The United States needs to urgently establish a virtual cybersecurity academy to train cyber defenders essential to national security, according to the Internet Security Alliance (ISA).
In a recent update to its National Defense Cyber Threat Report, the ISA argued that the federal government must show the same determination it demonstrated after World War II, when it created the U.S. Air Force Academy to ensure the nation had skilled personnel to defend a new domain of warfare.
“Today, the United States faces a remarkably similar shortfall — this time in the realm of digital conflict,” the ISA stated. “The country, including every critical infrastructure sector, is under continuous cyberattack from well-funded nation-states, yet we lack sufficient trained professionals to protect both public and private systems.”
The organization noted that despite significant investment in cybersecurity, the workforce gap remains staggering, with an estimated 500,000 to 750,000 unfilled cybersecurity jobs nationwide, including about 35,000 vacancies within the federal government alone.
“The United States must respond with the same urgency it showed after World War II,” the ISA insisted. “Although some government programs exist to promote cybersecurity education in exchange for public service, they are far too limited. This challenge must be addressed at scale.”
Free Cybersecurity for the Federal Government
The ISA proposed that graduates of the academy would receive compensation comparable to that of graduates from West Point and the Naval Academy during their mandatory government service.
Those salaries are significantly lower than what the government currently pays private contractors for similar work. The cost difference, the ISA argued, would effectively cover the full expense of training academy graduates — resulting in what is essentially free cybersecurity labor for the federal government.
In addition, once graduates complete their public service obligations, many are expected to move into private-sector cybersecurity roles, where they would continue defending the nation against state-sponsored cyber threats.
Funding for the academy could come through the Cyber PIVOTT Act, pending legislation in Congress that seeks to train 10,000 cyber professionals annually for government roles, the ISA explained.
“At Darktrace, we see firsthand the urgent need for a stronger cybersecurity workforce,” said Marcus Fowler, CEO of Darktrace Federal. He noted that widespread staffing shortages leave both businesses and government agencies exposed.
“The PIVOTT Act is a vital step toward narrowing this gap by creating smarter workforce pipelines, expanding access to practical training, and building a skills-based talent pool aligned with today’s economic needs,” Fowler told TechNewsWorld.
However, he emphasized that success will also require ensuring that security teams are trained on advanced tools, allowing technology to amplify human capabilities and act as a true force multiplier.
“A more intelligent federal cyber workforce strategy, combined with broader adoption of AI-driven security technologies, offers the best path toward meeting America’s capability needs and strengthening national cyber resilience,” he said.
Funding Risks and Structural Gaps
David Kertai, a research assistant at the Information Technology and Innovation Foundation, said it is evident that federal, state, and local governments need far more cybersecurity professionals to respond to the growing threat landscape.
He pointed to programs like CyberCorps: Scholarship for Service, which offers scholarships in exchange for federal cybersecurity service. “While this initiative is a positive step, it needs to be expanded,” he told TechNewsWorld. A virtual academy, he added, could complement CyberCorps by linking students with existing educational institutions and accelerating their entry into the workforce.
Morgan Peirce, a research assistant at the Center for New American Security, cautioned that a virtual cybersecurity academy would only be effective if it avoids the shortcomings that have limited other federal training programs.
“The U.S. already operates multiple cyber training initiatives — including CyberCorps SFS, NSA Centers of Academic Excellence, and various agency programs — and they are underfunded and fragmented,” she told TechNewsWorld. Any new academy would need to address gaps not covered by existing efforts.
“Creating an entirely new program instead of expanding current ones could further dilute funding,” she warned. And while a virtual format improves accessibility, some forms of training still require in-person components.
A Hybrid Academy Model
If created, the academy would need to rethink traditional approaches to cybersecurity education. According to Michael Bell, CEO of Suzu Testing, current models cannot scale to fill the roughly 500,000 open cybersecurity roles in the U.S.
“A virtual academy eliminates geographic barriers and enables hands-on training through virtual labs and simulated threat scenarios, which can be more effective than conventional classroom instruction,” he told TechNewsWorld.
Still, Bell warned against turning the academy into a certification factory. To be credible, it must enforce rigorous standards, include real-world capstone projects, and involve employer validation to ensure graduates are truly job-ready.
He envisioned a hybrid structure combining self-paced coursework with live virtual labs, mentorship from experienced professionals, and applied projects in partnership with government and industry. The curriculum would cover core areas such as network security, incident response, threat intelligence, and secure architecture, alongside specialized tracks in offensive security, cloud protection, OT/ICS security, and AI security.
Crucially, Bell said, the academy must partner with employers committed to hiring graduates, creating a direct pipeline from training to employment. Existing military virtual training systems could provide a foundation, though they would require significant expansion and integration with civilian credentialing programs like those outlined in the PIVOTT Act.
Limits of Existing Training Approaches
Ian Amit, founder and CEO of Gomboc, argued that any academy must emphasize hands-on experience in large-scale simulated enterprise environments, guided by senior professionals.
“Cybersecurity work depends heavily on coordination with multiple stakeholders,” he told TechNewsWorld. “It’s less about mastering specific tools and more about responding to incidents and managing collaboration.”
Amit also contended that the industry doesn’t suffer from a lack of entry-level workers. Instead, it is already crowded with junior candidates struggling to gain traction, particularly as automation increasingly replaces entry-level tasks.
From this perspective, he argued, government efforts to produce more entry-level talent through virtual education are misguided. The real shortage lies in experienced professionals.
Jeff Le, managing principal at 100 Mile Strategies, echoed that concern. While acknowledging a severe cybersecurity talent deficit amid rising threats from adversaries linked to Iran, Russia, North Korea, and China, he said training alone won’t solve the problem.
What’s needed, he argued, is targeted investment, better talent matching, fewer redundant certifications, and a stronger focus on skills-based development and apprenticeship models.
A National Security Wake-Up Call
The ISA’s framing of cybersecurity as a shared public-private responsibility is accurate, said Rosario Mastrogiacomo, chief strategy officer at Sphere Technology Solutions.
“Policy alone won’t fix workforce challenges,” he told TechNewsWorld. “We need scalable systems for continuous learning, better alignment between compliance and real risk reduction, and tools that let security teams focus on prevention instead of paperwork.”
Ensar Seker, CISO of SOCRadar, called the ISA report a warning signal. “It positions cybersecurity not as an IT expense, but as a core element of national strength,” he said.
Systemic reforms are necessary, he added, but so is a more human-centered approach. Burnout, fragmentation, and talent bottlenecks can be addressed — but only if cyber professionals are treated not just as defenders, but as strategic assets worthy of long-term investment.