National Academies Press: OpenBook

Terrorism: Reducing Vulnerabilities and Improving Responses: U.S.-Russian Workshop Proceedings (2004)

Chapter: Information Assurance Education in the United States

Suggested Citation:"Information Assurance Education in the United States." National Research Council. 2004. Terrorism: Reducing Vulnerabilities and Improving Responses: U.S.-Russian Workshop Proceedings. Washington, DC: The National Academies Press. doi: 10.17226/10968.

Information Assurance Education in the United States

Anita K. Jones

University of Virginia

To discuss education and training in information assurance, we first need to specify what the student is being prepared to be able to do. The range of material covered in courses in information assurance is broad because students are educated or trained for a number of quite different jobs or careers. They include the following:

  • information system (or Internet) administration

  • cyberattack response

  • information system design

  • cybersecurity research

  • security service provisioning

  • cryptography system implementation and administration

And, of course, different courses treat the material at different depths of understanding.

We use the term information assurance to describe the content area that others may call “information system security” or “cybersecurity.” Training will be discussed after we have discussed education at the university level.

UNIVERSITY PROGRAMS IN INFORMATION ASSURANCE

In the United States, the federal government does not determine what is taught by schools and universities. Our Constitution gives the individual states jurisdiction over education. At the university level, there are about 1,000 universities and colleges. Fewer than one-half are research universities that offer graduate degrees. Some universities are public (or state) universities and are partially funded by tax revenue collected by the state in which they reside. Others are completely private.

It is the faculty in each university or college who determine the courses that are taught and the content material of each course. U.S. universities offer three levels of programs. At the undergraduate level, typically there is no degree program specifically focusing on information assurance. It is considered more important for the undergraduate student to receive a broad education. Several hundred universities do teach some sort of information assurance courses at the undergraduate level. A small number of those teach only courses in cryptography.

In the United States, most information assurance courses can be found in the curriculum for computer science. Sometimes material on information assurance is taught as just one module within a course on more expansive topics such as networks, operating systems, or databases. In other cases, there are complete courses, or even a sequence of courses, in information assurance. The subject of cryptography is often treated by itself with courses either in computer science or in mathematics. In the United States the subject of physical security is rarely—if at all—taught in a university.

At the graduate level, some universities offer master’s degrees. For example, Carnegie-Mellon University offers a master’s degree in information security technology and management. Most students take industrial positions after graduation. Entire degree programs in information assurance are relatively rare at the master’s degree level. At the Ph.D. level, about 900 doctorate degrees are awarded each year in computer science and engineering. I estimate that no more than 5 to 10 of those degrees are in information assurance. As a result, the United States is producing very few Ph.D. students who are capable of performing research in information assurance. Consequently, the capability of the United States to field new research programs in information assurance is limited by a lack of qualified personnel.

GOVERNMENT ENCOURAGEMENT OF INFORMATION ASSURANCE EDUCATION

The U.S. government encourages increased education in information assurance at the university level, but this is simply encouragement, not direction. First, the federal government offers scholarships to students who study information assurance. In one program, called the Federal Cyber Service Scholarships for Service, the government pays for two years of education, and in return the student works for the U.S. government in the area of security administration for two years after graduation. In 2003, 200 Cyber Service scholarship students will graduate from either undergraduate or graduate programs. In addition to this program, there are several other government-funded scholarship programs, as well as some programs that fund university faculty to develop and teach new courses in information assurance.

A second kind of encouragement from the federal government is in the form of a certification program for Centers of Academic Excellence in Information Assurance Education. The purpose of this relatively new certification program is to encourage the teaching of more courses and the awarding of more specialized degrees in this field. The objective is to increase the number of professionals who are expert in information assurance.

This certification program is sponsored by the National Security Agency. Universities that decide to seek certification submit documentation describing both research and educational activities in information assurance. This documentation describes the content of the courses and research programs. It cites the research papers published by faculty in the literature, as well as programs for outreach (teaching students via the Internet or outside the grounds of the university). The government reviews the submitted documentation. Currently, more than 45 colleges and universities are certified as Centers of Academic Excellence in Information Assurance Education, including the University of Virginia. This program is described at http://www.nsa.gov/ia/academia/caeiae.cfm?MenuID=10.1.1.2.

The third kind of federal government encouragement is in the form of increased funding for research. In 2002, Congress authorized additional funds for new cybersecurity research centers and undergraduate program development grants.

In the United States the term education refers to courses taken in organized degree programs. For our purposes, education is found in colleges and universities. In addition, there is a need to train professionals who are already expert in some aspect of the information systems but who are unfamiliar with cybersecurity. Similarly, some professionals may need to refresh what they know about cybersecurity because the field changes so rapidly. Occasionally, such training courses are taught in university outreach programs, that is, in nondegree programs. More often, training is offered by community colleges, private industry, or professional associations, especially in the context of technical conferences.

As such, education and training in information assurance in the United States is not centrally designed, defined, or funded. And the material offered as part of university education or for professional training is defined by those who offer the specific courses. As a result, there are no nationwide standards for information assurance education.

NATIONAL STRATEGY

In February 2003 the U.S. President issued a document entitled The National Strategy to Secure Cyberspace. It states three strategic objectives:

  1. prevent cyberattacks against U.S. infrastructures

  2. reduce national vulnerability to cyberattacks

  3. minimize damage and recovery time from cyberattacks

This document does direct some government agencies to take specific actions. However, the document recognizes that except for government networks and computers, most of the cyberinfrastructure of the United States is owned and operated by private industry. The federal government does not have the authority to give explicit operational direction to that industry on how to protect the cyber infrastructure that is offered to the public for use and the cyber infrastructure that underpins industry’s ability to conduct business. So, much of the strategy in the document encourages, rather than directs, industry to be aware of the problem and to protect itself. This document is publicly available and can be found on the Internet at http://www.whitehouse.gov/pcipb.

In summary, cybersecurity is recognized as a very serious issue in the United States. While a wide variety of education courses are offered, many believe that too few professionals with expertise in information assurance are being graduated from our universities. More graduates are needed at all levels.

Many also believe that (both inside the government and inside private industry) more thought needs to be given to cybersecurity threats to U.S. information systems, as well as threats to other infrastructures that might be amplified using cyberattacks. The strategy for protecting cyber infrastructure requires a public and private partnership between government and the private sector. Many of the actions to be taken to reduce vulnerability and to minimize damage from cyberattacks will be taken by private industry. Other actions can only be taken through international cooperation. All such actions require the involvement of trained professionals with strong knowledge and skills in assuring cybersecurity.


This book is devoted primarily to papers prepared by American and Russian specialists on cyber terrorism and urban terrorism. It also includes papers on biological and radiological terrorism from the American and Russian perspectives. Of particular interest are the discussions of the hostage situation at Dubrovka in Moscow, the damage inflicted in New York during the attacks on 9/11, and Russian priorities in addressing cyber terrorism.
