Mark Green: ROTC-Like Program, Automation Can Impact Federal Cyber

A new bill proposes an ROTC-style scholarship program approach to hiring cybersecurity talent, a move among Rep. Mark Green’s cybersecurity policy priorities that include filling a workforce shortage, reducing compliance burdens and disincentivizing threat actors.

“If you want to increase the flow through the pipe that production pipe to produce those cyber experts, you have to increase the diameter of the pipe,” House Homeland Security Committee Chairman Green said Thursday at CyberScape Summit in Bethesda, Maryland, about his Cyber PIVOTT Act. “If you go and get a two-year degree and get the technical skills, we’ll pay for that in a scholarship. We’re going to get 10,000 of those a year, and then you pay back by working in any level of government.”

The chairman discussed the proposed legislation as one solution to several challenges the federal government is facing with regard to combatting increased cyber adversaries that threaten national security. For Green, whose committee oversees the Department of Homeland Security, cybersecurity is top of mind.

“Our No. 1 [priority] now is really cyber,” Green said at the event.

In addition to the workforce component, he outlined how policy could impact streamlining compliance and addressing economic models that facilitate bad actors.

“A $3,000 laptop and a kid in Russia can do a lot of harm, and the cost benefit to that guy or gal is very favorable, whereas for the businesses that are protecting themselves it’s just the opposite,” he said.

Green believes the current approach to compliance requirements are decreasing the ability for organizations to focus on what matters.

“We can fix some things like that SEC rule basically says you have to report a breach within 4 days, when it takes an average of 7 to 11 days or more to patch a breach, so that’s sort of like announcing to the world that we’ve got an open door,” he said.

He touted automated scorecards as taking the human out of the loop and reducing compliance burdens.

“We need a compliance scorecard that’s automated, that measures all the things that the government requires, and boom, it’s done. So the vision starts with defining what that is, and then building systems that will accomplish it in as efficient manner as possible,” he said.

“With policy, we get very specific and say, for example, in compliance that equipment has to meet a certain standard. Of course, technology runs very quickly — a lot faster than Congress — and so we wind up tying the hands,” he added. “We have to be very careful about what policy we implement and make sure that it leaves the agility in place because when it comes to cyber defense, it’s all about agility. There are things we can do, but we want to just be very careful.”