Winning the War for Cyber – and Cyber Talent

A White House cyber director lacks budget and staff, and a cabinet-level "Department of Cybersecurity" risks alienating stakeholders, but there is a model already in place that could manage the "whole of government" cybersecurity approach.

The U.S. is in a 'war' for cyber talent, and in our opinion, we are in danger of losing it. 

We are not talking about the benign sort of competition for that talent that occurs between companies and government agencies in the overheated U.S. labor market, although that's not unimportant. Rather, we are talking about the development and deployment of U.S. cybersecurity professionals to protect our country's national security interests, especially vis-à-vis those of geopolitical rivals like Russia and China, Iran and North Korea, and their extralegal proxies. 

Simply put, our adversaries are producing and leveraging more cyber talent than we are, and that talent translates into more cyber capability, especially the national security kind…at least potentially. And while we can close some of that gap from a qualitative standpoint—we have some of the world's smartest people protecting us—and have done so to date, that may not be enough. As the U.S. and its allies become more and more digitally dependent—and more and more digitally vulnerable as a consequence—we should all be worried about ensuring that our country has the cybersecurity talent and concomitant capability and structure to protect us. And that means having enough skilled cyber professionals, in both private and public sectors, to stand watch over the U.S. government's data, systems, and networks, including but not limited to those that are classified. 

But in the case of cybersecurity, it's even more complicated than that…it also means having the cyber talent and capability and structure to protect all of the Nation's critical information and communications technology infrastructure, most of which is owned and operated by our private sector. That is the underlying focus of a congressionally mandated report just issued by the National Academy of Public Administration, and we have some thoughts about its recommendations.

Developing the nation's cybersecurity workforce

Simply put, it is our view—as well as the NAPA Report's—that the U.S. is not developing and deploying enough of the skilled cyber professionals we need to protect and pursue our national interests broadly defined, and the report recommends that among other things, the new National Cybersecurity Director—former National Security Agency (NSA) Deputy Director Chris Inglis is the first to have that illustrious title—should oversee a national effort to achieve that lofty goal from his perch in the Executive Office of the President.

While that is certainly a good start, we are not sure that this ultimately goes far enough. In our view, trying to lead and more importantly, sustain such an effort from the EOP, as politically charged and resource constrained as it usually is, will almost certainly result in suboptimization, and we strongly suggest that cybersecurity leadership from the White House be augmented by a more expansive—and in our view, ultimately a more sustainable—approach, one born out of our experience in setting up and leading the Office of the Director of National Intelligence.

ODNI was tasked with overseeing a similar effort by the Congress in the Intelligence Reform and Terrorism Prevention Act of 2004, in hopes of preventing another 9-11. And it did so with a politically compromised structure that was neither central bureaucracy nor a "czar" based in the White House. The fact is that it worked, at least after a fashion (primarily because of the unsung efforts of its dedicated staff), but in so doing, it may just have created a new organizational model, one that in our view, a cyber czar in the White House desperately needs.  

Why is this important? Because as the NAPA Report points out, the nation's cybersecurity—and the development of a second-to-none U.S. cybersecurity workforce that serves its interests—is perhaps the ultimate in team sports, requiring the cooperation and collaboration of a whole host of federal, state, local, non-profit, and private sector actors. As a consequence, its structure, and the direction, authority, and control over such things as budgets and personnel, really matters. Indeed, it may be the difference between the success and failure of the National Cybersecurity Director, at a time when few things are more important to the security of our digitally dependent Nation.

Why not the National Cyber Director?

As noted, the NAPA Report would put the National Cybersecurity Director in charge of developing a national cybersecurity strategy that is grounded in a strong, capable cybersecurity workforce. What does that mean, exactly? In our view—and we have some experience in the matter—it means coordinating the efforts of a host of actors across the private sector, academia and state and local government that have historically resisted federal control. Even federal agencies can be resistant to centralized authority, protecting their own bureaucratic interests even in the face of a "whole of government" imperative like cybersecurity. 

In our view, tasking a White House czar to herd cybersecurity policy, strategy, and operations is a true mission impossible. There are too many examples of this—the diminutive Office of National Drug Control Policy is perhaps the most obvious—to count. The sad fact is that even when it may be in the national interest, few will salute (or succumb) to White House direction, particularly if it means subsuming their own parochial interests to that direction. 

