The Role of the Community College in Educating the Cybersecurity Workforce

1
The Role of the Community College in Educating
the Cybersecurity Workforce
ACM TYCEC Presenters Robert D. Campbell, Rock
Valley College, Rockford, IL Elizabeth K.
Hawthorne, Union County College, NJ Karl J.
Klee, Alfred State College, NY
2
National Strategy to Secure Cyberspace

• June 2002, National Science Foundation (NSF)
  supported a workshop
• Hosted by the American Association of Community
  Colleges (AACC)
• The Role of the Community College in
  Cybersecurity Education
• ACM Two Year College Education Committee (ACM
  TYCEC)
• Workshop dissemination team
• www.acmtyc.org

3
Setting the Stage before the Workshop
2002 Computer Security Institutes Computer
Crime and Security surveyed large corporations
and governments 90 detected computer security
breaches within the preceding 12 months 85
detected computer viruses 80 acknowledged
financial losses due to computer breaches 78
detected employees abuse of Internet access
privileges (e.g., downloading pornography or
pirated software, or
inappropriate use of e-mail systems) 75 cited
their Internet connection as a frequent point of
attack 33 cited their internal systems as a
frequent point of attack
4
Setting the Stage before the Workshop
2001 Computer Emergency Response Team
(CERT)Coordination Center at Carnegie Mellon
University handled a total of 52,658 computer
security incidents. 2000 Approximately HALF
the number as handled in 2001.
5
Setting the Stage before the Workshop

• The tragic events of September 11, 2001 only
  accelerated long standing concerns about the
  vulnerability of the nations critical
  infrastructure.

6
Setting the Stage before the Workshop

• Executive orders in both the Clinton and Bush
  administrations established leadership efforts to
  protect information systems that support the
  nations critical infrastructure
• Telecommunications
• Transportation
• Energy
• Healthcare
• Banking and financial services
• Emergency services
• Manufacturing
• Water supply systems

7
Educational Challenge

• Challenge extends to all levels of education
• Specialized training for computer experts
• Supplemental training for existing workforce
• Computer security literacy for all citizens

8
The Workshop
9
Recommendations

• For
• Educational institutions
• Business
• Industry
• Government
• Other stakeholders
• To
• Improve cybersecurity education
• Build the nations technical workforce

10
7 Key Questions

• What cybersecurity jobs are available that people
  with an appropriate two-year degree or
  certificate could fill, and what knowledge and
  skills are needed for these jobs?
• What relevant courses and programs already exist
  at community colleges, and what courses and
  programs need to be developed as models?
• What is the proper role of skill standards and
  professional certifications in education for
  cyber-security occupations?
• What role can community colleges play in
  retraining current workers in aspects of
  cybersecurity?

11
7 Key Questions

• What connections should be made between community
  college programs and university programs in
  computer science and information assurance?
• What partnerships should community colleges forge
  with business and industry in order to build
  appropriate programs?
• What resources would enable and encourage
  community colleges to broaden their offerings in
  information technology, forensic science, and
  other relevant subjects to address workforce
  needs in cybersecurity?

12
5 Overarching Issues

• Certifications and skills standards
• Cybersecurity programs at community colleges
• Topics, courses, curricula, programs
• Preparation for cybersecurity positions
• Advancing the role of community colleges in
  cybersecurity education Stakeholders

13
The IT Workforce
14
Mappings Between Career Strata Education

• Various education paths provide multiple sources
  of Information Technology (IT) workers
• The IT workforce can be separated into strata
  based on principal functionality
• Question What is the relationship between these
  two ideas?

15
Mappings Between Career Strata Education

• Education paths for IT workers
• University
• ? BA/BS degree program
• ? Masters degree program
• ? Ph.D. program
• Community College
• ? AA/AS transfer degree program
• ? AAS terminal degree program/certificate
  program
• ? professional development
• High School

16
Mappings Between Career Strata Education

• Strata of principal functionality among IT
  workforce
• - Conceptualizers
• - Developers
• - Modifiers/Extenders
• - Supporters/Tenders
• Reference The Supply of IT Workers in the US
  www.cra.org

