5
Key Challenges and Opportunities
The Federal Aviation Administration (FAA) is responsible for providing the “safest, most efficient aerospace system in the world.”1 It has been significantly upgrading the technology used to manage aviation operations to increase the safety and efficiency of the National Airspace System (NAS). However, the modern computing and communications systems being introduced by the FAA, out of necessity magnify the cybersecurity threats to the NAS and its constituents, thereby providing a greater attack surface for criminals, terrorists, or nation-states to exploit. The FAA takes this seriously, recognizing that the consequences of this increasing digitization and connectivity without adequate cybersecurity could be enormous: disruption anywhere in the aviation sector can spread across borders, cause significant financial damages, and compromise safety.
Securing the computers, networks, and data that underpin modern aviation depends in part on the FAA having enough cybersecurity professionals (capacity) with the right knowledge, skills, and abilities (capability). It also depends on the FAA’s workforce having sufficient diversity of backgrounds and experience. Diversity is critical in analyzing cybersecurity problems and is widely understood to be a “functional imperative” for effective cybersecurity programs (Levine, et. al., 2014). The future safety and security of air travel will rely, in part, on the ability of the FAA to build a workforce capable of addressing the evolving cybersecurity threat landscape.
Members of the committee represented expertise in related topical areas such as human capital management, industrial-organizational psychology, workforce diversity, industrial and systems engineering, and cybersecurity. Industry expertise was reflected in members who formerly served as senior managers of cybersecurity organizations, and government expertise was provided by a former deputy assistant administrator at the FAA.
The findings, conclusions, and recommendations contained herein derive from the academic literature, data received from the FAA, the committee’s professional expertise, and input collected at the committee’s five public meetings. At these meetings, the committee sought to learn about challenges and best practices from government and private-sector enterprises alike. The committee considered challenges in other aviation enterprises (such as the European Union Aviation Safety Agency), major logistics and transportation corporations (such as UPS) and other government agencies (such as the Department of Education and the United States Coast Guard). The preceding chapters provide committee’s analysis, supporting evidence, and detailed findings, conclusions, and recommendations.
___________________
1 More information is available at https://www.faa.gov/about/mission/.
KEY CHALLENGES
Challenge 1. Expansion of the FAA’s digital footprint also increases vulnerability and risk, and so, increases the need for more robust cybersecurity due to these potential new threats. Cybersecurity is an essential element of fulfilling the agency’s mission of ensuring safety in air travel. It has become a critical priority for the FAA, as risk is compounded by growing digitization and connectivity of the NAS and aviation sector. As alluded to above, the increasing digitization of aviation infrastructure, while necessary to improve FAA operations, also expands the attack surface of critical infrastructure and cyber-physical systems. This led the committee to conclude (Conclusion 2-2) that “the cyber landscape of the FAA is continuously evolving. Accordingly, the future FAA cybersecurity workforce will need to adapt in order to simultaneously support traditional enterprise infrastructure and security operation center needs, as well as provide subject matter expertise and program oversight of cybersecurity integration into all aspects of FAA’s missions.” The profusion of digital technologies and the growing threat surface to the FAA’s systems and operations add to the challenge by multiplying the number of skills needed to effectively manage cybersecurity risk. As the committee found (Finding 3-1) in Chapter 3, “the complexity of challenges that cybersecurity professionals address requires a workforce with a diversity of experiences and cognitive approaches, making diversity a functional imperative of cyber operations.”
Challenge 2. The cybersecurity labor market is highly competitive within the federal sector, nationally, and globally—and likely to become more so. Cybersecurity professionals are highly sought after, and competition among employers for the limited applicant pool is likely to grow more acute. Despite a multitude of initiatives to address the cybersecurity workforce imperative, the nation still faces a significant shortage of qualified cybersecurity professionals. In Chapter 2, the committee found (Finding 2-5) that “the pool of qualified cybersecurity talent is limited and recruitment challenges will persist.” The demand for talent is particularly severe in the public sector, because federal agencies must compete with private-sector firms that often can provide better compensation. As the committee found in Chapter 3, one of the current FAA cybersecurity workforce challenges is difficulty competing with commercial entities that have higher compensation packages. Nevertheless, federal employers (Finding 3-4) are able to recruit and retain personnel with the critical skills needed to accomplish their missions, by offering “incentives, such as recruitment, relocation, and retention incentive payments; student loan repayments; annual leave enhancements; and scholarships” to attract the necessary talent.
The FAA’s workforce challenge is further compounded by its need for employees to have a deep understanding of a highly specialized mission and technology infrastructure alongside an ability to defend against both cyber and security threats. This confluence of labor market trends and specialized knowledge required to fulfill the agency’s mission presents a substantial challenge to an agency whose recruitment capabilities, as discussed in Chapter 3, are presently insufficient to identify and recruit cybersecurity personnel aligned with FAA mission compared to foreseeable future needs. Furthermore, the FAA will have to integrate cybersecurity professionals and cybersecurity practices into the agency’s strong existing safety culture.
