It's conventional wisdom among cybersecurity experts that both the U.S. government and many industries have underinvested in cybersecurity, even as the number and scale of threats have visibly grown.
But now that appears to be changing, as many institutions are now ramping up hiring, and the next generation of cybersoldiers is stepping up.
"We have seen interest from students in cybersecurity and cyberpolicy. CS in general is one of the most popular majors on campus, and the most popular among female undergraduates," said Allison Berke, who is the executive director of the Stanford Cyber Initiative.
"A newly launched student group called Practical Cybersecurity formed this quarter to teach students practical hacking, computer security and cyberpolicy analysis skills," she said. "We don't work directly with government agencies for training, but the student group is planning to enter competitions like the Atlantic Council's cyber 9/12 challenge."
It's the same story at Purdue University's Center for Education and Research in Information Assurance and Security, which has the oldest U.S. degree program in information security and is the largest producer of Ph.D.s in the field.
"We have seen a steady increase in the number of students interested in cybersecurity over the last few years," said Purdue professor Gene Spafford, a veteran of cybersecurity education who has also advised government agencies including the NSA, FBI and Air Force. Spafford noted though that — as with most graduate school programs — most of his students are not U.S. citizens.
"It is difficult to get U.S. citizens to apply for grad school in CS or information security," he said. "Government wants to hire people but really isn't into helping support academia in training them, obtaining current equipment, or developing good curricular material."
Many graduates of the program take jobs with government agencies or work as contractors but Spafford said CERIAS has "effectively zero support from government agencies to expand our program or offer better education."
And as the field attracts more students, cybersecurity firms are reporting an uptick in interest from prospective employees.
"It is the hottest field to go into and plays to the strengths of the younger generations who have grown up online," said Ben Johnson, a former NSA employee who is now chief security strategist at Bit9 + Carbon Black, a company that helps government agencies and enterprises secure computer systems and respond to attacks.
"We have seen an increase in qualified individuals and the desire by students to gain the necessary skills to fight terrorists using cyberwarfare," said Morey Haber, vice president of technology at BeyondTrust, a cybersecurity firm that aims to eliminate data breaches from hack attacks and insider privilege abuse.
Pravin Kothari, founder and CEO of CipherCloud, a Silicon Valley-based cloud security firm concurred. "While there has been a shortage of cybersecurity talent in the past few years, it has also become an attractive career option for students and professionals. We expect to see more interest in STEM careers as well as more students pursuing security coursework out of a sense of patriotism."
This may be music to the ears of Secretary of Defense Ashton Carter, as he reaches out to Silicon Valley to mend fences and solicit help fighting an increasingly technologically sophisticated and connected army of hackers and terrorists.
The DOD recently opened its first outpost in the valley, the Defense Innovation Unit Experimental, to strengthen and build relationships with innovators and scout for breakthrough technologies. Carter is quoted on the DIUX homepage saying, "If we are going to leverage these technologies to defend our country and help make a better world, the DOD cannot do everything in all of these areas alone."
In doing so, Carter has drawn praise from venture capitalists such as Marc Andreessen and Ben Horowitz.
On March 13 of this year Carter told employees of Cybercom and the NSA at the U.S. Cyber Command Workforce at Forte Meade, Maryland, how much they are valued. (The address was Carter's first appearance at a troop event)
"The domain that you protect, cyberspace, is presenting us with some of the most profound challenges," he said. "While you may not be at risk in the way that the forces are — physical risk in the way our — in Afghanistan, we are requiring from you a comparable level of professionalism, excellence, dedication. And I know you show all that, but we count on it, because you really are on the front lines."
"We understand that this mission area is one we cannot afford not to keep investing in," said Carter. "A big priority of mine is going to be to make sure that you're getting the training and the equipment and the resources you need," he said.
Carter is well-aware of the massive shortfall in much-needed tech talent, and he's courting the next generation of hackers, vying with the industry to attract and retain top talent.
"I don't want you being hired away either," Carter half-joked at the address. "I can't stop you."
"By most estimates we have a shortage of over 1 million cybersecurity specialists in the IT workforce," said Jeff Schilling, chief security officer of Armor, a company that researches, aggregates and analyzes threat data from global sources to identify active adversaries and their ever-changing techniques.
"The government, and most organizations, have an incredible shortage of cyberdefenders, including some companies that have 300 open positions just for security analysts," said Johnson. "The numbers are staggering. The uptick in applications to be cybersecurity soldiers and defenders is not keeping pace with the need, which means we are falling further and further behind."
Something both the U.S. government and companies — from small cybersecurity start-ups to security giants like Intel Security — hope they can change.