Can higher education fix the cybersecurity shortfall?
While the economy may only be slowly nursing itself back to health and remains marred by an elevated unemployment rate, the job market for computer security experts is booming.
The relatively young field of cybersecurity is flourishing as threats to critical infrastructure, such as power plants and the electric grid proliferate. Couple that with the increasing reliance on the Internet for financial transactions, medical records and other sensitive information, and the demand for cybersecurity experts in both the public and private sectors is far outpacing the development of the talent pool, making for a hyper-competitive labor market. And universities are only beginning to catch up.
"The shortfall is real," said S.K. Bhaskar, assistant dean of undergraduate studies at University of Maryland University College (UMUC), where he heads up the school's recently launched cybersecurity degree program.
"What's happened is cybersecurity is still an emerging field," he said. "Universities have been a little bit behind."
But Bhaskar noted that more and more schools have been rolling out robust degree and certificate programs in cybersecurity and related disciplines, such as information assurance. That shift has seen cybersecurity increasingly regarded as a distinct course of study, as opposed to the more traditional approach that has viewed it as a subset of computer science.
UMUC launched its bachelor's and master's programs in cybersecurity last fall, offering students the option of completing the programs entirely online or in a hybrid format that would combine Internet instruction with face-to-face sessions in the classroom. UMUC's bachelor's program pairs the technical and policy aspects of cybersecurity, and the school offers two master's programs with specializations in those fields.
The curriculum was developed through a collaborative effort that included participation of industry leaders, highly placed government officials and certification bodies, such as the International Information Systems Security Certification Consortium, or "ISC-squared." The curricula advisory committee was chaired by Lt. Gen. Harry Raduege (Ret.), who also serves as the chairman of consulting firm Deloitte's Center for Cyber Innovation.
"The Internet has changed the way we live, work and prosper through an online infrastructure that is increasingly vulnerable and subject to attack," Raduege said. "The threat presented by cyber espionage, identity theft, data theft and denial-of-service attacks must be countered by properly trained professionals, highlighting a tremendous need in this vital and growing field."
UMUC is not alone in offering an independent degree program in cybersecurity, but it remains one of a relatively small field of schools. Other institutions with cybersecurity degree programs include Utica College and Mercy College.
"Cybersecurity is a field that is multi-disciplinary," Bhaskar said, noting that it draws on far-ranging subject areas, including computer science, psychology, ethics and management.
UMUC's designated cybersecurity programs grew out of the information assurance program the school has had in place since 2002. UMUC notes that the two disciplines are closely interrelated, but cybersecurity tends to focus on coordinated solutions while information assurance takes a more individual approach in examining technologies and policies, such as access control, encryption and compliance. The school opted to replace its bachelor's program in information assurance with the cybersecurity program, but continues to offer an IA master's degree.
A growth industry
UMUC, located in Adelphi, Md., a suburb between Washington, D.C., and Baltimore, notes that its master's program in cybersecurity policy produces experts in an area of keen interest around the nation's capital as regulators and lawmakers continue to formulate the programs and rules geared to protect the nation's critical infrastructure. The school estimates that in the Baltimore-Washington area alone, some 30,000 new positions are expected to become available in the cybersecurity field.
Much of that growth stems from the increased government activity. Civilian and military agencies have been ramping up their cybersecurity staff, while the policy debate simmers in Congress about where authority for protecting non-military networks and digital infrastructure should be housed. Cyber Command, a new agency the Department of Defense created last May, has said it is looking to create more than 20,000 cybersecurity positions worldwide. The Department of Homeland Security, which the White House wants to endow with the authority for protecting civilian government systems, has also been working to pad the ranks of its cybersecurity professionals and strengthen its partnership with the industry.
"No single technology--or single government entity--alone can overcome the cybersecurity challenges our nation faces," Sean McGurk, director of the National Cybersecurity and Communications Integration Center at DHS, said recently in testimony before a House subcommittee. "Consequently, the public and private sectors must work collaboratively."
In the private sector alone, the cybersecurity field is expected to grow by more than 25 percent in the near term, according to the Center for Strategic and International Studies, a Washington think tank.
In an effort to spur along the development of the cybersecurity profession, the Obama administration has launched the National Initiative for Cybersecurity Education (NICE), a program under the auspices of the Commerce Department's National Institute of Standards and Technology. The NICE program is organized into four tracks, including one that specifically tasks the Department of Education and the National Science Foundation with promoting formal cybersecurity education programs across K-12 schools, universities and vocational institutions.
"What the government is trying to do is come up with curriculum standards," Bhaskar said. "That is lacking in cybersecurity because it's still an emerging field."
He added, "It is working toward a professionalization of the field."
Still, there remain troubling signs that indicate how far away cybersecurity is from the mainstream of education. A recent study from the National Cyber Security Alliance, a nonprofit group that partners with DHS, highlighted a dramatic shortfall in teachers with any form of cybersecurity training in K-12 schools, for instance.
But agencies across the government continue to partner with educational institutions in an effort to bolster and standardize computer security programs. DHS and the National Security Agency jointly administer a certification program for universities with strong programs in information assurance. To qualify for admission into the National Centers for Academic Excellence in IA Education (CAE/IAE) or CAE-Research programs, schools must undergo a lengthy review of their programs, which are measured against a detailed set of criteria, including course load, number of IA faculty members and the program's level outreach and collaboration.
The CAE certification lasts for five years, and entitles students of the credentialed institutions to apply for Department of Defense scholarships and grants, though it does not carry any promise of NSA or DHS funding. A full list of the certified programs by state is available here.
Many companies in the private sector also partner with universities to promote cybersecurity education, a natural move given their own interest in expanding the talent pool. Deloitte, for instance, is the national sponsor of the National Collegiate Cyber Defense Competition, a cyber tournament founded by the University of Texas at San Antonio's Center for Infrastructure Assurance and Security. The challenge, now in its sixth year, pits teams of undergraduate and graduate students from various schools against one another in exercises that include securing and maintaining systems in the face of attacks from an opposition team.
"These exercises are vital to training for people who will be safeguarding the nation's systems and infrastructure," Raduege said, noting that the contest "plays a vital role in building the nation's future workforce."