Suggested Citation:"1 Introduction." National Academies of Sciences, Engineering, and Medicine. 2021. Looking Ahead at the Cybersecurity Workforce at the Federal Aviation Administration. Washington, DC: The National Academies Press. doi: 10.17226/26105.

1

Introduction

The mission of the Federal Aviation Administration (FAA) “is to provide the safest, most efficient aerospace system in the world.”1 In fulfilling this mission, the FAA faces significant cybersecurity challenges across its areas of responsibility, which range from air traffic control operations to aircraft safety certification. Underscoring the urgency of this challenge, a recent report by the National Academies of Sciences, Engineering, and Medicine concluded “the safety of life implications and the vital economic importance of air travel make the security of NextGen and the NAS (National Airspace System) critically important” (p. 9). The study conclusions urged the FAA to “strengthen its workforce in systems engineering and integration, digital communications, and cybersecurity” (NRC, 2015, p. 1).

It is against this backdrop of need and opportunity that the FAA requested the National Academies to conduct a subsequent study that specifically examines the cybersecurity workforce challenges and current strategy for meeting those challenges, so as to develop recommendations for enhancing that workforce. The cybersecurity workforce is composed of individuals in “work roles that have an impact on an organization’s ability to protect its data, systems, and operations…. A cybersecurity workforce includes not only technically focused staff, but also those who apply knowledge of cybersecurity when preparing their organization to successfully implement its mission” (NIST, 2017, p. 1).

Using this broad conceptualization of the cybersecurity workforce, the resulting assessment reported herein incorporates a range of considerations intended to guide the FAA’s ongoing efforts to strengthen the cybersecurity workforce and provides new recommendations for future workforce development. The National Academies has performed similar studies for the FAA for modernizing the Air Traffic Control System and determining air traffic controller staffing needs (NRC, 2014, 2015). Additionally, the National Academies has studied ways to expand the professionalization of the cybersecurity workforce and foundational cybersecurity research strategies (NASEM, 2017; NRC, 2013).

STUDY BACKGROUND

This study attends to several challenges that may impact the continuation and future development of the FAA cybersecurity workforce. One broad challenge cited by many federal agencies and other organizations, including the FAA, is that cybersecurity talent is in high demand and short supply nationwide. It is notoriously difficult to quantify such shortages; there is, however, general agreement that the market for cybersecurity talent is tight. In a survey conducted by the Center for Strategic and International Studies (CSIS), 82 percent of employers reported a skills shortage in cybersecurity. Likewise, the same study indicated that 71 percent of employers believed the skill shortage impacts cybersecurity performance and effectiveness. The CSIS survey revealed a number of additional factors impacting the shortage of a skilled cybersecurity workforce (CSIS, 2016).

___________________

1 More information is available at: https://www.faa.gov/airports/central/about_airports/CE_mission/.

Exacerbating actual and perceived shortages is ongoing turnover, which is widespread in fast-moving high-tech fields even when there is an adequate number of qualified workers available, and especially when there is not (Business-Higher Education Forum, 2017; NRC, 2013). Other factors that any organization must consider when dealing with supply and demand challenges include recruitment, selection, performance assessment, levels of job variety and autonomy, promotion opportunities, management practices, and how to foster teamwork.

In the committee’s judgment, supply and demand challenges are complicated by the way in which the field of cybersecurity integrates a variety of professions. Cybersecurity involves a range of professionals, from security architect to system administrator to personnel security manager, where the profiles of knowledge, skills, abilities, and interpersonal skills can vary significantly by profession. It also involves extensive collaboration with other professionals, such as when the operational implications of cybersecurity threats must be considered. Such variety must be considered when evaluating the complex cybersecurity challenges of the FAA and the workforce diversity enhancement efforts required to effectively address them. The cybersecurity workforce can be seen as a system in the context of recruiting, hiring, promoting, and retaining cybersecurity personnel. This system is complicated by the occupational breadth and independence of cybersecurity professionals.

Compared with the private sector (and federal agencies that have leveraged more flexible workforce management authorities), the FAA faces recruitment, training, and retention challenges reflecting factors such as lower salaries; a highly specific and less cutting-edge technical environment; and citizenship, suitability, and security clearance requirements. On the other hand, many talented cybersecurity professionals work for federal agencies (Hernandez, 2020). Understanding why they chose this path and what obstacles to entry they faced may point to ways to improve recruitment and retention.

