Events Mapping the Future of US-Japan Cybersecurity Cooperation: Workforce Challenges and Opportunities

Loading Events

« All Events

  • This event has passed. However, the following provides highlights and event information.

Mapping the Future of US-Japan Cybersecurity Cooperation: Workforce Challenges and Opportunities

June 11, 2024 @ 8:00 am - 9:00 am

To download as a PDF, please click here.

Abstract

On June 11, 2024, the US-Japan NEXT Alliance Initiative convened a hybrid bilateral dialogue on cybersecurity workforce development. Senior Director Jim Schoff welcomed around 20 American and Japanese specialists to the event from both governments, think tanks, and the private sector. Mr. Andy Herrmann, Division Chief at the US Department of State, and Mr. Hiroshi Sasaki, Advisor at the Industrial Cybersecurity Center of Excellence (ICSCoE) at METI, led the event with comprehensive presentations on the current state of the cybersecurity workforce in both countries. Herrmann outlined the State Department’s strategies for cybersecurity recruitment, reskilling, and retention, highlighting various training programs designed to enhance the Department’s performance in each area. Sasaki addressed Japan’s cybersecurity workforce gap and the efforts to mitigate shortages through targeted training programs, stressing the potential value of US-Japan collaboration in tackling these challenges. The discussion segment delved into ways to enhance and expand cybersecurity workforce training through both domestic strategies and bilateral cooperation.

Opening Remarks

Mr. Andy Herrmann, Division Chief at the US Department of State, began the event with a presentation covering the current state of the cybersecurity workforce in the federal government. His presentation outlined a swath of cybersecurity training programs in various agencies, and how the US Department of State is approaching the recruitment, reskilling, and retention of IT human capital.

He opened by contextualizing the cybersecurity industry’s current state, noting the rise in state-sponsored attacks and the increasing cost and frequency of cybercrimes. Simultaneously as the industry comes under heightening strain, he highlighted how there are as many as four million cybersecurity vacancies. Even among those who are currently working, Herrmann explained that ISC2 – a non-profit organization which offers cybersecurity certification programs for professionals – found in a survey that 85% respondents were burnt out and considering leaving their job in the next year.

Herrmann then shifted to discussing how the State Department is approaching bolstering its own cybersecurity capabilities, and how important that is given how it is the most targeted federal agency by cyber actors. On strategic responses to confront these problems, Herrmann emphasized that they are doing disaster recovery drills, which are focused on restoring files to return to business after an attack, as well as improving detection of malware and data protection. He emphasized that such procedures are vital to improve, especially considering how other federal agencies such as the Department of Defense, USAID, and Peace Corps are also using cybersecurity systems in embassies and consulates around the world that the State Department must help to protect. However, he explained that making these procedures and systems more sophisticated will require acquiring and developing more talent.

On the recruitment side, he explained that it is hard to compete with the private sector for cybersecurity jobs due to the lengthy clearance process and lower salaries in the public sector. Instead, the federal government is focused on programs that can sell the mission of public service and diplomacy to students, mid-career professionals, and those in the military. Herrmann mentioned the CyberCorps program, which funds three years of cybersecurity or IT education in exchange for a three-year commitment in a cyber-related role within any federal agency, as one example. He also explained that with military, there is the Wounded Warrior to Cyber Warrior program that pays for a cybersecurity internship which eventually leads to a full-time job.

Herrmann also detailed the State Department’s initiatives, starting with the Foreign Affairs IT Fellowship. This program offers financial assistance and two internships to students in exchange for a five-year commitment as a Diplomatic Technology Officer. More on the reskilling side, he explained that the Foreign Service Institute offers a series of classes and training that prepares people to become Information and System Security Officers. This position, required in all embassies and consulates, focuses on cyber threats and managing cybersecurity teams.

Although these programs have aided recruitment and reskilling, Herrmann emphasized that retention remains a challenge. To address this, he explained that the Department of State established a retention unit two years ago to identify challenges employees face and understand the reasons behind their departure. As a supplement to this effort, the Cybersecurity Skills Incentive Program, which provides a 25% salary increase for three years upon obtaining an industry-recognized certification, as well as dedicated mentoring to help professionals have been offered.

