Education's Critical Role in Cybersecurity

©2009 Larry Clinton

EDUCAUSE Review, vol. 44, no. 5 (September/October 2009): 60–61

On May 29, 2009, President Barack Obama became the first U.S. head of state in history to devote a major address solely to the need for improved cybersecurity. Accompanying the President's address was the release of the report Cyberspace Policy Review.¹ This document contains six chapters outlining the administration's aggressive program for improving the nation's cybersecurity. Chapter 1 deals with what the President and the White House need to do. Chapter 2 deals with what the nation's education community needs to do.

The Problems(s)

Although the economy, health care, and wars in Afghanistan and Iraq, as well as tensions in Iran and the rest of the Middle East, have dominated headlines of the early Obama administration, from the beginning President Obama has recognized the critical need for the country to upgrade its cybersecurity defense.

In his address, the President noted several chilling facts:

• The nation's defense systems have been compromised by foreign governments through cyberattacks.²
• The nation's critical infrastructure — including the electric grid, banking, and communications systems — is vulnerable to cyberattack and shutdown.³
• In any future war, the nation's offensive and defensive systems would be dominated by cybersystems.⁴
• The nation's economic system loses one trillion dollars a year as a result of cyberattacks.⁵
• The nation's fundamental democratic assumptions — ranging from the functioning of the free market to the exercising of civil rights — will be altered by cybersecurity issues.

Shortly after taking office, President Obama had directed Melissa Hathaway, of the National Security Council, to conduct a sixty-day "clean-slate" review of both the public sector's and the private sector's cybersecurity. Though not a detailed strategy document (the report recommends such a document be created by the end of 2009), Cyberspace Policy Review provides a sophisticated blueprint for developing comprehensive cybersecurity policy.

At its core is the realization that cybersecurity is not simply a technical security issue and that solutions must embrace economic realities as much as technical security issues. As a result, the report calls for a senior-level administration cybersecurity coordinator, with direct access to the President but with coequal relationships to the National Economic Council and the National Security Council (CPR, p. 7).

Structurally, the administration's Cyberspace Policy Review urges a partnership between government, industry, and academia. The approach laid out in the document's Executive Summary both begins and ends by citing a series of recommendations made by the Internet Security Alliance calling for a "Social Contract" characterized by promoting security through incentives, as opposed to a traditional regulatory framework for cybersecurity.⁶

Finally, the President's Cyberspace Policy Review prominently features cyber-education as a central component. No less than five of the twenty-four specific items laid out in the near- and mid-term action plans identified by the President relate specifically to the education community, with several other items of direct relevance to this community (CPR, pp. 37-38).

Major Issues for Education

Increasing General Public Awareness

Item 6 in the list of near-term actions for improved cybersecurity in the Cyberspace Policy Review is to "initiate a national public awareness and education campaign to promote cybersecurity" (CPR, p. 37). The report cites the "National Cyberethics, Cybersafety, Cybersecurity Baseline Study" of 2008, which concluded that education on cyberethics, cybersafety, and cybersecurity is inadequate (CPR, p. 13 n. 39). As a result, the report proposes that "the Federal government, in partnership with educators and industry, should conduct a national cybersecurity education and awareness [campaign]" (CPR, p. 13).

These efforts will presumably be built on and expand several recent initiatives in this area. For example, the Protecting Children in the 21st Century Act was signed into law by President George W. Bush in 2008 and contained a number of the same goals as identified in the Obama recommendations.

