still
basically a pretty infant discipline.
Mr. Langevin. Thank you.
Mr. Montgomery. I would agree, and I don't want to sound
like a broken record, but it is demand. It is demand. The
demand for practitioners has far outpaced the ability for the
educational system to deliver because we have changed
everything. You didn't buy anything on your telephone 10 years
ago. Many of us didn't buy anything on the internet 10 years
ago. Many of us didn't have broadband to our house 10 years
ago. Certainly, no one had an internet-connected refrigerator
or television 10 years ago.
So it is absolutely that I don't think that it is a lack of
interest or a lack of programs. I don't think it is a lack of
educational institutions offering education. I think it is
nascent from the cybersecurity as a discipline standpoint, but
we simply have far more demand than our ability to fulfill and
that will worsen as more devices are IP-enabled. The Patriot
Missile has an IP address while it is in flight. That is going
to get worse before it gets better.
Mr. Papay. Congressman Langevin, if I may agree with Scott
here for a second, I know it doesn't happen often, the demand
is building up because all of the things that are out there
that are legacy systems as well are now possible attack
targets. So you even think about DHS's mission, not just one
from a responsibility to provide information out to businesses
and Government organizations through US-CERT, but also the work
that DHS does in TSA and CBP, all those are opportunities for
people who are cyber-trained to become part of DHS's mission
and protect the systems that DHS delivers for our Nation. So
the demand may be even more than we see up front because of
that number of legacy systems that are out there that need
protection.
Mr. Langevin. Thank you.
Ms. Okafor. I would add a caveat that it is not the demand
itself, but the lack of response to the demand, meaning we are
not changing fast enough with regard to the systems that we
have in place.
For instance, the Ranking Member talked about, you know,
sort of the rigidity of the Federal Government. I am often
concerned with the kind of education that exists to prepare
people for a cybersecurity job. You need more hands-on
learning. But often, you are still seeing these certificate
programs come up that teach using just books.
So what happens? They graduate school and then it becomes a
company's responsibility to invest in training the work force
to actually start on Day 1. So there is a gap there because
organizations are not quickly responding, due to bureaucracy or
politics, to the demand of the new work force.
Then finally, we talk about technology as an enabler, but I
want to talk about the fact that technology is engineered by
people. Unless we address the fact that people still continue
to have unconscious bias and are reticent to change and,
therefore, it is impacting our ability to hire quickly enough
to bring on the right people to address the demand. Thank you.
Mr. Langevin. Thank you.
I know my time is expired.
I thank all of you for your insights into this. I just, you
know, I just see the, you know, the fact that, you know,
computer scientists are learning new language, new things are
being coded. I mean, the web programming languages are new and
apps have only existed for a decade, but, you know, there are
plenty of app coders, but we don't see enough market demand
moving into cybersecurity, I would say, filling those roles.
So we have a couple hundred thousand openings right now in
the cybersecurity field and we just don't--it doesn't seem like
that is migrating enough in terms of training enough people in
that field, so it is a challenge.
But I know my time is expired. I yield back. I will perhaps
have some questions for the panel that I will submit for the
record. Thank you.
Mr. Ratcliffe. Advise the gentleman I intend to have a
second round if you are interested in staying around.
The Chair recognizes the gentlelady from Florida, Mrs.
Demings.
Mrs. Demings. Thank you so much, Mr. Chairman.
Thank you to our witnesses and welcome.
Particularly to you, Ms. Okafor, who comes from my home
town.
What a very interesting topic. I want to thank our Chairman
and Ranking Member for it.
Mr. Montgomery, I would just like to go back to what you
were saying about demand. You know, I spent a lot of years in
law enforcement and we used to talk a lot about being proactive
and not reactive. DHS was created 17 years ago or so to change
the way we do business. So did we just not see the demand
coming? Or did the internet exceed our wildest dreams?
Mr. Montgomery. Can it be both? If I had told you when
homeland was founded what you would be able to do from the
confines of your pocket and your phone, would you have believed
it?
I believe that the pace of technology has accelerated so
dramatically in the last 20 years so much faster than the prior
200, the things that we do and take for granted today, they
simply didn't exist 10 years ago, 15 years ago, 20 years ago.
So I think it is we are always going to err on the side of
availability and progress. There is definitely contention
between availability and progress and security and privacy. The
practitioner's first job is to say no, you can't do that, it is
new, I don't understand it yet. But what do we say as
consumers? Hey, I just need it to work. So there is definitely
contention.
I don't think the Government missed the boat or missed the
size of the problem any more than anyone else did. It is simply
a question of the pace outpacing our ability to respond. I
don't think that is a Government issue, I think that happens in
every organization, whether they are in the private sector or
not.
