[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
MORE HIRES, FEWER HACKS: DEVELOPING
THE U.S. CYBERSECURITY WORKFORCE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY
OF THE
COMMITTEE ON SCIENCE, SPACE,
AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
Tuesday, February 11, 2020
__________
Serial No. 116-67
__________
Printed for the use of the Committee on Science, Space, and Technology
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://science.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
39-616PDF WASHINGTON : 2021
--------------------------------------------------------------------------------------
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. EDDIE BERNICE JOHNSON, Texas, Chairwoman
ZOE LOFGREN, California FRANK D. LUCAS, Oklahoma,
DANIEL LIPINSKI, Illinois Ranking Member
SUZANNE BONAMICI, Oregon MO BROOKS, Alabama
AMI BERA, California, BILL POSEY, Florida
Vice Chair RANDY WEBER, Texas
LIZZIE FLETCHER, Texas BRIAN BABIN, Texas
HALEY STEVENS, Michigan ANDY BIGGS, Arizona
KENDRA HORN, Oklahoma ROGER MARSHALL, Kansas
MIKIE SHERRILL, New Jersey RALPH NORMAN, South Carolina
BRAD SHERMAN, California MICHAEL CLOUD, Texas
STEVE COHEN, Tennessee TROY BALDERSON, Ohio
JERRY McNERNEY, California PETE OLSON, Texas
ED PERLMUTTER, Colorado ANTHONY GONZALEZ, Ohio
PAUL TONKO, New York MICHAEL WALTZ, Florida
BILL FOSTER, Illinois JIM BAIRD, Indiana
DON BEYER, Virginia FRANCIS ROONEY, Florida
CHARLIE CRIST, Florida GREGORY F. MURPHY, North Carolina
SEAN CASTEN, Illinois VACANCY
BEN McADAMS, Utah
JENNIFER WEXTON, Virginia
CONOR LAMB, Pennsylvania
VACANCY
------
Subcommittee on Research and Technology
HON. HALEY STEVENS, Michigan, Chairwoman
DANIEL LIPINSKI, Illinois JIM BAIRD, Indiana, Ranking Member
MIKIE SHERRILL, New Jersey ROGER MARSHALL, Kansas
BRAD SHERMAN, California TROY BALDERSON, Ohio
PAUL TONKO, New York ANTHONY GONZALEZ, Ohio
BEN McADAMS, Utah VACANCY
STEVE COHEN, Tennessee
BILL FOSTER, Illinois
C O N T E N T S
February 11, 2020
Page
Hearing Charter.................................................. 2
Opening Statements
Statement by Representative Haley Stevens, Chairwoman,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives........... 8
Written Statement............................................ 9
Statement by Representative Jim Baird, Ranking Member,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives........... 10
Written Statement............................................ 11
Statement by Representative Eddie Bernice Johnson, Chairwoman,
Committee on Science, Space, and Technology, U.S. House of
Representatives................................................ 12
Written Statement............................................ 13
Witnesses:
Mr. Rodney Petersen, Director, National Initiative for
Cybersecurity Education, National Institute of Standards and
Technology
Oral Statement............................................... 15
Written Statement............................................ 17
Dr. Ambareen Siraj, Professor, Computer Science and Director,
Cybersecurity Education Research and Outreach Center, Tennessee
Tech University
Oral Statement............................................... 24
Written Statement............................................ 26
Mr. Joseph Sawasky, President and Chief Executive Officer, Merit
Network, Inc.
Oral Statement............................................... 56
Written Statement............................................ 58
Ms. Sonya Miller, HR Director, IBM Security and Enterprise &
Technology Security
Oral Statement............................................... 62
Written Statement............................................ 64
Discussion....................................................... 72
MORE HIRES, FEWER HACKS: DEVELOPING.
THE U.S. CYBERSECURITY WORKFORCE
----------
TUESDAY, FEBRUARY 11, 2020
House of Representatives,
Subcommittee on Research and Technology,
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to notice, at 10:07 a.m.,
in room 2318 of the Rayburn House Office Building, Hon. Haley
Stevens [Chairwoman of the Subcommittee] presiding.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Stevens. This hearing will come to order.
Without objection, the Chair is authorized to declare recess at
any time.
Good morning, and welcome to this hearing of the
Subcommittee on Research and Technology to explore the major
challenges that have led to our national cybersecurity
workforce shortage and the programs underway to address that
shortage. A sincere and very special welcome to our
distinguished panel of witnesses for joining us here today, the
effort and time you took to write your testimony and obviously
share your expertise. We're all very much looking forward to
hearing from you.
Almost every day, we hear news about security breaches,
poor system design, and vulnerabilities disrupting businesses
and individuals' lives. Part of the reason cybersecurity issues
are so prevalent is that the demand for skilled cybersecurity
professionals far exceeds the supply of those individuals.
According to CyberSeek, a tool funded by the National
Initiative for Cybersecurity Education (NICE), as of last month
there are over a half a million job openings related to
cybersecurity in the United States. That's job openings. That
means nearly one in three cybersecurity jobs go unfilled.
There are many reasons for this workforce shortfall.
Relatively few high school students have any exposure to
computer science in the classroom, let alone cybersecurity.
Even when students graduate from college with a degree in
computer science, they often lack the cybersecurity skills and
hands-on experience to fill job openings.
We also recognize and encourage the multiple pathways to
careers in cybersecurity, including certification programs and
apprenticeships. On Saturday, just this past Saturday, I held a
town hall back in Michigan on special education. And one of the
excellent resources that was highlighted was the Living and
Learning Enrichment Center, a center for adults with
disabilities that has also just recently partnered with Cisco
and the Michigan Career and Technical Institute, to start a
cybersecurity certification to train adults with disabilities
that traditionally present barriers to employment.
In addition, the cybersecurity field as a whole lacks
diversity, even more so than many other STEM (science,
technology, engineering, and math) fields. The math is yet
again simple. Last year, women accounted for only 20 percent of
the global cybersecurity workforce, the global cybersecurity
workforce. Women of color in cybersecurity jobs make on average
$10,000 less than their male counterparts. We cannot address
our current and future cybersecurity workforce needs without
recruiting and retaining more women and minorities into the
field.
All of our panelists have been leaders in addressing the
diversity challenge, and we very much look forward to hearing
about your efforts on that front.
It should not be a surprise that I'm excited to have NIST
(National Institute of Standards and Technology) represented on
this panel to talk about their leadership in building the
government's and the Nation's cybersecurity workforce. Truly,
NIST has been a leader in of course setting the standards, the
platform, even reaching out to the Department of Defense and
forming one of the first MOUs (memorandum of understanding) to
set cybersecurity standards in the advanced manufacturing
space.
The National Institute of Standards and Technology is also
playing a critical role in cybersecurity workforce development
across this National Initiative for Cybersecurity Education,
NICE. We'll also discuss many of the important Federal programs
at the National Science Foundation, the Department of Homeland
Security, and other agencies designed to educate and train the
next generation of cybersecurity professionals.
Finally, we will explore how partnerships between
academia, industry, and Federal and State governments are
working to improve our cybersecurity workforce, humming and
collaborating, and working together. I am so proud to say that
my home State of Michigan has helped to lead the way in
developing education and training programs to equip our State's
workforce, Michiganders, with the skills they need to pursue a
career in cybersecurity.
Governor Gretchen Whitmer, and even her predecessor
Governor Snyder, have implemented programs like the Governor's
High School Cyber Challenge and Girls Go Cyber to give Michigan
high schoolers experience in cybersecurity. We will hear about
some of those efforts today.
I want to thank the witnesses for being here today to help
us understand these challenges that organizations face,
companies face to recruit a skilled cybersecurity workforce,
effective education and workforce development programs designed
to help these organizations meet cybersecurity workforce needs,
and how Federal agencies such as NIST are partnering with
industry, university, and States to have America lead the way.
Thank you.
[The prepared statement of Chairwoman Stevens follows:]
Good morning and welcome to this hearing of the
Subcommittee on Research and Technology to explore the major
challenges that have led to our national cybersecurity
workforce shortage and the programs underway to address that
shortage. A special welcome to our distinguished panel of
witnesses for joining us here today. I'm looking forward to
hearing your testimony. Almost every day we hear news about
security breaches, poor system design, and vulnerabilities
disrupting businesses and individuals' lives. Part of the
reason cybersecurity issues are so prevalent is that the demand
for skilled cybersecurity professionals far exceeds the supply
of those individuals.
According to CyberSeek, a tool funded by the National
Initiative for Cybersecurity Education (NICE), as of last month
there are over a half a million job openings related to
cybersecurity in the United States. That means nearly one in
three cybersecurity jobs go unfilled.
There are many reasons for this workforce shortfall.
Relatively few high school students have any exposure to
computer science in the classroom, let alone cybersecurity.
Even when students graduate from college with a degree in
computer science, they often lack the cybersecurity skills and
hands-on experience to fill job openings.
We must also recognize and encourage the multiple pathways
to careers in cybersecurity, including certification programs
and apprenticeships. On Saturday, I held a town hall on special
education in my district. One of the excellent resources we
highlighted is the Living & Learning Enrichment Center, a
center for adults with disabilities that has just partnered
with Cisco and the Michigan Career & Technical Institute to
start a cybersecurity certification to train adults with
disabilities that traditionally present barriers to employment.
