CCICADA Research Report on Cyber Security Education Offers a Preliminary Road Map to Get There
Read related articles:
To counter potentially disastrous cyber-attacks that could shut down US cargo ports and disable or destroy large container ships, the US Coast Guard and other agencies must work together to build a cyber-savvy workforce, a high-ranking official said at the Maritime Cyber Security Symposium held March 2-3 at Rutgers University.
“We are incredibly challenged in this area,” Vice Adm. Chuck Michel, Deputy Commandant for Operations of the US Coast Guard, said in his keynote address to an international audience of experts on cyber security and the maritime transportation system. “The key to this thing is not equipment. It is human beings.”
Speakers from industry and government said the nation is unprepared to deal with cyber-attacks on highly-automated ports and ships whose entire operations are networked online, making them vulnerable to hackers sponsored by terrorists, criminals, and enemy nation states. The symposium, the first of its kind in the nation, sought to start a national dialogue leading to solutions.
An essential part of preparedness, said Michel and other speakers, is creating a workforce at all levels of government and industry that is aware of the cyber threat and knows how to deal with it.
Michel’s remarks were amplified by CCICADA researcher Dennis Egan, co-author of a CCICADA Report on Cyber Security Education prepared for the Science & Technology Cyber Security Division, US Department of Homeland Security (DHS).
That report, completed in June 2014, uncovered what is currently being done in cyber security education and training in the United States and elsewhere and recommended further research to help DHS meet its cyber security responsibilities. One of CCICADA’s responsibilities, as a DHS University Center of Excellence, is to help train the next generation of homeland-security workers.
The Cyber Security Education report’s research team convened 53 experts on all aspects of cyber security, education, and related disciplines for a brainstorming workshop and did an extensive literature review. It solicited input from many other experts by phone and email. The report provides insights in four main areas:
- What are the implications of the evolving nature of cyber security threats and responses?
- What are the approaches to cyber security education and training in different communities and organizations?
- What principles of teaching and learning are applicable to cyber security education and training?
- How can the effectiveness of cyber security education and training be assessed?
In his symposium presentation, Egan said three important lessons about cyber security education emerged from the report:
Lesson 1: It’s Not Just About IT Courses
While maritime cyber security has some highly technical IT-centric concepts, cyber security content should be included in the curriculum of other education disciplines, including economics, history, political science, public policy and law.
“We have to be able to evaluate the economic consequences of cyber threats, understand what groups and nations are likely to pose these threats, and understand how protections and legal remedies differ across different countries,” Egan said.
Lesson 2: It’s Not Just for STEM Majors
Maritime cyber security concepts should be understood by everyone working in the maritime domain, not just those who studied science, technology, engineering or mathematics. The report found that multi-disciplinary, problem-solving teams, with students taking on different roles, worked well in cyber security education and training programs
“End users of all description are the weakest link. They need to be made aware of phishing, password protections, identity theft, and the like. They also need to be able to detect and diagnose when something is ‘not right,’ and to be able to talk with techies,” Egan said.
Lesson 3: It’s Not Just for “Students”
Because cyber threats are constantly evolving, it is not sufficient to educate and train traditional 18-23 year-old college students in cyber security and say, “You’re done.” Professionals who are already well into their careers also need cyber training and education. Egan made an analogy to education and training in medicine.
“For example, senior military officers are returning to schools that do not have well developed cyber curricula. It’s essential to provide certification programs for those in cyber-critical positions and to provide constantly updated refresher courses at all levels,” Egan said.
Egan concluded with the observation that cyber security education is “a huge national challenge,” and he encouraged audience members to read CCICADA’s Cyber Security Education Report on this issue.