April 08, 2025

ROTC for Hackers: Developing a Pipeline of Cyber Talent for National Defense

Insight from The Pitch 2024: A Competition of New Ideas

By: Matthew Hauwiller

This commentary piece is part of CNAS’s The Pitch: A Competition of New Ideas. The author, Matthew Hauwiller, won the Institutions and People Power Heat at the 2024 competition.

As the world becomes even more digitized, offensive and defensive cyber capabilities lie at the core of 21st-century war strategy. Even in times without active conflict, adversarial powers leverage cyber capabilities to extract sensitive information and compromise the critical infrastructures of their competitors. Unfortunately, compared to the cyber efforts of the Cyberspace Administration of China and Russia’s Foreign Intelligence Service, the U.S. cyber force, spread across the Department of Defense (DoD) and intel communities, is massively understaffed. The United States needs to create a new pipeline of cybersecurity talent through a college initiative modeled on existing Reserve Officers’ Training Corps (ROTC) programs.

Recent DoD efforts, including accelerating time-to-hire and implementing cyber talent exchange programs, decreased cyber vacancies in the department by 4.8 percent in 2024. However, Mark Gorak, principal director for resources and analysis at the DoD’s Office of the Chief Information Officer, said in November 2024 that the civilian DoD vacancy rate is still 16.2 percent. During his testimony to the House Select Committee on the Chinese Communist Party in January 2024, Federal Bureau of Investigation (FBI) Director Christopher Wray said, “If each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.” Although advances in artificial intelligence (AI) will enhance the productivity of individual workers and enable automated defense, it is hard to imagine the United States getting far enough ahead of China on AI to overcome such a staggering talent gap.

The United States needs to create a new pipeline of cybersecurity talent through a college initiative modeled on existing Reserve Officers’ Training Corps (ROTC) programs.

The United States is home to the top computer science and engineering universities in the world, but existing pipelines between science, technology, engineering, and mathematics (STEM) and the DoD are not strong enough. Based on the author’s experience in chemistry graduate school and the microelectronics industry, STEM students often do not feel like they would fit in a Defense Department culture and think that military service could even derail their career. Military services have cultivated a reputation for bravery, physical strength, and hands-on adventure, but cyber roles behind a computer require completely different skillsets and interests. Both types of warriors are essential to U.S. defense, but attracting and retaining them requires a different pipeline. Cyber talent gaps are not a new concern, but most previous efforts focused on bringing cyber talent into the existing defense pipeline rather than creating a new pipeline.

Develop A New Talent Pipeline

The highly successful ROTC program on college campuses provides a template for creating a cyber talent pipeline. In the ROTC, students commit to serve in the U.S. military following graduation in exchange for tuition support. In addition, they train in a cohort of peers with a similar motivation of service to their country and personal improvement. The U.S. Space Force can start similar cyber training programs on college campuses, providing up-front value of college support in exchange for the commitment to serve. Receiving commitments at the start of the college journey enables cyber defense organizations to influence students’ development and guarantees that the students will spend at least four years working for government cyber organizations upon graduation, rather than at high-paying Silicon Valley firms. Additional defense-specific training and joint exercises with other branches of the military can help participants learn how to work and communicate with more traditional warfighters.

Cyber is distributed across multiple branches of the military and intel communities, so the ROTC for Hackers program would undoubtedly expand beyond the Space Force. The Department of Defense has extensive experience running the ROTC program, and the Space Force has a new brand and association to technology that would help create the new STEM-focused culture of ROTC for Hackers. After successful demonstration of the program, other branches may start their own programs or, ideally, enroll their cyber recruits in the established Space Force program. Having all participants in the same program would provide economies of scale and a large cohort of like-minded peers. The ROTC for Hackers program could also expand beyond the DoD to include participants from the FBI, Central Intelligence Agency, Cybersecurity and Infrastructure Security Agency, and State Department, building further positive connections between various nodes of cyber in the U.S. government.