Mrs. Demings. You also talked about a shared work force, if
you will, combining a private and public sector employee to do
both jobs. I think the pros of that are very, very obvious.
Could you talk about some of the cons of having that kind of
work environment?
Mr. Montgomery. Well, certainly clearances and the
clearance process make it trickier for certain systems to be
protected. But let's face it, the overwhelming percentage of
systems and the overwhelming percentage of data are
Unclassified. Certainly, as the Department moves toward the
cloud and embraces that economy of scale like everyone else,
that rotating work force could be relegated to the cloud
management aspects which are more public. So I think there are
ways to offset sort-of the recurring nature or the temporary
nature of workers by simply relegating them to more
Unclassified roles.
I see tremendous benefit in that a private citizen may not
understand what the word ``mission'' means until they are
exposed to it. I am a software engineer by background, but my
own exposure to the word ``mission'' came with involvement in
the Department of Defense. I take that word more seriously now
than I did when I was a kid in the cube. I think the same thing
could be said of these cyber partnerships between the private
and public sector.
Mrs. Demings. Thank you.
Ms. Okafor, in a study that was done this year involving
women who had worked or working in cybersecurity, over half of
them reported that they had been discriminated against in some
way. You certainly talked about being a first on more than one
occasion. I would like to hear about your own experiences of
discrimination within the field and hear some more about what
recommendations you would make for employees in the private and
the public sector to create an environment that is more
conducive to recruiting women and other minorities.
Ms. Okafor. I would be happy to share. So it is, you know,
it is not easy to be the first black woman, but I wear it as a
badge of honor. The biggest areas of discrimination I face
tend to be overt. There is a subtlety mostly of a suggestion
that I perhaps don't know what I am talking about or perhaps
need to be explained.
I find often that I need my male coworkers to vouch for
some of my big ideas, unlike some of my male counterparts. So I
can't say that in my experience I have faced anything that
would sort-of, you know, touch anything near some more overt
forms of racial discrimination, but there are lots of
conversations that I am not included in because lots of the
dealing happens after hours in places that perhaps they don't
think I would perhaps be welcome.
So what I suggest for organizations is really starting to
question itself. I talk a lot about organizations conducting
both third-party and self-assessments of the culture. The
culture of an organization is critical, not only with regard to
who they are hiring and who is in the organization, but also an
unhappy, unproductive work force cannot be a secure work force.
So those two are linked; and therefore, an organization
needs to understand how it treats its employees, how it is
perceived by the market with regard to attracting employees and
then ensuring that they give opportunities for women to be seen
as having the right frame of mind, the right thoughts on big
projects, to have executives that they can see as being perhaps
an ideal that they could perhaps reach.
So I feel like you can no longer separate the need for
diversity of thought, gender, racial diversity without also
saying that without doing that you are impacting directly the
ability to secure the organization, secure the Nation. Thanks.
Mrs. Demings. Thank you so much. I am out of----
Mr. Montgomery. I am sorry, if I can just add briefly.
Mrs. Demings. OK, please go ahead.
Mr. Montgomery. I can't agree enough. No insider threat
starts their career as a threat to their organization. It is
through cultural pressure, cultural unhappiness. We have seen
this at TSA on the front lines. No one starts unhappy. It is
their environmental pressures that create insider threat, so I
totally agree on checking your culture and reassessing from
time to time.
Mrs. Demings. Thank you so much.
Thank you, Mr. Chairman.
Mr. Ratcliffe. The Chair now recognizes the gentleman from
New York, Mr. Katko.
Mr. Katko. Thank you all for being here. I constantly hear
from my constituents back home about this issue, about the
whole cybersecurity issue. They are terrified. Getting it right
is critically important.
I have really got to commend both of you for the last
colloquy you had because it is really important to have the
discussions. You can't make change until you identify the
problem. Once you identify the problem, then you can address
it. So I encourage you to continue to speak up and let us know
how we can help, if in any way. So it is a very important issue
and keep it up.
But, Dr. Montgomery, I want to talk a bit about the public/
private-sector cross-pollinization I call it, pollination,
whatever we want to call it. I am very interested in that. I
think it is something that can be a very dynamic thing. I am
also interested in how we can better expand that and better
utilize that moving forward as a way to get people from both
the Government sector and the private sector get on the same
page more instead of having this more stratified relationship
that we have now.
So would you like to comment on that a little bit? I would
like to have others as well.