In addition, the cybersecurity field as a whole lacks
diversity, even more so than many other STEM fields. The math
is simple: Last year, women accounted for only 20 percent of
the global cybersecurity workforce. Women of color in
cybersecurity jobs make on average $10,000 less than their male
counterparts. We cannot address our current and future
cybersecurity workforce needs without recruiting and retaining
more women and minorities into the field. All of our panelists
have been leaders in addressing the diversity challenge, and I
look forward to hearing about your efforts on that front.
It should not be a surprise that I am excited to have NIST
represented on this panel to talk about their leadership in
building the government's and the nation's cybersecurity
workforce. The National Institute of Standards and Technology
is playing a critical role in cybersecurity workforce
development across the country through the National Initiative
for Cybersecurity Education. We will also discuss many of the
important federal programs at the National Science Foundation,
the Department of Homeland Security, and other agencies
designed to educate and train the next generation of
cybersecurity professionals.
Finally, we will explore how partnerships between academia,
industry, and Federal and state governments are working to
improve our cybersecurity workforce.
I am proud to say that my home state of Michigan has led
the way in developing education and training programs to equip
Michiganders with the skills they need to pursue a career in
cybersecurity. Governor Gretchen Whitmer, and her predecessor
Governor Snyder, have implemented programs like the Governor's
High School Cyber Challenge and Girls Go Cyber to give Michigan
high schoolers experiences in cybersecurity. We will hear about
some of those efforts today.
I want to again thank the witnesses for being here today to
help us understand the challenges that organizations face to
recruit a skilled cybersecurity workforce, effective education
and workforce programs designed to help organizations meet
cybersecurity workforce needs, and how Federal agencies, such
as NIST, are partnering with industry, universities, and states
to lead the way.
Chairwoman Stevens. At this time, the Chair is now going
to recognize Dr. Baird for an opening statement.
Mr. Baird. Good morning, Chairwoman Stevens, and thank you
for holding this hearing today and giving us the opportunity to
examine the challenges both public and private that we're
facing in recruiting and training cybersecurity professionals.
And I do very much appreciate and we all appreciate all of you
witnesses being here today and taking the time out of your
schedule to do that.
But with advances in technology and the growth in the
Internet of Things come the new methods that foreign countries
and cybercriminals can use to attack and access our networks.
So Americans' information is vulnerable, and we will hear today
there is a demand for trained cybersecurity experts to identify
and defend against cyber attacks.
According to the data derived from job posting, the number
of unfilled security jobs has grown by more than 50 percent
since 2015. And by 2022, the global cybersecurity workforce
shortage is projected to reach upwards of 1.8 million. That's
just 2 years away, so it kind of gives us a clue how fast and
how demand is increasing.
So well-trained professionals are essential to our ability
to implement proven security techniques. Institutions of higher
education are working to create and improve cyber education and
training programs focused on ensuring that there are enough
professionals to meet our needs.
I am very proud to say that Indiana--did you catch that?
Indiana has several universities that are leading the way in
cyber education and training. Purdue University, which is the
home to the Nation's first computer science department, hosts
the Center for Education and Research in Information Assurance
and Security, which is CERIAS. CERIAS is one of the seven
original programs designed as a National Center of Academic
Excellence in Cyber Defense, sponsored by the Department of
Homeland Security and the National Security Agency.
The Purdue program has produced 215 graduates with
doctoral degrees in cybersecurity and 329 graduates with
master's degrees in cybersecurity. Purdue University Northwest
is home to another Center for Academic Excellence for
information assurance and cyber defense education. As of this
fall, Purdue Northwest has more than 200 students enrolled in
its cybersecurity major.
Indiana is also very lucky to have two Centers of Academic
Excellence designed and designated as 2-year institutions:
Moraine Valley Community College and Ivy Tech Community
College. These programs help us meet the growing demand
nationwide for cybersecurity professionals at all skill levels.
The Science Committee has an important role in supporting
programs that are providing the skills and expertise needed to
defend and support our systems from cyberthreats. I'm an
original co-sponsor to the Securing American Leadership in
Science and Technology Act. This legislation takes important
steps to improve America's cybersecurity capabilities. It makes
strategic investments in cybersecurity research and development
across Federal science agencies. And it supports building up
the NSF (National Science Foundation) Scholarship for Service
program, CyberCorps, to grow and improve the quality of
America's cybersecurity workforce. Protecting America's cyber-
systems is critical to our economic and national security.
While these Federal programs play an important role,
industry has really stepped up and developed some initiative
and innovative programs to address the cybersecurity skills gap
that we are currently facing, such as IBM's New Collar program.
I would like to thank each of the witnesses for taking the
time to be here, and we really appreciate your efforts and
expertise. I look forward to hearing from each of you and
provide an overview of the state of the cybersecurity workforce
and recommend how the Federal Government can best work with
industry and academia to meet this challenge.
Thank you, and I yield back the balance of my time.
[The prepared statement of Mr. Baird follows:]
Good morning Chairwoman Stevens and thank you for holding
today's hearing to examine the challenges both the public and
private sectors are facing in recruiting and training
cybersecurity professionals.
With advances in technology and the growth of the
``internet of things'' come new methods that foreign countries
and cybercriminals can use to attack and access our networks.
Americans' information is vulnerable and, as we will hear
today, there is a demand for trained cybersecurity experts to
identify and defend against cyber-attacks.
According to data derived from job postings, the number of
unfilled cybersecurity jobs has grown by more than 50 percent
since 2015. By 2022, the global cybersecurity workforce
shortage is projected to reach upwards of 1.8 million unfilled
positions.
Well-trained professionals are essential to our ability to
implement proven security techniques. Institutions of higher
education are working to create and improve cyber education and
training programs focused on ensuring there are enough
professionals to meet our needs.
I am very proud to say that Indiana has several
universities that are leading the way in cyber education and
training. Purdue University, which is home to the nation's
first computer science department, hosts the Center for
Education and Research in Information Assurance and Security
(CERIAS).
CERIAS is one of the seven original programs designed as a
National Center of Academic Excellence in Cyber Defense,
sponsored by the Department of Homeland Security (DHS) and the
National Security Agency (NSA).
The Purdue program has produced 215 graduates with doctoral
degrees in Cybersecurity and 329 graduates with master's
degrees in Cybersecurity. Purdue University Northwest is home
to another Center of Academic Excellence for Information
Assurance and Cyber Defense Education. As of this fall, Purdue
Northwest has more than 200 students enrolled in its
Cybersecurity major.
Indiana is also very lucky to have two Centers of Academic
Excellence designated two-year institutions: Moraine Valley
Community College and Ivy Tech Community College. These
programs help us meet the growing demand nationwide for
cybersecurity professionals at all skill levels.
The Science Committee has an important role in supporting
programs that are providing the skills and expertise needed to
defend and support our systems from cyberthreats.
I am an original co-sponsor of the Securing American
Leadership in Science and Technology Act. This legislation
takes important steps to improve America's cybersecurity
capabilities. It makes strategic investments in cybersecurity
research and development across federal science agencies. And
it supports building up the NSF scholarship for service
program, Cybercorps, to grow and improve the quality of
America's cybersecurity workforce.
Protecting America's cyber-systems is critical to our
economic and national security.
While these federal programs play an important role,
industry has really stepped up and developed some innovative
programs to address the cybersecurity skills gap we are
currently facing, such as IBM's New Collar program.
I would like to thank each of our witnesses for taking the
time to be here with us this morning. I look forward to hearing
from you as you provide an overview of the state of the
cybersecurity workforce and recommend how the federal
government can best work with industry and academia to meet
this challenge.
Thank you and I yield back the balance of my time.
Chairwoman Stevens. Thank you. And at this time the Chair
now recognizes our Chairwoman, Chairwoman Johnson of the full
Science Committee, for an opening statement.
Chairwoman Johnson. Thank you very much, Chairwoman
Stevens and Ranking Member Baird, for holding this morning's
hearing on developing our Nation's cybersecurity workforce, and
I want to welcome and thank our expert witnesses for their
testimony as well.
We spend a lot of time in the Science, Space, and
Technology Committee focusing on the challenges in developing a
skilled STEM workforce for the 21st Century, and on exploring
the ways in the which the Federal Government can best address
these challenges. While we need to develop the STEM pipeline
across all fields, there are particular fields in which the gap
between the supply and demand is especially acute.
Cybersecurity is one of those.
Technology alone will not mitigate the many risks that
individuals, businesses, and governments face in cyberspace. We
need researchers who understand the risks as they evolve and
can build new defensive tools. We need executives who
understand what is needed to defend their own organizations. We
need technicians monitoring the systems on a daily basis. And
we need many other types of cybersecurity jobs in between.
The fact is we need to educate and train individuals in
cybersecurity at all levels, and it requires not just degrees
but different types of certifications, as well as continuing
education for those already in the workforce. And finally, we
need the general public to be well-educated about cyber
hygiene, starting in our elementary schools.
The National Initiative for Cybersecurity Education, or
NICE, was created under the Obama Administration to coordinate
and expand Federal investments in a skilled cybersecurity
workforce and a cybersecurity-savvy public. Congress, led by
this Committee, certified NICE in the Cybersecurity Enhancement
Act of 2013.
The National Institute of Standards and Technology is
tasked with leading NICE. NIST is not traditionally an agency
that leads on workforce issues. It is, however, an agency that
leads on cybersecurity standards for both the public and
private sectors. With its unique understanding and unsurpassed
expertise in cybersecurity, NIST is the right agency to
coordinate to lead efforts to develop a cybersecurity workforce
for the Nation.
