The Remediation Series — Part 5

Reconstructing the Education Pipeline

As the cybersecurity industry grows into young adulthood, serious consideration must be given when imagining the future. While new tools and techniques are developed to improve the quality of organizational cyber security, the advancement of technology will be meaningless without the existence of a workforce capable of deploying and maintaining such assets. The decentralized nature of the industry has delayed the creation of a common lexicon and taxonomy, sowing further confusion, and preventing many from attaining proper employment. Numerous organizations have responded to this disconnected state by constructing, and attempting to implement, various frameworks that unify the language of the industry. Industry reform alone, however, is insufficient to solving the employment gap. To effect total change, the education pipeline must also undergo reform so newly minted graduates will be prepared to undertake the vacant roles and responsibilities that await them.

The education pipeline as it currently exists, produces candidates who fall short of the skills and knowledge industry managers are in dire need of. Schools too often focus on the theory of cybersecurity, homing in on topics such as policy, law, and compliance[1]. While these subjects are important, misallocating educational emphasis on such topics draws away from the opportunity to study and master the technical aspects of cybersecurity. The lack of technical education leaves one with a poor understanding of the fundamentals of computer science and information security. In fact, roughly 77% of schools fail to properly educate students in the field’s technical areas[2]. How is this possible? To answer that question, let us first examine the National Centers for Academic Excellence Cyber certification system.

The CAE, co-sponsored by the National Security Agency (NSA) and Department of Homeland Security (DHS), was established to meet the increasing need for qualified cybersecurity professionals in both the public and private sectors[3]. Its chief purpose is to formally recognize colleges and universities for their robust cybersecurity programs. Beginning in 1999, the CAE began with the Cyber Defense (CD) certification program. The goal of the Cyber Defense program is to reduce the nation’s information infrastructures vulnerability by promoting education and research in cyber defense, leading to the production of cyber defense experts. Currently, there are 272 total institutions that possess this certification in the United States[4]. This leads us to the second certification: Cyber Operations.

Cyber Operations was developed in direct response to criticism of the Cyber Defense program[5]. The chief criticisms were the programs lack of rigor and technical expertise, leading a DHS task force to recommend the discontinuance of the Cyber Defense certification[6]. The task force discovered that the quality of CAE schools varies wildly, with only the Cyber Operations designated schools being capable of guaranteeing complete student preparedness. Despite this recommendation, both certifications continue to exist, with only 21 institutions having attained CO-designation[7]. To understand the divergence in quality, one need only view the requirements of both programs to see where the contrast lies.

Both programs share some commonality, with both requiring member institutions to display degree curriculum and how it overlaps with NICE Framework Knowledge Units (KUs), student participation rates, conference of officially recognized degrees, student access to faculty and industry resources and participation in outreach programs, and active faculty contribution to the cybersecurity industry’s body of knowledge[8][9]. Yet, even within this common ground there is a measure of divergence. The CD certification process provides a greater degree of flexibility when it comes to institutions proving they meet listed expectations by using a variable point system. Achieving different requirements results in the assignment of points in accordance with the degree these requirements were met. For example, the program criteria call for “Student Skill Development and Assessment” with a mandatory minimum of 18 points and a potential maximum of 29 points. To meet this min/max range, the criteria lists six different subcategories each with either 1, 3, or 5 point minimum requirements. Inevitably, this flexible structure allows for the noted variance in educational quality[10].

Another major difference is the degree structure itself. The Fundamental Criteria for Cyber Operations mandates the material be taught within a computer science, electrical engineering, or computer engineering degree or a degree of equivalent technical depth that has accreditation such as that of ABET[11]. Furthermore, the lessons must be integrated into the foundational courses of those respective curricula. As opposed to cyber tools, techniques, and principles being taught separately, these topics are integrated into the computer science, IT, math, business, and law classes (among others) of the degree whenever appropriate[12]. Even when instances arise where it is more prudent to teach cyber subject matter in a standalone fashion, the CO program encourages integrating information from other subjects into these individual classes. Building on this heavily integrated style is the requirement of students to participate in research projects, industry conferences, have papers published, and contribute to the development of technologies and techniques related to specialized operations such as collection, exploitation, and response[13]. The product of this style of program is a professional that the DHS considers a near guarantee in preparedness and qualification[14].

While CD-certified institutions share some of the above requirements, the innate flexibility of the criteria allows for most of the practical aspects of the program, such as labs, papers, competitions, and outreach to take on a more insular role. It is the difference in degree structure, however, that is the most crucial difference. Cyber Defense programs, while encouraged to adopt a multidisciplinary structure, fail to incorporate technically demanding subject material. This can be seen in the uptick of cybersecurity degree graduates despite a stagnating attendance rate for computer science degrees. In essence, people can get into cybersecurity without any formal technical education[15].

How can this be fixed? The first issue is how the education pipeline interacts with the cybersecurity industry. Educational institutions are slow to react to industry changes in general and this delay is exacerbated to the tune of several years in the case of cybersecurity[16]. Before any discussion of reform that would affect over two hundred institutions can take place, it must first be established that both theaters, education and industry, must improve the speed and quality of communication[17]. Currently, there is a desperate need for better collection of data and metrics that can be used to improve cybersecurity policies and strategies by measuring effectiveness[18]. As the industry moves to establish a common lexicon and taxonomy, a set of common metrics for performance can be created that will serve as a baseline for the collection of data. Understanding what tools, techniques, and principles fall under each role will give researchers the necessary framework in which to collect, analyze, and disseminate information. This information can then be communicated by industry leaders to the CAE, which will adjust its criteria (as it does with the Cyber Operations program) by which educational institutions must abide. Industry leaders would also be encouraged to interact directly with colleges and universities to a greater degree to encourage cooperation and competition.

