I had the opportunity during RSA 2013 to interview Gen. Harry Raduege (ret.), who is currently Chairman for The Deloitte Center for Cyber Innovation. His full bio is available at the link provided. Among his many accomplishments, he was the longest-serving director of the Defense Information Systems Agency (DISA), including overseeing the restoration of ICT at the Pentagon in the wake of the 9/11 terrorist attacks.
Much of the interview discussed his background and influence on the current direction of cybersecurity at the federal level, which included the following main points:
"Cyber" Turning Point
Gen. Raduege started by talking about how he viewed the entrance of "cyber" into mainstream lingo as reflecting the passing of a pivot point, and he credited this timing with an increased awareness around cybersecurity and other cyber-related activities and concerns. He was co-chair for the Center for Strategic and International Studies' (CSIS) Commission on Cyber Security for the 44th Presidency, which produced 3 major findings and 25 recommendations to the President (and Congress) around cybersecurity.
Whether or not "cyber" entering the mainstream language set (especially in the federal space) truly reflects a turning point is hard to gauge, though the timing seems about right. This is not to say that "cybersecurity" was not discussed in other circles well before that time (in fact, "cyber" shows up well before the cited 2007-2008 timeframe - case in point, I noticed it used in an old season 1 episode of The X-Files just the other day). The comment, I think, more reflects general social awareness along with general international consensus that "something big is happening and needs to be done" or that "things need to change, and now."
Education As a National Security Concern
One of Gen. Raduege's achievements includes helping the University of Maryland University College (UMUC) launch its first 3 cybersecurity programs around 2010-2011. In the 2 years the programs have been running, UMUC has seen more than 5,000 people enrolled in cybersecurity programs (BS, MS, MS policy, MS forensics), with an additional 7,000+ enrolled in other cyber-related programs. UMUC is currently educating "about 97,000 students" globally, thanks in large part to partnerships with the USG (especially the military).
Gen. Raduege noted that education around cybersecurity and related topics is vital to national security today, and touted his experience helping address personnel shortages through these programs. When asked about how to address immediate worker shortages (especially for classified positions), he demurred, and instead steered the conversation toward describing a military -> education -> civilian transition process/pipeline, since this might be the quickest means of acquiring the highest numbers of people who already possess security clearances, which normally take a considerable amount of time to acquire. This perspective was intriguing, though it did not really answer the question of how to immediately address worker shortages today. I also was left wondering about all the well-qualified people who would never qualify for the military, despite having much to offer the USG as cybersecurity leaders. However, many cybersecurity jobs within the USG do not require a security clearance, which should offer an opportunity for well-qualified people to apply.
Regardless, the General has provided strong leadership around educational programs in order to produce a better-qualified cybersecurity workforce. The model will certainly be important going forward in providing military personnel with the opportunity to become trained on cybersecurity topics.
Embracing New Education Models
As part of pushing a strong education agenda around cyber-*, Gen. Raduege also briefly spoke about the need to embrace new education models, such as massive open online courses (MOOCs). His advocacy of these new methods revolved around a desire to provide quality education to everyone, everywhere, as well as to counter the fatalistic increases in traditional education costs. When asked about how to control quality in these courses, and to avoid devolving education into training, he agreed that quality was a concern due to the large current demands for cyber-educated and trained professionals, but again demurred on answering the question itself.
---
There appears to be a strong desire in the USG for real, measurable progress, but there are human-related challenges. Working through those will take time. I'm not convinced that the military -> education -> civilian progression is the best answer for addressing the current worker shortage, even though it does start to address the cleared worker shortage. A perhaps cynical part of me silently wondered if advocating such a thing wasn't just a reflection of an internal bias, as well as a way to artificially create job security for military personnel after they leave the service. Moreover, relying too heavily on military-experienced personnel leaves out a very large population of smart people who, by all rights, need to be brought into the USG to help sort out the myriad cybersecurity issues.
Only time will tell how (or if) things will work out.
Sincere thanks to Gen. Raduege and Deloitte for allowing me the opportunity for the interview.