Challenge 3. The FAA faces a future wave of retirements in its cybersecurity workforce. Like many federal agencies, the FAA has a significant portion of employees who are or soon will be eligible for retirement. As discussed in Chapter 2 (Finding 2-2), the committee found that “a growing proportion of the cybersecurity workforce of the FAA is reaching retirement eligibility and, as a result, the agency is vulnerable to losing a significant portion of its cybersecurity workforce to retirement.” This means that within a relatively short timeframe, the FAA may have to replace a significant portion of its cybersecurity workforce amidst increasing competition for talent and ensure that the agency can retain the highly specialized, mission-specific knowledge of its retiring cybersecurity workforce. The cybersecurity workforce will need to adapt to the agency’s adoption of internet protocol connectivity and the imposition of zero-trust networking authentication mechanisms. Employee retirement, at the end of the employee lifecycle model, “offers organizations the opportunity to rethink organizational needs and required skill sets, which in turn helps refocus talent recruitment and the next iteration of the employee lifecycle” (Recommendation 4-4).
Challenge 4. To achieve greater diversity within the cybersecurity workforce and meet its future needs, the agency must make better use of existing programs that promote workforce diversity. In Chapter 2 (Finding 2-1), the com-
mittee determined that the FAA could do more to grow both female and minority representation in its cybersecurity workforce. While the agency is better than average with diversity workforce trends for women, it may be lagging behind with regard to underrepresented minorities. This is somewhat uncertain due to incomplete data that may not fully reflect the presence of all minority groups among the FAA’s workforce. The FAA’s diversity track record is on par with federal agencies and broader trends in terms of diversity in the workforce and its success in recruiting and retaining underrepresented minorities and women. But the FAA lags other parts of the federal government in taking advantage of existing programs for enhancing diversity. For instance, as discussed in Chapter 4, many federal agencies, but not the FAA, have developed institutional partnerships with Minority-Serving Institutions (MSIs), which “can both expand the talent pool for high-demand positions and ensure diversity in the workforce for the long term” (Finding 4-3).
Increased diversity is vital to the FAA’s future cybersecurity workforce for several reasons:
- Cybersecurity as a discipline incorporates a broad range of skills and knowledge, and thus an effective cybersecurity workforce will need to be diverse across a number of axes—a consideration that includes both traditional diversity strategies such as increased engagement of underrepresented minorities and women, and other strategies such as encouraging applicants from a range of different educational institutions, previous employers, and geographic locations.
- Greater diversity represents an opportunity to grow the talent pool and anticipate changing national demographics. Growing this talent pool will allow the FAA to keep pace with other organizations that have made diversity a recruitment priority.
- Adversaries present a changing set of threat activities that challenge the imagination. To manage these tactics, a diverse and multiview cyber defense is required as a critical part of the workforce.
Challenge 5. The FAA’s current recruitment capabilities are not robust enough to meet future demand in an increasingly competitive environment. The FAA will need to be more effective in recruiting a cyber workforce of sufficient capability and capacity in the face of worldwide competition for cybersecurity talent, the need to be ready to replace a wave of retirees, and the need for greater diversity in its cybersecurity workforce. As noted above in Challenge 2 and in Chapter 4, the FAA has insufficient capabilities to identify and recruit cybersecurity personnel aligned with the FAA mission compared to foreseeable future needs. This includes insufficient engagement with existing sources of talent and organizational practices, each of which inhibits recruitment. For instance, the FAA has not partnered with universities to shape cybersecurity programs and curricula (Finding 3-10), a strategy that both provides students with the skills the agency anticipates needing in the future and builds relationships with faculty that can increase awareness of the FAA as an attractive employer for young cybersecurity professionals.
Additionally, the FAA does not take advantage of programs that other agencies use to recruit cybersecurity professionals into federal service (Finding 3-13), nor has it partnered with the Scholarship for Service program to effectively recruit cyber talent to the organization (Finding 3-9). While the agency’s high retention rate among cybersecurity staff has thus far allowed for a relative lack of emphasis on identifying sources of new cybersecurity talent, this will need to become a higher operational priority as much of the cybersecurity workforce reaches retirement age.
Better organizational practices could help improve talent recruitment at the FAA. Even when talent is identified, FAA hiring practices can make the task of hiring in-demand cyber talent unnecessarily difficult, as the FAA is currently under-utilizing flexibilities in personnel management and hiring authority, such as direct-hire authority (Finding 2-6).
The challenges associated with building a diverse cybersecurity workforce of sufficient capability and capacity are in constant flux, and under particular pressure as the FAA expands its digital footprint. The opportunities summarized below and articulated in the previous chapters of this report provide some initial first steps that the FAA can take to strengthen its cybersecurity workforce.
KEY OPPORTUNITIES
Opportunity 1. Leverage the FAA’s compelling mission as a recruitment tool. The FAA offers potential employees a work environment that combines cybersecurity operations with a unique mission (Finding 3-3). Through enhanced
job fair materials, more compelling job descriptions, and engagements such as those identified in Opportunities 2-4, recruitment efforts can better highlight the opportunities to apply cybersecurity skills to the mission and within a unique operational environment (Finding 3-7).