Broaden the Cyber Talent Pool

Cyber organizations already engage with college campuses through career fairs and information sessions, but establishing an ROTC-like program would forge deeper connections with the university communities. Not only could U.S. cybersecurity organizations build a presence at top-ranked STEM programs, such as the Massachusetts Institute of Technology and Stanford, but they could enhance their geographic and racial diversity by starting programs at Historically Black Colleges and Universities and Hispanic-Serving Institutions. The ROTC for Hackers program could also work with K–12 STEM organizations like Girls Who Code and Code Savvy to enhance gender diversity in cybersecurity. The tuition support would additionally supply opportunities for low-income STEM students to pursue higher education. The ROTC for Hackers program would provide partnership opportunities with organizations that have pipelines of diverse, young talent that traditional military recruitment cannot reach.

Provide Opportunities for Private-Public Partnership

A shortage of cyber talent is not unique to the government. According to the National Institute of Standards and Technology (NIST), the United States had 1.1 million cybersecurity employees in 2023 but 660,000 cybersecurity job openings. Like participants in other ROTC programs, many in ROTC for Hackers may transition to the private sector after completing their service—to the benefit of both the companies and the government. Ideally, participants would choose to continue working in government beyond their initial commitments, but even in the improbable scenario where every participant leaves after their four years of service, that would statistically lead to a 25 percent attrition rate. That worst case scenario is not much worse than the cybersecurity industry attrition average of 18.5 percent, which is higher than the technology industry attrition rate of 13.2 percent. Technology companies will likely want to participate in the program to create positive brand recognition and attract the talent that chooses to leave the government sector, and potential partnership opportunities during the program around training, mentorship, sponsorship, and exposure to new technologies would further enhance the appeal of the program to students. The ROTC for Hackers program could help improve the at-times tense relationship between technology workers and the U.S. military, enabling much-needed future collaboration.

Build a Brand for U.S. Cybersecurity

Making cybersecurity attractive to teenagers requires showcasing a person or team that they can aspire toward. The Navy has the SEALs, and the U.S. fighter pilot community receives priceless promotion from the Top Gun movies. What is the equivalent for U.S. cybersecurity? The top ROTC for Hackers participants can work to be chosen for an elite hacking team that will represent U.S. cybersecurity on the national and international competition stage. Cyber hacking competitions are popular in the technology community, and if the ROTC for Hackers program were to truly develop the top cybersecurity talent, participants should succeed in prestigious hacking challenges. Winning in venues that are revered by young hackers would help U.S. government cybersecurity organizations develop a reputation for being elite and “cool.”

The future does not need to be one where the United States fears being outnumbered and outmaneuvered by China when it comes to cyber competition. The current defense pipelines were optimized to attract and develop the warfighter of the 20th century. Reaching the level of cyber talent needed to counter China in the 21st century requires an entirely different pipeline. If the ROTC for Hackers program were adopted and implemented successfully, American children of every background could grow up aspiring to join the elite squad of U.S. defense hackers.

About the Author

Matthew Hauwiller is passionate about the development and impact of new technologies, from the atomic to the global scale. As a senior engineer at Seagate Technology, he employs AI and advanced characterization techniques to drive innovation of more cost-effective and sustainable data storage technologies. In his role developing academic-industry partnerships, Hauwiller fosters collaborations with universities and research centers both in the United States and internationally. Hauwiller earned his BS in chemical engineering and chemistry at the University of Minnesota, completed his PhD in chemistry at the University of California–Berkeley, and conducted postdoctoral research in materials science and engineering at the Massachusetts Institute of Technology. He was a 2024 Aspen Security Group Rising Leader and currently resides in Minnesota.

Acknowledgments

Thank you to everyone who has helped this midwestern scientist get up to speed with the workings and culture of D.C. and government agencies, including Soo Lodge, Adam Schwarze, Allegra Richards, Eliza Mace, and Debjyoti Dwivedy. Thank you to my wife, Mariana Verdugo, who always helps me generate new ideas through dinner conversations about public policy and foreign relations. Finally, thank you to Valeria Allende and CNAS for offering this opportunity to pitch a new idea and become part of the conversation. This report was made possible with general support to CNAS.