Mr. Montgomery. Sure. So first and foremost, having some
industry influence inside the confines of Government is never
going to be a bad thing. Exposing permanent Government
employees----
Mr. Katko. So what you are saying is people in Government
don't always know everything that is right for industry?
Mr. Montgomery. I would never say it that way specifically.
Mr. Katko. That is shocking.
[Laughter.]
Mr. Katko. Well, I am, I am telling you that is why we want
to do it.
Mr. Montgomery. But I think that sharing of ideas, there is
certainly process in the Government that has to be observed
with respect to data classification. But beyond that sort of
rigid wall, the whole reason that enterprise works and industry
works is because it is allowed to try to solve problems more
creatively.
The other thing I think that helps a lot with respect to a
visiting work force, so to speak, is the diversity of that work
force itself. Many of them will be returning veterans whose
experience in the most difficult places on earth lends itself
pretty well to crisis situations in a civilian organization as
well.
But if you think about visiting professionals, you may wind
up having all sorts of diversity, whether it is racial
diversity, whether it is more women in the workplace, but that
constant influx of new ideas is how problems get solved.
Cybersecurity is almost, when you look at the highest ends
of the practitioners, it is almost more like an art than a
science and it takes a lot of different points of view. Right
now, we don't have enough points of view, including more people
who aren't necessarily, ``cyber practitioners'' to be some of
these rotating personnel who will sharpen the ideas of the
cyber practitioners, being exposed to those ideas in the cyber
workplace.
I can't say enough about how this will help spur new
thinking, both in the private sector as well as the public
sector.
Mr. Katko. The Department of Homeland Security has just
secured its first loaned executive, as they call it. I think we
need more. I say that because even in my subcommittee which I
chair, the Transportation and Protective Service Subcommittee,
we now have a Secret Service agent that is detailed to us. He
is giving us a totally different perspective on the Secret
Service side of things.
So I totally agree with it. Now you see a lot of colonels
come through here and they do their time, if you will, on
Capitol Hill before they become a general. They have to
understand how this place works if they are ever going to be
able to be effective at their jobs as a general for the most
part.
So I would like to hear from you all, not just that it is a
good idea. How can we expand it? What can we do better with
that? What would you suggest we do?
Go ahead, Dr. Papay, you want to try?
Mr. Papay. Sure. So one of the things that as you are
facing this big demand, a shortage of people, we are never
going to fill the gap by just continuing to funnel new kids in
the bottom. You are not going to get to 1.8 million jobs in
2022 doing it that way. So the importance of information
sharing now becomes clear in our role as cyber defenders. I
share information on a tactical level and a strategic level
with both my defense industrial base partners and the
Government counterparts.
We need to adopt a much more broad information-sharing
approach that takes advantage of the fact that my folks now
don't have to find every threat targeted at my company because
somebody else over there found that threat first, let me know
about it, and I put it in automatically, automatic information
sharing, I am up, I am good, and I am protected. So I think
scalable solutions are the key and information sharing is one
of those.
I don't think we realized it at the time when we were
thinking about, hey, we have got to get information sharing
more broad. It is a scalable solution that helps us solve that
gap.
Mr. Katko. Ms. Okafor.
Ms. Okafor. I would agree with him. Two of the examples
that I have seen that work really, really brilliantly is when
you have the public and private sector actually collaborate
around a goal. I have seen cyber exercises in particular
industries, so, for instance, maritime security via U.S. Coast
Guard. They have been doing these exercises all across the
country where they are inviting U.S. Coast Guard cybersecurity
professionals in addition to industry and they are actually
doing exercises together. So they can each come to the table
with what they know and actually solve a problem.
I have also seen this done with GridEx, which is an
initiative led by the Department of Energy, and all of the
energy companies who are naturally sharing information, they
come together to work to do tabletop exercises, cybersecurity
workshops, and this is an opportunity in a much more informal
setting to actually have a real conversation.
I think the problem with the public and private sector,
they speak different languages. Oftentimes in these very rigid,
hierarchical structures, people are not willing to share. So
these are some of the things I have seen in real life that
actually have people leave and they feel much more enlightened
than they started.
Mr. Katko. Thank you.
Dr. Chang, anything?
Mr. Chang. Yes. I will mention information sharing, though,
in a different way. So at our university, there is a security
group where students meet on their own time voluntarily once a
week to basically share information with each other. You see
that they are exploring different career options.
One of the sessions they have is to basically bring
companies in to kind-of describe what those companies do. So
when you are a student, maybe you have heard of Google or
Facebook or Microsoft or something, you probably haven't heard
of DHS or TSA or, you know, Customs and Border Protection or
something.
