About 50 miles northwest of Sioux Falls, South Dakota, sits Dakota State University, a small institution with enrollment just over 3,200. Despite its small class size and rural location, DSU has built a curriculum that has made the school one of the most successful in funneling cybersecurity professionals into the National Security Agency’s talent pipeline.
And the skills are quite specific. The defensive and espionage missions undertaken by the NSA require efforts from some of the top tech operators in the world, capable of performing some of the most complex cybersecurity operations to defend and infiltrate adversarial networks.
These operators must come from somewhere. And it’s no secret that the public and private sectors are strapped for cybersecurity talent — a problem pecking at federal government, no matter their line of work.
But the NSA has DSU. And, actually, the NSA has spent the last 20 years cultivating an interwoven network of universities and community colleges across the country capable of educating students in rigorous cybersecurity programs that are tailored to the needs of the agency.
The partner institutions — called Centers of Academic Excellence (CAE) — have grown from seven institutions in five states to 312 across 48 states, the District of Columbia and Puerto Rico, adding the Department of Homeland Security as a partner in 2004.
“We need lots of talent, and that talent needs to be diverse and reflect who we are as a country,” said Diane Janosek, the commandant of the NSA’s National Cryptologic School.
Institutions of higher education can receive the CAE designation in three different areas: cyber defense, cyber defense research and cyber operations. That’s an expansion from 20 years ago when the program focused on information assurance — aiming to “contribute to the growing demand for cybersecurity expertise in the intelligence community workforce.”
The designation is not easy: just 10 schools across the country have designations in all three categories, according to the NSA, and DSU is one of them. The shortage has only persisted, both for the federal government, state and local government and the private sector. According to Cyber Seek, which tracks the cybersecurity workforce shortage, there are nearly 314,000 cyber job openings across the country, while in the public sector 17,000 positions are unfilled.
“There’s economies of scale if you get outside the Beltway where we can actually operate more cost effectively,” said Wayne Pauli, professor of information systems and coordinator for the DSU doctorate program in cyber operations. “And we have young, talented people from every area in the United States that maybe just don’t want to move.”
But to adequately combat the expanding workforce gap, the program must produce talent with the right skillsets. NSA and DHS have set rigorous academic requirements, faculty requirements and community outreach mandates. Several NSA officials have said that the CAE program is also the NSA’s biggest driver of diversity. A spokesperson said that the demographic information wasn’t “available for public release,” but said that the 63 of the schools are classified as minority-serving institutions.
Foreign adversaries and cybercriminals are getting more aggressive and advanced. The mission, Janosek said, is no longer just to bring in talent to the NSA. The goal is to widen access to cybersecurity education as cyberthreats have become an “economic threat,” she said. Now, her goal is for students to “learn cybersecurity education that can be applied to more than just the defense and intelligence sector. It could be applied to the banking industry, the finance industry, the health care industry, manufacturing.”
To ensure that these sectors are matched with adequately prepared talent, the participating institutions must meet rigorous curriculum standards that evolve with the threat landscape. Every few years, universities must be redesignated as CAEs. Cyber operations remains one of the most exclusive designations, held today by only 21 schools.
Those courses “are hard to teach,” said Drew Hamilton, director of the Center for Cyber Innovation at Mississippi State University, which has a master’s program stamped as a CAE for cyber operations. “They are hard to grade, challenging for the students. [But] you get a better product.”
This year, DSU expects to graduate 200 undergraduate students in cyber operations and 120 in cyber defense, Pauli said. He added that typically 15-20 students end up going to the NSA, DHS or another federal government institution after graduation.
The process to receive the NSA’s approval stamp is so difficult that an educator at one school that reapplied for the designation recently called it “eight months of hell.” But it’s a designation that’s critical to NSA recruiting, Janosek said.
“We now can recruit in very key areas from the schools that we know have the caliber of the curriculum that we’re looking for,” Janosek told Federal Times.
A cliché in the cyber sector is “cybersecurity is a team sport.” While government officials say this all the time while struggling to break down communication barriers, the web of universities and community colleges across the country established a communication network that fosters real cooperation between the designated schools.
The CAEs are grouped by region throughout the United States. Across the nation, the NSA has designated schools as CAE national or regional resource centers. Regional resource centers help schools prepare for designation, while assisting the national resource centers with webinars, application review, information sharing, mentoring and professional development for faculty.
University of West Florida is dubbed a regional resource center for the Southeast, assisting institutions in Alabama, Florida, Georgia, Mississippi, Puerto Rico and South Carolina. Eman El-Sheikh, UWF’s cybersecurity program director, said what UWF wants is “to build a community, a collaborative community across the Southeast.”
