Report Provides National Framework for Cyber Education at All Levels
If America wants to protect itself from cyber threats and attacks by criminals, terrorists, and enemy nation states, it needs one thing more than anything else—a cyber-savvy citizenry at all levels of business, government and academia.
At the March 2015 Maritime Cyber Security symposium hosted at Rutgers University by CCICADA and the American Military University, cyber security experts repeatedly underscored the importance of training current and future generations in how to deal with the technical, operational, legal, and policy aspects of cyber attacks on all US institutions and critical infrastructures, not just on the maritime transportation system.
“End users of all description are the weakest link. They need to be made aware of phishing, password protections, identity theft, and the like.”
Dennis Egan, CCICADA research professor
“We are incredibly challenged in this area,” Vice Adm. Chuck Michel, Deputy Commandant for Operations of the US Coast Guard, said in his keynote address. “The key to this thing is not equipment. It is human beings.”
Fortunately, CCICADA has already prepared and delivered a report to the US Department of Homeland Security on how to approach this enormous task. The CCICADA Report on Cyber Security Education, prepared for DHS’s Science & Technology Cyber Security Division, was presented by CCICADA researcher Dennis Egan at the symposium. One of CCICADA’s responsibilities, as a DHS University Center of Excellence, is to help train the next generation of homeland security workers.
The research report, completed in June 2014, reveals what is being done in the area of cyber security education and training in the United States and other countries. It also makes recommendations for further research to help DHS meet its cyber-security-education responsibilities.
The Cyber Security Education Report has a broad scope, going well beyond maritime cyber security, which is a relatively new area of concern. The report discusses both the development of a talented team of cyber security experts and the overall cyber security education of the nation’s workforce, since it is often the nontechnical users of cyberspace whose actions lead to the biggest cyber breaches. The report’s research team convened 53 experts on all aspects of cyber security, education, and related disciplines for a brainstorming workshop and did an extensive literature review. It solicited input from many other experts by phone and email. The report provides insights in four main areas:
- What are the implications of the evolving nature of cyber security threats and responses?
- What are the approaches to cyber security education and training in different communities and organizations?
- What principles of teaching and learning are applicable to cyber security education and training?
- How can the effectiveness of cyber security education and training be assessed?
In his symposium presentation, Egan said three important lessons about cyber security education can be gleaned from the report:
Lesson 1: It’s Not Just About IT Courses
While cyber security has some highly technical IT-centric concepts, cyber-security content should be included in the curriculum of other education disciplines, including economics, history, political science, public policy and law.
“We have to be able to evaluate the economic consequences of cyber threats, understand what groups and nations are likely to pose these threats, and understand how protections and legal remedies differ across different countries,” Egan said.
Lesson 2: It’s Not Just for STEM Majors
Cyber security concepts should be understood by everyone working in our highly cyber-centric world, not just those who studied science, technology, engineering or mathematics. The report found that multi-disciplinary, problem-solving teams, with students taking on different roles, worked well in cyber-security education and training programs.
“End users of all description are the weakest link. They need to be made aware of phishing, password protections, identity theft, and the like. They also need to be able to detect and diagnose when something is ‘not right,’ and to be able to talk with techies,” Egan said.
Lesson 3: It’s Not Just for “Students”
Because cyber threats are constantly evolving, it is not sufficient to educate and train traditional 18-23 year-old college students in cyber security and say, “You’re done.” Professionals who are already well into their careers also need cyber training and education.
“For example, senior military officers are returning to schools that do not have well-developed cyber curricula. It’s essential to provide certification programs for those in cyber-critical positions and to provide constantly updated refresher courses at all levels,” Egan said.
Finally, we have to educate the population at large, including children (perhaps as young as kindergarten age), about secure cyber behavior and cyber security as a career option.