Nana Pokuaah studies for her cybersecurity classes at a local cafe in Chantilly, Va. (Measu Bellay/The Washington Post)
When Nana Pokuaah isn’t working at a pharmacy, she’s in school — though it might not look like it.
Eight hours a day, three days a week, Pokuaah, 31, sits in a French cafe in Chantilly, Va., with her laptop, taking an online class that could put her on the front lines of a battle in cyberspace that begins every time a person logs on to a computer. Pokuaah is studying to become a cybersecurity analyst trained in identifying and defeating cyberattacks.
The number of cyberattacks has almost doubled in the past five years — averaging 758,000 annually — according to the FBI’s Internet Criminal Complaint Center, also known as IC3. Those are the cases we know of. When the FBI infiltrated the Hive ransomware network in 2023, they discovered that only one in five victims had filed complaints with law enforcement.
The growing threat has created a booming job market for cybersecurity specialists. The Labor Department forecasts steady growth, and a widely circulated report by Cybersecurity Ventures says unfilled jobs in the industry more than tripled worldwide since 2013. Though the pace has leveled off — and the U.S. tech industry shed jobs last year — there are many vacant positions in the United States.
The need has been especially keen in the nation’s capital, as government agencies and private corporations compete for qualified people. Several local colleges, universities and private companies have expanded their computer science programs, adding continuing education courses and cybersecurity boot camps to their offerings.
Students can learn the technical aspects, including hardware and software inside computer networks, as well as the managerial “soft skills” and fast-growing legal and regulatory demands of cybersecurity.
People from all sorts of backgrounds have plunged in, often with little more than curiosity, a knack for solving puzzles and an interest in outsmarting the bad guys.
“You have to be the kind of person who stands in the shower and thinks, ‘Well, I know how it’s supposed to work, but if I were a bad guy, what would I do that nobody expected me to do that would get me in?’” said John R. Levine, a computer expert who wrote “The Internet for Dummies.”
“Would it be a technical attack or would it be some sort of social engineering attack where I call up and say, ‘Gee, I lost my password. Can you reset it for me?’ - which works astonishingly well. Or some combination of those.”
Pokuaah, whose family moved to Northern Virginia from Ghana when she was young, chose to learn about cybersecurity after seeing firsthand the importance of securing sensitive data while working as a pharmacy tech for Kaiser Permanente. She enrolled in classes designed by a company called Springboard for the University of Maryland Global Campus.
Clocking 25 hours per week — more than the minimum to finish within six months — she reads their texts, watches their videos and completes their exercises. Though the material at times seems overwhelming, chatting on Slack with other students and steady guidance from her assigned mentor helps.
Now comes the next step, she says: passing the test to obtain the basic certification that will help her find work in a job market that seems to be growing as fast as the cyberthreats around us.
Recent cyberattacks and the use of digital money highlight the need for better cybersecurity
In May 2021, millions of Americans on the Eastern Seaboard awoke to long lines at gas stations that looked eerily similar to photographs from the fuel crisis during the 1970s. Service stations began rationing gas. Panic-buying sent fuel prices rocketing higher. The ensuing shutdown lasted for five days.
The cause? A cybercriminal gang known as DarkSide had successfully launched a ransomware attack on Colonial Pipeline, one of the nation’s biggest fuel pipeline operators that supplies almost half the gasoline, diesel and other fuels to customers on the East Coast. It was just one of several high-profile attacks in recent years, albeit one of the largest, and it transformed the way we do business.
The White House designated the breach as a national security threat and Congress moved to enact stricter cybersecurity laws governing infrastructure. Cyberattacks have successfully penetrated and disrupted other large U.S. government or industrial targets. Their names read like a Fortune 500 list of top corporations: Facebook, Target, Equifax, Capital One and Yahoo — which has been hit twice by huge attacks - to name a few.
A hack of the Office of Personnel Management, the federal agency responsible for government employee payments and benefits, compromised the personal data of millions of people, a congressional report says. Even the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which is charged with defending against cyberthreats, suffered the indignity of a hack, though a minor one.
“The days of our data being in a drawer or a filing cabinet or in a computer in the basement are over,” says Kai Degner, senior director of certificate programs at the University of Virginia’s school of continuing and professional studies.
“The real force driving the increase in demand for security professionals starts at the basis of the incredible acceleration in the digitalization of not just the economy, but every aspect of society at this point,” says CISA deputy assistant director Trent Frazier.
From hospitals to educational institutions, multinational corporations to small business, whole libraries of data have been computerized and stored with electrons instead of paper. “And I don’t think most people realize the pace at which we’re digitalizing our everyday lives.”
Texting, emails, online banking, shopping, filing tax returns - almost every aspect of American life has moved online or into the cloud. But the same technology that allows consumers to apply for credit cards or buy a pair of shoes from Sweden has opened up new vistas for state-sponsored hackers, organized crime and other criminals to exploit.
Their aims are as varied as the criminals and spies behind them. They seek ways to steal corporate or government secrets, conduct surveillance or empty someone’s bank account. They steal personal information like Social Security numbers or piggyback on an unsuspecting person’s computer access to penetrate a government or commercial organization.
Universities and colleges expand the number of classes
Many people begin their cybersecurity careers with a basic certification such as CompTIA’s Security+ certification. More advanced certifications include a Certified Information Systems Security Professional.
George Washington University, which is one of the Department of Homeland Security’s certified Centers of Excellence in the field, expanded its class offerings in cybersecurity, including a partnership with Northern Virginia Community College that awards degrees or helps students work toward basic certification. The program includes cybersecurity boot camps that compress a lot of information into a short period of time.
“It is really a great way to put your toe in the water in the industry because it gives you a broader understanding of what this field is and what it involves and what the opportunities are, but also some initial skills so that you can try that on for size,” said Liesl Riddle, an associate business professor and dean of George Washington University’s college of professional studies.
Legal liability for breaches and government regulations has also driven demand for cybersecurity professionals, especially regulations issued by the Securities and Exchange Commission that require publicly owned companies to disclose any cyberattack that might have a material impact on the business.
The SEC’s directive has caused some confusion about what must be disclosed but also led to a surge in hiring for cybersecurity professionals who specialize in compliance. The Bureau of Labor Statistics now estimates that demand for cybersecurity specialists will grow by nearly a third within a decade, increasing by about 16,800 openings a year. The jobs often pay more than $120,000 a year.
“Cybersecurity now is really touching every single sector, every single domain in industry that we have,” said Angel J. Jones, an instructor at the University of Virginia’s school of continuing and professional studies. “These organizations must understand that they have their fiduciary duties to protect their shareholders and their customers.”
Virginia is the top state with the highest employment level, not only in overall numbers but in the ratio of jobs to others, with 4.64 such jobs per thousand. The Washington, D.C. metropolitan area also has the top three rankings in the highest employment level and concentration of jobs for information security analysts. (The state of Washington, which is home to Amazon, Microsoft, Google, Meta and others, is the top paying state according to the Bureau of Labor Statistics.)
The Biden administration views the hundreds of thousands of cyber job vacancies” not just as an economic opportunity, but a national security issue. The White House updated its plan this month on a variety of programs that aim to give all Americans a basic level of cyber literacy, announcing a host of cybersecurity incentives and setting aside funding for education and training.
Version two of the National Cybersecurity Strategy Implementation Plan involves several agencies and seeks to address medium and long-term cyber workforce needs, focusing especially on underserved communities, and expanding both the private sector and federal cybersecurity workforces.
The initiative, which builds on the National Cybersecurity Strategy, calls for teaching all Americans basic cyber skills and supporting educational programs through scholarships and grants, including K-12, community colleges, vocational schools and universities.
This includes efforts by the National Security Agency’s National Centers of Academic Excellence in Cybersecurity to add additional clinics at higher educational institutions around the country, including grants to set up clinics in Nevada, Minnesota, Louisiana and Virginia, with a goal of 460 by the end of 2024. And there are various partnerships between federal agencies and the tech industry to provide additional training.
“We are very focused on fostering the development of the cybersecurity workforce,” CISA’s Frazier said.
Cybersecurity jobs attract people with diverse backgrounds
At a cybersecurity conference organized by FutureCon Events at a Baltimore hotel earlier this year, nearly 150 people - mostly men - milled around display tables with corporate swag bearing futuristic logos and names: Veritas Alta, Magna5, ThreatLocker and Proofpoint.
