This is the third in a series of posts about particular proposals in the recent US cybersecurity report.

Action Item 4.1.5 states, “The federal government, SLTT governments, and private-sector organizations should create an exchange program aimed at increasing the cybersecurity experience and capabilities of mid-level and senior-level employees.”

This item seeks to remedy a perceived shortage of cybersecurity experience in the private sector. The Report takes the view that providing government and industry workers with on-the-job experience is one of the best ways to remedy this shortage and proposes that individuals rotate between government and private sector jobs to receive cybersecurity training. “This exchange program should embrace innovative approaches to workforce management,” the Report explains, “including support for virtual employment exchanges.” The Report cautions that program facilitators should be aware of potential barriers to participation in the program, including security clearance processing, existing/potential contract relationships, and regulatory actions.

What would the implementation of an exchange program mean for companies? There are, of course, practical problems. Companies will need to identify individuals who have the interest and capacity to participate in exchanges. Companies will also need to weigh the benefits of exchanges against the downsides—like the disruption of having employees cycle in and out of the company. Companies may also want to consider potential consequences for employee retention, as employees exchanged (or "seconded") to other institutions often tend to find permanent positions at their adoptive workplaces and leave their original employers.

There may be broader legal issues, too. Conflicts of interest and confidentiality are two concerns that come immediately to mind whenever one considers employee exchanges. In this regard, it will be important to be clear on how reporting lines will operate during such an exchange. Conflicts/confidentiality concerns are heightened when sitting across the table from the government. Will the presence of government workers within a company raise the risk of government scrutiny, expose confidential information, and give regulators a backdoor way to meddle with operations? On the flip side, will employees placed at government agencies really get the exposure they need, or will they tend to be "walled off" from important activities in response to perceived conflicts of interest or fear of regulatory capture?

A lot of this will depend on program design. One can imagine that exchanging IT security professionals between a private manufacturer and the Defense Department—for example—may not present these concerns. The US Department of Defense doesn't, on the whole, regulate private US companies. (The key exception is defense contractors.) By contrast, if the program contemplates cybersecurity exchanges between banks and banking regulators or between medical device manufacturers and the FDA, conflict of interest and confidentiality concerns could become quite acute.