U.S. Strategy to Develop a Superior Cybersecurity Workforce | Victor Piotrowski

Ep. 48 | Reimagining Cyber | U.S. Strategy to Develop a Superior Cybersecurity Workforce | Victor Piotrowski

Rob Aragao: All right, Stan, who do we have joining us for this episode?
Rob, our guest today is Dr.Victor Piotrowski, who is the lead program director for the National Science Foundation's CyberCorps Scholarship for Service Program. He's also a program officer in the Secure and Trustworthy Cyberspace program, supports training based workforce development for advanced cyber infrastructure and supports the Cyber Infrastructure for Susstained Scientific Innovation program.  Victor's very busy. But today we're just gonna focus on the CyberCorps Scholarship for Service Program program and how it helps address the growing gap and the supply and demand for cybersecurity workers in the United States, and specifically in the US federal government.
 Stan Wisseman: Victor, it's great to have you with us. Is there anything else you'd like to add about your background for our listeners? 
Victor Piotrowski:. Maybe just a couple of things. I'm originally from Poland. Came here just before the Berlin Wall fell down in 1989.
 Victor Piotrowski: And spend a long time at the University of Wisconsin. Started with the government about 15 years ago and been leading efforts on cybersecurity education workforce at the National Science Foundation I also work internationally. Specifically, I was a cybersecurity fellow in the US Embassy in Latvia, working with Baltic countries and Scandinavia.
 Rob Aragao: One of the things obviously we'll be talking about today is just kind of what we're seeing out there and how you're helping with the cybersecurity workforce in general. You know, and in previous episodes we've had this kind of topic of discussion many times. An example of that was Marion Merritt, the deputy director at NICE, [EP 20 Reimagining Cyber]and she was actually sharing with us, you know, some recruiting capabilities and the website that you're familiar with, I'm sure called Cyber Seek.
 And when you look at CyberSeek over 45,000 cyber opening in the public sector within the US alone. If we kind of flip that over to you and some of the things you're doing with the CyberCorp SFS program, you know, as it was established to help respond to  some of these challenges in recruiting and retaining cyber talent, specifically to the government per se.
Rob Aragao: Maybe take us through and help us understand more of a summation of the program, the history, kind of where it came from, all the way to kind of the point in time where you're at today. 
] Victor Piotrowski: you're absolutely right. I didn't know. It's already 45. I like, oh, I say 40. But it still means that roughly one in three positions in, in federal government is unfilled.
Victor Piotrowski: We have 700,000 need nationwide outside in, of just public sector. So that's, this is. A very, very huge challenge on the top of other areas that experienced the shortage. So the program was established very early I would say probably 10 years before any other country even thought about boosting cybersecurity
 Victor Piotrowski: workforce, so that, that goes back to 1997. That was the efforts related to commission on critical infrastructure protection. And at that time, two  big initiatives started. One was Center of Academic Excellence at National Security Agency, and then the other one was Cyber core Scholarship for Service at National Science Foundation.
Victor Piotrowski: So we've been running this actively supporting universities anand students since 2000. So 23 years this year. The program originally was established as a collaboration between NSF and the Office of Personell Management, but after Department of Homeland Security was established sometime around 2003 that had joined us.
 Victor Piotrowski: So this is really currently three agencies working together. 
Stan Wisseman: So Victor, my understanding is, and, and granted it's a limited understanding of the cyber core SFS program, is it has two tracks. One that provides funding to universities to award scholarships, and then another track to help actually increase the capacity of our US higher education.
 Stan Wisseman: to produce cybersecurity professionals? 
] Victor Piotrowski: That's correct. So our position, even if we are charged to run a scholarship program, our position as, as National Science Foundation was we cannot have a high quality scholarship program if we do not invest in faculty curricular. training of faculty, extracurricular activities, support, competition, support transition from cutting research to education, and so on and so on.
 Victor Piotrowski: So you're absolutely right. I would say about 20% of our funds go to support that what we call capacity building in the United States Education enterprise. It, it starts at K-12. We invest in K-12 starting with middle school and high school, joint effort National Security Agency, and FBI  is called Gem Cyber.
It's like the next generation cyber starts. It's, it's summer activities about 150 camps each summer, one week long to  essentially expose students in K-12 to cyber security, to profession. 
Stan Wisseman: They get a taste for it. Right. They look at that as possibly being a career path. 
 Victor Piotrowski:. We have to counterbalance, you know, that cliche view.
Victor Piotrowski: You know, working in cyber means you are in your hoodie in the basement, right? We have to sell it to parents. This is the good profession, as good as lawyer or doctor. And, and very well paid. And, and with, with the needs. Right? And you have to hook those students, giving him, you know, exciting experiential things.
Little hacking, maybe, you know, ethical hacking, let's say this way. Maybe I will, I will try to hack the system and read what is pressure in you. In, in your tire, in your car, , or maybe I will try to get control of your little drone or something like this. You know, everything in that ethical way, you know, supported, obviously don't do this in a non-ethical way, but we expose them to those experiential activities and then we go through community colleges.