Assuming proper communication has been established, let us finally review what potential changes would occur within a given college or university. Due to the disproportionate distribution of institutions amongst the CD and CO programs, the DHS task force recommendation to remove the CD program outright may do more harm than good. While some institutions may improve standards to meet the CO program requirements, many will fall short. As a result, the number of opportunities available for students to pursue cybersecurity-related degrees will decrease, exacerbating the manpower problem the industry is facing. The better option may be the reformation of the CD program, an option the task force addressed specifically[19]. By mimicking the CO programs pattern of starting with low-level programming and progressing onward to reverse engineering, networking, and defense, the CD program can continue to be a viable option for educational institutions[20]. Another critical addition is the implementation of extensive practical training such as Capture-the-Flags, Hackathons, and Cyber Ranges to provide students with real-world experience[21].

Of course, such changes will take time and the threat landscape will continue to grow in both size and complexity regardless of any reforms (or lack thereof) that the industry undergoes. If such changes fail to take hold or develop over too great a period of time, organizations must look to other measures to assist in mitigating cyber threats. The next and final article will discuss recommended measures entities can take to minimize their dependence on a jobs gap reversal.

[1] Crumpler, W., & Lewis, J. A. (2019, January 29). The cybersecurity workforce gap. Center for Strategic & International Studies. https://www.csis.org/analysis/cybersecurity-workforce-gap

[2] Crumpler, W., & Lewis, J. A. (2019, January 29). The cybersecurity workforce gap. Center for Strategic & International Studies. https://www.csis.org/analysis/cybersecurity-workforce-gap

[3] National Centers of Academic Excellence in Cyber Defense. (2020). CD Fact Sheet. National Security Agency. https://www.nsa.gov/Portals/70/documents/resources/students-educators/centers-academic-excellence/Cyber%20Defense%20CAE%20Overview.pdf?ver=2019-06-04-150623-417

[4] National Centers of Academic Excellence in Cyber Defense. (2020). CD Fact Sheet. National Security Agency. https://www.nsa.gov/Portals/70/documents/resources/students-educators/centers-academic-excellence/Cyber%20Defense%20CAE%20Overview.pdf?ver=2019-06-04-150623-417

[5] Crumpler, W., & Lewis, J. A. (2019, January 29). The cybersecurity workforce gap. Center for Strategic & International Studies. https://www.csis.org/analysis/cybersecurity-workforce-gap

[6] Homeland Security Advisory Council. (2012). CyberSkills Task Force Report. US Department of Homeland Security. https://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report%20-%20Final_0_0.pdf

[7] National Security Agency Central Security Service. (2020). Centers of academic excellence in cyber operations. National Security Agency. https://www.nsa.gov/resources/students-educators/centers-academic-excellence/cae-co-centers/

[8] National Security Agency Central Security Service. (2020). Criteria for measurement for CAE in cyber operations fundamental. National Security Agency. https://www.nsa.gov/resources/students-educators/centers-academic-excellence/cae-co-fundamental/#3

[9] National Centers of Academic Excellence. (2020). Criteria for Measurement CAE-CDE. National Security Agency. https://www.iad.gov/NIETP/documents/Requirements/CAE-CDE_Criteria_2020.pdf

[10] National Centers of Academic Excellence. (2020). Criteria for Measurement CAE-CDE. National Security Agency. https://www.iad.gov/NIETP/documents/Requirements/CAE-CDE_Criteria_2020.pdf

[11] National Security Agency Central Security Service. (2020). Centers of academic excellence in cyber operations. National Security Agency. https://www.nsa.gov/resources/students-educators/centers-academic-excellence/cae-co-centers/

[12] National Security Agency Central Security Service. (2020). Centers of academic excellence in cyber operations. National Security Agency. https://www.nsa.gov/resources/students-educators/centers-academic-excellence/cae-co-centers/

[13] National Security Agency Central Security Service. (2020). Centers of academic excellence in cyber operations. National Security Agency. https://www.nsa.gov/resources/students-educators/centers-academic-excellence/cae-co-centers/

[14] Homeland Security Advisory Council. (2012). CyberSkills Task Force Report. US Department of Homeland Security. https://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report%20-%20Final_0_0.pdf

[15] Libcki, M. C., Senty, D., & Pollak, J. (2014). Hackers Wanted (RR-430). RAND Corporation. https://www.rand.org/pubs/research_reports/RR430.html

[16] Libcki, M. C., Senty, D., & Pollak, J. (2014). Hackers Wanted (RR-430). RAND Corporation. https://www.rand.org/pubs/research_reports/RR430.html

[17] Department of Commerce, & Department of Homeland Security. (2018). Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce. Department of Homeland Security; Department of Commerce. https://www.nist.gov/itl/applied-cybersecurity/nice/resources/executive-order-13800/report

[18] McAfee. (2016). Hacking the Skills Shortage. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf

[19] Homeland Security Advisory Council. (2012). CyberSkills Task Force Report. US Department of Homeland Security. https://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report%20-%20Final_0_0.pdf

[20] Crumpler, W., & Lewis, J. A. (2019, January 29). The cybersecurity workforce gap. Center for Strategic & International Studies. https://www.csis.org/analysis/cybersecurity-workforce-gap

[21] McAfee. (2016). Hacking the Skills Shortage. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf