The United States is experiencing a serious shortage of trained cybersecurity personnel as hostile nation-state actors increase their digital attacks, according to a new alert from the Internet Security Alliance (ISA). In its updated National Defense Cyber Threat Report, the group called on the federal government to create a large national virtual cybersecurity academy, referred to as “Cyber U,” to train the next generation of cyber defenders in line with the current threats.
The ISA points out that the U.S. should learn from history, especially the creation of the U.S. Air Force Academy after World War II, which provided the skilled personnel needed for a new kind of warfare. As digital conflicts grow, the group believes that a similar national mobilization is necessary to tackle adversaries who use cyberspace as their main battlefield.
“Today, the United States has a comparable shortfall—this time regarding digital conflict,” the ISA wrote. “The nation, including every critical infrastructure sector, is constantly targeted in cyberattacks by well-funded nation-states, and we lack a sufficient number of trained individuals to defend both government and private systems.”
A Workforce Crisis, Despite Rising Cybersecurity Investment
The United States continues to pour money into cybersecurity technologies, AI-based threat detection systems, and new standards for operators of critical infrastructure. However, the gap in the workforce remains one of the nation’s most pressing weaknesses in cybersecurity. The ISA reports that there are currently between 500,000 and 750,000 unfilled cybersecurity jobs across the country, with nearly 35,000 of those vacancies in the federal government.
This ongoing shortage has left agencies and operators of critical infrastructure relying on private contractors, who often receive salaries much higher than those in the public sector. The ISA warns that this imbalance cannot go on.
“The United States must react with the same urgency shown after World War II,” the ISA stated. “Although government programs encourage cybersecurity training in exchange for government service, they remain far too limited. We need to tackle the problem on a larger scale.”
A “Free Cybersecurity Workforce” for the Federal Government?
One of the ISA’s most striking points is that a virtual cybersecurity academy could pay for itself. The group’s argument relies on the salary difference between academy-trained personnel and private contractors.
Under the ISA’s plan, graduates would earn salaries similar to those of West Point or Naval Academy alumni, which are significantly lower than what private cybersecurity contractors earn. The federal government spends vast amounts on contractor services—often several times more than what it would cost to hire comparably trained federal employees.
The ISA claims that the savings alone could entirely fund the academy’s tuition, teachers, and operations. Essentially, the group argues that the government could receive “free cybersecurity” by hiring academy-trained personnel to fulfill their service obligations instead of relying heavily on contractors.
Additionally, these graduates would eventually work in the private sector, enhancing national resilience by increasing the country’s pool of cybersecurity talent. Many would go on to join critical infrastructure operators-like energy utilities, hospitals, transportation systems, and telecommunications providers-where cybersecurity is a growing national security concern.
The Cyber PIVOTT Act: A Potential Funding Pathway
Funding for the virtual academy could come through the Cyber PIVOTT Act, legislation currently under consideration in Congress. The bill aims to train 10,000 new cybersecurity recruits each year for government service, and although not yet approved, its goals closely mirror the ISA’s proposal.
Industry leaders have voiced strong support for the initiative. Marcus Fowler, CEO of Darktrace Federal, emphasized the urgency of strengthening the nation’s cyber workforce:
“There are massive numbers of unfilled cybersecurity roles across the United States, leaving businesses and government agencies vulnerable,” Fowler said. “The PIVOTT Act is a critical step toward closing this gap by creating smarter workforce development pathways and expanding access to hands-on training.”
Fowler also noted that training must incorporate advanced technologies, including AI-driven cybersecurity tools that are becoming central to modern defense strategies. “A smarter federal cyber workforce policy, combined with greater adoption of AI-powered cybersecurity technologies, represents the most effective path toward building a more resilient national cyber defense,” he added.
Support for Expansion-and Skepticism About Federal Fragmentation
The academy proposal has garnered support from analysts who believe the U.S. government is overstretched. David Kertai of the Information Technology and Innovation Foundation noted that existing programs like CyberCorps: Scholarship for Service provide a solid foundation but need to be expanded.
“CyberCorps should be scaled,” Kertai said. “A virtual cybersecurity academy could enhance it by connecting individuals with educational institutions and enabling more people to enter the cybersecurity workforce.”
However, experts caution that repeating past mistakes could undermine the academy’s mission. Morgan Peirce of the Center for a New American Security warned that new federal cybersecurity initiatives often suffer from fragmentation.
“The U.S. already runs several significant cyber training programs, including CyberCorps SFS and NSA’s Centers of Academic Excellence,” she said. “These initiatives face resource limitations and are structurally fragmented.” She argued that creating another program might further stretch limited funding unless it is designed specifically to fill existing gaps.