17
Mappings Between Career Strata Education
18
The Role of Certifications Skill Standards
19
Certification Defined

• Assessment of an applicants qualifications as
  measured by performance on a standardized test
• Mechanism for establishing articulation
  agreements between and among institutions
• Way to encourage the formation of education/
  business/industry partnerships
• System for continuing on-going professional
  development and life-long learning

20
Skill Standards Defined

• Recommend foundational elements for programs and
  provide a set of core competencies
• Assist in the definition of the field
• Provide uniformity across institutions
• Map programs to specific jobs
• Provide guidelines that assist educational
  programs in evolving and adapting to changes in
  the field and in job requirements

21
Recommendations

• Create collaborative initiatives to establish
  qualifications for cybersecurity professionals
  and to assist in the local articulation
  agreements between and among programs and/or
  institutions
• Integrate standards and certification
  requirements into courses and programs

22
Recommendations continued

• Ensure that cybersecurity professionals are
  qualified upon completing the program and
  entering the workforce or going on to other
  education programs
• Provide resources and support for remaining at
  the forefront of the field

23
Establishing Maintaining Cybersecurity Programs
at Community Colleges
24
Requirements

• Commitment from high level administrators
• Initial and on-going investment
• Collaboration among two-year and four-year
  institutions, business, industry, and government
  to assist in securing resources
• Streamlined process for updating curricula
• Dedicated and state-of-the-art facilities

25
Requirements continued

• Access to educational and training opportunities
  through diverse modes of instructional delivery
  systems
• Continuous opportunities for professional
  development
• Student recruitment and support systems
• Systems to ensure students obtain the
  prerequisite body of knowledge and are properly
  placed
• Advertising and marketing of new programs

26
Recommendations

• Strong partnerships between two-year and
  four-year colleges and universities, business,
  industry, and government entities for generating
  revenue and for developing local articulation
  policy and procedures
• Partnerships with large industries (e.g.
  insurance, healthcare, banking, etc.) that are
  vast consumers of technology and deal with
  security issues on a daily basis
• Recognition and support systems for rewarding
  cybersecurity faculty and staff

27
Recommendations continued

• Local and state government financial support and
  cooperation in the program approval process
• Vendor and manufacturer donations for
  professional development and skill enhancement.
• Support from foundations and professional
  societies
• Industry and business sponsorships of faculty and
  students
• Program support from federal agencies

28
Topics, Courses, Curricula, Programs
29
Framework of Six Core Areas

• Security Issues
• Survey of computer security literacy issues,
  awareness, and ethics
• Scope of security in relation to today's
  technologies
• Need for security policies
• Glossary of terms
• Confidentiality, integrity, availability,
  authentication, authorization, and
  non-repudiation
• TCP/IP (Transmission Control Protocol/Internet
  Protocol)

30
Framework of Six Core Areas

• Business and Economic Issues and Security
  Policies
• Economic impact and planning
• Business based security including knowing the
  users and clients
• Business and institutional structures,
  strategies, and policies
• Know what a security policy is
• Policy, standards, guidelines (e.g., acceptable
  use, methods and procedures)
• Risk-based assessments

31
Framework of Six Core Areas

• Law, Ethics and Standards
• Legal implications of security measures and
  breaches
• Ethical aspects of cybersecurity
• Standards and international organizations
• Legal and regulatory aspects including
  understanding of the judicial system,
  investigative processes, evidence chain, and
  incident reporting
• Forensics guidelines and protocols

32
Framework of Six Core Areas

• General Knowledge and Skills
• Accounting
• Written and oral communications
• Telecommunications
• Ethics
• Discipline
• Strategic and tactical thinking
• SCANS skills
• Planning and allocating resources
• Working with others as part of a team
• Acquiring and using information
• Understanding complex interrelationships
• Working with a variety of technologies

33
Framework of Six Core Areas

• Internet and Cybersecurity Skills and Knowledge
• Software, Hardware, and Operating Systems
• Operating systems (need to know more than one)
• Unix
• Cryptography
• Programming
• Network Security
• Networks (e.g., in telecommunications network
  security knowledge of networks, servers, systems,
  databases, signaling networks and gateways,
  network and element management systems, and
  network elements)
• Basic network security, information security,
  database security, system security,
  communications security, etc.

