The cybersecurity executive order of 2019 is intended to boost cybersecurity skills and improve national defense against growing cyberthreats. Will it work?
The original version of this post was published in Forbes.
Can a presidential executive order reverse a catastrophic labor shortage? Looks like we’re about to find out.
Low unemployment is generally considered a good thing—a very good thing. Politicians of all stripes usually clamor to take credit for it.
But not when it comes to cybersecurity, where unemployment is theoretically better than low—below zero—making last month’s overall rate of 3.6% look like a recession. There are an estimated 350,000 vacant cybersecurity jobs in the U.S., with experts predicting the skills shortage will get worse.
Nobody is looking to take credit for that. Instead, there is considerable hand-wringing about what to do.
For good reason. At a time when cyber risks are growing daily, and cyberattacks are becoming ever more malignant, a lack of cybersecurity expertise poses an increasingly existential threat. Cyberattacks, as numerous experts have noted, are now not just about credit card or identity theft, as bad as those are.
They can have physical consequences—potentially deadly. In the past few years, hackers have demonstrated the ability to take over critical functions of modern cars, medical devices, home security systems and the control systems of critical infrastructure.
Those ominous realities are the main impetus behind President Trump’s recent “Executive Order on America’s Cybersecurity Workforce.”
The opening paragraph declares that the nation’s “cybersecurity workforce is a strategic asset that protects the American people, the homeland, and the American way of life.”
And it calls for the federal government to “create the organizational and technological tools required to maximize the cybersecurity talents and capabilities of American workers—especially when those talents and capabilities can advance our national and economic security.”
Good idea—but how?
Good idea. But it prompts the obvious question: How?
Well, don’t look for too many specifics yet. This cybersecurity executive order is, as Threatpost put it, “short on concrete details but long on affirming cybersecurity skills as a critical piece of federal defense.”
Yes, it does require multiple reports and initiatives, with deadlines ranging from 90 days to one year. They range from an order to adopt the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE Framework) as the basis for cybersecurity skill requirements for program participants, to placing federal workers into “reskilling” programs.
The NICE Framework is “a nationally focused resource that establishes a … common lexicon to describe cybersecurity work, and workers, regardless of where, or for whom, the work is performed.” It covers work roles, tasks, skills, knowledge and abilities.
Other mandates include:
- Establish the President’s Cup Cybersecurity Competition, an annual event for federal employees, both military and civilian.
- A national “Call to Action to draw attention to and mobilize public- and private-sector resources, transform, elevate, and sustain the cybersecurity learning environment and align education and training with employers’ cybersecurity workforce needs.”
- Close the skills gap in critical infrastructure sectors for both government and private-sector workers.
But none of those mandates has a specific plan on how to achieve them yet. And they are all dependent on that make-or-break component of any government initiative—money. The order concludes with the caveat that its implementation is “subject to the availability of appropriations.”
Not that this makes it meaningless. As has been noted frequently, presidential executive orders are frequently “aspirational.” President John F. Kennedy’s call in 1961 to put a man on the moon within a decade was short on specifics too. But Edwin “Buzz” Aldrin did walk on the moon in 1969, less than a decade later.
Real cybersecurity potential, but…
What are the chances of this order moving from aspiration to reality? So far, the best that most experts can say is that it has potential.
Andrew van der Stock, senior principal consultant at Synopsys, said the message in the cybersecurity executive order is good. “It implements a pipeline to create more information security talent—something the U.S. desperately needs,” he said.
He said the mandates for federal agencies to implement the NICE Framework, for the military to establish awards and merit badges, and the request for the public, including the public education system, to establish awards and competitions “will all play into the larger plan to address the skills shortage.”
Sammy Migues, principal scientist at Synopsys, agrees that there is potential: “If the right people get behind it, some good might actually come from it,” he said.
“But it will take dedicated effort on the part of government leaders who have lots of functional objectives, none of which include planning for a digital future—after 50 years of computers.”
Not to mention that the past couple of decades is littered with presidential executive orders calling for improvements in cybersecurity—one each from Presidents Clinton and George W. Bush, and two from President Obama—plus one from President Trump two years ago calling for improved security of federal networks and critical infrastructure. During that time, while the internet has become as embedded in modern life as the automobile and television did in earlier generations, nobody would describe the online world as having become safe and secure.
Is this executive order an unfunded mandate?
And that, Migues noted, is the risk here as well—that this executive order will be “basically just another unfunded mandate that says, ‘Do better.’”
He is understandably skeptical about the order’s proposed “cybersecurity rotational assignment program,” which calls for some agencies to spend money and time to train people with an aptitude in cybersecurity, and then spread them around to other agencies—without any reimbursement.
Then there is pay. He notes the reality that the entry pay level for federal employees with a master’s degree or several years of experience is $44,000 to $58,000.
“I certainly understand that some people put country ahead of career, but the vast majority who are in the government and get trained in cybersecurity will hit the bricks the moment that’s possible,” he said.
That doesn’t mean the skills gap is being ignored. The somewhat good news is that, without any prodding from an executive order, the private sector is making considerable efforts in that area. “We can shorten the path from novice to expert. The cybersecurity industry, and pretty much every other industry, is doing that every day,” Migues said.
“We’re putting all the lessons learned from those who built the industry into automation, and outside of some well-known and well-respected exceptions in some government agencies, the vast majority of people learning cybersecurity today are simply learning how to work that technology.”
What happened to the last cybersecurity executive order?
But perhaps the most likely predictor of whether an executive order aimed at a specific sector, like cybersecurity, will get results is to look at what has happened with previous ones.
Trump’s 2017 executive order set at least 10 deadlines for reports to be submitted on how to fulfill the various mandates contained in the order.
Were any of those deadlines met? Hard to say. There was no response to that question from the Department of Homeland Security. The White House press office referred it to the Office of Management and Budget, which did not respond either.
Which probably means all or most of them were ignored.
But it is not guaranteed, even if all the deadlines in this latest order are met, that they will transform the cybersecurity employment landscape and eliminate the skills gap.
For example, Migues said the NICE Framework “can be helpful to people who have no real-world experience but still have to do something, such as a manager trying to make their first cybersecurity position description. But I can’t see how anyone else would use it,” he said.
“Actual jobs are messy and require real-world experience that cuts across hard and soft skills in multiple areas.”
This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/cybersecurity-executive-order-2019/