Peirce stressed that virtual training should not replace in-person or hands-on learning, especially for skills requiring teamwork and high-pressure decision-making.
Toward a Hybrid Academy: Virtual, Scalable, Hands-On
Supporters of the academy concept, including executives from cybersecurity companies, argue that a modern hybrid learning model is vital. Michael Bell, CEO of Suzu Testing, stated that the traditional cybersecurity education system cannot keep pace with the U.S. workforce gap.
“A virtual academy eliminates geographic limitations while providing hands-on learning through virtual labs and simulated threat exercises,” Bell said. “These exercises can sometimes be even more effective than standard lecture-based learning.”
Bell cautioned, however, that without strict standards, the academy could turn into a “certificate mill.” To prevent this, he envisions a system that includes:
- Asynchronous coursework
- Live virtual labs
- Mentorship from active security professionals
- Capstone projects developed in partnership with federal agencies and private organizations
Bell proposed specialized tracks that meet urgent national needs, such as offensive cybersecurity, cloud security, operational technology and industrial control systems (OT/ICS), and AI security. He also emphasized the importance of partnerships with employers to create direct pathways from education to job placement.
Beyond Theory: The Need for Real Operational Training
Some experts contend that practical experience, not just credentials, should be the academy’s primary focus. Ian Amit, CEO of Gomboc, stressed that many cybersecurity roles require work in complex, real-world situations involving multiple stakeholders.
“The key elements of cybersecurity work involve close coordination with other stakeholders,” Amit said. “It’s not about being proficient with specific tools or languages but having experience managing incidents and coordinating responses.”
Amit expressed concern that the cybersecurity industry already has too many entry-level workers who cannot find jobs due to hiring bottlenecks and automation. He warned that if the academy does not address advanced training, it could worsen the imbalance.
Training Alone Cannot Solve the Workforce Shortage
Jeff Le, managing principal at 100 Mile Strategies, argued that while tensions from cyberattacks sponsored by Russia, Iran, China, and North Korea make workforce development crucial, training alone cannot fix the underlying issues.
The current cybersecurity labor market faces:
- An oversupply of certifications that do not meet industry needs
- A lack of apprenticeship or mentorship programs
- Burnout among mid-level professionals
- Limited advancement opportunities within government cyber roles
“There needs to be a collective investment and specific efforts to reduce the certification oversupply and emphasize skills-based expertise,” Le said. He highlighted the importance of apprenticeship models that place new hires directly into operational environments.
A National Security Imperative, Not an IT Issue
Many cybersecurity leaders believe the ISA’s proposal redefines cybersecurity as a vital part of national defense, rather than just an IT function. Industry veteran Rosario Mastrogiacomo of Sphere Technology Solutions stated that the report highlights a significant shift in how the U.S. should approach cyber readiness.
“The ISA’s focus on national cybersecurity as a shared responsibility between public and private sectors is spot on,” he said. “We can’t solve workforce challenges with policy alone. We need scalable, sustainable infrastructure for ongoing learning.”
Mastrogiacomo emphasized that cybersecurity teams must have tools that prioritize prevention over paperwork and that education programs must be updated accordingly.
Ensar Seker, CISO of SOCRadar, called the ISA’s report a “wake-up call.”
“It reframes cybersecurity not as a cost center or an IT silo but as a pillar of national strength,” Seker said. He noted that burnout and workforce fragmentation are still major obstacles that need to be addressed with the same seriousness as technical weaknesses.
A Nation Under Persistent Digital Siege
The ISA report comes at a time when cyberattacks have become a regular part of American life. Attacks on water systems, energy grids, hospitals, state and local governments, and private businesses have grown more frequent and sophisticated. Federal officials have continually warned that Russia, China, Iran, and North Korea are expanding their digital capabilities and probing U.S. critical infrastructure with increasing aggression.
This new era of digital conflict needs not only advanced tools but also a workforce capable of understanding the tactics of adversaries and defending against them in real-time. Supporters argue that the academy proposal reflects the scale and urgency required to develop that workforce.
The Road Ahead
The federal government must now decide if a national virtual cybersecurity academy—modeled on the Air Force Academy but designed for the digital age—is the right solution for America’s cyber workforce crisis. Supporters say the stakes are too high to wait: the U.S. is already years behind adversaries investing aggressively in cyber talent.
As nation-state attacks increase and the workforce gap widens, the ISA’s proposal urges the United States to rethink how it trains, deploys, and supports the cyber defenders who protect the country’s most essential systems. Whether Congress acts—and the scale of that action—remains the central question.