The FAA has been taking steps to address its cybersecurity workforce challenges. Recently it completed a transition from the old (computer specialist) to new (IT management) personnel series, thereby introducing much-needed cybersecurity specialties and making these positions more visible to job seekers (FAA, 2020). Recognizing its difficulty in competing for experienced cybersecurity talent, the agency has adopted a strategy emphasizing upskilling of its technical workforce to meet its cybersecurity needs. The present study looks at the effects these changes have had and considers more broadly how the job market and requirements of the field impact ongoing efforts to enhance cybersecurity in the FAA.

CHARGE TO THE COMMITTEE

The FAA sought the assistance of the National Academies to examine its cybersecurity workforce challenges and to develop new cybersecurity workforce recommendations. This request was a congressional requirement in Section 549 of the FAA Reauthorization Act of 2018 (P.L. 115-254). The specific charge from Congress to the FAA is shown in Box 1-1.

The committee’s overall task was to examine the FAA’s cybersecurity workforce challenges, review FAA’s current strategy for meeting those challenges, and recommend ways to strengthen the FAA’s cybersecurity workforce, including consideration of its size, quality, and diversity. Members of the committee represented expertise in related topical areas such as human capital management, industrial-organizational psychology, workforce diversity, industrial and systems engineering, and cybersecurity. Industry expertise was additionally reflected in committee members who serve as senior managers of cybersecurity organizations and in former government employees. With regard to size, the committee considered the FAA’s ability to meet current and anticipated future cybersecurity needs. In assessing the quality of the FAA’s cybersecurity workforce, the committee sought to provide the FAA with recommendations to ensure the agency has enough cybersecurity workers (capacity) with the right knowledge, skills, and abilities (capability) (NRC, 2013). The committee took a similarly broad view of diversity and used the Ford Foundation definition to position diversity as “the representation of all our varied identities and differences (race, ethnicity, gender, disability, sexual orientation, gender identity, national origin, tribe, caste, socio-economic status, thinking and communication styles, etc.), collectively and as individuals.”2 The committee was tasked with considering cybersecurity workforce needs across the FAA’s mission areas and considering how these needs are likely to evolve. The evidence base, analysis, findings, conclusions, and recommendations will be discussed in more detail throughout the report. The committee’s full statement of task is in Box 1-2.

COMMITTEE APPROACH

It was necessary to structure an appropriate committee to achieve the study goals and collect information on the scope and complexity of the FAA’s cybersecurity workforce challenges, review the FAA’s current activities for managing these challenges, and develop conclusions, findings, and recommendations that were responsive to the statement of task. To perform this task, the National Academies formed a committee of members with relevant expertise across a wide range of domains. The committee comprised 12 members, including two co-chairs. Specific expertise was provided on industrial-organizational psychology; human resource management (with emphasis on IT workers and related industries); diversity and inclusion; workforce development, staffing, and training; workforce systems; cybersecurity; cybersecurity education; computer and information science and engineering; software and information technology systems; and labor and workforce projections for cybersecurity. The committee was drawn from industry, the FAA, academia, and consulting organizations.

The committee’s approach to its charge consisted of a review of the evidence in the scientific literature and several other information-gathering activities. In reviewing the literature and formulating its conclusions and recommendations, the committee considered all the presentations, literature searches, and committee knowledge.

The committee also held open public information-gathering sessions, which occurred through five planned meetings between February and November 2020. These meetings covered data accumulation and development of findings and recommendations, with the balance moving from former to latter as the meetings unfolded. The original intent for meetings two and three was to hold site visits, but due to the COVID-19 pandemic, all the committee’s meetings were held virtually except meeting one. These data-gathering sessions included speakers from the FAA, other comparable organizations and agencies, airport representatives, and experts in cyber staffing, management, and organization. The FAA sponsor staff attended these open sessions to hear the information received by the committee, and to learn of the cybersecurity workforce challenges and opportunities to address them that other organizations employ. The committee also heard from multiple presenters on both the importance of and strategies for building and maintaining diversity in the workforce. The range of factors that define the diversity of an ideal workforce has been described in other settings as providing “the social context of decision making,” wherein “diversity facilitates friction that enhances deliberation and upends conformity (Levine et al., 2014).” The social context of decision making at any organization demands that a broader conception of diversity is taken into account in the recruitment and hiring process.

