The National Initiative for Cybersecurity Education (NICE - http://csrc.nist.gov/nice/index.htm) has evolved from the Comprehensive National Cybersecurity Initiative, and extends its scope beyond the federal workplace to include civilians and students in kindergarten through post-graduate school. The goal of NICE is to establish an operational, sustainable and continually improving cybersecurity education program for the nation to use sound cyber practices that will enhance the nation’s security.
Dr. McDuffie talked with CHIPS magazine about the National Initiative for Cybersecurity Education May 20.
Q: You've met with many people across the country from government, private industry and academia; what do you think are the most positive aspects of today's workforce?
A: As I go around the country and speak to young people who are interested in entering the workforce I think what is most encouraging and their most positive aspect is their enthusiasm. It is interesting; I have a 10-year history of dealing with young people pursuing academic careers to join the workforce and post-9/11 a large percentage of them indicated that one of the motivating factors, particularly in looking for employment in the federal government, was a sense of old-fashioned patriotism. They were looking at ways to use their talents to help defend the country, and they saw working for the government as a viable alternative for them.
Q: Much is being made of partnerships between the federal government and private industry, can you talk about the opportunities for government civilians to collaborate with cybersecurity folks at all levels in academia and the private sector?
A: Collaboration is actually what my initiative is all about. I lead the National Initiative for Cybersecurity Education, and we are all about public-private partnerships. The relationship between academia, industry and government is critical to addressing this issue. Cybersecurity is so broad and it impacts everybody in the country, everybody on the planet really. It is going to require real partnerships across all those stakeholders to make significant progress.
We have a number of activities that are ongoing, to just mention a few; I’ve been invited to speak at a number of National Associations of Counties (NACo) events. A few weeks ago they had their first cyber summit in Omaha, Nebraska; some 22 states were represented there, the governor of Nebraska spoke. It’s really a great opportunity for people at a relatively low level of government, at the county level, which really has good connectivity and access to K-12 education to understand all the ins and outs of what’s happening in cybersecurity. I certainly welcome those opportunities.
The certification community, (ISC)2, CompTIA [and] SANS Institute [for example], have adopted and mapped a lot of their certifications to the National Cybersecurity Workforce Framework, which is a document that my initiative (NICE) has created that really for the first time allows for a common language to be used when talking about the cybersecurity field, its complexities, and there are some seven different sub-areas and 31 different skillsets described in the framework. Having the document so that various groups like government, industry and academia can use a common language and talk about the different issues that are important has been a real advantage.
There is a National Cybersecurity Education Council (NCEC), formed under the guidance National Cyber Security Alliance (NCSA) [a public-private partnership between government, academia and industry to help address formal cybersecurity education in the United States], where academic institutions and a number of the big industry power players, like Oracle, Intel [and] Microsoft, for example, come together to look at the issues surrounding NICE and see how they can help and partner.
So the list kind of goes on and on; there are lots of opportunities. If you go to the Department of Homeland Security’s website: Stop Think Connect, you will find resources that are available to everyday citizens, like the National Cyber Security Awareness campaign. You can become a friend of the campaign, you can download the material for free and it really gives you enough resources so that you can go out in your own community and conduct mini workshops. [The “Friends” Program is an opportunity for citizens to help us spread the word about what we can all do to enhance our safety and security online. Anyone can be a Friend of the Campaign.]
Q: One of the NICE initiatives is to "cultivate a globally competitive cybersecurity workforce." What does that mean and what federal agencies are involved?
A: NICE is a collaboration of as many as 50 federal agencies, and in reality, we consider all federal agencies as our partners. This idea of global competition is very apparent because every country on the planet has the same cybersecurity issues, whether they are dealing with national security issues, and protection of intellectual property of companies or the privacy of individual citizens in cyberspace, it is a global issue.
The marketplace for new talent is extremely competitive, whether in industry, government or academia, people can work anywhere. So we have to make sure our educational institutions are world-class, and they are, and make sure they are teaching the latest state-of-the-art activities that are coming out of the R&D laboratories. We have to make sure our certification community is stepping up their game in terms of hands-on training and recurring certifications. It really doesn’t do anyone any good to certify someone 15 years ago and not have their certification updated on a regular basis because the field evolves so quickly.
So NICE is partnered with not only the academic community, but the certifying companies that move all those things forward, and to make sure people in this country are aware of all the opportunities that are available to them. Some are unique to U.S. citizens. The Department of Defense employs some two-thirds of all cybersecurity professionals in the federal government and to work for DoD, you must be a U.S. citizen and have a security clearance. So there is a set of jobs that are uniquely available to U.S. citizens, and we want to make sure that our citizens are aware of this. Plus, we are doing outreach to underrepresented groups. Females and minorities have been traditionally underrepresented in the STEM (science, technology, engineering and mathematics) fields so we are doing our best to reach those groups and individuals to make sure they are aware of the opportunities.
