Proposed law seeks to boost federal cyber workforce through apprenticeships, training

  • Falling Waters, W. Va., is the site of the VA’s National IT Training Academy. The Federal Cybersecurity Workforce Expansion Act intends to bolster the federal cyber workforce through apprenticeship and training programs. (Veterans Affairs)

    Infosec training and apprenticeship experts are applauding a recently proposed bipartisan legislation that, if signed into law, would bolster the federal cyber workforce through an apprenticeship program at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and a pilot training program administered by the Department of Veterans Affairs.

    That said, one pundit said the deadlines this law would allot to the agencies are too generous to generate the near-term workforce reinforcements that are so desperately needed. And cyber experts, while on board with the concept, said success or failure depends on the structure of the program.

    In late June, Sens. Maggie Hassan, D-N.H., and John Cornyn, R-Texas, submitted a proposed bipartisan legislation, the Federal Cybersecurity Workforce Expansion Act, which would add new section into the Homeland Security Act of 2002 in order to establish workforce programs based on recommendations from the Cyberspace Solarium Commission.

    Under the terms of the law, CISA would be given two years to establish at least one Department of Labor-approved apprenticeship program that would result in full-time or contractual employment with the government agency. The program would need to focus on developing the particular skills needed to meet CISA’s workforce needs, and to provide adequate training, the agency would be allowed to partner with “eligible entities” that possess knowledge of and experience in cyber workforce development.

    Meanwhile, the VA would be granted one year’s time to establish its own pilot program for former members of the armed forces looking to become credentialed in cyber and transition to a professional infosec career. The program would need to align with the NICE (National Initiative for Cybersecurity Education Cybersecurity Workforce) framework and involve virtual coursework/training, hands-on labs and assessment, and federal work-based learning opportunities.

    “It is exciting to see the federal government look to apprenticeship as a way to grow their workforce,” said Tony Bryan, executive director of St. Louis-based apprenticeship organization CyberUp. “The model is similar to something I experienced during my time in the military. Shortly after 9/11 happened, U.S. air marshals were looking to ramp their workforce through transitioning veterans. A program was built to recruit veterans into the program and successfully bridged the gap from military to U.S. marshals and met a federal employment need. If done correctly and with the right partners, CISA should experience the same level of success in growing its workforce over the next several years.”

    Several experts noted the major demand for cybersecurity specialists across the public and private sectors. However, the former in particular struggles to recruit and retain talent because they typically cannot pay as well as corporations. But this new act would help develop new pools of talent.

    “I think it’s a terrific idea. It’s out-of-the-box innovative thinking,” said Roger Grimes, data driven defense evangelist at KnowBe4. “It’s too bad we didn’t start it 10 years ago. It is a super-simple, obvious solution to a problem that we have.”

    While Grimes admitted that he’s wary of government-borne solutions and finds that federal agencies can tend to move too slowly, he said that CISA is a significant exception to the rule. “It’s only been around for a couple of years, but it has been the most impressive government organization around cybersecurity that I could have ever imagined.” And combining CISA’s efforts with the Department of VA is a great “two-for-one.”

    A summary of the legislation notes that CISA “requested sufficient lead time for setting up the program, so it would be effective and not nearsighted because it was rushed to creation.” This was one area that several experts were critical over.

    “Anything designed to get more trained people into [cyber] jobs is a good thing,” said Lamar Bailey, senior director of security research at Tripwire. “The problem with this act is the timing. CISA has up to two years to implement this program. We have multiple private organizations, universities and colleges that already have programs in place. If these can be considered ‘eligible entities,’ then this program could be running much faster.”

    Bailey shared a similar sentiment for the proposed Department of VA program, saying “the timeline needs to be accelerated, and can be done in phases using different levels of training certifications – so that will make a difference in the nearer term.”

    Grimes offered his own perspective on what he hopes the CISA and Department of VA programs would teach up-and-coming cyber professionals, should the legislation ever pass Congress and get signed by President Joe Biden. First and foremost, he would like to see a focus on risk management and prioritization, including “looking at the most likely threats and addressing those first and best.”

    “The reality is that three or four of types of attacks are responsible for almost all computer security attacks today: social engineering, unpatched software, authentication password weaknesses, and remote access control issues. Those three or four things are responsible for almost all attacks,” said Grimes. And yet, “the problem with a lot of these programs is they try to cover 200 things, and they’ll spend [only] 30 minutes on social engineering,” which is so important to understand.

    “And so when you go to educate these students, make sure that they understand risk management principles – and that they not only focus on the ways that that organizations are most likely to be attacked, but they themselves are trained in that way. [So] that they spend more time on social engineering, they spend more time on patch management, they spend more time on identity management and authentication. Because that’s our problem now: We’ve got a whole lot of people that are super-great generalists, [but] we really need an army of people that are focusing on the most likely threats first.”