IA Need

Envision the following two scenarios.  It’s a regular day in your middle school. The students have filed into the computer lab and have logged in. One computer doesn’t seem to be connecting to the network, so the technology instructor works to re-establish the network connection.  Meanwhile, a few students in the back of the room use a proxy server to check their social networking site and email. One student clicks on an attachment marked “Go Ravens” which is actually a Trojan. It pops up a pornographic website on his computer, and sends a similar message to every person in his contact list.  Just then, the technology coordinator walks in to help with the network, sees the website, and tells the student to take off his headset and shut the monitor. “Not again” she thinks.  Meanwhile, the principal comes in to request an updated list of software installed on the school computers as the district has detected too many copies of a language learning program installed at the school.  With only one technology teacher and one technology coordinator to help resolve the technology problems at the school, how will she manage to keep the school computers running, secure and virus free, software compliant, while also having to deal with the parent who is calling because her child received a text with a sexually explicit picture of another student at the school?

You’ve just sat down at your terminal at the Cyber Command.  You look over your monitors showing status of various networks you are monitoring.  All green.  You check the main servers, and they show a process running you don’t recognize.  It has connected to one of the DoD email servers and is transferring data outside the network.  You shutdown the outgoing traffic, and lock down the server so it can’t contaminate another server.  You track its origin and it seems to have come from an outside server originating in a foreign country.  I guess it looks like another interesting day.  You sigh, alert your supervisor and settle down to tracking the source, and minimizing the damage from another hacker trying to penetrate the US DoD infrastructure.

While the above cases may seem extreme, both are typical in the day and life of personnel in the field of information assurance (IA). These scenarios present the reader with a potential conundrum related to both general citizenship awareness about cyberethics, safety and security and the growing need for a trained workforce in the IA, information systems and digital forensics field; often referred to as CyberSecurity . Unfortunately, few students know about the field and in many cases educators, parents, and career counselors are not informed of the career tracks available, requirements for and even what the jobs entail. For this proposal, we will refer to the various fields in this workforce area as CyberSecurity .

The Director of National Intelligence (DNI) recently testified before Congress, stating: “The growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and other critical infrastructures. The Intelligence Community assesses that a number of nations already have the technical capability to conduct such attacks” [1, p. 39].The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the US economy, civil infrastructure, public safety, and national security. CyberSecurity risks pose some of the most serious economic and national security challenges of the 21st Century. These challenges are captured in US Bureau of Labor Statistics (BLS) employment projections. Overall, the BLS estimates total US employment to increase by 10 percent from 2008 to 2018. However, cyber related jobs are expected to grow at significantly higher rates.  The need for network systems and data communications analysts is expected to grow by 53.4%, and the need for computer software engineers is expected to grow by 34% over the same time period.  The BLS attributes this growth to the increased need for workers with information security skills-the group which SECURE IT targets. Overall, the BLS estimates computer and mathematical science occupations will grow by 22.2%.  This parallels similar data for almost all STEM fields [2]. Clearly, the available workforce is not growing with the demand.

The 2005 Base Realignment and Closure (BRAC) effort will result in over 45,000 new federal and private sector jobs in Maryland (directly impacting the two partnering school districts). Most of these will involve high-technology. Of these, there is an estimated in-migration of 5,717 military, civilian, and embedded contractor positions to Fort Meade and an estimated 400 to Andrews Air Force Base (AAFB). In addition, over the next 5 years, an estimated 1,500 new positions per year are projected to be created by the National Security Agency (NSA), Fort Meade’s primary tenant [3]. (Furthermore, 10,000 new positions are anticipated at Fort Meade through Extended Use Lease and 2,000 in Department of Defense growth over the next 5-7 years. Less than 12% of the new positions created by the growth at Ft. Meade are military. The gap between supply and demand in STEM and particularly in the growing CyberSecurity field is both a local and a nationwide problem.

At the same time, there has been an exponential growth in cybercrimes reported to the FBI since 2000. In 2000, 16,383 were reported; in 2008, 275,284 crimes were reported. The most frequent crime was credit/debit card fraud however intrusion, spam, and child pornography were also frequently reported. Commercially, losses attributed to computer security issues averaged more than $230K per organization in 2008 [4] with over 60% of the losses being attributed to non-malicious actions by insiders. The FBI, CERT, and (ISC)2 prioritize education and awareness before technical interventions in protecting users and infrastructure.

Indeed, increasing public awareness about cybersecurity and increasing the US technologically advanced workforce are two priorities spelled out in the President’s 60 Day Cyberspace Policy Review (2009) [5]. As referenced in the report, the US should initiate a K-12 cybersecurity education program for digital safety, ethics, and security; expand university curricula; and set the conditions to create a competent workforce for the digital age [6]. To achieve these goals, the report suggests: 1) initiation of a national public awareness and education campaign to promote cybersecurity risk awareness for all citizens; 2) changes in the educational system that will help enhance the understanding of cybersecurity and allow the U.S. to retain and expand upon its scientific, engineering, and market leadership in information technology; and 3) development of educational opportunities and strategies that will expand and train the workforce to protect the Nation’s competitive advantage, including attracting and retaining cybersecurity expertise in the Federal government [5].The report goes on to state, “The Federal government, with the participation of all departments and agencies, should expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy. Existing programs should be evaluated and possibly expanded, and other activities could serve as models for additional programs.” [5, p.14]

References

[1] Cyberspace Policy Review (2009). Assuring a Trusted and Resilient Information and Communications Infrastructure http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

[2] Additionally, a study in 2008 by the National Science Foundation found that the number of graduates with science and engineering degrees, at the bachelor's level or higher, increased by an average rate of 1.5 percent a year from 1980 to 2005. But the average employment growth for such jobs each year over the same period was 4.2 percent.

[3] Maryland Subcabinet for Base Realignment and Closure. (2007).  State of Maryland BRAC Action Plan Report 

[4] Richardson, R. (2008). 2008 CSI computer crime & security survey: The latest results from the longest-running project of its kind, Computer Security Institute.  

[5] Cyberspace Policy Review (2009). Assuring a Trusted and Resilient Information and Communications Infrastructure. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

[6] Pruitt-Mentle, D. (2008) National Cyberethics, Cybersafety, CyberSecurity Baseline Study. http://staysafeonline.mediaroom.com/index.php?s=67&item=44.