Opportunity 2. Broaden the talent pipeline by building sustainable relationships with educational and industry partners and enhancing college recruitment. In order to help respond to the national imperative to grow the capability and capacity of the national and federal cybersecurity workforce and meet its own future needs, the FAA should consider investments in enriching educational curricula and scholarship programs and mining industry-based talent pools. Several federal agencies have developed successful, replicable partnership activities that provide research opportunities, scholar-in-residence positions for federal cybersecurity practitioners, and student internships. Successful engagement with these and similar programs can infuse the FAA with new cybersecurity talent. To realize this goal, the FAA will need to take full advantage of existing scholarship programs as well as explore new partnerships. The FAA should (1) evaluate the use of existing and future internship programs as a valuable tool to create a more diverse cybersecurity workforce (Recommendation 3-1); (2) organize and expand its reach and partnerships with universities around cybersecurity preparation efforts in academic and research areas in order to assist in the development of a talented cybersecurity workforce (Recommendation 3-3); and (3) set internal targets for the number of Scholarship for Service students recruited to internships and permanent positions within the agency (Conclusion 3-5).
Opportunity 3. Enhance diversity by leveraging existing best practices. Other federal agencies have developed best practices to improve workforce diversity. For instance, several agencies have developed partnerships with MSIs, similar to those discussed in Opportunity 2, that simultaneously attract young talent and improve organizational diversity. However, the FAA has not yet explored similar arrangements. To address this shortfall, the FAA can (1) explore opportunities to develop meaningful and sustainable relationships with MSIs to access upcoming cybersecurity graduates via internships and employment opportunities (Recommendation 3-3) and (2) train its cyber leadership on best practices in building a diverse and inclusive organizational culture (Recommendation 3-7).
Opportunity 4. Leverage federal hiring programs, nonsalary financial incentives, and flexibilities to attract and retain talent. Although subject to a number of requirements around federal hiring, the FAA could take better advantage of existing flexibilities, such as spot hiring authority (allowing employers to extend offers to qualified candidates without public posting requirements), that would allow it to more easily and nimbly recruit cyber talent. While the FAA, like other federal agencies, cannot realistically hope to match the salaries of private-sector employers, the agency can better use certain nonsalary incentives such as increased quality of work-life balance and targeted geographic opportunities to compete for talent more effectively with other federal agencies. The FAA should compare its use of hiring flexibilities with those of other federal agencies, both highlighting currently existing flexibilities that are underused by the FAA and identifying other agency flexibilities and practices that could be incorporated into FAA hiring processes (Recommendation 2-4).
Opportunity 5. Promote and invest in training and reskilling. Given the wide range of skills relevant to its cybersecurity practice, reskilling current employees—including current cybersecurity staff, non-cybersecurity information technology staff, and operations staff—can provide the FAA with a readily available talent pool of future cybersecurity talent. As the committee concluded, reskilling the existing workforce can be an important component of developing the needed future cybersecurity workforce of the FAA. To make best use of reskilling, the FAA should ensure that all efforts to upskill and evolve the cybersecurity workforce (Recommendation 3-5).
Opportunity 6. Anticipate the coming wave of retirements. The demographics of the FAA’s cybersecurity workforce suggest that the agency will need to replace a significant portion of cybersecurity professionals in a relatively short timeframe. Although doing so will be challenging, the retirements also present an opportunity for FAA leadership to replace currently defined roles with ones that better reflect the future cybersecurity needs of the agency. To proactively address the challenges of anticipated retirements, the FAA should (1) implement cybersecurity
workforce planning strategies that will protect the agency against the potential for sudden and mass retirements (Recommendation 2-1) and (2) provide professional development opportunities to refresh skill sets of current cybersecurity employees and ensure sharing of key institutional and mission-specific knowledge with newer cybersecurity staff (Recommendation 4-2).
Opportunity 7. Ensure that the FAA’s CISO has sufficient authority and access to agency leadership. Mirroring private-sector trends that have bolstered the role of CISOs, the FAA should consider providing the CISO role with more authority and access to agency leadership, allowing the FAA to better identify and direct responses to cybersecurity challenges and foster an organizational culture in which cybersecurity professionals and other employees can be most effective in doing so. One option could be instituting a CISO’s reporting structure to support a strong governance model, which ensures that the CISO has the independence and access required to effectively manage the FAA’s cyber risk posture (Recommendation 4-3).
With this report, the committee hopes to provide FAA leadership with the information and tools necessary to ensure the continued success of the agency’s cybersecurity workforce as it seeks a new generation of talent in an increasingly competitive market. The above opportunities represent a key subset of recommendations that, in the committee’s estimation, will catalyze initial action toward meeting the prevailing challenges to the agency.
REFERENCE
Levine, S.S., Apfelbaum, E.P., Bernard, M., Bartelt, V.L., Zajac, E.J., and Stark, D. 2014. Ethnic diversity deflates price bubbles. Proceedings of the National Academy of Sciences, 111(52), 18524–18529.
This page intentionally left blank.