Attendees watched live presentations with titles such as “You Will Be Breached: Contain the Inevitable Breach which was not Detected” and many presenters used jargon that seemed to mix bureaucratic or militaristic acronyms with robotic science fiction: script kiddies; cyberattack kill chains; and API stacks (Application Programming Interfaces).
Several themes emerged. No business is too small to be a target. Data is the lifeblood of any modern company. People cannot be too paranoid - or too prepared. Attacks come from all over, including Russia, Iran, China and inside the U.S.
“You need very smart people to counter the very smart people in China who are hacking our systems. They’re not dumb bunnies over there that are doing this,” said David C. Flynn, a cybersecurity architect who lives in Laurel and works at Cambridge Cloudworks.
He said that even though there’s demand, the job market is competitive. Besides certification in cybersecurity, Flynn said obtaining security clearances boosts one’s career prospects, too, and offers some security of its own.
“Most of the people who are employed now in the Biden administration are in the ‘cleared’ world,” said Flynn who uses his spare time to write religion-inspired science fiction, submit papers to scientific journals on his theory of Dark Matter or travel with his wife in an RV outfitted with solar panels, an audiovisual system and other modern conveniences. “Everything else is getting cut.”
More than a few cybersecurity professionals have edged in to the field after careers in the telecom industry or other tech companies in the early days of computing, often having been self-taught. “It was the wild, wild West,” said Gregg Earnhart, a senior cybersecurity sales engineer for Next DLP. “‘Cybersecurity manager’ — that wasn’t even a position. Somebody asked me, ‘Hey, what do you know about firewall technology?’ So I had just read the O’Reilly’s book on firewall technology, so I’m now your expert.”
Like Earnhart, who was an Army medic, many attendees were former military or current government employees. Gemma Mills, 47, who entered the cybersecurity field midcareer, was in the Army until her discharge in 2002. Her first job after the Army was at a military base working as a sonogram technician. But after years - and relatively stagnant pay - she was ready for something new.
“I was, like, ‘I’m not a geek; I’m not a nerd.’ I know about IT but I’m just not there with coding and all that extra stuff,” Mills said. She enrolled in the computer studies program at Montgomery College, using Veterans Affairs benefits to pay tuition, and eventually found a job at the National Oceanic and Atmospheric Administration in cybersecurity compliance. With on-the-job training and another cybersecurity course, Mills aimed toward becoming certified.
It wasn’t easy. Mills failed the certification test twice, doing well with the theoretical questions but stumbling with hands-on problem sets. On the third try, she passed. Once certified, she was promoted. She is the first woman and the first person of color on her team.
Greg Mesniaeff, a veteran Wall Street analyst, made a sideways jump into cybersecurity. Feeling cooped up during the pandemic, Mesniaeff, who is in his 60s, started taking online education classes and cybersecurity seemed like a good fit. He had seen how companies like Sony had data stolen or were victimized through careless online business practices that resulted in government fines or private lawsuits.
“What really scares me is the ease with which your personal information can be compromised and accessed and stolen,” Mesniaeff said. “We’re living in an age of complete digital transparency.” He also knew that cybersecurity concerns, once a side issue in IT, had become a top priority in the C-suite.
Mesniaeff, who lives in Sharon, Conn., chose UVA’s school of continuing and professional studies where he could attend classes remotely. He also liked that UVA didn’t distinguish between in-state or out-of-state tuition for the classes. Several students were federal employees, including someone from the FBI, and the class was diverse in age, ethnicity, race and gender.
“You’re basically in class once a week in the evening on Zoom with the professor, with a lot of Q&A and a lot of class discussion,” Mesniaeff said. “And then you write papers and you submit them. There are take-home exams, but they’re not easy. So it’s like going to any graduate course in person, except you’re doing it through Zoom.”
Brandy Lynn Smith, 41, enrolled in UVA’s program for cybersecurity analysts to advance in her field. She had chosen information technology in high school because there were very few girls interested in the classes and she knew colleges were keen to enroll women in STEM programs. After college she worked for Longwood University and later UVA in IT.
“It had the ring of something out of CSI,” Smith said about the reason she chose cybersecurity. She likes the talk about “threat actors” and cyberforensics. “I wanted something different.”