The Science, Space, and Technology Committee has been
enacting cybersecurity-focused legislation since 2002, and we
are planning to move additional legislation this year. I look
forward to continuing to collaborate across the aisle and
across Committee lines to take a whole-of-government approach
to cybersecurity, starting with the workforce.
In that regard, I look forward to hearing from today's
witnesses in how the activities carried out under NICE can
continue to be strengthened.
Thank you, and I yield back.
[The prepared statement of Chairwoman Johnson follows:]
Thank you Chairwoman Stevens and Ranking Member Baird for
holding this morning's hearing on developing our nation's
cybersecurity workforce and I want to welcome and thank the
expert witnesses for their testimony.
We spend a lot of time in the Science, Space, and
Technology Committee focusing on the challenges in developing a
skilled STEM workforce for the 21st Century, and on exploring
the ways in the which the Federal government can best address
those challenges. While we need to develop the STEM pipeline
across all fields, there are particular fields for which the
gap between supply and demand is especially acute.
Cybersecurity is one such field.
Technology alone will not mitigate the many risks that
individuals, businesses, and governments face in cyber space.
We need researchers who understand the risks as they evolve and
can build new defensive tools. We need executives who
understand what is needed to defend their own organizations. We
need technicians monitoring the systems on a daily basis. And
we need many other types of cybersecurity jobs in between. The
fact is we need to educate and train individuals in
cybersecurity at all levels, and it requires not just degrees
but different types of certifications as well as continuing
education for those already in the workforce. Finally, we need
the general public to be well educated about cyber hygiene,
starting in our elementary schools.
The National Initiative for Cybersecurity Education, or
NICE, was created under the Obama Administration to coordinate
and expand Federal investments in a skilled cybersecurity
workforce and a cybersecurity savvy public. Congress, led by
this Committee, codified NICE in the Cybersecurity Enhancement
Act of 2013. The National Institute of Standards and Technology
is tasked with leading NICE. NIST is not traditionally an
agency that leads on workforce issues. It is, however, an
agency that leads on cybersecurity standards for both the
public and private sectors. With its unique and unsurpassed
expertise in cybersecurity, NIST is the right agency to
continue to lead efforts to develop a cybersecurity workforce
for the nation.
The Science, Space, and Technology Committee has been
enacting cybersecurity-focused legislation since 2002, and we
are planning to move additional legislation this year. I look
forward to continuing to collaborate across the aisle and
across Committee lines to take a whole-of-government approach
to cybersecurity, starting with the workforce.
In that regard, I look forward to hearing from today's
witnesses how the activities carried out under NICE can
continue to be strengthened.
Chairwoman Stevens. Great, thank you, Madam Chair.
If there are Members who wish to submit additional opening
statements, your statements will be added to the record at this
point.
And at this time I'd like to introduce our witnesses. Our
first witness is Mr. Rodney Petersen. Mr. Petersen is the
Director of the National Initiative for Cybersecurity
Education, NICE, at the National Institute of Standards and
Technology. Prior to his position at NICE, Mr. Petersen served
as the Managing Director of the EDUCAUSE Washington office and
Senior Government Relations Officer. He founded and directed
the EDUCAUSE Cybersecurity Initiative and was the staff liaison
for the Higher Education Information Security Council. Prior to
joining EDUCAUSE, he worked two different times for the
University of Maryland first as Chief Compliance Officer in the
Office of the President and later as the Director of IT Policy
and Planning in the Office of the Vice President and Chief
Information Officer. Mr. Petersen is also the co-editor of a
book entitled ``Computer and Network Security in Higher
Education.''
Our next witness is Dr. Ambareen Siraj. Dr. Siraj is a
Professor of Computer Science and the founding Director of
Tennessee Tech University's Cybersecurity Education Research
and Outreach Center, and has served as the leader on several
NSF and NSA (National Security Agency) education and workforce
development grants. Dr. Siraj is also the founder of the Women
in Cybersecurity organization, an NSF-funded initiative to
recruit, retain, and advance women in cybersecurity. Dr.
Siraj's research focus is on security in cyber physical
systems, Internet of Things, situation assessment and network
security, security education and workforce development. She was
a 2018 recipient of the Colloquium for Information System
Security Education Exceptional Leadership in Education Award.
After Dr. Siraj is Mr. Joseph Sawasky. Mr. Sawasky is
currently the President and CEO of Merit Network, a nonprofit
corporation governed by Michigan's public universities. Merit
owns and operates the Nation's longest-running regional
research and education network, having been formed in 1966 by
the University of Michigan, Michigan State University, and
Wayne State University. Mr. Sawasky and his team at Merit also
run the Michigan Cyber Range, the Nation's largest unclassified
network-accessible cybersecurity training platform. Prior to
his role at Merit, Mr. Sawasky was the Chief Information
Officer at Wayne State University, doing this from 2007 to
2015, during which time he also served on the boards of the
Merit Network, the Detroit CIO Executive Summit, and Michigan
Technology Leaders. He also worked at the University of Toledo
for 22 years and in his last position served as CIO. We are
delighted we recruited him to Michigan.
Our fourth witness is Ms. Sonya Miller. Ms. Miller is the
IBM H.R. Director for both IBM Security and Enterprise and
Technology Security, two distinct divisions within IBM that
require workers who have the skills and experience in
cybersecurity to protect IBM and IBM clients. IBM Security has
8,000 employees, including researchers, developers, and subject
matter experts focused on security and more than 10,000
security-related patents. Wow. Since 2015, IBM Security has
hired nearly 4,400 additional experts into its security
business. In her position, Ms. Miller is charged with ensuring
both divisions have the skilled staff necessary to fulfill
their missions. Wow. Just an absolute fantastic panel.
As our witnesses should know, each of you will have 5
minutes for your spoken testimony. Be sure to put your mic on.
Your written testimony will be included in the record for the
hearing. And when you've completed your spoken testimony, we'll
begin with questions. Each Member will have 5 minutes to
question the panel. And for testimony, we're going to start
with Mr. Petersen.
TESTIMONY OF MR. RODNEY PETERSEN, DIRECTOR,
NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Mr. Petersen. Thank you, Chairwoman Stevens, Ranking
Member Baird, and Members of the Subcommittee. I am Rodney
Petersen, the Director of the National Initiative for
Cybersecurity Education, or NICE, at the Department of
Commerce's National Institute of Standards and Technology known
as NIST. Thank you for the opportunity to appear before you
today to discuss the role that NICE plays in interagency
coordination for cybersecurity education workforce issues, and
the challenges the Federal Government faces in recruiting and
retaining skilled cybersecurity practitioners.
NICE is a partnership between government, academia, and
the private sector. Our program is focused on promoting and
energizing a robust network and ecosystem of cybersecurity
education, training, and workforce development. NICE fulfills
this mission by coordinating with its partners to build on
existing successful programs, facilitating change and
innovation, and bringing leadership and vision to increase the
number of skilled cybersecurity workers to keep our Nation
secure.
To coordinate at the Federal level, NICE Interagency
Coordinating Council convenes our Federal Government partners
for consultation, communication, policy, and strategic
direction. This coordination provides an opportunity for the
NIST-led NICE program office to communicate program updates
with key partners in the Federal Government, as well as to
learn about other Federal Government activities in support of
NICE. The group also identifies and discusses policy issues and
provides input into the strategic directions for NICE.
Another means of coordination is the NICE working group.
This working group has been established to provide a mechanism
in which the public and private sector participants can develop
concepts, design strategies, pursue actions that advance
cybersecurity education, training, and workforce development.
Let me share a couple of accomplishments from our current
NICE strategic plan. First, NICE issued six awards to pilot
Regional Alliances and Multi-stakeholder Partnerships
Stimulating Cybersecurity Education and Workforce Development.
These regional communities, known as RAMPS for cybersecurity
workforce, were designed to stimulate local economic
communities to work together to rally education and training
providers to meet local workforce needs.
Second, NICE also awarded a grant to develop a website
known as CyberSeek that was cited earlier today, which includes
both an interactive jobs heat map, as well as a career pathway
portal. The jobs heat map shows that there are over 500,000
open jobs in cybersecurity today across the United States. It
further indicates that there are almost a million people
employed in cybersecurity today. The map can be used to search
for demand by State. For example, there are 8,760 open
positions in Michigan alone, 5,603 in Tennessee, and 4,533 in
Indiana. You can also use that website to search by major
metropolitan areas either within a State or across State lines.
So, for example, the D.C. metropolitan area in which we
currently reside has 64,089 open jobs.
One of the challenges in cybersecurity education training
and workforce development is having a common language. To meet
this need, NIST published the NICE Cybersecurity Workforce
Framework. The common taxonomy in the NICE framework can be
used by employers to structure their workforce, develop
position descriptions, or craft employee development plans. The
NICE framework begins to demystify a career in cybersecurity by
showing the variety of types of work roles that exist and the
multiple career pathways for entering and advancing in a
cybersecurity career. An update to that NICE framework is
happening this year.
During 2020, NICE is embarking upon a consultative process
that will result in a new 5-year strategic plan, as required by
the Cybersecurity Enhancement Act, and that plan will be
informed by the community that we serve.
As NICE develops its next strategic plan, a few trends are
beginning to emerge. First, the need to enhance cybersecurity
career discovery for learners of all ages. Second, the need to
transform the learning process to emphasize the
multidisciplinary nature of cybersecurity and the multiple
pathways to enter into a cybersecurity career. And third, the
need to modernize the talent acquisition process to facilitate
skills-based hiring that enables career mobility.
