Alec Ross, senior adviser for innovation at the State Department, has a piece of advice for students tasked with the nerve-rattling problem of choosing a college major.
“If any college student asked me what career would most assure 30 years of steady, well-paying employment,” Ross said, “I would respond, ‘cybersecurity.’ ”
That’s because cybersecurity is a field where the rules of the recession seem flipped: There are plenty of jobs, but relatively few qualified applicants.
The government needs to hire at least 10,000 experts in the near future and the private sector needs four times that number, according to Tom Kellermann, vice president at Trend Micro and former member of President Obama’s cybersecurity commission. Booz Allen Hamilton, a private security firm in McLean, has hired nearly 3,000 cybersecurity experts in the past two years, and that trend is expected to continue.
Cyberattacks generally come in two varieties: state-sponsored intellectual capital theft and strikes against critical digital infrastructure, such as power grids and banking systems.
Both kinds are being carried out thousands of times a day. No one knows the precise cost; some experts put the dollar figure in the billions and others say it could reach hundreds of billions or more. Defense Secretary Leon E. Panetta has said that the threat of cyberattacks against infrastructure targets keeps him up at night, and former National Security Agency director Mike McConnell recently warned that the U.S. government isn’t equipped to detect and deflect a catastrophic attack.
“We’re going to have a catastrophic event [in cybersecurity]. Some of these tools already being built are going to leak or be sold or be given to a group that wants to change the world order, and we’re incredibly vulnerable at the infrastructure level,” said Adm. Mike Mullen, former chairman of the Joint Chiefs of Staff.
How can the government become better prepared? It needs more “white hats” — the good guys of the Internet, experts say. But not enough digital experts are entering the cybersecurity field to meet the ever-growing demand.
“It’s tough going out there,” said Edwin Kanerva, vice president at Booz Allen Hamilton. “Every company in [the area] is looking for the same thing. There’s just not enough of them. The gene pool is small.”
Recruiters for the company visit colleges across the country, but that may not be enough. According to a 2009 study from the Georgetown University Center on Education and the Workforce, college graduates earning degrees in computers and mathematics represented just shy of 6 percent of all graduates. Of those, only 36,500, or 2 percent, earned a degree directly related to cybersecurity.
Why is that percentage so low? Kanerva said many college students who train in computer science are attracted to fields other than security, such as software development or computer engineering, which are considered more appealing and can sometimes offer six-figure starting salaries. The median salary for a graduate earning a degree in security was $55,000 in 2009, compared with $75,000 for computer engineering.
“All of the big corporations — the Googles, the Microsofts, the Oracles — all have offices on campus, and they’re in competition with one another and with us. It’s difficult to compete with that as a defense contractor or security firm and convince Johnny or Mary to come to central Maryland and work in government.”
The key to training more cybersecurity experts, Kanerva said, is exposing students to STEM education — science, technology, engineering and mathematics — as well as adding some cybersecurity training in high school.
“I think we need to get kids interested,” Kanerva said. “Kids get basic computer knowledge because they’re video-game geeks. They sit at home with a PlayStation 3 and learn the basics without even realizing they’re learning.”
The U.S. government also recognizes the need for more STEM education.
“We’re not preparing enough people to work in information technology, period,” said Janice Cuny, program director for computing education at the National Science Foundation (NSF). “We’re producing about two-thirds of the IT people that we need nationwide, and we’re way behind in cybersecurity.”
Cuny also said the problem should be fixed at the high school level.
“We do a horrible job teaching computer science in high school,” she said. “Students graduate high school knowing what biology is and what history is. But most high schools don’t teach computer science at all.”
The NSF has an ambitious plan to change that: fund 10,000 computer science classes in public high schools by 2016. Two pilot courses, introductory “Exploring Computer Science” and a more advanced “Computer Science Principles,” are being financed through NSF grants.
Neither course would be sufficient to train the next generation of cybersecurity experts, but Cuny said right now they’re about sparking interest rather than expertise.
“What I’d like for kids to see is that cybersecurity is intellectually stimulating; it’s a great field,” she said.
Alexander Fitzpatrick is a writer for Mashable, a news Web site covering digital culture, social media and technology.