We have a huge investment in community colleges going through four year school graduate students doctoral students going all the way What we call generally K to gray. You know, going to professional development of, of people that are already in the workforce or going to the older population with security awareness.
 So our students might go with outreach to some residential areas and, and help do programs and libraries and places like that. Exactly, exactly. Think about the population that didn't grow up with iPhones in their hand. Right. They need help to understand this digital. And so that's, that's the capacity building and the scholarship is easier to describe.
 The scholarship part is essentially a fantastic scholarship package, but has  strings attached. So essentially we offer students up to three years, fantastic package,  that means we cover all tuition. If it's 20,000, we cover a year. If it's 60,000 a year, we cover it absolutely a hundred percent. We provide in the range of 27 to 37,000 cash every year, depending on the student's status, undergraduate versus graduate, but money for professional development  and in exchange of this, the students are required to work in the cybersecurity mission of the government agency for as long as they receive the support. That means two yeas support you work two, two years, you can leave three years support, you work three years, you can leave.
 Rob Aragao: How many students are you seeing actively at this point in time within the program, and kind of walk people through what that process is of being accepted into the actual program itself.
 Victor Piotrowski: To date, we accepted somewhere around 5,500 students. We have about close to a thousand of them on an active scholarship. We graduate around 400 students a year. The way we work is decentralized. That means we don't have a central place at the government agency. Apply here for scholarship. Rather, we have a competition of universities.
That means every year, say 50 universities will submit applications to us and say, I would like to be one of your cyber core schools. We select some of those schools, and those schools will receive multimillion multi-year funding to recruit students. To run them through the proper curriculum to be sure they are connected to agencies, choose the students who can obtain security clearances and so on and so on.  So the students do not apply to the federal government. The student apply to  one of the 98 SFS schools 
Stan Wisseman: So they're 98 participating universities in the program right now. Do you track which one? You know, are most successful as far as getting scholarship students. 
 Victor Piotrowski: If I can mention maybe top five.
That will be Dakota State University. Very tiny university in South Dakota. 3000 students total, but 600 of them major in cyber operations. Focusing just on, on cyber operations, high level cybersecurity, right. This, these are like really advanced skills used in a, not just defensive side, but offensive side.
 University of Tulsa was consistently at the top. And then Florida State University, California State, San Bernardino and Naval Post-graduate school. And again, every year we add new schools, right? So this, year, for example, in January we added nine new schools. So we are now present, I believe, in 39 states plus Puerto Rico and DC
 Stan Wisseman: which is an indicator of, I guess, the expansion of the capacity too, cuz these, you know, number of universities, whether they actually get graduates through that program, your program or not hopefully they have the faculty to. With the education and the cybersecurity area
Rob Aragao: so, so as they've  gone through now the program and they're looking to see where they can find opportunities to work within the government, what are some of the examples of kind of in the past they can take and, and how do they find those different opportunities within the federal government
 Victor Piotrowski: To date, we had, you know, close to 5,500 students. So we created obviously a supporting structure in the program and that includes something, what we call job fairs. We have a virtual event and we have face-to-face events as a closed events. We usually get about hundred booths. Maybe 300 hiring officials in big place.
 Victor Piotrowski: In addition to this. Many schools develop over the years specific connections to some agencies. Like for example, if I graduate over the last 10 years, you know, whatever certain students and those students are in some agencies, they will natural connection for me. They will come to my, my university for recruitment.
They will establish way before our job fairs. You know, some students already are connected. The one challenge is that this requires two things. Students have to be US citizens or permanent residents, and that's narrows our selection, right? In many computer science classes, especially if you go to graduate level, you have very high percentage of non-citizens.
 70, 80, 90% even in doctoral programs, right? So our selection narrows. And the second one is, this little invasive to your privacy because most of those positions will require high level clearance. Some of them, like NSA or CIA, will require also polygraph. But the one common mistake I think is people think if I use maybe some not fully legal symptoms in high school, I can never get clearance.
Victor Piotrowski: This is absolute fallacy. The main thing is you don't. You tell, you put everything on the table and we had cases I remember one case that I saw that students tried every possible substance in high school and still obtain clearance.
Stan Wisseman: My understanding is that while you're focusing on trying to fill positions in the US Federal government, your job fair is open for state and local as well and tribes?
Victor Piotrowski: correct. We have little restrictions because the program's intention was to create a support for federal government over the years that positioned little softened because you know, the system is as strong as the weakest link. And, and obviously we are allowed to send to state, local, tribal government.
 Victor Piotrowski: However,  the law tells us at least 70% of students have to go to the executive branch, not even federal government, executive branch of federal government, and then not more than 20% can go to like catch all what will be state, local, tribal, territorial, also non-executive branch. It might be supporting Supreme Court or supporting the Sergeant at Arms.
 Victor Piotrowski: Right. These are non-executive branches  
 Stan Wisseman: Over the  legislative branch. Right, 
 Victor Piotrowski: exactly. 20% back, but also federal government is very complicated. Actually, every December there is a manual issued. What is a federal government? You have semi quasi government corporations. You have inter state agencies.