All of these trends and current activities of NICE
directly support the goals of the National Council for the
American Worker. Established under Executive Order, the
National Council is creating the first-ever national workforce
strategy. This strategy is promoting the importance of multiple
pathways to careers, the central role that employers play as
part of our national education and workforce system, the need
for companies to employ skill-based hiring, the need for
greater transparency in the skills that companies need, and the
return on investment of different learning pathways.
NIST is excited about the accomplishments of the NICE
program in addressing the future of cybersecurity education in
the United States in order to increase the number of skilled
cybersecurity practitioners that are helping to keep our Nation
secure. NIST looks forward to continuing to support the
Nation's ability to address current and future challenges
through standards and best practices.
Thank you for the opportunity to testify today, and I
would be happy to answer any questions that you may have.
[The prepared statement of Mr. Petersen follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
TESTIMONY OF DR. AMBAREEN SIRAJ, PROFESSOR,
COMPUTER SCIENCE, AND DIRECTOR, CYBERSECURITY
EDUCATION RESEARCH AND OUTREACH CENTER,
TENNESSEE TECH UNIVERSITY
Dr. Siraj. Chairwoman Stevens, Ranking Member Baird, and
the Members of the Committee and Subcommittee, thank you for
inviting me today in this very important discussion. My name is
Ambareen Siraj. I was born and raised in Bangladesh where my
dad taught me two simple things: working hard and serving
others. I'm blessed that this Nation has provided me, an
underrepresented immigrant, with an opportunity to serve as an
educator, a researcher, and a leader.
I'm honored to share with you today how we at Tennessee
Tech are contributing to the development of the U.S.
cybersecurity workforce. Reputed statewide for its
undergraduate engineering education, Tennessee Tech is located
in the city of Cookeville in middle Tennessee with a student
population of a little over 10,000. Our computer science, C.S.,
enrollment is increasing at a higher rate than any College of
Engineering programs. Among the three focus areas in C.S.,
cybersecurity has the majority of students, around 500, and its
enrollment quadrupled in the last 4 years since it started.
Operating since 2016, CEROC (Cybersecurity Education,
Research and Outreach Center) is a Center of Academic
Excellence in cyber defense education accredited by the
National Security Agency and the Department of Homeland
Security. At CEROC our cybersecurity students, we facilitated
an integrated experience in informal education, research, and
outreach activities alongside their formal cybersecurity
education as part of the C.S. curriculum. With the mantra of
continuous learning, crowd-sourced learning, and playing it
forward, our students are constantly challenged to immerse
themselves into educational experiences that enrich self and
those around them.
Over the last few years multiple CEROC projects funded
through the National Science Foundation and the Department of
Defense have impacted thousands of secondary and postsecondary
students and hundreds of educators in Tennessee and beyond.
Scholarship for Service (SFS), DOD CySP, and GenCyber are among
these.
One of our programs with great impact is the Women in
Cybersecurity (WiCyS) initiative. At the time when female
representation of cybersecurity was only 11 percent, our
journey began in 2013 with funding from National Science
Foundation. Today, I'm proud to let you know that over 7 years
and $3.5 million funding from industry support WiCyS has
provided approximately 3,000 student scholarships, 340 faculty
scholarships, and 6,400 in attendance. Not only the flagship
conference for women in cyber, WiCyS has become, regardless of
gender, the largest security conference in the Nation that
ensures comparable representation of students and professionals
in the audience both from public and private sectors.
Operating as a nonprofit organization since late 2017,
WiCyS is more than 6,000 members strong with 89 student
chapters across 35 States, 15 professional affiliates across 20
States, and a suite of services to its community that includes
students, professionals, educators, and veterans.
There is yet a lot to be done. The current 20 percent
female representation in cybersecurity is not just a threat to
diversity and inclusion but also a threat to the cybersecurity
workforce pipeline. To bolster the cybersecurity workforce, I
encourage Congress to invest in Federal programs such as CAE
(Center for Academic Excellence), SFS (Scholarship for
Service), CySP, GenCyber, and commission more of such programs
that enable educational and nonprofit programs to support
diverse populations in cyber, community college pathways,
preparation and pipeline of educators, and nontraditional
pathways for workers. The support opportunities and resources
provided by these Federal grants are central to enable smaller
schools like us to contribute in the Nation's cyber agenda in
our own ways with our own strength and through our own
community and beyond.
As we continue to do our part, I would like to end with a
quote from one of our many students at Tennessee Tech who are
hardworking, humble, and optimistic about their future and
their country. M. writes, ``This program has given me the
courage to dream big, to continue seeking knowledge, and to
make a difference in the world.''
I sincerely appreciate the opportunity to speak today. I
hope that Tennessee Tech, CEROC, and I can continue to be a
resource for Congress. I look forward to our discussion. Thank
you.
[The prepared statement of Dr. Siraj follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
TESTIMONY OF MR. JOSEPH SAWASKY,
PRESIDENT AND CHIEF EXECUTIVE OFFICER,
MERIT NETWORK, INC.
Mr. Sawasky. Honorable Chairwoman Stevens, Ranking Member
Baird, and Members of the Subcommittee, thank you for the
invitation to present Michigan perspectives on the critical
issue of cybersecurity workforce development. My organization,
Merit Network, provides advanced networking, security, and
community solutions to higher ed, K-12, libraries, and other
nonprofits in Michigan. Given our mission-critical work across
the State, we see firsthand the ever-increasing importance of
cybersecurity and the desperate need to expand that workforce.
Our country faces threats constantly from adversarial
organizations but quietly and diligently on the frontlines are
our Nation's thin ranks of dedicated cybersecurity
professionals. According to estimates, the United States has a
shortfall of over a half million security professionals. In
Michigan alone we have nearly 9,000 vacant positions now. These
gaps are projected to widen.
Over the last several years, Michigan has developed a
unique approach to developing a cybersecurity training
ecosystem and a powerful tech platform for practicing skills.
The Michigan Cyber Range was created through collaboration
between the State, industry, and Merit beginning in 2012. The
Cyber Range is one of the Nation's largest unclassified
practicum environments for security professionals to test their
skills in cyber defense.
The Range features a simulated city called Alphaville that
contains a virtual city hall, school, library, and factory,
among other things. In our game of five practice environments,
Merit has engaged nearly 4,000 participants from Michigan and
other States and even other countries in cyber exercises.
Additionally, with the support of the Michigan Economic
Development Corporation, we've cultivated a statewide ecosystem
of training partners called Cyber Range Hubs helping them train
and certify students in a variety of cybersecurity courses
using the Cyber Range platform in its course curriculum. This
program represents a novel augmentation of traditional higher
ed and K-12 courses in the State.
There are real challenges faced by our partner
organizations in the education, government, and nonprofit
sectors in recruiting a skilled cybersecurity workforce. The
primary challenge facing nonprofits is an extremely low supply
of available talent. This low supply results in high demand for
employees, higher market salaries, and longer-than-average
times to fill vacancies. Yet nonprofits support a vast array of
essential societal services and are still charged with
protecting enormous amounts of confidential data. They face the
very same cyber threats as other sectors, but their ability to
attract cyber talent is constrained. Compounding this problem,
finding qualified teachers and trainers for cybersecurity
courses is really difficult, exacerbating the situation for
nonprofits in the industry overall.
There's consensus in Michigan that K-12 is the first key
to improving the security talent pipeline. That pipeline starts
in K-12, and it's essential that skill development and
awareness of cybersecurity career opportunities begin at early
ages. Given that this field is fairly new and rapidly evolving,
there has not been a pervasive focus on it for K-12 students or
teachers. It's imperative that we demystify and de-nerdify
cyber career opportunities to broaden the appeal of this career
path.
Additionally, we should expand student interest by
providing more opportunities for underrepresented groups,
including females and minorities whose participation in the
cyber workforce has been historically low.
To help promote K-12 enthusiasm in cyber, Merit runs the
Governor's High School Cyber Challenge. Last year, we had over
600 students and over 200 high school teams participate with
the top 10 teams being invited to the final contest at the
Governor's Cyber Summit in Detroit and the top three teams
being awarded trophies personally by the Governor herself.
Through this exciting event, Michigan has celebrated K-12 cyber
talent in every corner of our great State.
Considering all this, State and Federal Governments have a
critical role to play in bolstering the cybersecurity workforce
pipeline. One, they should increase support to programs aimed
at improving K-12 awareness and skill development for both
students and teachers. Two, they should increase support for
education, training, and certification, including early
credentialing in both high school and college. Three, they
should increase support for skill development for
underrepresented groups to grow that pool. And, four, they
should incentivize coordinated efforts between academia,
industry, and government.
And to wrap up, I'd like to say that many organizations
are only one cybersecurity position away from a major disaster,
and it's essential that we all work together to develop and
grow this now-critical part of the U.S. workforce. Thank you
for the opportunity to provide Michigan perspectives.
[The prepared statement of Mr. Sawasky follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
TESTIMONY OF MS. SONYA MILLER,
H.R. DIRECTOR, IBM SECURITY AND ENTERPRISE
& TECHNOLOGY SECURITY
Ms. Miller. Chairman Stevens, Ranking Member Baird, and
distinguished Members, I'm the H.R. Director for both our
internal security and for our division that helps clients to
protect against cyber attacks. IBM Security is the largest
security vendor in the world. IBM manages over 70 billion
security events per day for our clients, one of the largest
security intelligence operations in the world. We have 17,500
clients in more than 130 countries, 8,000 employees, including
researchers, developers, and subject matter experts focused on
security, and more than 10,000 security-related patents. Since
2015, IBM Security has hired nearly 4,400 additional experts
into the security business and invested more than $2 billion in
dedicated R&D (research and development).
