Information Assurance Education in the United States
Anita K. Jones
University of Virginia
To discuss education and training in information assurance, we first need to specify what the student is being prepared to be able to do. The range of material covered in courses in information assurance is broad because students are educated or trained for a number of quite different jobs or careers. They include the following:
information system (or Internet) administration
information system design
security service provisioning
cryptography system implementation and administration
And, of course, different courses treat the material at different depths of understanding.
We use the term information assurance to describe the content area that others may call “information system security” or “cybersecurity.” Training will be discussed after we have discussed education at the university level.
UNIVERSITY PROGRAMS IN INFORMATION ASSURANCE
In the United States, the federal government does not determine what is taught by schools and universities. Our Constitution gives the individual states jurisdiction over education. At the university level, there are about 1,000 universities and colleges. Fewer than one-half are research universities that offer grad-
uate degrees. Some universities are public (or state) universities and are partially funded by tax revenue collected by the state in which they reside. Others are completely private.
It is the faculty in each university or college who determine the courses that are taught and the content material of each course. U.S. universities offer three levels of programs. At the undergraduate level, typically there is no degree program specifically focusing on information assurance. It is considered more important for the undergraduate student to receive a broad education. Several hundred universities do teach some sort of information assurance courses at the undergraduate level. A small number of those teach only courses in cryptography.
In the United States, most information assurance courses can be found in the curriculum for computer science. Sometimes material on information assurance is taught as just one module within a course on more expansive topics such as networks, operating systems, or databases. In other cases, there are complete courses, or even a sequence of courses, in information assurance. The subject of cryptography is often treated by itself with courses either in computer science or in mathematics. In the United States the subject of physical security is rarely—if at all—taught in a university.
At the graduate level, some universities offer master’s degrees. For example, Carnegie-Mellon University offers a master’s degree in information security technology and management. Most students take industrial positions after graduation. Entire degree programs in information assurance are relatively rare at the master’s degree level. At the Ph.D. level, about 900 doctorate degrees are awarded each year in computer science and engineering. I estimate that no more than 5 to 10 of those degrees are in information assurance. As a result, the United States is producing very few Ph.D. students who are capable of performing research in information assurance. Consequently, the capability of the United States to field new research programs in information assurance is limited by a lack of qualified personnel.
GOVERNMENT ENCOURAGEMENT OF INFORMATION ASSURANCE EDUCATION
The U.S. government encourages increased education in information assurance at the university level, but this is simply encouragement, not direction. First, the federal government offers scholarships to students who study information assurance. In one program, called the Federal Cyber Service Scholarships for Service, the government pays for two years of education, and in return the student works for the U.S. government in the area of security administration for two years after graduation. In 2003, 200 Cyber Service scholarship students will graduate from either undergraduate or graduate programs. In addition to this program, there are several other government-funded scholarship programs, as
well as some programs that fund university faculty to develop and teach new courses in information assurance.
A second kind of encouragement from the federal government is in the form of a certification program for Centers of Academic Excellence in Information Assurance Education. The purpose of this relatively new certification program is to encourage the teaching of more courses and the awarding of more specialized degrees in this field. The objective is to increase the number of professionals who are expert in information assurance.
This certification program is sponsored by the National Security Agency. Universities that decide to seek certification submit documentation describing both research and educational activities in information assurance. This documentation describes the content of the courses and research programs. It cites the research papers published by faculty in the literature, as well as programs for outreach (teaching students via the Internet or outside the grounds of the university). The government reviews the submitted documentation. Currently, more than 45 colleges and universities are certified as Centers of Academic Excellence in Information Assurance Education, including the University of Virginia. This program is described at http://www.nsa.gov/ia/academia/caeiae.cfm?MenuID=10.1.1.2.
The third kind of federal government encouragement is in the form of increased funding for research. In 2002, Congress authorized additional funds for new cybersecurity research centers and undergraduate program development grants.
In the United States the term education refers to courses taken in organized degree programs. For our purposes, education is found in colleges and universities. In addition, there is a need to train professionals who are already expert in some aspect of the information systems but who are unfamiliar with cybersecurity. Similarly, some professionals may need to refresh what they know about cybersecurity because the field changes so rapidly. Occasionally, such training courses are taught in university outreach programs, that is, in nondegree programs. More often, training is offered by community colleges, private industry, or professional associations, especially in the context of technical conferences.
As such, education and training in information assurance in the United States is not centrally designed, defined, or funded. And the material offered as part of university education or for professional training is defined by those who offer the specific courses. As a result, there are no nationwide standards for information assurance education.
In February 2003 the U.S. President issued a document entitled The National Strategy to Secure Cyberspace. It states three strategic objectives:
prevent cyberattacks against U.S. infrastructures
reduce national vulnerability to cyberattacks
minimize damage and recovery time from cyberattacks
This document does direct some government agencies to take specific actions. However, the document recognizes that except for government networks and computers, most of the cyberinfrastructure of the United States is owned and operated by private industry. The federal government does not have the authority to give explicit operational direction to that industry on how to protect the cyber infrastructure that is offered to the public for use and the cyber infrastructure that underpins industry’s ability to conduct business. So, much of the strategy in the document encourages, rather than directs, industry to be aware of the problem and to protect itself. This document is publicly available and can be found on the Internet at http://www.whitehouse.gov/pcipb.
In summary, cybersecurity is recognized as a very serious issue in the United States. While a wide variety of education courses are offered, many believe that too few professionals with expertise in information assurance are being graduated from our universities. More graduates are needed at all levels.
Many also believe that (both inside the government and inside private industry) more thought needs to be given to cybersecurity threats to U.S. information systems, as well as threats to other infrastructures that might be amplified using cyberattacks. The strategy for protecting cyber infrastructure requires a public and private partnership between government and the private sector. Many of the actions to be taken to reduce vulnerability and to minimize damage from cyberattacks will be taken by private industry. Other actions can only be taken through international cooperation. All such actions require the involvement of trained professionals with strong knowledge and skills in assuring cybersecurity.