Cybersecurity Education: The Way Ahead

So Many Possibilities

Dr. Vic Maconachy, Capitol Technology University
Chris Inglis, U. S. Naval Academy

CAE Community Meeting, Columbia, Maryland
Accreditations and Designations Working Session

November 4, 2014


TODAY

What we know:

Huge and growing demand for educated cybersecurity workers

Huge and growing threats and vulnerabilities

What we are doing now:

A good, wholesome and fitting response from government; provide initial & sustained leadership, examples and incentives. Similar to 1950’s National Defense Fund after Sputnik.

We recognize that currently there are certifications for training and “recognition” for education programs. We need both.

We are already seeing employers favor students, from traditional disciplines, who also have education and experience in cybersecurity.

For the Future:

A. As the discipline matures

a. Industry need will grow, beyond government’s

b. Industry and government currently look for graduates from nationally accredited programs: Start getting cybersecurity content into those programs

Discipline                       National Accrediting Body
Engineering & Computer Science   ABET
Business                         IACBE
Finance                          AACSB
IT                               CAHIIM ¹
Education                        NCATE
Law                              ABA

¹ Commission on Accreditation for Health Informatics and Information Management Education

Why Accreditation?

Accreditation is both a process and a status

Accreditation is a means to assure and improve higher education quality, assisting institutions and programs using a set of standards developed by peers.

Currently, 80 recognized organizations accredit more than 7,000 institutions and 19,000 programs serving more than 24 million students. (1)

Accreditation:

Assists with student mobility (assists with credit transfer)

Promotes accountability

Encourages confidence an institution’s program of education is described in a fair and accurate manner

Signals prospective employers that an educational program has met widely accepted educational standards

Council on Higher Education. The Value of Accreditation. Washington, D. C. 2010.

Multiple Paths

Sustain current government “recognition”

Promote inclusion of cybersecurity in criteria updates with current national accreditors.

Begin studies on feasibility and validity of a possible new national accreditation in cybersecurity. (Major role for industry and academia)

Pursue cybersecurity in the context of “Cyber Science”

Sustain Government “Recognition”

Continue active government leadership and resourcing

Similar to 1950’s National Defense Act

Still inherently government function

Response to state of national cyber insecurity

Inclusion in Existing Accreditations

Produce workforce with greater sense that designing and implementing cybersecurity is a critical part of their job.

Puts cybersecurity capability directly into business, industry, government and the critical infrastructures.

Example already exists

Begin studies on possible future interdisciplinary cybersecurity degree national accreditation. WHY: We Must keep Improving

a. Truly confirm interdisciplinary nature of cybersecurity

b. Study/Confirm need for generalists at Bachelor’s level

c. Explore potential for “Deep Dive” into specialty areas of cybersecurity at graduate level. New NSA approach serves as a model.

Cyber Science

1. Scope Definition – Right now, the concept of “cyber” is being thrown around without any explicit scope definition or restrictions. We need to define what it is that we are talking about.

2. Process – Based on the IT historical exemplar that we have been loosely considering as a potential model for this effort, there are three major components of the process to get from concept to a set of accreditation criteria:

a. Identification of the professional community – This is important for three key reasons. First, it is the professional community and/or constituents that define the related Body of Knowledge. Second, accreditation criteria are necessarily community driven. And third, in practice a professional society needs to “own” the accreditation criteria.

b. Identification of a Body of Knowledge (BOK) for the discipline – Of course, to have a BOK, one must first define the scope of the discipline and then determine a BOK for that scope. There have been some attempts to address this, but each seems to get bogged down by the all-too broad scope of the loosely defined term cyber. Without a proper scope definition, it is impossible to canonize any existing work as appropriate for CEP.

c. Development of a set of ABET program criteria –

Just As Technology Does Not Stand Still, Neither Does the Expertise of Those Who Would Do Us Cybernetic Harm

The APTs Will Get Worse:

Study where and what are those “professionals and practitioners” learning as tradecraft.

Remember! “Train the way you fight”

Train & educate better than the adversary

What next?

Education Cannot Be the Weakest Link

Achieving this complete integration of cybersecurity across current academic disciplines will take time, effort, collaboration, and advocates.

Until this integration is achieved, and even beyond, it is the role, responsibility and national expectation that government will lead in assuring our national cyber defense includes robust, evaluated, and recognized programs of study.

For Today

In groups examine and report on:

Seeking national accreditation

Emergence of “cyber” as a science of study

Relationship of national accreditation to current CAE Program

We will reconvene before the end of the session and review results.

Group 1: Seeking national accreditation

Some questions to consider:

Which current national accrediting bodies should be approached? Why?

How can industry & academia move this forward?

Is there a priority order for approaching those bodies?

Select one area of accreditation and outline some of the proposed new areas of study. (Example: Computer science – Secure Coding)

Group 2: Emergence of “cyber” as a science of study

Some questions to consider:

In what ways is this similar to the move to establish “computer science” as a discipline of study?

List potential stakeholders in this movement.

What would you expect a person graduating with a degree in Cyber Science to know and be able to do?

Group 3: Relationship of national accreditation to current CAE Program

Some questions to consider:

Is providing guidance and leadership in this area still (in whole or part) inherently a government function?

What elements of the CAE program can any national movements towards accreditation use/build upon?

Given the current state of national cyber security what role do you see government performing with regards to program recognition / accreditation?