The United States has a severe shortage of cybersecurity professionals. A jobs report from the first quarter of 2017 revealed that 209,000 cybersecurity jobs in the United States remain unfilled. Demand for these jobs is expected to grow by over 50 percent through 2018. As threats in cyberspace increase in frequency and impact, a widening workforce gap will make the United States and its global partners more vulnerable.
This workforce shortage creates acute risks for critical infrastructure owners and operators in the United States. While private entities own the vast majority of these assets, and are responsible for their safety and security, many do not have sufficient cybersecurity professionals to provide adequate protection for their networks and internet-connected industrial control systems. At the same time, threats to critical infrastructure are expanding and the confluence of these factors could have severe security implications for the US.
The National Guard (“the Guard”) is proving to be a vital asset in addressing this demand/supply gap. Over the past few years, the Guard has increased its workforce to help secure IT networks for the Department of Defense, state governments, and even some critical infrastructure assets.
To date, the National Guard Bureau has formed cyber defense units comprising both Army and Air Force units to prevent attacks on public and private IT networks. This included the creation of a new force structure at the state level, comprising eight- to ten-person cyber defense teams known as the Defensive Cyber Operations Elements. Additionally, ten Federal Emergency Management Agency regions are handled by Cyber Protection Teams.
The number of these units is expanding: by 2019, the National Guard Bureau will “have 34 states with extensive [Cyber Protection Team] capability…this force will provide over 3,000 additional cyber warriors to our nation’s capability.”
Stakeholders in the Department of Defense, state governments, and the private sector should collaborate to establish a clear strategy to bolster the security of critical infrastructure, and increase employment of cyber Guardsmen to address the workforce shortage.
Although they have a variety of roles depending on state, local, and federal needs, cyber Guard units should shift attention to hardening the defensive posture of key infrastructure assets. The Guard should recruit IT professionals who already work with industrial control systems, as these individuals can work at their usual jobs during the weekday and report to the Guard on select weekends. These professionals already have strong knowledge of industrial control systems architecture, which makes them invaluable contributors to security enhancements. Guardsmen across a state can collaborate on vulnerability assessments and more easily formulate best practices across sectors. Recruiting professionals who already defend critical infrastructure into cyber Guard units can generate trust between the private sectors and government. These experienced professionals who join the Guard become a natural bridge between the private sector and government, fostering public-private trust.
To implement this policy, states should collaborate with the respective Chief Information Officer, Chief Information Security Officer, and industry partners to formulate partnership agreements with cyber Guard units. The scope of the agreement should include establishing official partnerships between the Guard and the infrastructure owners, setting up information sharing mechanisms and joint training sessions, and setting short-, medium-, and long-term goals for bolstering security of these key assets.
The governor should require annual assessments of these partnerships to ensure goals are met within legal parameters and to alter tactics and strategies to adapt to changes in the cyber threat environment. This hands-on approach between states, the Guard, and industry will meld local knowledge of critical infrastructure with National Guard Bureau expertise to form partnerships that efficiently allocate resources to address vulnerabilities.
While the states are responsible for the planning and implementation of the cyber Guard units’ initiatives, the U.S. military should fund these efforts. The Department of Defense receives the largest portion of discretionary spending of any federal agency, with a budget that will likely increase under the Trump administration. Policymakers should work with Congress to ensure that cyber Guard units receive substantial budget increases to support funding for creating, training, and operating more units.
The Department of Defense should implement an incentive-based structure to help recruit and retain the Guard’s talented workforce. The Department of Defense and state governments can offer financial incentives to join the Guard to attract the most highly skilled individuals in each state. For instance, it should build upon the Federal Cybersecurity Workforce Strategy model issued in July 2016 that offers compensation flexibility, formal training and on-the-job learning and development, mentoring, and student loan repayment, among other incentives.
The Guard can be a critical part of the solution to the United States’ pressing cybersecurity workforce shortage that has rendered critical infrastructure vulnerable to attacks. Local units funded by the Department of Defense and overseen by state governments have the resources and knowledge to bolster defenses of assets most critical to homeland security. Cyber Guard units can bring together those already trained in cyber defense in some of the critical infrastructure assets that the Guard units are tasked to protect. This arrangement can integrate skills across different critical infrastructure sectors within each state to provide robust network defense services from some of the states’ most capable defenders.
Bobby Shields is a Security Policy Studies Masters candidate with concentrations in Cyber Security and Energy Security. He currently works as the Program Assistant for the Elliott School’s NSSP and MIPP programs.
For further reading on this issue:
Brian Claus et al., “Using the Oldest Military Force for the Newest National Defense,” Journal of Strategic Security (4:18, Winter 2015).
Colin Wood, “Cybersecurity Gets a Boost from the National Guard,” Government Technology, February 28, 2014, http://www.govtech.com/security/Cybersecurity-Gets-a-Boost-from-the-National-Guard.html
William Matthews, “Building A Cyber Force,” National Guard Magazine, October 2015, https://www.ngaus.org/newsroom/news/building-cyber-force
William Matthews, “Cyber Uncertainty,” National Guard Magazine, July 2014, http://nationalguardmagazine.com/display_article.php?id=1764536&id_issue=218066