 Stan Wisseman: Yeah, you mentioned that. I mean, I used to work at Fannie Mae and you consider them a quasi government agency. Even if they think of themselves as being more private sector, guess what? They're under conservatorship. And FDIC is another. 
 Victor Piotrowski: Yeah, even, even Feds Federal Reserve even too.
 Stan Wisseman: Which of  these agencies over time do you think has really consumed the most graduates of the program? 
Victor Piotrowski: About 740 students. Out of our 4,500 that we graduated today went to National Security Agency. This is the, what we call signal intelligence. In the old days was like radio signals or any other signals.
Victor Piotrowski: Right? But these days signals on the internet wire are important signals. Right? So a lot of those students go to NSA. Other, top recruiting agency are related to DOD, department of Navy. Then we have of the Army, Homeland Security, Air Force and then Department of Justice means, you know, FBI, obviously, and CIA a.
Victor Piotrowski: That's, that's probably the, the most students go to those agencies, but we send them to hundred, I think last time I count in my spreadsheet, hundred 34 lines. That's explains you how many of those department agencies. And different kind like structures that you never heard of. For example, there is one agency that consists of seven people, but was established by Congress in 1960s.
 Victor Piotrowski: They g hired one student because they need one and it's theirs right 
 Rob Aragao: Let's double click on that a little bit further. When you look at the actual students, right, the requirement is that they're gonna work for the government for kind of, here's the time you were educated for on our dime in essence, and now we expect that time.
 Rob Aragao: How about tracking to see how long they actually stay moving forward, whether it's federal, whether it's state and local, it doesn't matter, like have you looked at those type of metrics 
Victor Piotrowski: Up to fulfilling their obligation. We have a hundred percent responses and we know exactly what's happening after the obligation.
Victor Piotrowski: Once we mark them in, you know, OPM database, you fulfill the obligation. We still survey them for eight at additional years, but the response somehow declines. Understandably, right? Maybe 80% of people who respond one year after clear with all the obligation by the end of the eight years, maybe only 40%.
Victor Piotrowski: So it's not a complete data. But definitely what we are getting from those surveys is that students don't quit government the day after they fulfill the obligation. They stay longer, sometimes, much longer. So about 72% students stay with the government
Stan Wisseman: Yeah. Going back to the beginning of our, of our episode here where we're talking about the numbers, you know, we still have like 45,000 or so openings in the US government for cybersecurity kind of positions.
Stan Wisseman: You've made a, a big impact with your [00:17:00] program starting in 2000. You've gotten thousands of people through and graduated through this program. That's great. But the numbers are, are still relatively small based on compared to the need if, if you receive more funding, you know, would that by itself help you scale up your program and get more graduates?
 Victor Piotrowski: The short answer is obviously there is funding is always the proportionally related to  the number of students, but the answer is not that simple. And so let me just maybe put two comments here. The first. , if we put somewhere at a university, 5 million grand. That's what happened with Dakota State University back in 2010.
 Victor Piotrowski: A tiny university got 5 million grand and then decide that cyber is our future. So that means the impact of our dollar is not only on those students that we recruit on the scholarship because the number is limited. ,but that university now create a [00:18:00] major in cyber operations. Higher faculty create courses.
 Victor Piotrowski: So there are dozen and then dozen and dozens other students sitting in the classroom. Mm-hmm. in addition to maybe 10 or 12 around the scholarship. So this is, I think, a big impact that's puts cyber security as attractive area to the Dean or the Provost, you know, the university administration, state government, and so, Like, we don't have any school currently in Wyoming or Utah or Montana.
 Victor Piotrowski: You know, additional funding eventually will, create school there also will bring that attention, right? And, and then cybersecurity attractive area in that state or that university. The second thing is, the biggest bottleneck that I perceive for last at least three years is the shortage of faculty based on the Computer Research Association in North America.
Victor Piotrowski: We have about 140 doctoral students graduating every [00:19:00] year, but only about 14 of them. End up as university professors, very limited. Yes. It's, it, it'll be barely to replace retirement. Right. But if you think about expanding this and creating, you know, new schools, new programs, new states, 14 is a very, very small number.So that's a big challenge currently. 
Rob Aragao:, You've shared a lot and I think, again, thank you from us to you and putting together the program and the energy and the passion behind. We know it's a critical need. This helps tremendously. And I think getting the word out, hopefully this is another kind of form of, of sharing with people who are interested in getting to cyber, that this opportunity also exists.
Rob Aragao: And then the term that you used, I love it. K to Gray. And I think that's the way you have to think about cyber in general, right? As early as possible. Start kind of thinking about and understanding the implications of cybersecurity. But also there's the other generations that we have to consider.
 Rob Aragao: You know for myself many times having those conversations with parents and. What they're dealing with and kind of, do I click on this, do I not? Right. So, so again, very  holistic based approach. Thank you for coming on and sharing. We really appreciate your time. Thank you. 
 Victor Piotrowski: Thank you for the opportunity, and if anybody's interested, sfs.opm.gov for prospective students.
 Stan Wisseman: Thanks again for all your work in this area. Thank you.