Although today's hearing focuses on cybersecurity, the
workforce challenges for research are similar. Inclusion,
alignment, and attainment are obstacles of both cybersecurity
and the research workforce pipeline.
To this end, I would also like to take this opportunity to
thank the Committee for its very strong leadership and support
of the National Quantum Initiatives Act.
Now, to understand IBM Security, it's important to
understand the people behind the brand. Our cybersecurity
experts have a broad range of skills, including researchers
analyzing software for vulnerabilities, incident response
teams, analysts who spend hours studying the tactics of cyber
criminals, and a security operation center staff who guards us
in real time from threats around the globe.
New-collar workers with skills, experience, and diversity
but lacking degrees are a strategic opportunity for the
cybersecurity workforce. Around 2/3 of the U.S. working-age
population doesn't have a bachelor's degree. IBM new-collar
approach emphasizes work-based learning and core skills like
teaming and adaptability. It is a pathway to finding and
attracting nontraditional candidates with diverse backgrounds
and skill sets.
To expand new-collar pathways into our cybersecurity jobs,
IBM is experimenting with a multitude of approaches to educate
and develop the next generation of cybersecurity professionals.
Over 220 pathways in technology early college high schools, so
P-TECHs, are educating students in 24 countries with the
participation of over 600 companies. Through P-TECH, public
high school students can earn both a high school diploma and an
industry-recognized 2 year postsecondary degree at no cost to
them or their families, while working with industry partners
like IBM on skills mapping, mentorship, and workplace
experiences and internships. IBM launched our apprenticeship
program in October 2017. Apprentices are paid while in the
program, avoiding that student loan debt and earning skills to
work in the tech industry right away.
Finally, IBM is trying to tap into sources of talent that
have been underrepresented in cybersecurity. As others
mentioned, for example, women are globally underrepresented in
the cybersecurity profession at 24 percent, even lower than the
IT industry overall. IBM is actively recruiting
underrepresented groups through programs that seek
underrepresented talent for a more inclusive workforce.
IBM's effort to build a cybersecurity workforce proves to
be working. Nearly 20 percent of our security hires since 2015
were new-collar workers. IBM urges the Committee to examine the
following areas for change, government activity that will
improve the cybersecurity workforce. One, introduce and enact
companion legislation to S. 2775, the HACKED Act of 2019, as
passed by the Senate Commerce Committee, and work closely with
your colleagues in the Senate to pass a bipartisan proposal
that will strengthen Americans' cybersecurity workforce and
align education and training with the cybersecurity workforce
needs.
Second, higher education act reforms, including passage of
H.R. 3497, the JOBS Act of 2019, to extend Federal Pell Grant
eligibility of short-term programs, removal of restrictions
that prevent students from using their Federal work-study with
cybersecurity-related internships in private sector, and
support additional pathways to careers.
And third, explore P-TECH models. Federal agencies should
explore the P-TECH models for workforce development strategies
they can implement and expanding new-collar hiring. The Federal
Government should adopt a new-collar approach to real and
expanded sources of labor.
So thank you, Members of the Committee, for the
opportunity to present IBM's approach to improving
cybersecurity education and your consideration of this
testimony. I'm looking forward to your questions.
[The prepared statement of Ms. Miller follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Stevens. Well, we've done a few things in this
space, and you all touched on some great points.
At this time, we'd like to open up for 5 minutes of
questioning. And the Chair is going to recognize herself for 5
minutes of questioning, so we can start the clock now.
You know, certainly we've taken some steps just in the
last couple of weeks with Chairwoman Johnson's support. We
launched the first-ever Women in STEM Caucus in Congress. Dr.
Baird and I got a bill signed into law at the end of last year,
the Building Blocks of STEM Act, which is, again, supporting
those early childhood investments in educational programming
for science, technology, engineering, and mathematics. And that
continuity, as we all know, is so important, right, that
onramp, the pathways. Your testimonies all specifically touch
on that.
Mr. Petersen, I just wanted to--let's understand a little
bit about--more about NICE here, NICE within NIST within the
Department of Commerce. How big is your department?
Mr. Petersen. So we are a small team of five full-time
employees, and we have an approximate $4 million budget
appropriated by Congress, so a relatively small organization.
Chairwoman Stevens. OK. Great. Well, we'll be going
through the budget reauthorization and taking a look at that
and making sure--so the--just the--half--less than half a dozen
of you developed the CyberSeek tool or did you contract out for
that?
Mr. Petersen. So that was a grant given to----
Chairwoman Stevens. OK.
Mr. Petersen. [continuing]. CompTIA and Burning Glass to
actually----
Chairwoman Stevens. Oh, Burning Glass.
Mr. Petersen [continuing]. Develop the tool. Yes.
Chairwoman Stevens. OK. Burning Glass. Oh, they're great.
They're fabulous. Well, that's a big accomplishment. And we're
glad to share that today, and we'll continue to share that.
And is that on the NICE website? Is that----
Mr. Petersen. There's a link to it, but it's----
Chairwoman Stevens. OK.
Mr. Petersen. [continuing]. CyberSeek.org----
Chairwoman Stevens. CyberSeek----
Mr. Petersen [continuing]. You can find it.
Chairwoman Stevens. CyberSeek.org. OK, great.
And as part of that heat-mapping process and, you know, as
we look to get in front of this, we--and, Ms. Miller, you
probably know this all too well, which is that the job profiles
are always changing, right? So we're seeking to hire for
certain roles. We know we have an emphasis on cybersecurity,
but with IOT (internet of things), other advancements, you
mentioned quantum, the nature of the work is changing. Have any
of you explored or seen how job profiling, taxonomy work, maybe
in--you know, with some of the big placement agencies,
Manpower, Kelly Services in Michigan, has that impacted this
cybersecurity workforce skills gap that we're experiencing? I
don't know if, Ms. Miller, you wanted to chime in there.
Ms. Miller. Well, IBM, we provide several assessments to
candidates around personality, so it's testing for the softer
skills, as well as learning agility, so a propensity toward
lifelong learning. So instead of testing for a specific job,
we're really looking for these kind of softer skills, as well
as some level of technical capability. So, you know, jobs--
there's jobs now that didn't exist 10 years ago. Therefore, you
have to have that agility in how your assessing people. You
can't just assess them for the job at hand.
Chairwoman Stevens. Yes. And, Mr. Sawasky, are you seeing
this, you know, the talent qualifications as described--you're
working hand-in-hand with the universities and have this great
career in this space, but the job profiling here I also think
is something that we want to kind of match up so that, you
know, when we're entering into the workforce, we've got that
pipeline and access.
Mr. Sawasky. Yes, absolutely. You know, I think what we're
looking for are problem-solvers and pattern-finders here,
regardless of sort of academic discipline. Some of the finest
IT professionals I've ever worked with were anthropologists and
psychologists and others.
Chairwoman Stevens. Yes.
Mr. Sawasky. So it's not absolutely necessary that
computer science is, you know, the first part of the background
for a successful career in cyber.
Chairwoman Stevens. Great. Dr. Siraj?
Dr. Siraj. So, you know, if you go to the CyberSeek
website, there is also an interactive pathways tab. And if you
click on that, it shows that in reality most of the data shows
that the top jobs are all based on computer science. But, you
know, it is absolutely true that cyber is very
multidisciplinary. And then we can have people coming from all
walks of life to have something--I mean, everyone can
contribute to solve a problem in cyber because cyber is so
vast.
Plus, also, you know, the NIST/NICE workforce framework
also helps with that because in that framework Department of
Homeland Security actually gave out a tool where someone can go
in and say, OK, I'm interested in data base, and it will show
that student or that person, you know, where in the NIST
framework that this person can contribute to in what way.
Chairwoman Stevens. Yes.
Dr. Siraj. Again, cyber is something that anyone can
contribute to with their own skills.
Chairwoman Stevens. Right. And so, Mr. Petersen, I'm sure
some of this is resonant with you. Do you see NICE being able
to work with every one of our witnesses and their portfolio of
work? And would our witnesses also agree that you get a lot out
of working with NICE and that department? So this five-person
department in the, you know, Department of Commerce, NIST----
Mr. Petersen. Yes, I was going to comment even though we
have five team members, the NICE community is vast and
everybody----
Chairwoman Stevens. Yes.
Mr. Petersen [continuing]. On the stage, every
organization represented here has worked directly with NIST and
NICE in the past in our national efforts. So our----
Chairwoman Stevens. Leveraged partnerships.
Mr. Petersen. Absolutely.
Chairwoman Stevens. Great. Thank you. I'm slightly over.
I'm going to yield back the rest of my time and recognize my
colleague Dr. Baird for 5 minutes of questioning.
Mr. Baird. Thank you, Madam Chair. And, you know, I've
gained a great deal of insight just having you here today, and
I'm sure those that are listening and read the reports will
also feel the same way.
But, Ms. Miller, I see in your testimony you said you
handle 70 billion security events per day for your clients? I
mean, that----
Ms. Miller. Well, not me personally, yes. IBM Security
does.