___________________

2 Definition taken from Ford Foundation; available at: https://www.fordfoundation.org/about/people/diversity-equity-and-inclusion/#:~:text=Diversity%20is%20the%20representation%20of%20all%20our%20varied,and%20communication%20styles%2C%20etc.%29%2C%20collectively%20and%20as%20individuals.

Based on the range of information gathered during those meetings, the committee decided to explicitly define diversity for this report as found in Box 1-3.


REPORT STRUCTURE AND SUMMARY

The report is divided into five chapters. The current chapter provides an overview of the problem as described in the statement of task (Box 1-1) as well as the approach taken by the committee. Chapter 2 examines the FAA’s current and future cybersecurity landscape and challenges. Chapter 3 provides a discussion of human resource and management approaches relative to a diverse and effective FAA cybersecurity workforce, using the employee lifecycle model. Chapter 4 continues using the adapted employee lifecycle model and describes the organizational structure, workforce strategies, best practices, and lessons learned that can be applied to the FAA’s cybersecurity workforce. Chapter 5 uses the findings, conclusions, and recommendations presented in the earlier chapters to articulate the key challenges for the FAA and present action items for several key opportunities. Appendix A lists the agendas and speakers from the various data-gathering workshops and open meetings that were held to fulfill the statement of task. The committee members’ biographies can be found in Appendix B.

REFERENCES

The Business-Higher Education Forum. 2017. Invest to Improve: The Cybersecurity Talent Deficit. Available: https://www.bhef.com/sites/default/files/bhef_2017_invest_to_improve.pdf.

CSIS (Center for Strategic and International Studies). 2016. Hacking the Skills Shortage: A Study of International Shortage in Cybersecurity Skills. Available: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf.

FAA (Federal Aviation Administration). 2020. “The FAA Cybersecurity Workforce Overview.” Presentation to Committee on Cybersecurity Workforce of the Federal Aviation Administration by FAA Cybersecurity Steering Committee (CSC) and FAA AHR Representatives. February 19, 2020. Washington, DC.

Hernandez, S. 2020. Government Cyber Workforce Challenges. Presentation to Committee on Cybersecurity Workforce of the Federal Aviation Administration. February 20, 2020. Washington, DC.

Levine, S.S., Apfelbaum, E.P., Bernard, M., Bartelt, V.L., Zajac, E.J., and Stark, D. 2014. Ethnic diversity deflates price bubbles. Proceedings of the National Academy of Sciences, 111(52), 18524–18529.

NASEM (National Academies of Sciences, Engineering, and Medicine). 2017. Foundational Cybersecurity Research: Improving Science, Engineering, and Institutions. Washington, DC: The National Academies Press. doi: 10.17226/24676.

NIST (National Institute of Standards and Technology). 2017. National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. NIST Special Publication 800-181. Gaithersburg, MD: NIST. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf?trackDocs=NIST.SP.800-181.pdf.

NRC (National Research Council). 2015. A Review of the Next Generation Air Transportation System: Implications and Importance of System Architecture. Washington, DC: The National Academies Press. doi: 10.17226/21721.

NRC. 2014. The Federal Aviation Administration’s Approach for Determining Future Air Traffic Controller Staffing Needs. Washington, DC: The National Academies Press. doi: 10.17226/18824.

NRC. 2013. Professionalizing the Nation’s Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.


The Federal Aviation Administration (FAA) has overseen significant upgrades to the technology used to manage aviation operations to increase the safety and efficiency of the National Airspace System (NAS). Though necessary to regular operations, these modern computing and communications systems provide a greater attack surface for criminals, terrorists, or nation-states to exploit and thereby increase the potential for cybersecurity threats to the NAS and its constituents.

The future safety and security of air travel will rely in part on the ability of the FAA to build a workforce capable of addressing the evolving cybersecurity threat landscape. Securing the computers, networks, and data that underpin modern aviation depends in part on the FAA having enough cybersecurity professionals (capacity) with the right knowledge, skills, and abilities (capability). It also depends on the FAA's workforce having sufficient diversity of backgrounds and experience. Such diversity is critical in analyzing cybersecurity problems and widely understood to be a "functional imperative" for effective cybersecurity programs.

At the request of Congress, the publication examines the FAA's cybersecurity workforce challenges, reviews the current strategy for meeting those challenges, and recommends ways to strengthen the FAA's cybersecurity workforce.
