The Cybersecurity Workforce Has an Immigration Problem

Nick Merrill directs the Daylight Lab at the UC Berkeley Center for Long-Term Cybersecurity.

3.5 million. That’s how many unfilled jobs there are in the cybersecurity profession worldwide, per Cybersecurity Venture’s Cybersecurity Jobs Report.

How will we fill them?

July 31 marks the one-year anniversary of US President Joe Biden’s Cyber Workforce Strategy. This policy document aimed to alleviate the pervasive shortage of cybersecurity workers in the US economy. One technique noted in Biden’s strategy is the clinic model pioneered by the UC Berkeley Center for Long-Term Cybersecurity, through which students are trained to provide digital security assistance to nonprofits, city governments, and other public interest organizations. The cybersecurity clinic approach has proved successful, and there are now 33 clinics in 23 US states, with four new clinics coming online in Taiwan.

Here’s the problem: there just aren’t enough young people. According to research from the US Chamber of Commerce, only 1.8 million people will enter the workforce in the next seven years. Of the 3.5 million unfilled jobs, 750,000 will be in the United States. To fill them, we’d need to train 40% of all new workforce entrants in cybersecurity.

The situation is even more dire in other parts of the world. While the US population continues to grow (for now), many others are shrinking. Japan’s population has been declining since 2010, and Taiwan’s will start to decline soon. In the European Union, deaths have outnumbered births since 2012.

Pundits and researchers have discussed such demographic decline at length, but what does it mean for our cybersecurity workforce shortage? More importantly, what can we do about it?

Immigration pathways

We need skilled immigration pathways for cybersecurity professionals. A targeted immigration pathway for individuals with demonstrated experience in cybersecurity could significantly alleviate the workforce shortage in the Global North. In the US, this pathway would require substantial immigration reform. The H1-B visa program has an annual cap of 85,000 visas, including 20,000 for those with advanced degrees from US institutions. Even if all H1-B visas go to cybersecurity workers, the result would fall far below the 750,000 unfilled cybersecurity jobs in the U.S.

Creating a skilled immigration pathway for cybersecurity will require new policies. Chief among them is a mechanism to verify that applicants have relevant cybersecurity skills. One approach is allowing people to identify themselves by bringing forth previously unidentified bugs. This strategy is a natural way to prove aptitude and has the additional benefit of requiring no formal expertise or expensive testing. However, it would also require safe harbor provisions to protect individuals from prosecution under the Computer Fraud and Abuse Act.

Leveraging foreign talent

Without formal immigration pathways, expanding ways for US-based firms to work with foreign talent could also ease the burden. The Dutch government has pioneered an innovative policy to take advantage of the global connectivity of today’s workforce: if someone — anywhere in the world — hacks into networks managed by the Dutch government and responsibly discloses how they did it, the government sends them a t-shirt that reads, “I Hacked the Dutch Government and All I Got Was This Lousy T-Shirt” (along with a signed letter from the Dutch National Cybersecurity Center). This is a cost-effective way to incentivize global talent to contribute productively to our nation’s cybersecurity. According to my conversations with Dutch government officials, the Cybersecurity Center receives dozens of tips from all over the world, particularly from India. (Imagine how many more contributions the Netherlands — or the US — would receive if such tips also came with an immigration pathway.)

Our enemies’ weakness, our strengths?

The West’s adversaries may also play a counterintuitive role in a cybersecurity workforce solution. Recent work from Eugenio Benincasa at ETH Zurich highlights the strength of China’s cybersecurity workforce. How many Chinese hackers might be tempted to immigrate to the West, if invited, for better pay and greater political freedom? While politically sensitive, a policy that allows foreign-trained cybersecurity experts to immigrate to the US (on an O-1, or “extraordinary ability” visa) could enhance the West’s workforce while depriving its adversaries of offensive talent.

At the same time, such immigration programs must be measured and targeted to avoid adding tension to a world in which geopolitical conflict is already rising. At the recent Cyber Civil Defense Summit, a convening hosted by the Center for Long-Term Cybersecurity that brought together cyber defenders, academics, and policymakers, participants like Reps. Eric Swalwell (D-CA) and Marc Veasey (D-TX) identified the global crunch for talent spurring zero-sum dynamics — perhaps even leading some countries to punish others for poaching their workforce. Our Cybersecurity Futures 2030 scenarios identified similar dynamics.

The cybersecurity workforce crisis is a pressing issue that requires immediate and innovative solutions. By creating skilled immigration pathways, leveraging global talent, and tapping into adversarial expertise, we can make significant strides in addressing this challenge.

The stakes are immense. Cybersecurity threats continue to grow in scale and sophistication, posing risks to our economic stability, national security, and personal privacy. By taking proactive steps now, we can build a robust cybersecurity workforce that is capable of defending against these threats and securing our future.