Mr. Baird. I understand. So then I have an interest in
veterans, and so they bring a wealth of skills from their
military training and then they got a lot of hands-on
experience. Sometimes they're not able to transfer their
military training over into various programs. So I guess my
question is what's IBM doing in their new-collar program? Is
that applicable to veterans? And then the second part of the,
have veterans participated in this program?
Ms. Miller. Yes, absolutely. So we have a variety of
programs targeted to veterans because they tend to actually be
a very good fit for cybersecurity roles, whether they've worked
in cybersecurity while in the military or they got requisite
training once they've left the military. We have a Veterans
Employment Initiative, so that's free training on IBM software.
And it comes with a certificate at the end. We touch over 100
veterans per year with that program using IBMers donating their
time.
We also have a corporate partnership with the USC Marshall
School Masters of Business for veterans, so we have IBM
mentors, advisors, and SMEs (small and mid-size enterprise)
donating their time to work with the veterans on capstone
projects, so basically developing innovative solutions to real-
world issues.
And, finally, we're also hiring veterans at all levels in
the company and in the security organization. I actually in
January was down in Austin, and we have a cohort of apprentices
that started in the first quarter of last year. Fifty percent
of those apprentices are veterans. One actually worked in
cybersecurity while in the military, and then applied through
the apprenticeship program what's going private sector. Another
one actually left the military. He worked for 10 years as a
corrections officer, decided to use some of his military
benefits, and now he's in our apprenticeship program. They're
hardware hackers and they're doing excellent.
Mr. Baird. Super. Then my next question goes to all of
you. You know, I mentioned earlier that Indiana has got four
Cybersecurity Centers for Academic Excellence, and I'm having
fun with the Chair about Indiana and Michigan, but in reality
I'm just using them because I'm familiar with it. So the
question comes down to how the Federal Government can further
build on programs like they have at Purdue, and someone
mentioned more like a 2-year program and so on. So I guess I'm
just asking how we as the Federal Government giving you the
opportunity to expand on how you think we can be helpful in
that area and to fill the half million jobs we have?
And so this is going to be ladies first. Dr. Siraj, you go
first, and then Ms. Miller and then back to Mr. Petersen.
Dr. Siraj. So, you know, as I said in my testimony that
programs like the CAE program that is NSA DHS program--
programs, NSF programs like CyberCorps, DOD (Department of
Defense) program like Cybersecurity Scholarship, GenCyber
program, I mean, all of these programs have been so impactful
to--I think the best thing about these programs is that it
enables smaller schools to have resources to build an army on
the ground. And then, you know, once we have all these
institutions making change in their own community, then
collectively we are going to see so much in the Nation.
So, you know, empowering these programs, again, NIST/NICE
has been extremely crucial for universities to get the momentum
going and also commissioning more programs like this that looks
at how to train educators in cybersecurity because that is the
biggest challenge. In 2018 there were 114 Ph.D.s in
cybersecurity, and only 14 of them went to universities as
faculty. So if we want to build pipeline in universities for
students, we have to find some ways to train and prepare and
allow educators to go into universities.
Mr. Baird. I see I'm over on time. Is it all right if----
Chairwoman Stevens. Yes, of course.
Mr. Baird [continuing]. They go ahead? Go ahead.
Ms. Miller. OK. I'll be quick. The Higher Education Act I
talked about reforms there, really removing the obstacles on
how people can use the funding students so that they're not
pushed into having to go through a 4-year degree. So I talked
about work-study programs and using their benefits to work in
the private sector in the field that's relevant for their
career aspirations, as well as using Pell Grants for shorter
education, you know, certifications and things like that versus
the 4-year degree I think is really important where we really
could use some help there to help students.
Mr. Petersen. So I think what NICE and NIST is best at is
convening communities, and so a lot of our work is at the
national level. We actually convene an annual K-12 conference
to bring together K-12 educators and administrators from across
the Nation. We do our own annual NICE conference that brings
together industry, academia, as well as government. We also
collaborate internationally. There's quite a few other
countries that are interested in adopting the NICE
Cybersecurity Workforce Framework as a standard not only for
their country but because of the global nature of work.
But we fundamentally believe that a lot of the solutions
and the answers are in the local communities, whether it be a
State like Michigan and the ecosystem that Mr. Sawasky
described is exactly what we promote in Indiana and all of your
different States, or at the local level, regional level,
however that might be defined. So when I earlier described that
RAMPS for Cybersecurity Workforce Development, that's really
about regional alliances, getting the K-12 higher education
training ecosystem working together to meet local workforce
needs.
Mr. Sawasky. I think fundamentally we need more funding to
grow the, you know, cybersecurity workforce than we have now. I
listened to my colleagues talk about, you know, graduating
hundreds of cyber pros at a time. And really we need to be
looking growing them at thousands at a time.
And the notion of early credentialing, building on what
Ms. Miller said, is really important. I will let you know that
my son Jerrod was pursuing his bachelor's degree in computer
science, and I strongly urged him to obtain a professional
cybersecurity certification in his sophomore year, and he did
that. And he got a job, and he's actually paying for his own
school now. He's out of the house, which is nice as well. And
he is becoming very successful with that early credentialing
program, and allowing students to support that early
credentialing in formal--in normal degree pathways I think is
really important.
Mr. Baird. Thank you. And I yield back.
Chairwoman Stevens. Great. And at this time we're going to
recognize Ms. Johnson for 5 minutes of questioning.
Chairwoman Johnson. Thank you very much.
I guess I can direct this to each of you. What are the
major challenges that have led to the cybersecurity workforce
shortfall? And what should Congress focus its future efforts on
to bolster the cybersecurity workforce?
Dr. Siraj. OK. So I will start. I think K-12 is the, you
know, most impactful because there is really not so much
activity in cybersecurity at K-12 and computer science. There
are only 33 States now that have started to have some
programming in computer science, and cybersecurity is much,
much behind that. So preparing teachers in K-12, you know,
provide opportunities to students like high school students,
giving them internships in cybersecurity, doing partnership
with educational institutions, giving infrastructure to K-12 so
that--you know, there is a trend right now that K-12 schools
are being hacked, so they need to also, you know, strengthen
their infrastructure.
And, again--so that's K-12. And in postsecondary there is
so much to do. Not many schools offer cybersecurity courses. I
think the key thing is to--not to treat cybersecurity as a silo
but integrate in computer science education, in STEM education.
In fact, make it a general education course in universities.
Mr. Sawasky. I think awareness is really important. A lot
of children in K through 12 aren't even aware that
cybersecurity is an option for careers. And I think in Michigan
with our Governor's Cyber Challenge, that's really helped
promote that awareness, too. And it's been fun to watch people
who traditionally haven't thought about career opportunities in
that field really dig in and work with their teachers and local
coaches.
And Merit being a network provider offers as a cloud-based
service so that we can reach every corner of our State into
underserved areas like Detroit and to rural areas like
Marquette, Michigan. We've seen talent emerge from those
programs.
Ms. Miller. So just to kind of build off of that, so 2/3
of high school students said the idea of a career in
cybersecurity had never been mentioned to them by, you know,
teachers and guidance counselors, so there's one of our
problems is that, you know, again, it's not being mentioned.
It's not being thought about while they're in school.
One of the things IBM is doing focusing on this is we
actually have something called IBM Cyber Day for Girls where we
have some of our professionals in cybersecurity at IBM go out
and meet with middle school girls to tell them about careers in
cybersecurity, as well as go through kind of a workshopping day
where they, you know, teach them about IOT, cybersecurity
hygiene, and those types of things to hopefully get them more
excited about cybersecurity. So we're trying to, you know, kind
of kill a couple birds with the same stone by getting women or
girls more interested in cybersecurity, as well as educating
about cybersecurity.
I also mentioned was we do need more curriculum--strong
curriculum in community colleges and 4-year colleges around
cybersecurity. Many do not have majors, minors, or any kind of
program study and certificate that they can get in those areas,
and I think that's going to be important as we continue to move
on and focus on the skill set.
Mr. Petersen. And while NICE would certainly agree with
everything that's been said and career discovery being
critical, I would say in addition to young people, we need to
focus on working adults. We need to focus on the transitioning
veterans, veterans' spouses, military spouses, adults that are
underemployed, unemployed, opportunity youth who are in that 18
to 25 age group who aren't currently getting an education or
working in a job because that's going to be the long-term
solution. But we have an immediate shortage today, and we have
to focus on adults as well as young children to have both a
near-term as well as a long-term solution.
Dr. Siraj. Also if I may add, community college is a big
part of the conversation because they represent the most
diverse body of students, so we must find effective ways to
create pathways from community college to 4-year universities
or find ways to get this community college students into
industry because there are--you know, there aren't many jobs
that will accept community college students with associate
degrees in cyber.
Chairwoman Johnson. Thank you very much. My time is
expired.
Chairwoman Stevens. At this time we're going to recognize
Dr. Foster for 5 minutes of questioning.
Mr. Foster. Well, thank you. I'd like to speak about--the
Department of Homeland Security oversees a program called
Cybersecurity Education and Training Assistance Program, or
CETAP, that's run by the National Integrated Cyber Education
Research Center pronounced NICERC. Now, CETAP promotes
cybersecurity education at multiple grade levels in multiple
States, including Illinois. It provides Federal financial
assistance toward community-based efforts to increase knowledge
of cybersecurity topics and to encourage interest in
cybersecurity as an academic pursuit and as a professional
career.
