Commentary
6/12/2014
12:52 PM
W. Hord Tipton

Academia: Government's Biggest Cyber Security Ally?

Federal cyber security programs need access to fresh talent. They can boost the quality of that talent by bolstering cyber security training in colleges and universities.

"Technology is advancing so rapidly that a student starting a technical degree will by his junior year find that half of what he learned his first year is outdated," reported the New York Times in a recent article, "Is College Worth It? Clearly, New Data Say."

With that in mind, it's easy to understand why colleges and universities are looking to professional organizations for education content, partnerships, and so on. They want to stay as current as possible. Conversely, I don't believe that the federal government has realized the full potential of its relationship with academia and its rising stake in the national cyber security game.

Until recently, academia has not necessarily been at the top of the government's list of collaboration targets, perhaps because universities and K-12 institutions did not bring so much to the table by way of advancing government security programs. After all, agencies need professionals with experience and no longer have the luxury of time to teach "newbies" the complexities of how to defend systems from sophisticated attacks. So, what does a strong partnership with academia now offer to government CIOs and CISOs?

The value of partnering with academia became very clear to me after my organization launched its new Global Academic Program (GAP). The program offers (ISC)² educational content drawn from the certification Common Bodies of Knowledge (CBKs) to accredited colleges and universities around the world that are interested in enhancing cyber-content within their security, computing, IT, or other relevant course offerings. The content can be tailored for both undergraduate and post-graduate requirements. Specific to government, the program helps to equip academic institutions striving to meet the certification requirements of the NSA/DHS Centers of Academic Excellence (CAE) program. Within a month of announcing the program, we had approximately 70 schools contact us about joining.


To tackle the government's cyber security challenges, I believe it's critical to introduce security at the academic level, rather than beginning at the early stages of one's career. Bringing cyber security education into schools creates the fundamental building blocks for a successful career in this booming industry that's desperate for new talent. I liken it to another problem we're actively working to combat in the software community by building in security throughout the entire software development lifecycle with the Certified Secure Software Lifecycle Professional (CSSLP) credential. To make tangible improvements, we have to start at the early stages so that security becomes a core part of students' educational upbringing. In the near future, I hope to see cyber security given the same credence in academic curricula as mathematics or history.

I think we're on the road to progress. Based on the academic community's response to the (ISC)² GAP program (and to others such as the NICE Framework), academia is clearly stepping up its investment in developing cyber leaders of the future and should be considered our next biggest ally in the fight to keep the government's systems secure. As agency security programs come to a halt due to the shortage of skilled cyber security professionals, educational institutions (at all levels) are beginning to offer a way to refuel progress with students who bring a solid foundation in information security-specific education, who have gained experience through internships, mentoring programs, etc., and who are highly motivated to enter the field.

As government leaders increasingly come to terms with the fact that they don't have the answers to the government's cyber challenges, the use of buzzwords such as "collaboration," "information sharing," and "public-private partnerships" will continue to flood the memos and executive orders. While I agree that collaboration with industry is vital to securing our government's cyber-assets and data, I would like to hear the federal CIO, OMB, Congress, and the White House encourage federal information security managers to prioritize their alliance-building efforts with academia. We have an ally in our midst, one that is increasing in strength and focus. It's time for the government to step up its investment in this partnership.


W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, is currently the executive director for (ISC)², the not-for-profit global leader in information security education and certification. Tipton previously served as chief information officer for the U.S. Department of the Interior ...
Comments
Christian Bryant,
User Rank: Apprentice
6/12/2014 | 5:12:03 PM
Tit for Tat
I'll make this one brief. I agree, sure, that our academics are a rich resource. MIT has produced many innovators who moved the software industry forward. For many of these individuals, however, they had the privilege of having access to resources few people in the United States have. Thank God, too, because hackers like me who built an entire career off Free and Open Source Software (FOSS) skills, would never have had a career were it not for the creators of FOSS (many, though not all) being able to afford schools with resources.

As soon as the Government catches on to your point, they better well give tit for tat.  I believe in the free sharing of knowledge and feel that the "industry" that is education can only offer what our Government, what our citizens, need if the education is a quality one, the resources are offered to everyone without prejudice, and money no longer is a factor in obtaining an education.

Many of the most brilliant hackers I know are not college educated, started life as poor as I did, are not Caucasian (which I happen to be), and have boundless creativity.  How can the government take advantage of academia if that resource is a stale pool?  Some of the most brilliant technological minds will never be known because of the way our society is built, how education is run, and the elitism of the academic environment.

Yes, you have a valid point.  But much must change before that point can be put to practical use.

Disclaimer:  I didn't go to college, though I spend most of my salary making sure my daughters are well educated and do go; and when they graduate, I fully expect them to be at the forefront of the type of change I have described.

 
PedroGonzales,
User Rank: Ninja
6/12/2014 | 9:00:12 PM
Re: Tit for Tat
That is a great point. Also, I think that by government and academia partnering together they can guide students better to more marketable careers. I know of many students who aren't sure what they are at school for or postpone the real world by continuing their education with majors that do not offer many job prospects. If they are provided with the guidance that a job in the security field is something worth pursuing, I'm sure government will help reduce the deficit of professionals in this area.
David F. Carr,
User Rank: Author
6/13/2014 | 11:10:14 AM
Re: Tit for Tat
So should the government be recruiting the really smart college students to drop out and start hacking right away?
Christian Bryant,
User Rank: Apprentice
6/13/2014 | 12:47:41 PM
Re: Tit for Tat
@David F. Carr

Not to steal thunder from @PedroGonzales (I'm going to like his response, I feel it), but I understand that there is not one "box" for every thinker, so if some kids want it, and they can benefit long-term from it, and it is their passion, I think leaving college to hack for the government is fine.  Especially if that talent and the knowledge obtained by that hacker had nothing to do with their college experience.  But I absolutely abhor the thought of only a limited percent of talented kids being able to even get to college to have that choice.  I'm not saying every poor smart kid who can't get a good education is going to become a criminal, but I know for me growing up very poor, I got off on the wrong foot due to the kids I hung out with, and what they all thought was the best use for my talents. 

And it isn't all about money, either - it's academics not acknowledging the wide variety of learning styles.  If education was more accessible to everyone, there would be more minds to choose from in the pool of talented hackers.  Maybe those who have what it takes to do the Ph.D could be left to do so, and those who aren't quite cut out for that could step out of college to do what they are best at.  But the current infrastructure for education 1) costs too much and 2) is not academically lenient such that companies and government agencies looking for talent may not be finding the innovators they really need to move forward.  Until, that is, they encounter them on the black hat side of the industry...

 

 
Mike_Acker,
User Rank: Apprentice
6/13/2014 | 7:45:25 AM
"Sea Change" required

There are two fundamental changes in thinking needed in the IT industry, if there is any wish to establish trust.

First, it must be understood that the software must be protected from unauthorized modifications before there can be any meaningful discussion of encryption or protecting transactions and databases. This is noted in Phil Zimmermann's original documentation on PGP back in 1992. It's not something I made up.

Second, the pen & ink process we have used for authentication of documents in our paper-based systems does not work in a digital network environment. We must learn to use PGP and to establish trust models using public keys. Again, this is not something I made up. It's mentioned by Whitfield Diffie in his testimony for Newegg in their proceedings v. TQP Holdings.