To elucidate how the State Department has prioritized cyber-related issues at an institutional level, Herrmann elaborated on the newly established Bureau of Cyber Diplomacy and Policy. He emphasized that defining the norms of cyberspace, especially with partners like Japan, has been a priority of this Bureau. More recently, it has also done a lot on capacity building in developing nations that are digitalizing their economies. Herrmann highlighted a program in Costa Rica as the flagship model of this, where the Bureau has provided training, equipment, and a person on the ground to assist its government with cyber capacity building.

Mr. Hiroshi Sasaki, Advisor at the Industrial Cybersecurity Center of Excellence (ICSCoE) at METI, gave his presentation, highlighting the significant cybersecurity workforce gap in Japan and the efforts to address it through training programs. He discussed the importance of US-Japan collaboration in scaling cybersecurity training programs and the differences in the workforce markets between the two countries.

Sasaki kicked off his presentation highlighting the huge cybersecurity workforce gap increase that is being seen in Japan. To explain what is being done to confront this issue in Japan, he began by explaining what the ICSCoE is. Established in April 2017, the purpose of the center is to provide a one-year program for study of technology management and business primarily for critical infrastructure operators in industries such as electricity, gas, chemicals, oil, and others. He emphasized that the program has produced 350 graduates after six years of programming.

On the ability for US-Japan collaboration to scale such cybersecurity training programs, Sasaki highlighted how differences of the maturity level between the cybersecurity workforce market in both countries needs to be considered. He explained that the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE) is the most popular cybersecurity workforce framework in the US and in other countries, defining seven cybersecurity categories, 33 specialty areas, and 52 work roles. The goal of this categorization is to assist job matching and ensure that the framework corresponds to certifications provided by private sector vendors such as SANS and ICS2.

But, in contrast to the dynamic and flexible cybersecurity environment in the US, Sasaki explained that Japan’s market is less developed and more rigid. As a result, the NICE framework, which is widely adopted in the US, is too advanced for Japan’s current cybersecurity landscape. He emphasized the importance of a simplified job matching framework to facilitate a dynamic workforce exchange between the US and Japan’s cybersecurity industries. To show how simpler frameworks are not necessarily uncommon in high-income countries, Sasaki drew attention to the UK and EU cybersecurity workforce frameworks, which only define 16 and 12 different roles respectively.

Sasaki then shifted his focus to the Digital Skills Standard published by the Information-technology Promotion Agency of Japan. This framework defines five key roles, with the ultimate goal of facilitating collaboration among individuals to drive forward digital projects. Sasaki highlighted a common pitfall, where business architects often overlook cybersecurity considerations in the early stages of a project, prioritizing cost reduction and agility instead. However, this approach can lead to cybersecurity issues being neglected until the operational phase, resulting in costly consequences. To mitigate this risk, Sasaki emphasized the importance of collaboration between cybersecurity professionals and other stakeholders, such as business architects, designers, and data scientists. Moreover, he stressed that this framework helps develop fundamental cybersecurity skills across various roles, fostering a culture of cybersecurity awareness and best practices.

He continued on to acknowledge that while these standards would not necessarily cause a direct increase of the cybersecurity workforce, it is nonetheless a realistic way for strengthening cybersecurity readiness and reducing risk. Sasaki explained that this sort of collaboration between security colleagues and domain people from Operational technology (OT), Internet of Things (IoT), and other business areas is important for recruitment, reskilling, and retention of the cybersecurity workforce.

Discussion Summary

During the discussion segment, participants built upon the presentations with a thoughtful exchange and constructive comments. The conversation largely centered on various government and private sector cybersecurity workforce training programs, exploring ways to enhance and expand them through both domestic strategies and bilateral cooperation.

The discussion began with a response to Sasaki’s presentation. An American participant suggested that an exchange program between the US and Japan could embed a cybersecurity professional in the military or other law enforcement organs. He noted that such a program would enhance mutual capabilities and provide participants with a valuable opportunity to gain a broader perspective on cybersecurity issues, as Japan and the US face different challenges in this realm. Additionally, the participant recommended building on the Cyber and Digital Policy Bureau’s capacity-building initiatives. He explained that what Japan excels at may differ from what the US is best at, so when partnering to help other countries with their cybersecurity infrastructure, the US and Japan could focus on securing the systems they are best at (e.g., US on maritime cybersecurity and Japan on control systems).