CETAP has hosted professional development workshops in
both Joliet and Aurora in my district, and Joliet and Aurora
teachers have attended professional development workshops
hosted by Chicago State University. Unfortunately, it's my
understanding that the latest President's budget has zeroed out
this program once again.
Now, Mr. Petersen or anyone else on the panel, could you
describe the CETAP program and curricula and what makes it
successful?
Mr. Petersen. So I am directly familiar with the NICERC
program, as you describe. And as I just said earlier, we
support a pretty broad, vast community and I'm proud to say
NICERC is very actively engaged with us and us with them as
well. For example, they are regular participants and sponsors
at our K-12 Cybersecurity Education Conference, which brings
together educators and administrators from across the Nation.
And, as you described, many States, many school districts, and
many State Departments of Education are using their curriculum.
And it's a way to get cybersecurity, as we heard described
earlier, into the schools at a younger and younger age. So we
certainly appreciate the effort they've done to both raise
awareness and the need to integrate cybersecurity across the
curriculum in our K-12 schools and the way to kind of
distribute the work that needs to be done across the United
States by developing a common curriculum that they're trying to
introduce in multiple States.
Mr. Foster. Yes. So are there many other curricular--
curricula-based programs for K-12, or are they mainly boot
camps?
Mr. Petersen. So curriculum happens in a lot of different
ways. I mean, for example, at the high school level there's
career technical education programs or CTE programs, and
there's career technical student organizations, as well as
other nonprofits that are partnering with the schools to both
develop curriculum, as well as to develop programs of study
that the students can pursue to become specialized or more
aware of cybersecurity curriculum.
I would say it's an emerging area, which is why NICERC has
certainly made an impact in both the number of teachers, as
well as number of students reached, but it is an emerging area
of opportunity for curriculum development at the K-12 level, as
I think we heard Ms. Miller describe.
Dr. Siraj. So if I may add, the--I have seen firsthand the
impact of NICERC, and what NICERC does, it trains the teachers
and not just, you know, computer science teachers but teachers
teaching math, arts, sciences, STEM subjects, and it gives them
resources so that they can talk about and teach security in
their classes. So programs like that, I mean, I think they're
crucial for the success of K-12 cybersecurity education and,
you know, I cannot say more better things about that program.
Mr. Foster. We have an interesting situation in just STEM
generally that young women are outperforming young men all the
way through the end of high school in STEM fields, and then in
the first couple years of college, participation is dropping
off dramatically. I just--you know, when I go to robotics
competitions in my district, which I do all the time, what I--
what I'm told is that all the way through junior high schools
the--girls and boys are well-integrated, and then when you hit
high school for some reason the gender disparity emerges.
What--where--what's the situation in cybersecurity?
Dr. Siraj. So, as I stated before, in a couple of years
back it was 11 percent. Now, it's 20 percent. It needs to be 50
percent because, as we all know, diverse groups are--outperform
any homogenous groups.
But I think what's happening is, as young girls are
getting into high schools and colleges, what's preventing them
to be in cyber is the stereotypical image that cyber portrays.
You know, when you tell a young girl that, you know, if you go
into cyber, you're just going to work in a dungeon. That
doesn't, you know, sound very promising. But if you tell the
young girl that if you work in cyber, you're going to keep
peace in cyberspace, you're going to prevent chaotic situations
in our modern-day technological lives, that's speaks a lot. So
I think the lack of community, the lack of inclusive
environment, the lack of role models----
Mr. Foster. Yes, the role models is something I've been
told repeatedly in things like robotics competitions. For some
reason most of the coaches in robotics teams in junior high
school tend to be women, and then that's not true in high
schools. And so the role models may be difficult to calculate,
but it may be a huge effect.
Anyway, Madam Chair, if it's possible if--to have a second
round of questions, I would--I would appreciate it if that's
feasible.
Chairwoman Stevens. So we were going to have the--before
we brought the hearing to a close, we were going to have the
witnesses, as we're here in Congress, share a couple of
minutes. But what we can do, Dr. Foster, is open it up for a
second round. I'll claim my 5 minutes and cede them to you.
Mr. Foster. Very well. So you've done so?
Chairwoman Stevens. Yes.
Mr. Foster. All right.
Chairwoman Stevens. So I've yielded my time----
Mr. Foster. Well, thank you.
Chairwoman Stevens [continuing]. To my colleague.
Mr. Foster. I appreciate it.
I'd like to raise the issue of foreign workers in
cybersecurity. In 1980 just 7.1 percent of American computer
science jobs were occupied by foreign-born workers. That grew
to about almost 30 percent by 2010 because of the breakneck
growth in the tech sector, which became increasingly reliant on
high-skilled visa-holding immigrants. And, unfortunately,
President Trump's immigration policies have made it harder for
tech companies to bring highly skilled workers into the United
States. For example, in March 2017 the USCIS (United States
Citizenship and Immigration Services) announced that entry-
level computer programmers would no longer automatically
qualify to apply for the visa programs and--but instead of this
meaning that more jobs will actually be filled by Americans, it
has turned out that it's just more likely now that companies
will send the work overseas where there are, you know,
employees that are eligible to work. The problem is that there
just are not enough trained Americans to fill the growing
demand of computer jobs generally.
So in response to this, last year, I introduced the Keep
STEM Talent Act to provide permanent resident status to
international students who completed advanced STEM degrees in
the U.S. institutions and they're interested in continuing
their research in the United States. I believe we should be
encouraging these young scientists to remain in the United
States and join the American scientific and cybersecurity
workforces.
So, Ms. Miller, how reliant is IBM on foreign talent and
computer scientists, and are there instances when you've
actually had to move work offshore simply because of the
shortage of cyber talent in the United States?
Ms. Miller. Well, IBM Security specifically is operating
in over 130 countries, so we have talent all over the world. We
do rely to some degree on bringing talent into the United
States, but it could be everything from the experience, you
know, so cross-training or the experience that they bring from
someplace else to train people here, or we're grooming them and
we're--you know, they go back to their home country. So there's
a variety of reasons why we may rely on it.
I don't think we have an overabundance of reliance on
that, but that's one of the reasons why in the United States
we're so focused on the skills-first approach to really
bringing in more cybersecurity professionals from here,
grooming that talent, providing a lot of resources to help--
free resources, curriculums on badges, external digital badges,
and the people can--people can attain to demonstrate their
proficiency and other tools so that we have the talent here and
we're continuing to groom that talent. So that's our main
focus. It's not to bring the talent from other countries
necessarily but to grow the talent here. And the new-collar
approach that we're taking is helping us do that.
Mr. Foster. Now, if you look at future needs in
cybersecurity, you know, something like half of all
cybersecurity instances have to do with someone impersonating
someone else online. And so then a lot of the reason that
you're focusing on soft skills is to train people simply to
operate their authentication properly. And there are
interesting proposals out there that the Federal Government
allows citizens who wants a means to digitally authenticate
themselves online--so this would--in its simplest form would be
simply, you know, if you get a Real ID card, you're also given
a digital means to assert that ID.
And so that is something that I know a lot of industries
are enthusiastic about being able to add onto as part of the
way of making sure that you don't have identity fraud, which
is, you know, the biggest single component of cyber insecurity
in our country. And so this is going to have a big impact if
people have good technical means to authenticate themselves.
And is that going to really change the nature of the
cybersecurity workforce so that you'll be more focused on, you
know, device security, program security rather than training
people to feed the systems properly?
Ms. Miller. I'm not sure I'm qualified to actually comment
on that. What I will tell you is that in the cybersecurity
space cyber criminals, they continue to evolve, and it's hard
to keep up with them. We were kind of joking yesterday that we
wished we understood the workforce strategy of these threat
actors and how they're findings such, you know, great talent
that's out there making us have to keep up, making us have to
continue to chase and understand what they're doing. But I
can't comment specifically on what technology and the effects--
--
Mr. Foster. Well, that's what makes it so tough for STEM
training generally. You know, I think 15 years ago we were
trying to teach all kids to learn HTML so they could, you know,
maintain their own webpages, and now, you know, we've got 3
billion webpage maintainers who maintain their Facebook page,
and it's--the nature of technology is that the training is when
you're planning 15 years out.
Now, just a last point if I could about the national labs.
You know, as I mentioned a few times on this Committee, I'm a
proud Co-Chair of the National Labs Caucus, and we're visiting
all 17 of the DOE (Department of Energy) labs. We just finished
visiting Oak Ridge National Lab. So, Dr. Siraj, in your
testimony you highlighted that Tennessee Tech University
faculty and graduate students have been conducting research
with the scientists and engineers at Oak Ridge National Lab and
on various DOE-funded research projects. Could you just say a
few words about that?
Dr. Siraj. So the way it came about because, you know, Oak
Ridge National Lab is just 1 hour away from us, and so we have
a couple of faculty in computer science who are working with a
couple of groups in Oak Ridge National Lab to work on security
research projects that I mentioned in my testimony. Plus, we
also have partnership where professionals there who don't have
a Ph.D. degree, they're working, they're going into doctoral
studies at our school, and our faculty are also going there to
teach security classes. There are professionals also coming to
our campus to teach security classes.
But, you know, this partnership is, you know--it's a win-
win situation for both entities, for the national lab and for
us for our students. It provides, you know, big opportunity to
speak to the scientist and the role models and learn from them
because, you know, what professors know, so----
Mr. Foster. Yes. Well, you know, one of my favorite events
of the year is to go to Argonne National Lab in my district,
which hosts the DOE-sponsored cybersecurity contest where the--
--
Dr. Siraj. Yes, CyberForce competition.