So the extent to which students find out that, gosh,
working at this particular organization has a really cool cyber
mission, they just wouldn't know. So the extent that you can
kind-of get the word out there I think would be quite
appealing.
Students really do, they are sponges, they are soaking it
up. So they actively seek information. If the word got out
there a little bit more that there is an interesting cyber
mission, that would be helpful.
Mr. Katko. It just seems to me that a great way to do it is
with cross-pollinization. I hope we can continue to expand
this. If there are ideas you think about later of what we can
do to incentivize that or do something, it should go both ways.
I mean, we would want people from Capitol Hill to come work
in industry for 6 months and see that side of it as well. It
would definitely give them a different perspective, especially
as the pay disparity between the two, so maybe that is not such
a good idea.
[Laughter.]
Mr. Katko. But it is very, very important. I encourage you
all to partake in it as best you can. We are going to endeavor
to do the same.
With that I yield back, Mr. Chairman.
Mr. Ratcliffe. Thank you.
The Chair now recognizes the gentlelady from California,
Ms. Barragan.
Ms. Barragan. Thank you, Mr. Chair.
I represent a majority minority district. It is about 75
percent Latino and African American. I recently read a report
that said only about 12 percent of the information security
work force was made up of African Americans, Asian Americans,
and Latinos. What is the cybersecurity industry doing to ensure
a more representative work force?
Go ahead, you want to start?
Ms. Okafor. OK. So yes, the fact you stated is completely
correct. The activities are disparate, and I think that is part
of the problem is not a lot of the organizations are working
together. But what we are seeing from the large organizations,
like a McAfee, like Google, Facebook, what they are doing is
most recently Google actually put a new Howard University
campus on its campus in order to start to raise awareness of
minority students about the opportunities at Google.
What we have also seen is a rise in those organizations
sponsoring HBCU programs, doing college tours that take into
consideration HBCUs and primarily Hispanic-serving
institutions.
What they are attempting to do is, instead of expecting, as
in the past, that minorities and women find them, they are
actually going out into those communities and using the
channels that they know those communities actually look to for
additional information.
What they are also trying to do is sort-of broaden overall
awareness with, you know, sort-of social activism, things that,
you know, that represent strongly with women, taking part in
some of the urban community events that they might not
typically be seen.
Then more than anything, actually doing career days where
they are having their employees go on-site, do either lunch-
and-learns that I have seen or they are actually doing
workshops with some of the students just to talk to them about
the opportunities.
So the activities have not been combined and I think that
might be part of the problem. But what I have seen is a
frequency, an increasing amount of frequency in the activities
that they are conducting.
Ms. Barragan. So the district I represent also is a very
low-income community. Median income is about $44,000. Only
about 11 percent of students go on to college. So everything I
am hearing is having the word ``college'' in it, you know, on
colleges it is happening. You are telling me, you know, a lot
of college tours. What about the students who don't want to do
a 4-year? What kind of opportunities are there for them in this
work force? What can we do to make sure that they are not left
out?
Before I let you answer, you know, I used to be on a
council in a very affluent city called Hermosa Beach. They had
something called UCode, and you could sign up as a student and
you could go after school. It was not--it was expensive. Even
people there said it was not affordable. You don't see anything
like that in Compton or Watts where I represent. Certainly, it
would be very challenging for people there to send their kids
to something that is so expensive. So what can we do to make
sure we don't leave these communities out?
Mr. Papay. So, ma'am, another great example of that is a
partnership we just started with the National Society of Black
Engineers where, like you say, you reach out to them through
these societies where you can reach a larger population. This
is a--it is an integrated pipeline program to provide 72
engineering students with $8,000 scholarship grants at
historically black colleges and universities.
You don't have to go to a 4-year university to get into the
cyber program. You know, we are hiring kids in high school and
getting them started that early. Then if they want to stop
after 2 years and then work on some certifications, that is
what you need to get started in cyber.
Then you continue and if they are interested and they want
to go on for a further degree, great, we will support that. But
you have got to reach in to them early and say here is an
opportunity for a scholarship. If you don't have a lot of
money, a great chance to go to a school nearby and get started.
Ms. Okafor. Also, the idea of the lack of, you know, either
the pipeline or the lack of ability to track talent often comes
down to dollars and cents. The digital divide is a big issue
with the number of minorities and Latino students not having
the same access to technology at a younger age as some of their
white counterparts or white peers.
So a number of institutions, like Symantec, they are
donating some of their technology to schools in areas with
primarily underrepresented groups. I have seen that quite a
bit.
The other thing that I am seeing is a rise in the number of
apprenticeships that are available to either students of
vocational programs and junior colleges or high school students
who demonstrate an ability to meet certain criteria or pass a
test.
