Suggested Citation:"Summary." National Academies of Sciences, Engineering, and Medicine. 2021. Looking Ahead at the Cybersecurity Workforce at the Federal Aviation Administration. Washington, DC: The National Academies Press. doi: 10.17226/26105.

Summary

Section 549 of the Federal Aviation Administration Reauthorization Act of 2018 (P.L. 115-254) calls on the National Academies of Sciences, Engineering, and Medicine to examine the Federal Aviation Administration’s (FAA’s) cybersecurity workforce challenges, review the FAA’s current strategy for meeting those challenges, and recommend ways to strengthen the FAA’s cybersecurity workforce. Aspects under consideration include workforce size, quality, and diversity. This report provides the findings, conclusions, and recommendations of the National Academies’ Committee on the Cybersecurity Workforce of the Federal Aviation Administration on these matters.

The FAA is responsible for providing the “safest, most efficient aerospace system in the world,” as stated in its motto.1 Over the past decade, it has overseen significant upgrades to the technology used to manage aviation operations to increase the safety and efficiency of the National Airspace System (NAS). Though necessary to regular operations, these modern computing and communications systems provide a greater attack surface for criminals, terrorists, or nation-states to exploit and thereby increase the potential for cybersecurity threats to the NAS and its constituents. Expanding digitization and connectivity without adequate cybersecurity could have enormous consequences; disruption anywhere in the aviation sector can spread across borders, cause significant financial damages, and compromise safety. While this transition is ongoing, the FAA still needs to protect its legacy-based systems.

The future safety and security of air travel will rely in part on the ability of the FAA to build a workforce capable of addressing the evolving cybersecurity threat landscape. Securing the computers, networks, and data that underpin modern aviation depends in part on the FAA having enough cybersecurity professionals (capacity) with the right knowledge, skills, and abilities (capability). It also depends on the FAA’s workforce having sufficient diversity of backgrounds and experience. Such diversity is critical in analyzing cybersecurity problems and widely understood to be a “functional imperative” for effective cybersecurity programs.

The findings, conclusions, and recommendations contained herein derive from the academic literature, data received from the FAA, the committee’s professional expertise, and input collected at the committee’s five public meetings. Areas of professional expertise represented on this committee include relevant topical areas such as human capital management, organizational psychology, workforce diversity, industrial and systems engineering, and cybersecurity. Industry expertise was supplied by members who formerly served as senior managers of cybersecurity organizations. Government expertise was provided by a former deputy assistant administrator at the FAA.

___________________

1 More information is available at: https://www.faa.gov/airports/central/about_airports/CE_mission/.

The five public meetings provided opportunities for the committee to learn about challenges and best practices from government and private-sector enterprises alike. The committee learned about challenges in other aviation enterprises (e.g., the European Union Aviation Safety Agency), major logistics and transportation corporations (e.g., UPS), and other government agencies (e.g., the Department of Education and the United States Coast Guard).

In the course of its work, the committee reached a number of findings, conclusions, and recommendations to guide the FAA’s efforts. Chapters 2-4 of this report will present these along with supporting evidence and discussion. Chapter 5 reviews the committee’s findings, conclusions, and recommendations. The findings, conclusions, and recommendations are summarized here in the form of key challenges and opportunities to ensure the FAA’s cybersecurity workforce can continue to support the agency’s missions. The committee notes that the FAA will need to recognize that these challenges and opportunities require constant evaluation and support by senior leadership.

KEY CHALLENGES

Challenge 1. Expansion of the FAA’s digital footprint also increases vulnerability and risk, and so, increases the need for more robust cybersecurity due to these potential new threats. Cybersecurity is an essential element of fulfilling the agency’s mission of ensuring safety in air travel. It has become a critical priority for the FAA, as risk is compounded by growing digitization and connectivity of the National Airspace System and aviation sector. As alluded to above, the increasing digitization of aviation infrastructure, while necessary to improve FAA operations, also expands the attack surface of critical infrastructure and cyber-physical systems. In response to these changing dynamics, the FAA will need to introduce a range of skills and expertise into its cybersecurity workforce.