Mr. Foster. CyberForce competitions where college teams
come in from all over the country and try to hack each
other's----
Dr. Siraj. Yes.
Mr. Foster [continuing]. Equipment and it's----
Dr. Siraj. So----
Mr. Foster. It's a lot of fun. And, you're right, they do
enjoy interacting with the----
Dr. Siraj. Yes, so----
Mr. Foster [continuing]. Scientists there. Anyway, my----
Dr. Siraj [continuing]. Our students do that, too.
Mr. Foster. I think my time is expired, so I will yield
back.
Chairwoman Stevens. OK. Dr. Baird, you'll be recognized
for 5 more minutes of questioning.
Mr. Baird. Mr. Petersen, last May, President Trump issued
America Cybersecurity Workforce Executive Order, which directed
the Secretary of Commerce and the Secretary of Homeland
Security, along with the heads of other appropriate agencies,
to implement the recommendations from their 2017 report on how
to support growth and sustainment of the Nation's cybersecurity
workforce in both the public and the private sectors. So could
you tell us if you're involved in implementing these
recommendations, and if so, how? And are these recommendations
informing the development of NICE's strategic plan for the next
five years?
Mr. Petersen. Yes, thank you for that question. We are
absolutely involved, as we were in both the development of the
recommendations, as well as the implementation. There were five
imperatives, multiple recommendations and actions, and we are
beginning by prioritizing some of them. So, for example, the
first one spoke to having a national call for action to make
sure that both the public and private sector were recognizing
the importance of cybersecurity.
And by way of example, another reason that I've worked
closely with IBM is several companies have come together as
part of the Aspen Cybersecurity Group to issue a set of
principles that they want companies to follow. And one of those
principles is to use the NICE Cybersecurity Workforce
Framework, but other principles are things like career
discovery or doing skills-based hiring and the like. And so
working collaboratively with the private sector and industry in
this case to raise the importance and elevate this is one way
that we are implementing it.
When I talked earlier about transforming the learning
process, including more of a focus on skills and less than just
traditional credentials, that's another example of an emerging
theme in our next strategic plan. We're learning, as many of
you have described, it includes not only the K through 12, the
high school diploma, the community college, college degree, but
also certifications or apprenticeships or the other multiple
pathways to a career in cybersecurity.
And finally, as I indicated, the Workforce Policy Advisory
Board, which is part of that President's National Council on
America's Workforce, will be talking more about the multiple
pathways to all types of careers but cybersecurity especially
where it could be that transitioning veteran that you described
earlier that after a 20-year military career, then enters
cybersecurity, or it could be an IT worker who's going to
transition to a cybersecurity role. So we are actively working
on both prioritizing and implementing them to the extent that
we can.
Mr. Baird. Thank you. Ms. Miller, one last question.
Maybe, could you elaborate on how IBM has utilized their
apprenticeship program and how you use that to recruit and
retain cybersecurity workforce?
Ms. Miller. Sure. So we started the apprenticeship program
about four years ago, and what we do is we've actually--
especially in the security--the cybersecurity organizations
have really looked at what are the right roles that we can
really bring in talent without the 4-year degrees, so looking
at the soft skills, making sure that they have those right
critical skills, and leading with skills first and the
capabilities over the credentials, right? And then looking at
what are the right roles to bring them in, so a security
operations center analyst is one, pen testers, another example,
technical writers.
We've been bringing people in into those types of
positions as a way to, one, test them, make sure that they
can--that they have the technical capabilities as we continue
to train them up, sponsor them for certifications, et cetera.
So as they come in, there is a curriculum that's built out for
the first year for them that they go through and dedicated
resources to support them. So it's really looking at this from
a skills-first basis, and it allows us to get the--you know,
those that have 4-year degrees, they tend to not be
representative of the overall U.S. population demographically,
right? So if we're able to bring in and really leverage the P-
TECH programs, the apprenticeship programs, et cetera, we're
able to get into--tap into that underrepresented talent,
whether it be based on race, gender, even veterans, et cetera.
So this is definitely a way that--and the question was
asked earlier. This is a way that in the future people will be
able to look up and see people that look like them at the top
of the house. So it's very important to us.
Mr. Baird. Thank you. And I see I'm out of time. I yield
back.
Chairwoman Stevens. Thank you. And now we'll recognize Dr.
Lipinski for 5 minutes of questions.
Mr. Lipinski. Thank you, Chairwoman. Thank you for holding
this hearing. We all know how important this issue is. And,
unfortunately, it doesn't receive nearly as much attention as
it should.
I'm happy to follow the Democrat before me, Bill Foster.
We share Argonne National Lab, and appreciate the great work
that's being done there on cybersecurity.
One particular issue I have is how medium and small
manufacturers struggle to keep up with the rapid evolution of
cyber attacks. It's something I hear about all the time from
these manufacturers in my district.
I was the Democratic lead on the NIST Small Business
Cybersecurity Act, which was signed into law in 2018. The bill
directed NIST to develop voluntary guidelines to help small
businesses identify, manage, and reduce cybersecurity risks.
NIST has since developed the Small Business Cybersecurity
Corner to provide resources on this topic to small businesses.
So I want to ask Mr. Petersen. Can you describe the National
Initiative for Cybersecurity Education's contributions to these
resources for small businesses?
Mr. Petersen. Thank you for that question. So we actually
have one of our team members, from our small team, that is
assigned part-time to help support the small and medium
business outreach. One is because her regular role with NICE is
to do industry engagement. And again, we want to be sensitive
to both the needs of large enterprises, as well as small and
medium businesses. So she can bring both that expertise, as
well as kind of introduce workforce and education-related
topics into that small and medium business outreach.
The reality is we talk about a small team like my own, the
small and medium businesses have smaller teams especially
devoted to IT and cybersecurity and are often reliant on third-
party providers, service providers as well, so making sure
that, for example, our NICE Cybersecurity Workforce Framework
doesn't just speak to the kind of workforce they need but the
kind of workforce that service providers need to bring to them
as well as a way we try to translate that for small to medium
businesses.
Mr. Lipinski. Thank you. I wanted to follow up on that.
Looking more generally at both for cybersecurity education and
manufacturing, in 2018 the Administration put out the Strategy
for American Leadership in Advanced Manufacturing. This was the
result of a bill that I had written, that this Committee had
passed, and it was passed into law. And so it--that strategy
talks specifically about bolstering cybersecurity education and
manufacturing.
So in response, the Department of Defense launched a
National Center for Cybersecurity Manufacturing in 2018 at MxD
(Manufacturing times Digital), which is in Chicago. The center
focuses on ensuring small- and medium-size manufacturers are
taking the necessary precautions to protect themselves from
cyber attacks and subsequent data breaches and IP (Internet
Protocol) theft.
So, Mr. Petersen, I wanted to ask, as you've discussed in
your testimony the National Initiative for Cybersecurity
Education is beginning the process of updating their 5-year
strategic plan, so how will the framework leverage work done in
manufacturing institutes like the cybersecurity center at MxD
to accelerate and enhance NIST cybersecurity workforce
development?
Mr. Petersen. So one of the roles that NICE plays is being
aware of the ecosystem that's happening across the United
States, not only geographically but by critical infrastructure
sectors. There are other economic sectors. And NIST also, as
you know, is home to the Manufacturing Extension Partnership
that helps to administer some of the manufacturing programs
across the United States.
And so, fortunately, in the context of my relationship
with the NIST MEP (Manufacturing Extension Partnership) office,
they brought the workforce program of MxD to our attention, and
we have engaged with them directly. Primarily, as they go down
a path of developing a workforce framework for manufacturing to
create a skilled cybersecurity workforce to recognize that the
NICE Cybersecurity Workforce Framework is a resource to them,
it's a reference resource upon which all the critical
infrastructure sectors can leverage and modify and adapt to
meet their needs. But also we're trying to create a
standardized environment across the Nation for cybersecurity
work that can help education and training providers, as well as
employers, to have that common taxonomy. So I'm glad to say
we've worked with them very collaboratively and try and
encourage them to use our existing framework as the foundation
for what they do.
But second, as you indicate, both as we update our NICE
framework and our next strategic plan, that any feedback or
input that they have to provide to us, that we're more than
happy to receive that as well. We did just complete a request
for comment period and are going to be looking at the comments
received as a way to collect that public input.
Mr. Lipinski. Thank you. And I want to thank you, Mr.
Petersen, and all of our witnesses today for your testimony but
also for your continued work on this very, very critical issue.
I yield back.
Chairwoman Stevens. Thank you, Dr. Lipinski. And I second
your comments of gratitude. So many amazing things that we
touched on in just this 90-minute period. Dr. Siraj, your
statements of anyone can be in cybersecurity, anyone can solve
these problems in this cross-functionality and this real place
of opportunity for growth.
Obviously, a lot going on in Congress today, but this is
submitted for the official record. And our record is going to
remain open for a couple of weeks for additional statements
from Members or questions that they might have, so those might
come your way as well. And we're going to keep the conversation
rolling, as well as the commitment that Congress will continue
to serve as an effective steward and partner in filling our
workforce needs, getting rid of the mistrust and obviously the
risk that not only impacts our national security, our financial
security, for individuals and our overall economy. And it's a
job opportunity for us as well to promote the cybersecurity
workforce.
So thank you all so much. The witnesses are now excused,
and the hearing is adjourned.
[Whereupon, at 11:40 a.m., the Subcommittee was
adjourned.]
[all]