Computers may not exactly control the world, but much of the world functions thanks to the help of computers — so securing them has become the next frontier in higher education.
“Everyone who serves their country in a diplomatic capacity must understand cybersecurity as an issue that affects all their programs at home and overseas,” said Thomas Kellermann, a professor at American University’s School of International Service and vice president of Cyber Security for Trend Micro.
Every issue from politics to economics to business has a cyber dimension to it and is influenced by, and can be manipulated by, computers, he said.
The public is increasingly aware of the issue thanks to a string of high-profile attacks. Groups such as Anonymous have been charged with hacking a range of websites, including credit card companies such as Visa and MasterCard. The Syrian Electronic Army recently took credit for bringing down the New York Times website. And earlier this year, the private security company Mandiant revealed the extent of Chinese hacking, much of it likely state-sponsored, against American interests ranging from major conglomerates such as Coca-Cola to government agencies. A few months later, the Obama administration publicly blamed China for launching attacks against government computer systems and defense contractors.
Of course, the United States isn’t an innocent bystander in the world of cyber warfare. U.S. cyber warriors helped to develop the malicious Stuxnet software to sabotage Iran’s nuclear program. And more recently, Edward Snowden’s leaks about the National Security Agency’s mass surveillance programs exposed just how deeply the spy agency is able to penetrate into the world wide net.
Governments around the planet should be aware that cyberspace is an increasingly dangerous new world, where security voids threaten the individuals, companies and countries that are inextricably linked to the net. Attackers are becoming more sophisticated, and many are not playing games to provoke disruption or send a political message, but rather they deliberately seek financial gain and profit.
“Cyberspace is an extremely hostile environment today,” said Kellermann. “There are a multiplicity of actors in the free fire zone, many competing interests, and lots of friendly and unfriendly fire being leveraged.”
The list of critical functions around the world that are vulnerable to cyber tampering is sobering: banking and transportation systems, civilian, government and industry networks, commerce, energy and power grids, government security and public policy documents, infrastructure, trade secrets and weapons designs.
Cybercrime not only hits governments and big businesses, but individuals as well. In fact, the financial losses associated with identity theft actually surpass those of physical theft globally, said J. Alberto Espinosa, chair of the Information Technology Department and professor of information technology at American University’s Kogod School of Business. “This provides ample evidence that we must safeguard our systems.”
Cybercrime is illegal according to the Budapest Convention on Cybercrime, which came into force in July 2004 but was only ratified by the United States two years ago. As of September 2013, 40 countries signed and ratified the doctrine and 11 have signed but not yet ratified it.
Many governments haven’t signed on and don’t have legislation against cybercrime because they see hacking and cyber espionage as a way of boosting their nation’s industrial growth and making economic and technological advances — the easy way.
“Savvy hackers keep finding more effective ways to profit from cyber theft,” said Espinosa. “In the old days a hacker had to be a competent programmer to get into your computer and do harm. Not any more. New forms of vulnerabilities, coupled with more sophisticated and easier-to-use tools of attack, translate into more risk. Hackers today can penetrate a system without you knowing it and without doing visible harm; they can simply get in, stay there, collect data and you’ll never know. That’s what’s so scary.”
Cyberspace is not secure because security has not been adequately built into systems.
“That takes money and slows down product development, and we haven’t been willing to build it in. Until now, enough people haven’t thought it necessary,” said Lance J. Hoffman, a computer science professor and founder of the Cyberspace Security Policy and Research Institute at George Washington University.
“But now is a crucial time because we’ve reached the point that most leaders in the public and private sectors realize we have a serious, widespread problem that must be addressed immediately, broadly and with our full capabilities and ingenuities,” he said.
The bottom line is we aren’t producing enough professionals, said Hoffman, although the discipline is still young, added Angelos Stavrou, a computer science professor at the Volgenau School of Engineering at George Mason University.
A recent report by the National Research Council — a private, independent nonprofit institution of the National Academy of Sciences — addressed the challenges in advancing the professionalization of the cybersecurity workforce.