In doing so, what they are doing is building loyalty to the
organization early on, but they are also creating hands-on
learning that will allow them to be ready on Day 1 with the
organization making the initial investment in that talent and
saying we think you are important enough to invest our money
and our resources to train you.
So there is a preponderance of apprenticeships, hands-on
learning programs, internships that are focusing on junior
colleges, community colleges, and also vocational institutions.
Ms. Barragan. Great, thank you.
I yield back.
Mr. Ratcliffe. Thank the gentlelady for coming to our
subcommittee hearing.
I am going to exercise my discretion as the Chairman to ask
a second round of questions, and I invite any Members that want
to do that and I will recognize you as well, really for the
purpose of asking one question.
I think we have had a great discourse on some of the areas
where we need to focus, some of the solutions. But with respect
to the overall goal here, assisting the Department of Homeland
Security in accomplishing its cyber mission, I want to make
sure that I have given each of you the opportunity to highlight
the most important and the most immediate steps that you think
DHS can take to mitigate the shortage of cybersecurity workers
at the Department.
I know, Mr. Montgomery, that you have identified the
CyberCorps, expanding that as one of the things.
It is not intended to be redundant, but I want to make sure
that we have captured everything valuable that you all might be
able to relate to us.
So I will just go down in order and start with you, Dr.
Chang.
Mr. Chang. OK. So as I mentioned, occasionally I have
conversations with students about career choices and so forth.
I expressly put to them the question, if you were motivated to
work for the Government, what do you think?
So the organizations that kind of rose to the top for them
were NSA and FBI. One student actually mentioned that they had
watched ``CSI: Cyber'' on TV and thought that was really cool,
so I don't know how many other students watch ``CSI: Cyber''
but, you know, maybe that sort-of rose, you know, created a
little bit more demand for FBI. So I think it is really
important, again, to kind-of raise awareness.
Another thing that comes up, and I think this is important,
the students come out of school at the top of their game and
they are technically really sharp, they kind-of, you know, want
to stay sharp. If they thought that they would move to an
organization that weren't using the best tools, that didn't
have the best people, they would be less motivated to go there.
So I would really encourage the idea that it is a place
that is, you know, sort-of at the leading edge, you get to work
with really cool people, it has got a great mission. These are
some of the thoughts that students have.
Mr. Ratcliffe. Terrific. Thank you, Dr. Chang.
Mr. Montgomery. So two things I think that are immediate.
No. 1, I would echo Dr. Papay's comments on information
sharing. If there is an incident at CBP and it is a system that
exists in every other portion of the department, CBP should
automatically share that information to the rest of the
Department, it shouldn't be a discussion, it shouldn't be a
committee, it shouldn't be tabled, it should be automatic.
So if a system is attacked, we know the root cause, we know
how to protect against that particular attack. All of that
should be made available to the rest of the Department
immediately, automatically, without anybody having to touch it.
There are ways to do that and they don't actually cost that
much, they are actually free, so employ them.
The second thing I would say is, we talk about the math
problem, there is a finite number of people, there is a finite
amount of budget, 24 hours in the day. So anything that reduces
the labor on those practitioners has to be employed. The public
cloud is part of this, right?
So let us say a system, to secure a system takes one
practitioner 10 hours, just making this up. By contracting with
a public cloud provider or a hybrid cloud provider like
Northrop, the amount of labor that the practitioner has to
spend goes down to only 4 hours because the cloud provider is
providing 6 hours of that labor, you have to employ those
techniques. You are not going to get more workers, we already
talked about that, so you have to reduce the amount of labor.
How do you do it? Automation, information sharing, cloud
technologies.
Mr. Ratcliffe. Thank you.
Dr. Papay.
Mr. Papay. I think if I could make one additional
recommendation, it would be for the new administration at DHS
to go back and look at that 2012 Homeland Security Advisory
Council Task Force on Cyber Skills report where we laid out 11
recommendations, and refresh it a little bit, look at it again
with a new eye and say, hey, that was 5 years ago, how many of
these are still valid, how many of these haven't we done,
should we pick up a couple more and really push, because that
was a lot of effort by a lot of people across academia and
Government and industry to participate in that.
Mr. Ratcliffe. Terrific.
Ms. Okafor.
Ms. Okafor. One of the things I think is a key way for the
public sector to benefit from the private-sector ingenuity and
innovation is USA Jobs. I myself have taken the steps of trying
to apply for jobs in the Federal Government and found a job in
the private sector. So I can imagine that there are lots of
people who perhaps would be interested in working for the
Government who just are daunted by the process.