As a research and policy institution committed to the highest standards of organizational, intellectual, and personal integrity, CNAS maintains strict intellectual independence and sole editorial direction and control over its ideas, projects, publications, events, and other research activities. CNAS does not take institutional positions on policy issues, and the content of CNAS publications reflects the views of their authors alone. In keeping with its mission and values, CNAS does not engage in lobbying activity and complies fully with all applicable federal, state, and local laws. CNAS will not engage in any representational activities or advocacy on behalf of any entities or interests and, to the extent that the Center accepts funding from non-U.S. sources, its activities will be limited to bona fide scholastic, academic, and research-related activities, consistent with applicable federal law. The Center publicly acknowledges on its website annually all donors who contribute.

About the Pitch

CNAS began The Pitch: A Competition of New Ideas in 2020 to elevate emerging and diverse voices in national security. Students and early-career professionals from across a variety of sectors submit innovative policy ideas to meet new challenges in U.S. national security policy. Selected applicants pitch their ideas in front of a distinguished panel of judges and a live audience. The judges and audience select heat winners, the audience choice winner, and best in show. Competitors will also have their ideas featured in official CNAS products and social media.

  1. “Behind the Facade of China’s Cyber Super-Regulator,” DigiChina, Stanford University, August 2, 2022, https://digichina.stanford.edu/work/behind-the-facade-of-chinas-cyber-super-regulator; “SVR Cyber Actors Adapt Tactics for Initial Cloud Access,” Cybersecurity and Infrastructure Security Agency, February 26, 2024, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a; and The CCP Cyber Threat to the American Homeland and National Security: Hearing Before the House Select Committee on the Chinese Communist Party, 118th Cong. (2023) (statement of Christopher Wray, director of the Federal Bureau of Investigation), https://www.fbi.gov/news/speeches/director-wrays-opening-statement-to-the-house-select-committee-on-the-chinese-communist-party.
  2. “As Part of Cyber Workforce Development, DOD Lowers Time-to-Hire for Civilians ,” U.S. Department of Defense, November 8, 2024, https://www.defense.gov/News/News-Stories/Article/Article/3961267/as-part-of-cyber-workforce-development-dod-lowers-time-to-hire-for-civilians.
  3. The CCP Cyber Threat to the American Homeland and National Security (statement of Christopher Wray).
  4. Elisabeth Maria Schlagberger, Lutz Bornmann, and Johann Bauer, “At What Institutions Did Nobel Laureates Do Their Prize-Winning Work? An Analysis of Biographical Information on Nobel Laureates from 1994 to 2014,” Scientometrics 109, no. 2 (2016): 723–767, https://doi.org/10.1007/s11192-016-2059-2; The Royal Swedish Academy of Sciences, “The Novel Prize in Physics 2024,” press release, October 8, 2024, https://www.nobelprize.org/prizes/physics/2024/press-release.
  5. Kristen A. Renn, “The Influence of Peer Culture on Identity Development in College Students,” Journal of College and Character 21, no. 4 (2020): 237–243, https://doi.org/10.1080/2194587X.2020.1822879.
  6. “Cybersecurity Workforce Demand,” National Institute of Standards and Technology, June 2023, https://www.nist.gov/system/files/documents/2023/06/05/NICE%20FactSheet_Workforce%20Demand_Final_20211202.pdf.
  7. “The State of US Cybersecurity Employment: Analyzing Growth, Demand, and Retention Challenges,” STI Group, April 5, 2024, https://stig.net/the-state-of-us-cybersecurity-employment-analyzing-growth-demand-and-retention-challenges; Paul Petrone, “See the Industries with the Highest Turnover (and Why It's So High),” LinkedIn, March 19, 2018, https://www.linkedin.com/business/learning/blog/learner-engagement/see-the-industries-with-the-highest-turnover-and-why-it-s-so-hi.
  8. Scott Shane and Daisuke Wakabayashi, “‘The Business of War’: Google Employees Protest Work for the Pentagon,” The New York Times, April 4, 2018, https://www.nytimes.com/2018/04/04/technology/google-letter-ceo-pentagon-project.html.
  9. Davey Winder, “Samsung Galaxy S24 Smartphone Hacked During $1 Million Zero Day Spree,” Forbes, October 26, 2024, https://www.forbes.com/sites/daveywinder/2024/10/26/samsung-galaxy-s24-smartphone-hacked-during-1-million-zero-day-spree.