34
Framework of Six Core Areas

• Internet and Cyber-security Skills and Knowledge
  (continued)
• Security Protocols
• Strong authentication and secure credentials
  exchange
• Development and assurance of compliance with
  HIPAA
• Installation of centralized antivirus software
• Fluency with firewalls (IDS, VPN) installation
  of firewalls
• Antivirus, anti-Trojan, scanning, and back-up
• Threat Management
• Styles of attack/
• Psychosocial aspects of security
• Identifying threats
• Access and environmental management requirements
• Policy and procedures security development

35
Framework of Six Core Areas

• Knowledge of Industry Hiring Practices
• Run backgrounds checks to look for malicious
  hacking history, history of drug use, and credit
  ratings.
• Companies want to make sure cybersecurity
  workersare not vulnerable to blackmail
• Place a high value on maturity, ethics, and
  integrity.
• "No hackers, crackers, or phreakers

36
Recommendations

• Prepare students for immediate employment and
  continued career advancement
• Use existing and available modules to assemble
  and adapt into coherent curriculum
• Create clearinghouse of existing resources,
  possibly with the support of NSF
• Train faculty in cybersecurity
• Incorporate case studies of computer crimes into
  courses
• Offer student support/advising systems

37
Recommendations continued

• Align and adapt content with a focus on outcomes
• Jointly develop programs to ensure that programs
  are aligned (this requires constant dialogue
  between community colleges and four-year
  institutions)
• Create bridge programs for students who need
  additional analytical and theoretical work
• Ensure that all courses accepted for transfer are
  not just counted as core or electives, but that
  some are part of the four-year technical degree

38
Preparation for Cybersecurity Positions
39
Prepare Wide Range of Security Professionals

• Train entry-level workers
• Provide workers with opportunities to maintain
  high levels of skills and knowledge
• Serve workers who are trying to change jobs
• Prepare students for transfer programs
• Students need to have a clear understanding of
  their options, responsibilities, and the goals of
  the programs in which they are enrolled

40
A Two-Year Degree

• Can serve as a prerequisite for many
  industry-endorsed certifications
• Can be combined with a liberal arts or other
  technologically-oriented baccalaureate degrees
• Can be used as a basis for continuing education
  and training

41
Existing Cybersecurity Jobs for Two-Year Degree
Holders

• Entry-level person for customer service
  operations and help desk operations
• Entry-level security administrator
• Network administrator
• Systems administrator
• Operator
• Paraprofessional IT occupations including
  graphics designers, Web developers and digital
  content designers
• Security telecommunications technician who
  performs tasks related to surveillance such as
  tracing calls and issuing subpoenas

42
Advancing the Role of Community Colleges in
Cybersecurity Education Stakeholders
43
Stakeholders Include

• Community colleges
• Four-year colleges and universities
• Business and industry
• Professional and trade associations
• Local, state, and federal governments (National
  Science Foundation)

44
Recommendations for Stakeholders

• Have a responsibility for advancing the role of
  community colleges in cybersecurity education and
  training
• Utilize the National Security Agency
  categorization of security positions as a
  framework for the development of program
  requirements
• Develop collaborative activities across
  institutions to promote careers in cybersecurity
• Mount a campaign to encourage students to
  participate in co-curricular activities that are
  attractive to future employees and/or graduate
  schools
• Pressure government agencies to provide
  descriptions of cybersecurity positions and
  guidelines for salaries

45
Contents Availabilityof the Report
46
Table of Contents

• Recommendations
• 5 overarching issues already discussed
• White Papers
• Listed on next slide
• Appendixes
• Workshop Agenda
• Keynote Speaker Biographies
• Cybersecurity Education Resources
• Workshop Participants

47
White Papers in the Report

• Cybersecurity Education in Community Colleges
  Across America A Survey of Present and Planned
  Implementations (Campbell Hawthorne)
• Case Study Creation of a Degree Program in
  Computer Security
• Trustworthy Computing by Microsoft
• IT Security Specialist Integrating Academic
  Credentials with IT Professional Certifications
• Adapting Commercial Training Materials for Use at
  the Community College

48
Report Available Online _at_

• http//www.aacc.nche.edu/cybersecurity/
• Executive Summary also available
• Any Questions . . .