The partnerships with universities across the country also expand facility access for the NSA. For example, DSU is developing a secure research facility for the government, called Madison Cyber Labs.
“We fully intend to have defense contractors and government entities that will actually do work at our location and it will be much more cost effective being out here,” Pauli said.
“We have a tagline that we say: ‘All this in the middle of a cornfield.’”
Notable Events (Source: NSA)
- 1999: Beginning of the Centers of Academic Excellence
- 2001: Introduction of the Department of Defense Information Assurance Scholarship Program
- 2004: The addition of the Department of Homeland Security as a partner
- 2008: The addition of the research designation
- 2010: Community colleges added
Signaling to employers
The workforce shortage is not shrinking: in fact, it’s reaching what experts describe as crisis levels. One estimate from Cybersecurity Ventures says the shortage will reach 3.5 million open cybersecurity positions worldwide by 2021.
The designation provides assurances to employers “that we’re following strict guidelines on our curriculum and that these students are going to be prepared to go to work when they come on,” said Stephen Miller, director of the Cybersecurity Center of Excellence at Eastern New Mexico University - Ruidoso Branch Community College, a school with around 1,000 students. ENMU-Ruidoso has a two-year program in cyber defense.
In the two decades of the CAE program, the most significant change made was allowing community colleges to receive the CAE designation, Janosek said. Community colleges are a critical piece of boosting the cyber workforce because of the lower barrier to entry for students.
That’s an important piece of the mission at ENMU-Ruidoso, which is considered one of the most affordable colleges in the West. El-Sheikh said that the limited cyber workforce is a national security issue and the outreach needs to include different types of schools, and even different career skillsets, such as technical operators or cybersecurity lawyers and ethicists.
“To continue to be a leader globally in cybersecurity, that innovation needs qualified professionals and it needs diverse qualified professionals,” El-Sheikh said. “Because the more that you bring diverse perspectives, diverse experiences and diverse backgrounds to the mission and to the conversations, the more we’re going to keep ahead of the game.”
The NSA also considers schools’ community outreach programs as an integral part of the evaluation to become a designated CAE. Janosek said that the most successful schools are the ones that are “really connected to their communities.”
The community colleges will host youth events, like Girls Who Code, or Girl Scout troops working toward their cybersecurity badge. Community college engagement can produce long-term return on investment, engaging students from a young age who then go through the cybersecurity education process.
“We’re trying to create this cyclical process,” Janosek said. “And what we have found are pockets across the country that are doing it really, really well.”
There are also immediate benefits for state and local governments, as well as local industry, in the areas these CAE schools are located. Students who graduate from programs, if they don’t work for the government, often end up working for local hospitals or school districts, sectors that have been devastated by the ransomware epidemic that has closed schools and hospitals.
And with military installations across the country, there are also benefits from the program for the government, even if they don’t send students directly to work for agencies in Washington.
Greg Randall, CAE program manager at Snead State Community College in northeast Alabama, said many of his students end up working at Redstone Arsenal, an Army post in Huntsville, Alabama, or for local defense contractors. According to Randall, one of his former students is a top cybersecurity official at Redstone’s local bank.
“Without being a [CAE], we would not be where we are today; the access that you get to programs, technology, all that, is very important to our success,” Randall said.
Benefits of participation
There is one glaring hole in the federal government’s partnerships with these universities: no funding goes to the designated universities, though there are grant opportunities for the schools to apply for and scholarships available to students.
Federal Times asked several program directors what the incentive was to participate given the lack of funding. Several said degrees with the NSA’s CAE stamp made their schools more competitive and set their students apart when applying for jobs. Some pointed to the grant and scholarship opportunities.
None of the program directors interviewed for this story decried the lack of funding, all saying that the designation has been transformative for their students and schools and has provided tangible support for the cyber community.
“It is that distinction that employers are looking for, that parents and potential students are looking for,” said El-Sheikh. “It’s really, within the higher-ed world, the gold standard of quality.”
Janosek also pointed to the network of CAEs across the country as another incentive to participate in the program. The benefits she listed include assistance with grant applications, career fair participation and shared resources.
While cybersecurity practices differ from agency to agency and information can sit in closed-off stovepipes, the standardized, rigorous education curriculum mandated to receive the designation also establishes a qualified starting point for cyber education.
“You’ve got a baseline from which all people can go ahead and move forth,” said Tom Polliard, a professor in the computer information systems department at Estrella Mountain Community College in the Phoenix suburbs. “So, you have a really good idea of what those people are going to know and don’t know.”
With the cyber workforce gap only growing, governments from the federal level down to the municipal and tribal levels are going to have to pull cybersecurity professionals from across the country.
“In the area of cybersecurity, the need is so great,” said Hamilton. “Just from a national perspective, you can’t afford to leave anyone out.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.