You know, if anything, Google, Facebook, you know, the
McAfees and the Northrop Grummans of the world, they have
figured some of that stuff out, we don't have to reinvent the
wheel. So why not use some of that work that has already been
done? So we don't have to completely innovate, we are just
enhancing some of the things we know have already been done.
So I would say I do believe that there is some of this that
could be focused on technology, but easily the private sector
could help with some of the hiring practices through the system
currently existing. Thanks.
Mr. Ratcliffe. Very good.
Would the gentlelady from Florida like to be recognized?
Well, very good then.
I really want to thank the witnesses for your insightful,
thoughtful, and frankly, very valuable testimony today.
I also want to thank the Members for their questions.
Members of the committee may have some additional questions
for some of you and we would ask you to respond to those in
writing.
Pursuant to committee rule VII(D) the hearing record will
be held open for a period of 10 days. Without objection, the
subcommittee stands adjourned.
[Whereupon, at 4:32 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman John Ratcliffe for Frederick R. Chang
Question 1a. It seems right now that we are waging war against
criminals who would hack our systems, and the role of the cybersecurity
professional is one of defender. Do you foresee technical solutions
that could perform the work that cyber defenders do now?
Answer. I believe we will see continued innovation and investment
in technologies that aim to assist the human cyber defender. As was
discussed in the hearing, the cyber skills gap is large and growing, so
to the extent that technological breakthroughs can be achieved to
assist existing cyber defenders would potentially be of great value. In
my written testimony I briefly referenced the recent DARPA Cyber Grand
Challenge. The goal of the Cyber Grand Challenge was to explore the
possibility of actually automating the complex tasks of: (A)
Identifying a vulnerability in software, (B) creating a fix (or
``patch'') for that vulnerability and then (C) implementing that patch,
in real time. These are complex and time-consuming tasks to perform for
a human cyber defender. The result of this Cyber Grand Challenge
demonstrated the progress that could be made in automating these tasks.
This was an important and significant result. Did the technology
perform at the level of the human experts? No--but the results that
were achieved are a positive sign about the sorts of advances that
might be possible over time.
The technologies of artificial intelligence and machine learning
have been around for decades now but in recent years we have seen some
important advances in how these machine learning (deep learning)
technologies can assist us in everyday tasks (e.g., visual pattern
recognition, language processing). We will see increasing efforts to
incorporate these sorts of technologies to assist the human cyber
defender. At a very general level the idea would be to have computers
process large data sets in an attempt to detect suspicious behavior in
the data--in a way that a human might not be able to detect. It's clear
why techniques like these will be pursued: (A) Limited numbers of human
cyber defenders, (B) growing amounts of data to analyze, (C) the
criticality of proactively stopping the attacks before they compromise
a network or system. The techniques are far from perfect, but important
progress is being made. We are also seeing these and other sorts of
technologies being positioned on the inside of networks, again with the
intent of detecting anomalous behavior and taking action rapidly. At a
much more general level, I am bullish on human innovation and ingenuity
in discovering creative ways to harness technology in the aid of human
cyber defenders.
Question 1b. What research is being performed in cyber defense
tools?
Answer. In the response to the previous question I touched on some
types of tools that are being developed to assist the human cyber
defender. Indeed there is a whole industry of researchers, inventors,
developers, startup companies, large established technology companies
and Government labs working on R&D in cyber defense and cyber defense
tools. As mentioned earlier, I remain bullish on how creative solutions
may be brought to bear on the cyber problem; there are lots of bright
and motivated people who are working in this space now. With that said,
the efforts to create effective cyber defense tools, in my view, will
be improved based on the extent to which they are based on a solid
scientific foundation, and this foundation--the science of
cybersecurity--has been elusive. The field remains too reactive and
after-the-fact. Something bad happens and we have to react afterwards.
We lack an adequate understanding of how to construct and compose
systems that are fundamentally resilient and secure, based on first
principles.\1\ A very recent report \2\ from the National Research
Council (NRC) captures the sentiment very well: ``Security science has
the goal of improving understanding of which aspects of a system
(including its environment and users) create vulnerabilities or enable
someone or something (inside or outside the system) to exploit them.
Ideally, security science provides not just predictions for when
attacks are likely to succeed, but also evidence linking cause and
effect pointing to solution mechanisms. A science of security would
develop over time, for example, a body of scientific laws, testable
explanations, predictions about systems, and confirmation or validation
of predicted outcomes.'' The NRC report continues: ``A scientific
approach to cybersecurity challenges could enrich understanding of the
existing landscape of systems, defenses, attacks, and adversaries.
