The United States urgently needs a virtual cybersecurity academy to train cyber defenders for national security, according to the Internet Security Alliance (ISA).
It noted in a recent update to its National Defense Cyber Threat Report that the federal government needs to muster the resolve shown at the end of World War II when the U.S. established the Air Force Academy to ensure the nation had the trained personnel to defend it in the new air theater of operations.
“Today, the United States faces a nearly identical deficiency — this time with respect to digital conflict,” the ISA asserted. “The nation, including every critical infrastructure sector, is under constant cyberattack from well-financed nation-states, and we lack an adequate number of trained personnel required to defend both government and private-sector systems.”
It explained that despite high investment in cybersecurity, the workforce deficit is overwhelming, with 500,000 to 750,000 cybersecurity vacancies nationwide, including 35,000 unfilled positions in the federal government.
“The United States must respond with the same urgency shown after World War II,” it argued. “While there are some government programs to promote cybersecurity training in return for government service, as would the virtual academy, they are far too small. We need to address the problem at scale.”
Free Cybersecurity for Uncle Sam
The ISA outlined a plan by which academy graduates would be paid at a level similar to that of West Point and Annapolis graduates during their required government service.
Those salaries are far lower than the ones paid to independent contractors to do those jobs. The difference between what the government pays academy graduates and what it pays independent contractors is so significant that it would cover the full cost of training them. Essentially, this is free cybersecurity for the federal government, the ISA reasoned.
Moreover, it added, once the academy graduates complete their government service, they will likely enter cybersecurity jobs in the private sector, where they will continue to defend our nation against nation-state attacks.
Funding for the academy could come through the Cyber PIVOTT Act, a proposed law currently before Congress that aims to train 10,000 cyber recruits a year for government positions, the ISA explained.
“At Darktrace, we see firsthand the pressing need for a stronger cybersecurity workforce,” said Marcus Fowler, CEO of Darktrace Federal, a global cybersecurity AI company. There are massive numbers of unfilled cybersecurity roles across the United States, leaving businesses and government agencies vulnerable.
“The recent PIVOTT Act is a critical step toward closing this gap by creating smarter workforce development pathways, expanding access to hands-on training, and building a skills-based cybersecurity talent pipeline that meets the demands of today’s economy,” he told TechNewsWorld.
However, Fowler added, to achieve that goal, we’ll also need to ensure that security teams are trained on the most advanced tools so that technology can fulfill its potential to augment the workforce and act as a true force multiplier.
“We believe that a smarter federal cyber workforce policy, when combined with greater adoption of AI-powered cybersecurity technologies, marks the best path forward toward meeting America’s skills and capabilities needs and building a more resilient national cyber defense,” he said.
Funding Risks and Gaps
David Kertai, a research assistant with the Information Technology and Innovation Foundation, a science and technology think tank in Washington, D.C., maintained that it is clear that federal, state, and local governments across the U.S. need more cybersecurity professionals to prepare for and respond to the growing number of cyber threats and attacks.
For example, he noted, the CyberCorps: Scholarship for Service program provides scholarships in exchange for service in federal cybersecurity positions. “While this program is a step in the right direction, it should be expanded,” he told TechNewsWorld. A virtual cybersecurity academy could complement the CyberCorps program by connecting individuals with existing educational institutions to complete their degrees and enter the cybersecurity workforce.
A virtual cybersecurity academy could be valuable, but only if it avoids the pitfalls that have made other federal training programs ineffective, contended Morgan Peirce, a research assistant in the technology and national security program of the Center for New American Security, a Washington, D.C.-based think tank focused on U.S. national security and defense policy.
“The U.S. already operates several major cyber training programs, including CyberCorps SFS, NSA’s Centers of Academic Excellence, and various agency initiatives — and these programs are resource-constrained and structurally fragmented,” she told TechNewsWorld. This new virtual academy would need to fill specific gaps lacking in existing programs.
