You Call This an Army? The Terrifying Shortage of U.S. Cyberwarriors

Demand for cyber labor is far outstripping supply.

When the Soviet Union launched the first satellite in 1957, it set off an intellectual arms race that led to more than $1 billion of federal investment in science education. Within a decade, Americans were sending their own expeditions to outer space. Presidents and other public figures since then have made a tradition of referring to Sputnik to push their political agendas. But just because it's a convenient rhetorical lever doesn't invalidate the analogy. And when it comes to cybersecurity, it hits pretty close to the truth.

The United States doesn't have nearly enough people who can defend the country from digital intrusions. We know this, because cybersecurity professionals are part of a larger class of workers in science, technology, engineering, and math--and we don't have nearly enough of them, either. We're just two years into President Obama's decade-long plan to develop an army of STEM teachers. We're little more than one year from his request to Congress for money to retrain 2 million Americans for high-tech work (a request Republicans blocked). And it has been less than a month since the Pentagon said it needed to increase the U.S. Cyber Command's workforce by 300 percent--a tall order by any measure, but one that's grown even more urgent since the public learned of massive and sustained Chinese attempts at cyberespionage last month.

Where are Cyber Command's new hires going to come from? Even with so many Americans out of work, it isn't as though there's a giant pool of cyber professionals tapping their feet, waiting to be plucked up by federal agencies and CEOs who've suddenly realized they're naked in cyberspace. In fact, over the next couple of years, the manpower deficit is only going to get worse as more companies come to grips with the scale of the danger.

Demand for cyber labor is still far outstripping supply, Ron Sanders, a vice president at Booz Allen Hamilton, told National Journal in a phone interview. "With each headline we read," he said, "the demand for skilled cyber professionals just increases."

The number of industry employees is already growing at double-digit rates. A new report released Monday finds that the number of people working in the cyber field is going to grow worldwide by 11 percent every year for the next five years. In North and South America, according to the paper--published by the International Information System Security Certification Consortium (ISC2)--that will mean almost a million more workers in the field by 2017. Many of them will be highly qualified. But not all of them will be in the employ of U.S. entities, to say nothing about working in the United States itself.

Here's another way to look at the supply of cyber labor. Every year since 2008, U.S. colleges have graduated some 38,000 computer-science majors. But, according to Education Department figures, that annual number has actually shrunk from a peak of nearly 60,000 in 2004. We graduate more than twice as many artists every year than computer scientists. And for every computer-science degree, the country gives out two in journalism or communications. The media industry's hurting, sure, but not for a lack of people. Not like this.

Some 12,000 cyber professionals responded to ISC2's annual global workforce survey. Of those, 57 percent reported working from the Americas. As this was a voluntary and self-reporting sample, the actual number of cyber workers based in North and South America could be higher. But it's safe to do at least some back-of-the-envelope calculations with these numbers. Even if we assumed all 6,840 of these respondents were U.S. citizens (which they're almost certainly not), and assuming the Pentagon could grant instant security clearances (which it can't), filling Cyber Command's 3,100 open positions tomorrow would still leave behind a rather large hole.

It gets worse. To become a cyber professional working in government, your record has to be exceptionally clean. That rules out pretty much any U.S. teen who's written a malicious script or vandalized a website. America's cyber competitors, meanwhile, aren't nearly so scrupulous down in HR.

"We do exclude individuals who cross the line, especially advertently," said Sanders. "We should be letting them know there are things you shouldn't do if you expect to go into cybersecurity."

To snag kids before they stray into trouble, as well as to raise interest in STEM jobs generally, recruiters are beginning to reach for younger and younger prospects. Two years ago, Microsoft released a study finding that 80 percent of current STEM students at universities chose their field when they were in high school, or even earlier. A fifth said they'd made up their minds as early as in middle school.

"One of the things we've been doing," said ISC2's foundation director, Julie Peeler, "has been working on reaching down into the secondary education level--and even looking at ways we can affect primary education" with outreach programs to young children. These are built upon what Peeler calls a "common body of knowledge" and ascends all the way to the university level, where over 100 postsecondary institutions now offer "information assurance" programs accredited by the National Security Agency. Forty-two states have certified Centers for Academic Excellence schools. Among them are New York's West Point and the U.S. Naval Academy in Annapolis, Md.

In the (very) long run, those institutions will pay off. But right now? We don't have enough cybersecurity professionals to make up for the deficits of the last five years, let alone meet the growing demands of the next five. At the pace we're training our digital soldiers, government and the private sector won't be working together to secure the country--they will be too busy fighting each other for what little manpower's coming out of the university system. And that's just as scary.