Clear and well-substantiated models could help identify potential
payoffs and support of mission needs while avoiding likely dead ends
and poor places to invest effort. There are strong and well-developed
bases in the contributing disciplines. In mathematics and computer
science, these include work in logic, computational complexity, and
game theory. In the human sciences, they include work in judgment,
decision making, interface design, and organizational behavior.''
---------------------------------------------------------------------------
\1\ Schneider, F.B. (2012). Blueprint for a science of
cybersecurity. The Next Wave, Vol. 19, No. 2, pp. 47-57, National
Security Agency, Ft. Meade, MD.
\2\ Millett, L.I., Fischhoff, B., and Weinberger, P.J., (Editors),
(2017). Foundational Cybersecurity Research: Improving Science,
Engineering, and Institutions, National Academies Press, Washington,
DC.
---------------------------------------------------------------------------
As the community tasked with developing new cyber defense tools
works to innovate and create new and better tools, I think it is
equally important that the research community work to advance the
scientific foundation that will help to make tomorrow's cyber defense
tools even more effective. The NSA sponsors a Science of Security (SoS)
effort currently that is actively engaging the open academic community
in advancing this foundational research. The activity has defined a set
of hard problems as a way to focus the effort. The hard problems
include: (A) Scalability and Composability, (B) Policy-Governed Secure
Collaboration, (C) Security-Metrics-Driven Evaluation, Design,
Development, and Deployment, (D) Resilient Architectures, and (E)
Understanding and Accounting for Human Behavior. More detail on the
NSA's SoS effort can be found on the NSA website \3\ as well as the
Science of Security website.\4\
---------------------------------------------------------------------------
\3\ https://www.nsa.gov/what-we-do/research/science-of-security/.
\4\ https://cps-vo.org/group/SoS/.
---------------------------------------------------------------------------
Question 2. You mention that many companies are ``training in
place'' to educate individuals to fill cybersecurity knowledge or
skills gaps. While this is a worthy exercise, it takes time. What steps
can DHS take now to fill the gap, while embarking at the same time on a
retraining program?
Answer. In an effort to bring on cyber talent more quickly,
companies are engaging with students at the high school level. With the
success of various different cybersecurity competitions at the
university level (e.g., the National Collegiate Cyber Defense
Competition), cyber competitions have now expanded to include students
at the high school level (e.g., Cyber Patriot). One company (and I
understand that there are others that are pursuing a similar strategy)
is pursuing a strategy to bring on some high school students--who have
participated in high school cyber competitions--as summer interns. Upon
their high-school graduation, some of these students would be offered
full-time positions in the company and the company would support their
college education, while they are full-time employees. Perhaps DHS has
been looking into this, but if not, it might be a way to augment cyber
capability.
On a related topic--given that many of these positions will require
the employee to be granted a security clearance, I can comment on one
company's thinking about this issue. The company recognizes that the
time required for their new employee's security clearance processing to
be completed can sometimes be lengthy. As a result they have given a
lot of thought about how to ensure that the employee is motivated,
productive, and contributing during the security clearance processing
period. Via a combination of relevant Unclassified projects and self-
learning assignments, the company works hard to introduce the new
employee to the company's culture, working environment, etc. such that
once the security clearance is granted, the employee can hit the ground
running to become as productive as possible, as quickly as possible.
One other thought was triggered by a conversation I had recently
with a couple of military reservists who are currently employed as
cybersecurity employees in the private sector--along with an article I
recently came across.\5\ The article describes that there are large
numbers of folks who serve in the Reserves or National Guard who have
cyber skills that could increasingly be brought to bear to expand the
pool of qualified cyber workers that are available to the Government,
particularly in times of crisis.
---------------------------------------------------------------------------
\5\ https://techcrunch.com/2017/04/18/reservists-and-the-national-guard-offer-untapped-resources-for-cybersecurity/.
---------------------------------------------------------------------------
One final thought relates to the one above and involves
volunteerism. During periods of crisis and emergency, many Americans
generously offer their time--and specialized skills--to assist. An
example comes from the field of amateur radio (also referred to as
"ham radio"), where there are many examples of people who hold an
amateur radio license and assist with communications when conventional
communication systems are temporarily down due to a storm, hurricane,
or other natural disaster. By analogy, perhaps it would be possible to
form a civilian voluntary cyber corps to assist DHS during periods of
crisis. The State of Michigan has implemented this sort of notion and
describes many benefits.\6\
---------------------------------------------------------------------------
\6\ http://www.michigan.gov/som/0,4669,7-192-78403_78404_78419---,00.html.