What’s also gratifying is that if you choose to go into this field, you don’t necessarily have to relocate to Washington. There are job opportunities across the country at the state and local government level and certainly every industry, whether small, medium or large, in your local area is going to have a need for cybersecurity professionals. So there is a huge job market, and it is only going to expand as we move into the future.
Q: How would you convince young people to pursue a cybersecurity education and to join the federal government, especially since the federal government is under tremendous fiscal pressure right now?
A: That’s a really good question because it certainly is a challenging environment. Right now some agencies are operating under hiring freezes, and limited budgets make it difficult to paint a good picture for new people coming on board. But in spite of that, one of the few areas that has enjoyed a relatively stable, if not increasing funding at the federal level, is cybersecurity. The highest levels in government have recognized the importance of this area in terms of nation defense. They have also recognized the importance of this area in terms of STEM education as an innovator that drives job creation and economic growth in this country. In order to maintain our lead and progress in those areas, cybersecurity becomes the underlying enabler of the entire STEM enterprise.
You can’t do science, engineering, mathematics or technology without a computer on your desk. Those computers are always networked together and there are always issues about the security, reliability and availability of those systems. So regardless of the scientific endeavor you may be interested in as a young person, you can always use a cybersecurity background to leapfrog your career into other specific STEM areas. There are good jobs everywhere if you are looking to work with the cutting-edge and R&D, particularly on the offensive side of cybersecurity, the only place you can legally do that is inside the federal government working for agencies like the National Security Agency , the Department of Defense and others.
So I think we have an advantage over the private sector in the federal government in that we have the best ‘toys.’ Young people are typically excited and drawn to advanced technology and we have plenty of that in government.
Q: Those are good points. I really like the idea of appealing to young people through the use of new technologies, but some pundits would say that the federal government lags behind industry in its use of advanced technologies.
A: There may be pockets in agencies or smaller agencies under tight budget constraints that can’t update their systems and still have significant vulnerabilities, but across the country in terms of R&D, the majority of funding for research and development is coming from the federal government. The National Science Foundation funds just about everything at the university level. We also have a very active Small Business Innovation Research Program (SBIR).
The security agencies, like the National Security Agency, the national labs and the Department of Defense have active research and development at the very cutting-edge of all of these fields – quantum information science and cryptology, for example. NSA is a world-class organization at the leading-edge of all these technologies. If you are looking at where the best and the brightest are operating, the national labs are good places to start.
Q: The NICE framework describes cybersecurity work regardless of organizational structures or job titles. The Department of Defense is currently developing the DoD cyberspace workforce framework based on the NICE model. What do you see as the benefits for DoD and individual workforce members in using the framework?
A: The framework is the result of work over a number of years of study and struggle to wrap our arms around this idea of the cybersecurity workforce in the federal government. The Office of Personnel Management, the Federal CIO Council, the Department of Defense and others have conducted numerous surveys and studies of the workforce to identify the various aspects and nature of cybersecurity work across federal government.
So when I began working in the NICE, I was very fortunate in that the people who were assigned to me were the same people from various agencies who were directly involved in the previous grassroots surveys. So we decided to bring all that work that had been done before together and to look for the synergies with the idea to identify particular types of work and to come up with an overarching taxonomy to define cybersecurity work.
How you define certain things is really important to the overall impression of the field. So we wanted this language to be a common, universal language, not government-speak or DoD-speak, or something so full of buzzwords that the average person couldn’t understand or get a good concept of it. So if you look at the framework, you will see that it is really applicable across any sector, government or industry, whether it be in energy, transportation, medical, financial, and the list goes on and on. We really went above and beyond to decompose the workforce into its component parts because the work really is more than the guy just working on a firewall or performing intrusion detection, it includes policy issues, procurement, support, R&D, and the list goes on and on.
So this framework now for the first time allows people across all these different sectors to look across the workforce so that when they are doing gap analysis, they are comparing apples to apples. So when we are doing gap analysis in the federal government, we can identify certain types of positions which may be critical to fill and it becomes very easy to aggregate this type of information across agencies.
We’ve had a lot of buy-in to the framework. It really only went out last year and since then the Office of Personnel Management has adopted it. They have developed a set of data elements that will allow federal agencies to add two-digit codes to job titles, job descriptions that already exist because there is no job code for cybersecurity. There are information technology specialists, computer scientists, computer engineers, there are six or seven careers in federal government that all do aspects of cybersecurity work and by adding these two-digit codes, once that is fully implemented, the federal government will be able to look at the workforce and identify specifically who is doing what and really get a good gap analysis to see where we might need 20 percent more of this type of work here or maybe 50 percent more of another type of work there. Now we really have a common language to talk about it.