Bottom line: That stick doesn't work for the cybersecurity enterprise. 

In our cynical view, the carrot won't work either. In this case, the carrot is money—the promise of federal funds as an incentive to do the NCD's cybersecurity bidding, in coordination with the Office of Management and Budget. While all of the various independent and semi-independent actors involved in that effort will gladly take federal funding, that funding comes from a variety of sources. At least seven federal agencies have grant programs in this area, not to mention funding from state and local governments, school districts and schools, public and private donations, colleges and universities, etc., and while they all seek to incentivize cybersecurity generally (and cybersecurity education specifically), the devil's in their details, and the NCD's small staff can hardly be expected to herd all of those cats. 

What about a Department of Cybersecurity?

If "authority, direction, and control" over the development of the nation's cybersecurity workforce and broader cybersecurity operations cannot effectively come from a small office in the EOP, why not apply the Department of Homeland Security model and put all of the relevant agencies under one bureaucratic roof? 

It should be obvious that this other extreme is just as problematic. Indeed, one need only look at the challenges that have faced DHS since its mega-merger inception to question the efficacy of this approach. That is not a criticism of DHS, just a fact. It is therefore fair to ask whether the nation's cybersecurity can benefit from a mega-merger of existing capabilities and programs.

We think not. Cybersecurity depends not only on achieving "horizontal" unity of effort among the federal agencies that have a piece of the cybersecurity mission, but also building and unifying a "vertical" coalition as well, among all the public and private institutions and organizations that have some influence over cybersecurity.

All of those entities have something to do with the development of a U.S. cybersecurity strategy and a workforce to execute it, and they are all independent—not only legally but also in mindset—and the political and pedagogical complexities in achieving that unity of effort amongst them, whether by persuasion or by direction, are simply mind-numbing.  

Our Proposal: the 'Goldilocks' solution

So, if a White House czar on one hand, and a centralized Department of Cybersecurity on the other won't work, what do we suggest? In our view, challenges like cybersecurity, and the development and deployment of a national cybersecurity workforce as a subset of that challenge, simply do not lend themselves to a hierarchical, command and control model emanating from Washington, DC.

We saw that play out first-hand with the Congress's creation of the Office of the Director of National Intelligence, which shied away from establishing a Department of Intelligence that mirrored its contemporary DHS cousin, in favor of something that was more federated in nature. That structure was established largely by default, to try to integrate the intelligence community without disturbing the jealously guarded statutory authority and control that cabinet secretaries—especially the secretary of defense—have over their intelligence agencies.

Congress attempted to do both with ODNI, and one can argue that that compromise had (and has) its faults. But the dedicated leadership and staff in ODNI managed to make that structure work, if not optimally, then at least better than top-down bureaucracies like DHS. Indeed, we used to compare notes with our DHS colleagues, who lamented the practical limitations of simply telling the Department's components what to do, only to have them do what they wanted. 

We recommend a similar model for cybersecurity and the development of a supporting national workforce. Such a structure acknowledges the whole of nation nature of the cybersecurity mission (including the development of a national cybersecurity workforce); realizes that collaboration, rather than hierarchical direction, is the key to achieving any sort of unity of effort in that regard; and institutionalizes that effort in a single organizational hub that is insulated from the political football that is the EOP.

That model must be sized to do its strategic job: not with the thousands of "headquarters-knows-best" staff that come with a mega-department merger; but more than just a handful of experts in the EOP who can only issue platitudes and principles. 

In other words, for better or worse, an ODNI-like structure that can integrate the horizontal and vertical efforts of all of those public and private entities that have a role to play in that regard, big enough to be able to provide the strategic guidance and oversight necessary to achieve that end, but not so big as to be tempted to try to direct or control all the entities involved in safeguarding cybersecurity.

Mike McConnell, a retired Navy vice admiral and former director of the National Security Agency and Director of National Intelligence, is currently executive director of the Florida Center for Cybersecurity at the University of South Florida.

Ronald Sanders is staff director of the Florida Center for Cybersecurity and previously served as chair of the Federal Salary Council and associate director of National Intelligence for Human Capital.