Challenge 2. The cybersecurity labor market is highly competitive within the federal sector, nationally, and globally—and likely to become more so. Cybersecurity professionals are highly sought after, and competition among employers for the limited talent pool is likely to grow more acute. Despite a multitude of initiatives to address the cybersecurity workforce imperative, the nation still faces a significant shortage of qualified cybersecurity professionals. The demand for talent is particularly severe in the public sector, because federal agencies must compete with private-sector firms that often can provide better compensation. Compared to private employers, the FAA may not pay as highly but offers more stable employment and an attractive culture. It was noted in the committee’s focus groups that there are instances where the FAA pay grades are above the rest of government for similar jobs and that this was an effective recruiting inducement. However, the FAA has further unique needs for its cybersecurity workforce, such as the need for employees who have a deep understanding of a highly specialized mission and technology infrastructure alongside an ability to defend against both cyber and security threats. Furthermore, the FAA will have to integrate cybersecurity professionals and cybersecurity practices into the agency’s strong existing safety culture.

Challenge 3. The FAA faces a future wave of retirements in its cybersecurity workforce. Like many federal agencies, the FAA has a significant portion of employees who are or soon will be eligible for retirement. This means that within a relatively short timeframe, the FAA may have to replace a significant portion of its cybersecurity workforce amidst increasing competition for talent and ensure that the agency can retain the highly specialized, mission-specific knowledge of its retiring cybersecurity workforce.

Challenge 4. To achieve greater diversity within the cybersecurity workforce and meet its future needs, the agency must make better use of existing programs that promote workforce diversity. The FAA’s diversity track record is on par with federal agencies and broader trends in terms of diversity of its workforce and its success in recruiting and retaining underrepresented minorities and women. But the FAA lags other parts of the federal government in taking advantage of existing programs for enhancing diversity. Increased diversity is vital to the FAA’s future cybersecurity workforce for several reasons:

  • Cybersecurity as a discipline incorporates a broad range of skills and knowledge, and thus an effective cybersecurity workforce will need to be diverse across a number of axes—a consideration that includes both traditional diversity strategies, such as increased engagement of underrepresented minorities and women, and other strategies, such as encouraging applicants from a range of different educational institutions, previous employers, and geographic locations.

  • Greater diversity represents an opportunity to grow the talent pool and anticipate changing national demographics. Growing this talent pool will allow the FAA to keep pace with other organizations that have made diversity a recruitment priority.
  • Adversaries present a changing set of threat activities that challenge the imagination. To manage these tactics, a diverse and multiview cybersecurity defense is required as a critical part of the workforce.

Challenge 5. The FAA’s current recruitment capabilities are not robust enough to meet future demand in an increasingly competitive environment. The FAA will need to be more effective in recruiting a cybersecurity workforce of sufficient capability and capacity in the face of worldwide competition for cybersecurity talent, the need to be ready to replace a wave of retirees, and the need for greater diversity in its cybersecurity workforce.

The challenges associated with building a diverse cybersecurity workforce of sufficient capability and capacity are in constant flux and under pressure as the FAA expands its digital footprint. It is the committee’s hope that the opportunities summarized below and discussed in-depth in the rest of this report will help illuminate the steps that the FAA can take to strengthen its cybersecurity posture.

KEY OPPORTUNITIES

Opportunity 1. Leverage FAA’s compelling mission as a recruitment tool. The FAA offers potential employees a work environment that combines cybersecurity operations with a unique mission (Finding 3-3). Through enhanced job fair materials, more compelling job descriptions, and engagements such as those identified in Opportunities 2-4, recruitment efforts can better highlight the opportunities to apply cybersecurity skills to the mission and within a unique operational environment (Finding 3-7).

Opportunity 2. Broaden the talent pipeline by building sustainable relationships with educational and industry partners and enhancing college recruitment. In order to help respond to the national imperative to grow the capability and capacity of the national and federal cybersecurity workforce and meet its own future needs, the FAA should consider investments in enriching educational curricula and scholarship programs and mining industry-based talent pools. A number of federal agencies have developed successful, replicable partnership activities that provide research opportunities, scholar-in-residence positions for federal cybersecurity practitioners, and student internships. Successful engagement can infuse the FAA with new cybersecurity talent. To realize this goal, the FAA will need to take full advantage of existing scholarship programs as well as explore new partnerships. The FAA should (1) evaluate the use of existing and future internship programs as a valuable tool to create a more diverse cybersecurity workforce (Recommendation 3-1); (2) organize and expand its reach and partnerships with universities around cybersecurity preparation efforts in academic and research areas in order to assist in the development of a talented cybersecurity workforce (Recommendation 3-3); and (3) set internal targets for the number of Scholarship for Service students recruited and/or hired to internships and permanent positions within the agency (Conclusion 3-5).