The same thing will certainly apply to federal contractors because they want to align with the federal government, and private industry is seeing value in the taxonomy and they are adopting it on their own on a strictly voluntary basis. The academic institutions that are the National Centers of Academic Excellence for information assurance education are adopting it and are mapping their curricula to an academic framework. So we are seeing a lot of synergy.
On top of that, this is a living document. Later next month [June], we are going to begin the process of updating it, we are going to take the comments we’ve received since it has been out to improve the document and make sure we stay current with what is happening in the world to produce our next version. We plan to continue updating the document because the field will continue to evolve and we want to make sure the framework remains fresh and current. So probably every two or three years or so, you will see a new version of the framework, there won’t be major changes maybe 5 to 10 percent in an area where we will make adjustments keeping that same philosophy that we will be speaking in a language that everyone can identify with.
Q: You mentioned the two-digit codes, will they be used for targeted recruitment and possibly contribute to the conversation about developing different compensation models for critically needed skills?
A: Absolutely. Not only that, but there is already critical activity going on by the Office of Personnel Management, they are looking at six critical career fields in the federal government where they believe there is a shortage of personnel, cybersecurity is one, STEM education, contracting, economists, human resources professionals and auditors I believe are the six.
So there is a shortage in general across federal agencies for qualified people in all those areas. I’m on one of theco-chairs of the sub-group that is looking at cybersecurity, and we are using the framework to give us a baseline so we can do a gap analysis to begin targeted recruitment for the specific skillsets that are needed. We are looking at compensation packages; we are looking at personal life balance, all the issues that would affect recruiting for these highly educated individuals. The federal government as a whole is making a concerted effort to get the right people in the right positions.
Q: What organizations do you work with to develop NICE education and training resources?
A: There is a huge list and it is pretty broad, but the big players are certainly the National Science Foundation and the U.S. Department of Education. They are co-leads in our Formal Cybersecurity Education Component. Not only are they looking at the development of proper curriculum but cataloging the curriculum, training and opportunities that are available across the country. I’m working with a number of universities and community colleges, Prince George’s Community College in Maryland and their CyberWatch program has been identified as a National Center of Academic Excellence for cybersecurity and has received a $5 million grant from NSF so they are really doing outreach across community colleges to make sure they have the right tools available.
The National Security Agency and the Department of Homeland Defense are intensely interested in training and education resources so DHS put together a portal called NICCS, the National Initiative for Cybersecurity Careers and Studies, that is populated with training and education resources that will continue to be updated, and it is available to the federal workforce and the public as well.
It is a pretty large and gratifying collaboration of federal agencies and the public-private sector across the country that are working together to address this issue.
Q: Is there anything else the cyber workforce or the general public should know about NICE?
A: The next big thing for us is our workshop. We’ve been holding a major workshop for the last three years. Last year we were rained out by Hurricane Sandy. We are going to be doing our next one Sept. 17 through 19 at NIST (National Institute of Standards and Technology) headquarters in Gaithersburg, Maryland. The conference workshop is open to everybody and we usually get a pretty good mix of government, private sector and academia. Registration opens up in June so I would encourage everyone to join us. We are going to stream the workshops online so those that are under travel restrictions will still be able to participate. It is our annual big key event that highlights everything that is part of the NICE and you learn about everything that is going on across the country.
Q: Anything else?
A: The only thing I didn’t mention is the cyber competitions. You hear a lot about the U.S. Cyber Challenge Competition and U.S. CyberPatriot Competition. There are competitions targeted at high school and college students. These cyber competitions are becoming really important for students to be able to see if they enjoy the cyber field and also to see how teamwork works in cybersecurity.
Also, the sponsors are typically industry sponsors who are using them more and more for recruitment and some will make job offers on the spot. There is an effort called U.S. Cyber Challenge which holds weeklong boot camps, usually four of them, over the course of the summer for universities in different parts of the country. They provide coursework, ethics and some exposure to hiring agencies so there are a lot of these competitions to attract people to the cyber field. So if you are in high school or college or in the field already, look for these competitions to exercise your cyber muscles.
The 2013 Workshop will focus is “Navigating the National Cybersecurity Education Interstate Highway." The NICE Workshop will showcase keynote speakers, panel discussions, poster sessions and an interactive view on cybersecurity education, best practices and competitions.
Registration opens in June 2013 at www.nist.gov/nice/.
Questions should be directed to NICE workshop chair, Magdalena Benitez at