Amid a steady drumbeat of reports on cyber-espionage and election-related hackings, lawmakers are wrestling with questions of how to best protect the country from digital threats and address a severe shortage of skilled cybersecurity workers.
That means new attention for nascent efforts to support cybersecurity education, including in K-12 schools. The National Governors Association, eight different federal agencies, and a national commission established by President Barack Obama are among those supporting a wide assortment of cybersecurity-related education and workforce-development initiatives.
The administration of President Donald Trump has also been working on its own cybersecurity executive order, an early version of which would have mandated a sweeping review of the country’s related education efforts.
The idea is that both the public and private sectors need more people capable of designing, building, operating, and securing the information-technology systems that are now essential to the functioning of everything from small businesses to public utilities to the United States’ national-security infrastructure. That requires a strong grounding in advanced mathematics and computer science, as well as specialized skills in fields as diverse as cryptography, software development, and network engineering.
But there are challenges.
Creating curricula and programs that can keep up with rapidly changing technologies isn’t easy. Neither is squeezing another new obligation into schools’ already-strained budgets and schedules. Efforts to stitch together the patchwork of existing cybersecurity-education efforts remain a work in progress.
“Cybersecurity is at the center of a lot of discussions right now, but we still have a lot of work to do,” said Stephen Parker, the legislative director for education and workforce issues at the National Governors Association, which has made the issue a top priority this year.
There’s also an ongoing debate about whether cybersecurity education should prioritize national-security or workforce-development concerns.
In January, the White House appeared headed in the former direction. President Donald Trump seemed poised to sign an executive order that included a provision directing the U.S. secretaries of the departments of Defense and Homeland Security to review the country’s cybersecurity education efforts and make recommendations for improvement, according to a draft published by The Washington Post. Trump put the order on hold, however.
Secretary of Homeland Security John Kelly later told Congress the order had undergone significant revision. A later draft published by the Lawfare blog eliminated altogether the provision related to education and workforce development.
The resulting uncertainty is generating anxiety. Privacy advocates worry that civil liberties might suffer if national security agencies are put in charge of the country’s cybersecurity education. Groups focused on private-sector-industry needs describe the country’s shortage of skilled cybersecurity workers as a crisis that demands federal attention.
Such tensions have ebbed and flowed for years.
In December, a national cybersecurity commission established by President Barack Obama sought to bridge the gap by recommending new public-private partnerships—both to better secure the country’s information-technology infrastructure and to train 150,000 new cybersecurity workers.
At all levels of government, related programmatic efforts have similarly attempted to straddle multiple worlds.
In Washington, there are cybersecurity education and workforce-training initiatives supported by the departments of Education, Energy, Homeland Security, and Labor; the federal Office of Personnel Management; the National Security Agency; and the National Science Foundation, with the National Initiative for Cybersecurity Education (NICE) at the National Institute for Standards and Technology in the federal Department of Commerce playing a coordinating role.
At the state level, leaders such as John Hickenlooper, the Democratic governor of Colorado, and Rick Snyder, the Republican governor of Michigan, have also pushed forward their own cybersecurity initiatives. Numerous states now have cybersecurity-focused career-and-technical programs, as well as dual-enrollment programs that allow high school students to earn college credits by taking cybersecurity coursework at area colleges.
And under the leadership of Virginia Gov. Terry McAuliffe, a Democrat, the National Governors Association last July launched a cybersecurity initiative dubbed “Meet the Threat.” The effort brings together educators and employers. One early outcome of their discussions: a shared desire to introduce computer-science education to young children, through coding games and competitions.
Such opportunities in the K-12 arena are only going to grow, said Bert Steele, a consultant with the nonprofit Cyber Innovation Center. “There’s an absolute hunger to get this kind of content into the classroom,” Steele said. “Everybody realizes how relevant it is in today’s society.”
The Cyber Innovation Center was launched in 2007 to attract cybersecurity jobs and prepare cybersecurity workers in northwestern Louisiana.
The center’s founders quickly realized, however, that such initiatives would ultimately depend on K-12 schools. Their response was a project called the National Integrated Cyber Education Research Center, which develops and shares cybersecurity lessons and resources with K-12 teachers around the country.
Now funded by the federal Department of Homeland Security, the center’s curricular materials have been approved by 17 states.
At the high school level, for example, the group’s “cyberliteracy” course blends civics lessons with hands-on activities involving robotics and computer programming. Students might use microcontrollers to build a robotic minesweeper, then take part in class discussions on constitutional privacy protections.
“We need to make sure students know how to live and operate in cyberspace,” said Kevin Nolten, the center’s director of academic outreach. “That includes hard skills, like network programming and security, but also humanities, such as cyberlaw and ethics.”
It’s just one of many cybersecurity education initiatives supported by several federal and state government agencies.
At the federal level, for example, the National Science Foundation works with the Office of Personnel Management to provide “CyberCorps” scholarships to students training to become cybersecurity professionals, and with the National Security Agency, to fund free “GenCyber” summer camps for K-12 students and teachers.
The NSA also works with the Homeland Security Department to designate degree-granting cybersecurity programs at more than 200 colleges and universities as Centers of Academic Excellence.
And DHS is involved in a number of other undertakings. The department, along with the National Institute of Standards and Technology at the Commerce Department, as well as the office of the secretary of defense, played a pivotal role in the development of the NICE Cybersecurity Workforce Framework, which provides a detailed breakdown of the skills required for a wide range of cybersecurity-related work. DHS also maintains an online directory of cybersecurity-training courses.
Despite all the activity, the scale and quality of K-12 cybersecurity education remains spotty.
According to an analysis of national data by the nonprofit group Change the Equation, less than one-fourth of high school seniors say they’ve ever taken a computer science course, let alone a more technical and highly specialized class focused on cybersecurity. Low-income, black, and Native American students are much less likely than Asian and white students to attend a school offering computer science.
Staffing shortages are one big barrier to improvement, said Vince Bertram, the president and CEO of Project Lead the Way, a nonprofit that provides computer science curriculum to 4,000 K-12 schools across the country and plans to unveil a yearlong cybersecurity course for high schools in fall 2018.
Another challenge is how quickly the cybersecurity field changes.
The programming languages taught today may well be irrelevant by the time a current high schooler hits the job market.
Emerging technologies such as autonomous vehicles also present new security threats. And the growing tension between privacy and security is only getting more pronounced: Should the focus of K-12 cybersecurity education be training students who can develop strong encryption systems capable of protecting users’ privacy, even against government surveillance—or students who can crack consumer-encryption systems in the name of national security?
It remains uncertain where the Trump administration will land on such questions. For the time being, it’s not even clear when the president might move ahead with his cybersecurity plan, or if education and workforce issues will be included.
Regardless of what happens in Washington, Bertram is among those pushing for cybersecurity education to proceed full steam ahead.
“Cybersecurity is absolutely critical to our national security, and job growth is absolutely critical to our national economy,” he said. “We should not need an executive order to create urgency around this work.”
A version of this article appeared in the March 22, 2017 edition of Education Week as Cybersecurity Skills in Demand