Expanding the Information Technology Workforce

Even before officially taking office, President-elect Obama was being counseled that there was a critical need to upgrade the nation's cyber-education system. In November, Pradeep Khosla, dean of Carnegie Mellon University's College of Engineering and founding director of CMU's CyLab, wrote: "The problem begins with an extreme shortage of highly qualified U.S. graduate students. The educational system must produce more students with strong skills in mathematics and science. Ultimately, we need more candidates interested in pursuing masters and graduate degrees in cyber security. . . . There is a need to continually expand the human supply chain of well trained individuals who will keep us ahead on the technology stage. . . . We need to build up a critical mass of people who are expert in this area and will continue to work on these issues here in the United States."⁷

The Obama administration seems to have taken this counsel to heart: it has established three different action items that address portions of this recommendation:

• Expand support for key education programs and research and development to ensure the Nation's continuing ability to compete in the information age economy.
• Develop a strategy to expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government.
• Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology development innovations. (CPR, p. 38)

Promoting Cybersecurity as an Enterprise Leadership Responsibility

One of the most progressive concepts in the Cyberspace Policy Review is the recognition that cybersecurity is not an issue to be relegated to the "geeks who understand this stuff." Rather, this is — for both government and industry — an enterprise-wide risk management issue that must be addressed as such. The report notes: "It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. State, local, and tribal governments face similar issues" (CPR, p. 15).

Fortunately, industry seems to have already begun to embrace this approach. In October 2008, the American National Standards Institute and the Internet Security Alliance published the results of their year-long project The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask. This publication approaches the cybersecurity issue from a financial risk-management perspective, segmenting the issue into the legal, operational, communications, corporate risk management, and compliance dimensions and providing an architecture for all of these dimensions to become integrated by the corporate CFO.⁸

Protecting Civil Liberties

Finally, though not an education issue per se, it is important to note that the Obama report goes to substantial lengths to address the civil liberties issues that lie at the heart and soul of academic institutions.

The very first page of the Executive Summary declares that the United States "faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights" (CPR, p. iii). Many observers consider this to be one of the most difficult issues the Obama administration will have to address.

The report also includes a number of specific action items related to protecting civil liberties while simultaneously improving cyberdefense. For example, the report calls for the creation of a privacy and civil liberties official designated to the National Security Council Cybersecurity Directorate. In addition, the report calls for building an identity management vision and strategy that addresses privacy and civil liberties (CPR, p. 37).

Conclusion

Despite historic crises in numerous areas, the Obama administration has focused on the critical issues surrounding the nation's cybersecurity weaknesses. Its comprehensive sixty-day review has resulted in a sophisticated outline charting a new direction for both the public and the private sectors.

Education is a central tenet of the administration's cybersecurity policy. The educational community needs to prepare itself for new challenges; opportunities and funding will be channeled in this direction. Although basic R&D will likely continue to receive a substantial amount of cybersecurity education funding, emphasis will also be placed on practical, immediate, and effective behavior change resulting from education programs designed to keep the United States safe, secure, and productive while retaining its core principles of liberty, privacy, and free expression.

1. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, <http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf>, hereafter cited in the text as CPR.
2. Heather Wilson, "A Weak Spot in Our Defenses," Washington Post, June 23, 2009, p. A23, <http://www.washingtonpost.com/wp-dyn/content/article/2009/06/22/AR2009062202485.html?hpid=opinionsbox1>.
3. "Comments of the IT Sector Coordinating Council on Project 12 of the Comprehensive National Cyber Initiative," unpublished document, October 2008.
4. Wilson, "A Weak Spot."
5. Unsecured Economies: Protecting Vital Information (Santa Clara, Calif.: McAfee, 2009), <http://www.cerias.purdue.edu/assets/pdf/mfe_unsec_econ_pr_rpt_fnl_online_012109.pdf>. Projection based on Purdue University's Center for Education and Research in Information Assurance and Security.
6. The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and the 111th Congress (Arlington, Va.: Internet Security Alliance, 2008), <http://www.isalliance.org/images/stories/The_Cyber_Security_Social_Contract_122008.pdf>.
7. [Pradeep Khosla], "Higher Education," in ibid., pp. 22, 23.
8. American National Standards Institute and Internet Security Alliance, The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask (New York: ANSI, 2008), <http://www.isalliance.org/index.php?option=com_content&task=view&id=171&Itemid=333>.