---------------------------------------------------------------------------
Question From Chairman John Ratcliffe for Scott Montgomery
Question. We heard in the hearing that DHS has to overcome a
perception hurdle. What can DHS offer its prospective cyber work force
to mitigate this perception besides the importance of its mission?
Answer. DHS needs to think and act more strategically when
recruiting cybersecurity talent. It all starts back at DHS--DHS needs
to upgrade cybersecurity compensation at all levels to attract the best
and the brightest and ensure that these professionals, when they earn
it, are fast-tracked to more senior levels. DHS needs to ensure that
those professionals that want to stay on the technical track, rather
than moving up the management ladder, are likewise given real
opportunities for career advancement. DHS needs to customize
cybersecurity training and continue to invest in its talented cyber
work force to ensure that DHS is seen as an agency that values and
trains its people. Finally, DHS needs to streamline its decision
making as much as possible to ensure that cybersecurity professionals
can work in a fast-paced, exciting environment.
Questions From Chairman John Ratcliffe for Michael Papay
Question 1. We heard in the hearing that DHS has to overcome a
perception hurdle. What can DHS offer its prospective cyber work force
to mitigate this perception besides the importance of its mission?
Answer. The Department of Homeland Security (DHS) plays an
absolutely essential role in providing cyber protection for our
critical infrastructure, Government systems, and our way of life. We
need to do a better job in communicating the criticality of DHS's cyber
responsibilities. I think if the public (and DHS employees) better
understood the importance of DHS, it could help ensure that the
organization was more respected/appreciated and subsequently instill a
stronger sense of service within its work force.
An additional way to help DHS enhance its ability to attract talent
is to build an even more positive campaign around Cyber Grants and the
National Science Foundation Scholarship for Service program. Students
get college tuition paid in exchange for service after graduation.
Since students have a choice of which Federal agency to work for, DHS
can stand out among the other agencies by advertising among key target
audiences the importance of their mission, their work environment, the
enormous opportunities, and professional development programs that make
it a great place to work. Since Cyber Grants is frequently offered at
universities with high minority populations, DHS could effectively build
an even stronger, more diverse, and qualified work force (especially if
they focus on institutions (2-year and 4-year) with those who have
achieved the DHS/NSA Certification of Academic Excellence in
Information Assurance Education (CAE)). Additionally, if DHS hires
students out of the CAE2Y program (community college) they could
develop an energized, qualified, diverse, and committed work force.
Beyond the importance of its mission, in many ways DHS is on the
cutting edge of technology. The Science and Technology, Cyber Division
is focused on developing innovative solutions for a wide range of
challenges. It might be useful to leverage the exciting work of this
organization as a tool to energize the Department's cyber work force.
DHS does unjustly suffer from a perception challenge. However, by
doing more to communicate the importance of DHS's role in protecting
our National security, strengthening the college recruitment and
highlighting the exciting technologies that DHS is involved in, I am
hopeful that we can help embolden its cyber work force.
Question 2. What do you think is the main reason that CyberPatriot
programs have a 23 percent participation rate for females with 12
percent for the average STEM programs?
Answer. CyberPatriot has higher participation of girls than most
programs because, quite simply, it is a focus for both Northrop Grumman
and the Air Force Association.
CyberPatriot has grown from 9% female participation in 2009 to 23%
girls in 2017. The program offers a fun, team environment that makes it
easy for girls to get involved. We encourage all girl teams and provide
them registration free of charge. Another reason CyberPatriot has
higher female participation is because we recognize that children are
determining/considering future academic and career choices by about
grade 5-7; if we wait 'til high school, it is too late. That's one
critical reason CyberPatriot added the middle school division in the
competition--girls have not self-selected out of STEM/cyber fields. In
order to open minds even earlier, we created the cyber awareness
program (Elementary School Cyber Education Initiative (ESCEI)) for
grades K-6. We've sent out more than 6,000 free-of-charge ESCEI
packages to academic and other young children's programs, so young
girls are getting great exposure to the topic--they think it's a
perfectly acceptable and normal academic and career choice.
Lastly, many of Northrop Grumman's women employees spend time
volunteering in classrooms and coaching CyberPatriot teams. These women
are fantastic role models and help inspire future generations of girls
to get involved in cyber. Also, we're targeting women's professional
associations (Women in Cybersecurity, Women in Technology, Society of
Women Engineers, and others) to not only speak at their conferences
about the need for girls in Cyber/STEM but also give them another
opportunity for their own outreach.
Getting more girls involved in STEM programs is critical to not
only helping girls reach their full potential, but diversity in the
cyber field also strengthens our long-term economic and National
security.