By all accounts, protecting the information infrastructure of the United States and its allies ought to be a high growth area for scientists and engineers. While career opportunities in information assurance are growing in the private sector, scientists and engineers interested in national cybersecurity--the protection of the nation's information infrastructure--should look to government for opportunities, either working directly for public agencies or for companies hired to do the public's work. The private sector is interested in the topic and eager to help, but the government establishes the policies, sets the priorities, and spends most of the money.
A High-Stakes Balancing Act
The information infrastructure, with its millions of interconnected networks and servers, has become a pillar of the knowledge-based society, and one that the institutions of a modern economy--financial services, public utilities, manufacturing plants, distribution facilities, health-care providers, and government agencies--increasingly rely on. The high performance of the information infrastructure, however, is due in large part to its open and decentralized nature. These very strengths also expose profound weaknesses; the same ease of entry to these networks has the potential to degrade their security. Shutting down access is not an option. The information infrastructure must be both open and secure.
A 2002 white paper by four Microsoft security specialists warned about the growing threat they called the darknet, which makes use of legitimate and widely supported Internet tools for illegal file sharing, identity theft, and other malevolent purposes. The darknet, according to the authors,
. . . is not a separate physical network but an application and protocol layer riding on existing networks. Examples of darknets are peer-to-peer file sharing, CD and DVD copying, and key or password sharing on e-mail and newsgroups. The last few years have seen vast increases in the darknet's aggregate bandwidth, reliability, usability, size of shared library, and availability of search engines . . . . We speculate that there will be short-term impediments to the effectiveness of the darknet as a distribution mechanism, but ultimately the darknet-genie will not be put back into the bottle.
Put the darknet in the hands of terrorists, and the terrorist threat ratchets up significantly. The use of Web sites by jihadist cells for recruitment and propaganda is well-documented, but recent reports also suggest they now use this technology in more sophisticated ways -- credit card fraud, money laundering, and server break-ins to steal sensitive data, deface Web sites, or crash entire systems.
To counter these threats, government agencies and businesses that provide basic public services need a core of experts to protect against the darknet. These professionals need to know the technology as well (if not better) than the perpetrators, uncover the vulnerabilities in their systems, and build defenses against attacks. These experts also need to advise policy makers on measures to keep agencies and businesses protected, while still providing open access and respecting user privacy. This is a high-stakes game with no place for amateurs.
High-Level Recognition with Funding
The events of the past several years, beginning with the Y2K experience in the late 1990s, have opened the way for talented scientists and engineers to base their careers on the protection of cyberspace. The Cybersecurity Research and Development Act, ( Public Law 107-305) of 2002, based on President Clinton's National Plan for Information Systems Protection, authorizes financial backing for institutions to conduct advanced research and train what the plan calls the cadre of computer science/information technology specialists America needs.
The Act authorizes creation of university-based centers of excellence to encourage research and education in cybersecurity. The program, called Centers of Academic Excellence in Information Assurance Education ( CAE/IAE), now operates under the joint sponsorship of the National Security Agency and the Department of Homeland Security. These centers of excellence are expected to establish partnerships "with minority colleges and universities, 2-year community colleges, and technical schools." See the box below for a list of institutions designated as centers of excellence under CAE/IAE.
Institutions accepted into the CAE/IAE program can offer students funding under the Scholarship for Service ( SFS) program, established by NSF, also under the Cybersecurity Research and Development Act. With SFS, students can qualify for two-year full scholarships plus stipends to pursue academic programs in information assurance for the final two years of undergraduate study, for two years of master's-level study, or for the final two years of Ph.D.-level study.
Upon graduation, the recipients of SFS scholarships become part of the Federal Cyber Service of IT specialists, called Cyber Corps, responsible for ensuring the protection of the federal government's information infrastructure. After their two-year scholarships, the recipients will be required to work for a federal agency or at a U.S.-funded national laboratory for two years in fulfillment of their Federal Cyber Service commitment. NSF anticipates spending more than $16 million for SFS scholarships in fiscal year (FY) 2005. Department of Defense (DOD) has a similar program that trains experts for service in military agencies.
The SFS program also has what it calls a capacity-building component that funds programs to expand the number of schools outside the CAE/IAE program that offer courses in cybersecurity. CAE/IAE institutions can receive grants to develop workshops for training faculty, building labs, or developing curricula at other universities. The grants can range up to $150,000 for two years, with an additional $150,000 for programs involving historically Black or minority-serving colleges.
Information Assurance Education
Also as a result of the Cybersecurity Research and Development Act, the National Science Foundation established the Cyber Trust program to advance the state of the cybersecurity knowledge base. The Cyber Trust program funds a wide range of primarily university-based research in cybersecurity, covering systems software (i.e. operating systems), end-user configurations, and networks. Cyber Trust also funds research related to the social, legal, and business factors affecting cybersecurity. In FY 2005 (ending 30 September 2005), Cyber Trust anticipates funding some $30 million in cybersecurity research.
Training the Cybersecurity Cadres
Next Wave talked with three institutions designated as centers of excellence under CAE/IAE. Each university has degree programs and conducts research in cybersecurity, but each institution has its own areas of emphasis.