Opportunity 3. Enhance diversity by leveraging existing best practices. Other federal agencies have developed best practices that help to improve workforce diversity. For instance, several agencies have developed partnerships with minority serving institutions (MSIs),2 similar to those discussed in Opportunity 2, that simultaneously attract young talent and improve organizational diversity. However, the FAA has not yet explored similar arrangements.

___________________

2 The U.S. Department of Education’s Minority-Serving Institutions Program includes the following organizations: Historically Black Colleges and Universities (HBCUs); Hispanic-Serving Institutions (HSIs); Tribal Colleges and Universities (TCUs); and Asian American and Pacific Islander-Serving Institutions (AAPISIs).

To address this shortfall, the FAA can (1) explore opportunities to develop meaningful and sustainable relationships with MSIs in order to access upcoming cybersecurity graduates via internships and employment opportunities (Recommendation 3-3); and (2) train its cybersecurity leadership on best practices in building a diverse and inclusive organizational culture (Recommendation 3-7).

Opportunity 4. Leverage federal hiring programs, nonsalary financial incentives, and flexibilities to attract and retain talent. Although subject to a number of requirements around federal hiring, the FAA could take better advantage of existing flexibilities, such as spot hiring authority (allowing employers to extend offers to qualified candidates without public posting requirements), which would allow it to more easily and nimbly recruit cybersecurity talent. While the FAA, like other federal agencies, cannot realistically hope to match the salaries of private-sector employers, the agency can better use certain nonsalary incentives such as increased quality of work-life balance and targeted geographic opportunities to compete for talent more effectively with other federal agencies. The FAA should compare its use of hiring flexibilities with those of other federal agencies, both highlighting currently existing flexibilities that are underused by the FAA and identifying other agency flexibilities and practices that could be incorporated into FAA hiring processes (Recommendation 2-4).

Opportunity 5. Promote and invest in training and reskilling. Given the wide range of skills relevant to its cybersecurity practice, reskilling current employees—including current cybersecurity staff, noncybersecurity information technology staff, and operations staff—can provide the FAA with a readily available talent pool of future cybersecurity talent. As the committee concluded, reskilling the existing workforce can be an important component of developing the needed future cybersecurity workforce of the FAA. To make best use of reskilling, the FAA should ensure that all efforts to upskill and evolve the cybersecurity workforce (Recommendation 3-5).

Opportunity 6. Anticipate the coming wave of retirements. The demographics of the FAA’s cybersecurity workforce suggest that the agency will need to replace a significant portion of cybersecurity professionals in a relatively short timeframe. Although doing so will be challenging, the retirements also present an opportunity for FAA leadership to replace currently defined roles with ones that better reflect the future cybersecurity needs of the agency. To proactively address the challenges of anticipated retirements, the FAA should (1) implement cybersecurity workforce planning strategies that will protect the agency against the potential for sudden and mass retirements (Recommendation 2-1), and (2) provide professional development opportunities to refresh skill sets of current cybersecurity employees and ensure sharing of key institutional and mission-specific knowledge with newer cybersecurity staff (Recommendation 4-2).

Opportunity 7. Ensure that the FAA’s chief information security officer (CISO) has sufficient authority and access to agency leadership. Mirroring private sector trends that have bolstered the role of CISOs, the FAA should consider providing the CISO role with more authority and access to agency leadership. This would allow the FAA to better identify and direct responses to cybersecurity challenges and foster an organizational culture in which cybersecurity professionals and other employees can be most effective in doing so. One option could be instituting a CISO’s reporting structure to support a strong governance model, which ensures that the CISO has both the independence and access required to effectively manage the FAA’s cyber risk posture (Recommendation 4-3).
