In Need of a Reboot
Recommends Lifting Restrictions On Cybersecurity Scholarships
Since 2001, the National Science Foundation has administered a program designed to ease the shortage in the federal cybersecurity workforce by offering scholarships to students in return for commitments to work in the federal sector after graduation. The CyberCorps®: Scholarship for Service program offers grants to participating schools for scholarships as well money for additional faculty, facilities and research projects. Colleges can get five-year, renewable grants of up to $5 million for scholarships and capacity-building.
But community colleges have been virtually excluded from the program, which as of 2013 had awarded scholarships to more than 2,000 students at 57 schools and placed graduates in 140 federal agencies. Scholarship amounts are for $20,000 to $30,000 a year.
Until this year, the scholarship program was open only to research-based doctoral students or full-time students within three years of graduation with a bachelor’s or master’s degree in a cybersecurity program.
A change in federal law this year gave community colleges a small opening to qualify for the scholarship program. But the opening came with a significant impediment: Community colleges are eligible only as sub-awardees of a four-year college partner.
Under the law, students in their second year of a two-year program at community colleges can qualify for one year of support if there is a formal agreement between the two-year school and a four-year partner to complete a bachelor’s degree. The transferring student would be eligible for two years of additional support while finishing his degree at the four-year school.
That barrier would be lifted if Congress adopts the recommendations contained in a new report by National Academy of Public Administration. Titled “Increasing the Effectiveness of the Federal Role in Cybersecurity Education, the report says that community colleges should be eligible for consideration on their own.
The report states that cybersecurity training at the nation’s colleges and universities are in dire need of a reboot.
The need for more cybersecurity professionals — both to operate and deploy systems that are already implemented, but to also design safe systems and write safe computer code — is clear.
Consider the roster of prominent victims of computer hacking:
• Target stores saw the credit card numbers of 40 million customers comprised three years ago.
• Sony Pictures Entertainment, the Hollywood behemoth, was embarrassed when its computers were hacked last November by a group which released thousands of emails, documents, Social Security numbers and other personal information in an attempt to block the release of the North Korean-focused comedy “The Interview”.
• The federal Office of Personnel Management, which was unable to stop theft of millions of files to federal employees, including Social Security numbers and other sensitive data.
• And even CIA Director John Brennan, whose personal email account, which contained sensitive government information, was hacked by a teenager.
These incidents, and others, have underscored increasing threats from malicious hackers and criminals who attack banks, power grids, schools, health records, credit cards, and defense capabilities. They have placed cybersecurity at the center of the country’s agenda and created a burgeoning and unmet for a skilled cybersecurity workforce.
The federal government has stepped into this void, prodding colleges and universities to train more cybersecurity experts. A total of 199 colleges—including 40 community colleges—are now designated by the National Security Agency and the U.S. Department of Homeland Security as Centers of Academic Excellence for Information Assurance and/or Cyber Defense.
Community colleges typically offer associate of applied science degrees in information assurance and cybersecurity, as well as various credit certificates in cyber and network security. The colleges also offer a variety of cyber and technology continuing education courses.
But the path to a cybersecurity degree or certificate often is unclear. The cybersecurity report blames the workforce gap, in part, on students interested in the field have a poor grasp of available cyberecurity educational programs and scholarships. There are few clear pathways to a degree or certificate.
“There’s a lot of confusion out there with the students, and what is supposed to happen and where they should go to school and how they should map this out,” said Karen Evans, national director for the U.S. Cyber Challenge and former e-government administrator for the Office of Management and Budget.
Speaking during the release of the report in Washington earlier this month, Evans added: “A lot of people say we can’t fill the gap because students don’t want to come to the public sector, and that’s not true. They just don’t know how to traverse through the resources.”
The report says, “The nation’s critical infrastructure is increasingly reliant on information technology, while cyber attacks continue to get worse. A well-trained cybersecurity workforce is essential to both government and private industry. With cyber threats growing, however, the United States faces a severe shortage of properly trained and equipped cybersecurity professionals.”
“The shortage is compounded both by the continuing increase in the total number of cyber-attacks and the constantly evolving nature of the threat landscape,” the report added. “As cybersecurity professionals develop, master, and teach the skills necessary to combat one type of cyber attack, those who attack our systems, whether they are our nation’s enemies or simply criminals seeking to profit by exploiting our vulnerabilities, are hard at work putting together new methods for infiltrating our computer systems. While part of the strategy is the development of more robust, resilient technology, developing a workforce that can protect and defend our cyber infrastructure must continue to be a priority.”
The report examined two key programs in cybersecurity training: the scholarship program and the National Centers of Academic Excellence in Information Assurance/Cyber Defense (CAE) program, operated by the Department of Homeland Security and the National Security Agency.
One of the key recommendations in the report is to allow community colleges to qualify for the program on its own, regardless of whether it has a relationship with a four-year school.
“Not everyone in a two-year program is destined to transfer to a four-year school to complete an undergraduate degree,” the report says. “Many students want to stop with an associate degree and enter the workforce with that two-year credential. This is especially true for two groups: (1) returning veterans and (2) mid-career executives, both of whom are looking for a career realignment or booster. And employers may find such individuals well qualified to perform a number of cybersecurity roles.
The report makes several other recommendations, including:
* Strengthen the hands-on education component in both the CAE and SFS programs. There is a growing appreciation that cybersecurity education at all post-secondary levels benefits from hands-on learning experiences and laboratory exposure doing projects with real world tools and moving beyond class room knowledge.
* Identify, track, and use performance indicators for both the CAE and SFS programs. The indicators can help employers find schools that produce the best students and inform students’ decisions as to which schools best meet their needs.
* Expand the number of positions that allow SFS recipients to “work off” their public service employment obligations to include state, local and tribal governments.
The entire 52-page report can be downloaded at http://napawash.org/images/reports/2015/Increasing_Effectiveness_of_ Federal_Role_in_Cyber_Education.pdf.