“Adding a new program, rather than expanding existing programs, may fragment funding further,” she said. While the virtual element increases convenience, it will be important not to sacrifice training that requires an in-person element.
Hybrid Academy
If an academy were established, it would need to rethink current pedagogical approaches to information security. The traditional cybersecurity education model cannot scale to address the roughly 500,000 unfilled positions in the U.S. alone, contended Michael Bell, CEO of Suzu Testing, a provider of AI-powered cybersecurity services, in Las Vegas.
“A virtual academy removes geographic barriers while enabling hands-on training through virtual labs and simulated threat exercises that can actually be more effective than traditional classroom lectures,” he told TechNewsWorld.
The risk is that these training pipelines become certificate mills rather than genuine educational institutions, so any national academy must have rigorous standards, real-world capstone requirements, and employer validation to ensure graduates are actually qualified to defend critical systems, he said.
Bell envisioned the academy combining asynchronous coursework with live virtual labs, mentorship from practicing professionals, and real-world capstone projects with government and private-sector partners.
Think of a hybrid model, he observed, with a foundational curriculum covering network security, incident response, threat intelligence, and secure architecture, paired with specialization tracks: offensive security, cloud security, OT/ICS security, and AI security.
Critically, it needs partnerships with employers who commit to hiring graduates, creating a direct pipeline from education to employment, he added. The military’s existing virtual training infrastructure could serve as a foundation — although it would need to be vastly improved, scaled for civilian use, and integrated with community college credentialing programs, like those in the PIVOTT Act.
Limits of Current Training Models
Any academy should require hands-on training in large simulated corporate environments and guidance from senior professionals who would instruct and exercise the trainees, advised Ian Amit, founder and CEO of Gomboc, a provider of automated cloud infrastructure security solutions, in New York City.
“The key elements of the work a cybersecurity professional does involve tight coordination with other stakeholders,” he told TechNewsWorld. It’s not about proficiency with specific tools or languages, but more about experience working on incidents and coordinating response.
However, Amit argued that we don’t need more entry-level workers in the cybersecurity industry. It’s already overflowing with those who have a hard time breaking into the workforce — especially as more advanced tooling is offered to help fill the tasks performed by entry-level workers.
This seems to be a government view on the macroeconomy. While skilled professionals are in short supply, initiatives that provide virtual education to fill entry-level roles are simply misguided, he maintained.
While it’s absolutely the case that there is a major cyber professional and workforce pipeline deficit which is problematic, given escalating cyber tensions and incursions from adversaries sponsored or supported indirectly by Iran, Russia, North Korea and China, training alone can’t solve the deficit problem, added Jeff Le, managing principal at 100 Mile Strategies, a government affairs and emerging technologies consulting firm in Washington, D.C.
There needs to be a concerted investment and specific matchmaking to reduce the certification glut and emphasize skills-based expertise and apprenticeship models, he told TechNewsWorld.
National Security Warning
The ISA’s emphasis on national cybersecurity as a shared public-private responsibility is spot-on, noted Rosario Mastrogiacomo, chief strategy officer at Sphere Technology Solutions, a data governance software and services company, in Hoboken, N.J.
“But workforce challenges won’t be solved with policy alone,” he told TechNewsWorld. “We need scalable, sustainable infrastructure for continuous learning, better alignment between compliance and real risk reduction, and tools that enable security teams to focus on prevention, not paperwork.”
“The ISA report is a wake-up call,” added Ensar Seker, CISO of SOCRadar, a threat intelligence company, in Newark, Del. “It reframes cybersecurity not as a cost center or an IT silo but as a pillar of national strength,” he told TechNewsWorld.
We need systemic reforms, yes, but we also need to humanize the workforce challenge, he continued. Burnout, fragmentation, and talent bottlenecks are solvable, but only if we treat cyber professionals not just as defenders, but as strategic assets worth investing in.
