Cybersecurity education initiative seeks training metrics

Coordinating interagency efforts to train aspiring cybersecurity specialists, federal employees and the public on data protection is a tall order for Ernest McDuffie, the lead manager for the National Initiative for Cybersecurity Education. Activities to promote safe Web surfing habits include a public awareness campaign, formal cybersecurity education programs, federal workforce training and a new Internet ID system. McDuffie is tracking agencies' progress on all this schooling.

"The problem of training and cybersecurity awareness is bigger than any one agency," he says. "My job has been to figure out what is going on [inside each program] and to bring the tracks into a single unified initiative."

Perhaps the hardest part of the monitoring is defining progress in the burgeoning field of cyber-security education. Indeed, one of McDuffie's goals is to develop performance benchmarks. "The measure is going to be, how is behavior changing across the country for the better," he says. "We're in the process right now of developing a comprehensive strategic plan that will lay out the beginnings of those types of metrics."

The strategy is due at the White House in March.

Some scientists argue cyber proficiency suffers from a lack of academic work. "The science [of cybersecurity] seems underdeveloped in reporting experimental results, and consequently in the ability to use them," stated a November 2010 report from JASON, a Defense Department advisory panel. "The research community does not seem to have developed a generally accepted way of reporting empirical studies so that people could reproduce the work and use the results."

McDuffie concedes the newness of the field presents certain logistical and bureaucratic issues, such as obtaining an accurate accounting of the total number of federal cyber specialists. A major goal is to cultivate a large, highly skilled cybersecurity workforce. But he doesn't have a target figure because no one knows which employees to count to assess current staffing.

"What does it mean to be a cybersecurity professional?" he says. "And what is your career path? Because the field is so new and keeps changing, it's hard to answer those questions in any definitive way."

Several vague figures have been bandied about. For example, a former CIA official estimates that about 1,000 security experts in the nation possess the skills to safeguard U.S. cyberspace, but the country needs about 30,000. Homeland Security officials say the number of cyber specialists working for DHS has increased about fivefold in the past two years. McDuffie says two-thirds of all federal employees who work in cybersecurity are at Defense, but he's never heard the number that "all" refers to.

"If I could tell you three years from now what those numbers are from the federal government, that would be a major accomplishment--that we had stable enough definitions about all those different terms," says McDuffie, who works out of the National Institute of Standards and Technology, an agency in the Commerce Department.%C2%A0

Critical to fleshing out those numbers are university graduates with the skills and desire to join the cyber workforce. He gives one cybersecurity education initiative high marks for turning out such individuals. The scholarship for service program that the National Science Foundation runs covers the cost of books, tuition, and room and board for students willing to concentrate in information assurance and then work in the government. "In return for a two-year free ride, they agree to work for the federal government for two years," McDuffie explains. While it's tough to keep track of students once they finish their rotations, all indicators suggest that many stay, he says.

And even if they eventually join the corporate world, that still is a measure of success because the private sector controls about 85 percent of the nation's critical IT infrastructure, he notes.

CompTIA, a trade association that works with NIST to boost the number of credentialed cyber personnel, estimates there are more than 60,000 information security professionals in the federal government certified through its program, not counting contractors. "We feel pretty confident as an industry that we can meet that need" for more sophisticated specialists, says Elizabeth Hyman, CompTIA vice president for public advocacy.

Several other federal departments, such as Homeland Security, coordinate with the private sector and NIST to heighten cybersecurity awareness outside government. NIST recently kicked off a public-private effort to provide consumers with secure online identities so they don't have to memorize a bunch of passwords. The National Strategy for Trusted Identities in Cyberspace aims to offer people a means of verifying who they are interacting with when they conduct online transactions.

Although the model hasn't been finalized yet, some industry officials say the government is making progress.

"The two most critical goals have been cleared," Phil Bond, president and chief executive officer of the trade group TechAmerica, said on Jan. 27 at a Silicon Valley forum sponsored by the Stanford Institute for Economic Policy, NSF's Team for Research in Ubiquitous Secure Technology and various industry groups. "It should be private sector-led," and it is "very important that Commerce was selected as the place to centralize this, Bond said. "Commerce is essentially the private sector's voice in the council of government at the federal government level. From there, listen, learn, help, lead."