CyLab at Carnegie Mellon University (CMU)
Carnegie Mellon University, in Pittsburgh, Pennsylvania launched, CyLab in October 2003 as a center for research and education in national cybersecurity that now involves more than 200 faculty, students, and staff. CMU also houses the CERT Coordination Center, a partner of CyLab and a principal authority on computer system vulnerabilities, which monitors live cybersecurity threats and incidents. CERT stands for Computer Emergency Readiness Team. US-CERT, a related incident-reporting center that focuses on protecting the national information infrastructure, is also a CyLab partner.
Pradeep Khosla, Ph.D., Dean of CMU's College of Engineering and a co-founder of CyLab, says the program came about because of the need for more research into cybersecurity threats, as well as better-trained professionals to counter those threats. Khosla notes that the technical aspects of cybersecurity address only part of the problem. "Computer science is an enabler, also electrical engineering," said Khosla. "CyLab brings in a policy component as well."
Khosla says CyLab has more than 100 students in its four masters-degree programs, including one specifically on information-security policy and management, offered in conjunction with CMU's Heinz School of Public Policy and Management. While CyLab has no Ph.D. programs of its own, Khosla notes that a number of Ph.D. candidates from the CMU's academic departments make use of CyLab. Khosla said CyLab has 15 private sector partners, adding that the private companies recognize the importance of protecting their information systems. "IT systems are not going away. And making these systems more trustworthy and survivable is the future."
Pradeed Khosla (left) and Dena Tsamitis of CMU's Cylab.
Credit: CyLab, Carnegie Mellon University.
Dena Tsamitis, who heads CMU's Information Networking Institute (INI), serves as CyLab's director of education, training, and outreach. Two of CyLab's masters degree programs -- information networking and information security -- are offered through INI. Tsamitis says graduates from these programs are highly sought after, and many of the participants receive multiple job offers.
"Most students want to work for federal agencies," says Tsamitis. "While motivations vary among students, many of them want to build secure networks. They see [the program] as a great opportunity." Tsamitis notes that the high rate of placement with Federal agencies stems in part from CyLab's selection as a CAE/IAE institution and its participation in the SFS scholarship program.
CERIAS at Purdue University
The Center for Education and Research in Information Assurance and Security ( CERIAS, pronounced "serious") at Purdue University in West Lafayette, Indiana, was an early CAE/IAE designee, and has funded 21 students through SFS. Jennifer Kurtz of CERIAS says its program, like the one at CMU, recognizes the importance of spanning traditional disciplines to attack cybersecurity issues. "We have multiple academic partners at CERIAS that cut across academic departments and even across Purdue campuses," said Kurtz. She adds, "This multi-disciplinary model is needed because there are so many dimensions to information security. No single discipline has the entire solution."
According to Kurtz, Purdue graduated the first Ph.D. in information security, and over the past three years has contributed a quarter of all Ph.D.s in this field. This emphasis on advanced academic study is mirrored in its research. Kurtz says that CERIAS recently received two grants from NSF's Cyber Trust program (CMU also received recent Cyber Trust awards).
In addition to its university programs, CERIAS encourages end-users throughout Indiana to practice secure computing. The institute works through the public schools and prepares resources for parents and teachers to better prepare children for their online experiences. Kurtz says CERIAS reaches some 120,000 students in Indiana, working with 6,000 educators and 20,000 parents. CERIAS supplements these outreach efforts with an online resource, the Indiana Information Security Web, with sections devoted to home, school, and business users.
CIS at University of Tulsa
University of Tulsa in Oklahoma, a CAE/IAE institution, has active degree and research programs in its Center for Information Security ( CIS). Like CMU and Purdue, Tulsa's CIS has students with SFS/Cyber Corps scholarships, but Tulsa takes part in both the NSF and Defense Department scholarship programs. As of spring 2004, CIS had 61 students who had received NSF scholarships and 16 with DOD awards. Of the scholarship students, 17 came from underrepresented minorities, and five students were veterans.
In addition to the traditional academic degrees, CIS offers specialized certificate programs designed to train candidates to meet standards for federal information systems security professionals. John Hale, director of CIS, says they "recognized early on the importance of addressing national information security standards in the curriculum." The certificate programs, says Hale, attract all kinds of participants. "Some of our certificate participants are grad students. Others are people coming back to re-skill." Hale notes that people from industry have specific skill needs, and the certifications act as credentials that document those skills.
Defeating the Darknet
While the Cyber Corps will train the federal information security specialists, taking on the darknet will require strong buy-in from outside the academic and government worlds. All three universities gain support for their efforts from the private sector, and one of them, Purdue/CERIAS, extends its advocacy of secure computing practices into the surrounding community.
Purdue's Kurtz says the need for this kind of expertise throughout society is growing. "With local governments now providing more e-government services, the need for trained specialists will spread across government levels." She notes that up to now organizations would take extra precautions only after a security breach, but now companies and agencies need to be better prepared. "It will take a lifestyle change," says Kurtz. "This is becoming a foundational idea."