These suggestions received positive responses from the participants, who also offered some comments. An American participant noted that the liaison officer approach was reminiscent of existing programs like the Mansfield Fellowship and suggested leveraging these programs more extensively to address cybersecurity needs. However, another American participant expressed caution about dramatically expanding exchanges, pointing out that exchanging individuals might not lead to a net gain in workforce capacity, despite the potential for learning and capacity-building. They highlighted that one area especially ripe for bilateral cooperation is sharing lessons on how to integrate AI and cybersecurity. They emphasized that AI could either alleviate workforce issues or exacerbate them, depending on the need for training to effectively utilize increasingly sophisticated tools.

A private sector participant from the US then chimed in, saying that one of the biggest issues for both countries is the lack of a common language around cybersecurity hiring. At this moment, the government uses a 2210 skill code that identifies all IT jobs so that when people apply with IT skills, they can identify which are more tech-related. However, the participant explained that this language the government uses for hiring and communicating needs is different from how the private sector classifies jobs using the NICE framework. They expressed that aligning this language between the private sector and government in the US is important, and coordinating this process with Japan could be helpful.

Continuing on, the same participant described the investments of private sector technology companies in supporting the cyber workforce. They explained that Google established cyber clinics and a certificate program designed to share internal expertise and provide practical, hands-on training, which may not be available in university programs. On that point, the participant suggested that universities must do more to include cybersecurity training in their computer science curriculums. They emphasized that while 23,000 students are graduating with cybersecurity degrees, 60,000 are graduating with computer science degrees. By incorporating some cybersecurity education in computer science curriculums, the number of people with at least some experience in cybersecurity could potentially triple. Another American participant echoed this emphasis on education, explaining the positive proliferation of primary schooling programs to teach kids how to code in the US. A Japanese participant added that Japan has similar programs to engage and teach the youth, particularly the Giga School Program.

The discussion then shifted to capacity-building and critical infrastructure programs that train individuals in other countries. An American participant asked a Japanese participant about Japan’s engagement with Southeast Asian countries. The Japanese participant explained that Japan, along with the US and EU, hosts an annual Cybersecurity Week in Tokyo, a week-long training program focused on providing hands-on training to participants from the Indo-Pacific region, including many from Southeast Asia, on protecting Industrial Control Systems from cyber threats.

After discussing these various programs, one participant emphasized the need for better coordination among the numerous cybersecurity initiatives across the Japanese government to make sure these programs do not have too many unnecessary overlaps. They also stressed the importance of building on successful initiatives, rather than just creating new ones. An American participant agreed, noting that the US should adopt a similar approach. They highlighted the need to expand successful programs like the CyberCorps program, which currently supports 1,800 students annually, despite a workforce gap of around 480,000. They emphasized that significant investment is necessary to ensure these programs grow large enough to be more effective.

A Japanese participant made final comments, noting that many of the workforce issues discussed today are similar to those faced 30 years ago. However, they pointed out that the US has been more successful in private sector investment and supporting higher education and training at the university level. They emphasized that Japanese tech companies do not invest to the same extent as US firms, suggesting that pairing Japanese companies with US firms to invest in cybersecurity training in higher education in Japan could help alleviate the workforce gap and share lessons.

NEXT Steps

Senior Director Schoff closed the event by thanking the participants for their insightful comments and good discussion. This sixth roundtable comes as NEXT continues its effort to map out the US side of the cybersecurity infrastructure landscape, to build its “Alliance Mapping Tool” on the NEXT Alliance Initiative page of the Sasakawa Peace Foundation USA website.

The US-Japan NEXT Alliance Initiative is a forum for bilateral dialogue, networking, and the development of joint recommendations involving a wide range of policy and technical specialists (in and out of government) to stimulate new alliance connections across foreign, security, and technology policy areas. Established by Sasakawa Peace Foundation USA with support from the Nippon Foundation, the goal is to help improve the alliance and how it serves shared interests, preparing it for emerging challenges within an increasingly complex and dynamic geostrategic environment. Launched in 2021, the Initiative includes two overlapping lines of effort: 1) Foreign & Security Policy, and 2) Technology & Innovation Connections. The Initiative is led by Sr. Director Jim Schoff.

Details

Date:
June 11, 2024
Time:
8:00 am - 9:00 am
Event Categories:
, ,

2024 Sasakawa USA | Privacy Policy | Sitemap

Custom WordPress Design, Development & Digital Marketing by time4design