“The cybersecurity workforce includes a broad range of occupations,” said Diana L. Burley, an associate professor at George Washington University’s Graduate School of Education and Human Development and co-chair of the committee that looked at the professionalization of the cybersecurity workforce and wrote the report.
The report concluded that although there is a shortage of cybersecurity professionals across the country, the exact nature of the shortage is unclear. “Addressing the workforce challenge is complicated because we tend to talk about cybersecurity work as if it represents a single occupational category. It does not, and we risk exacerbating the workforce shortages by applying blanket professionalization strategies to the range of occupations as if the deficiencies were single faceted,” said Burley.
Patrick Kelly, a former George Washington University student who is now an instructor of a cybersecurity and governance course at the school and a government employee, said the workforce and pipeline issue is of increasing concern to the public and private sectors because we’re all part of the same interconnected network.
Stavrou agrees and believes that people are increasingly realizing the significance of losses in product delivery and intellectual property to their operations and companies. Unfortunately, only after something bad happens is the need for cybersecurity recognized, the George Mason professor said.
“If we’re all vigilant and educated, we will become less prone to being exploited and therefore less prone to being used as a stepping stone to attack others,” said Stavrou.
Academic Sea Change
“The demand for cybersecurity professionals is growing and growing exponentially and is increasingly becoming a board room issue,” said Frank J. Cilluffo, an associate vice president at George Washington University, where he leads its Homeland Security Policy Institute.
“Surveys of corporate business executives show that intellectual property theft, cybercrime and cyber attacks top the list of concerns that keep them up at night. The losses to their bottom line, economic competitiveness and reputation are significant and becoming increasingly expensive,” he said.
The consensus of experts in the field is that cybersecurity needs to be integrated in large organizations at the highest levels. “Part of our problem now is that the technically competent workers who are capable of providing solutions can’t explain the need for cybersecurity from the business incentive perspective to the senior people,” said Stavrou. “What’s needed are professionals who are both technically competent and can articulate the risks.
“We need to harmonize cybersecurity as an integral component of business operations — not just as an ad-hoc response to an attack, but as a part of the business strategic operations that will also repel future attacks,” Stavrou added, noting that once a system is compromised, it’s too late to fight because vulnerabilities have been breached and information stolen.
There’s also a huge shortage of skilled professionals with a combination of computer science savvy and business backgrounds managing large departments and companies, said Cilluffo. To help fill this void, George Washington University recently launched an executive MBA in cybersecurity aimed at pulling these disciplines together to incorporate a strong international component, said Cilluffo.
The significant shift in thinking about educating a cyber workforce has taken place partly because the field of cybersecurity is no longer viewed as simply a technical specialty.
It’s recognized today as a multidisciplinary profession requiring both computer competence and business managerial skills. That’s why schools in the Washington area are linking computer science classes to business, law, criminology, public policy and international affairs programs to produce a professional workforce that can prevent cyber theft and convince corporate leaders of the need to invest in cybersecurity.
“Cybersecurity is both a technical and a people issue,” said Kelly.
That’s also why cyber professionals need diplomatic skills, said Hoffman. “Part of life is reading newspapers to know what’s going on in the world, who and what group is likely to become a hacker, what’s happening with trade agreements and global financial banking. More and more of the global economy is in play.”
The University of Maryland even addresses the issue of cyber ethics.
In the Advanced Cybersecurity Experience for Students (ACES) program, associate professor Michel Cukier, ACES director and associate director for education in the Maryland Cybersecurity Center, teaches students how to deal with privacy and safety infringement issues.
“He gives us situations such as, if you’re a company and want to create more relevant online ads, is it OK to track a user’s activity on other websites, or how do you make sure you’re safe online and not infringing on others’ rights when you create a new program,” said Ryan Eckenrod, a freshman in the class.
The goal of these cyber courses is to build a cadre of professionals who can talk to people on both the business side and technical side with knowledge and conviction.
“We try to educate our students so that whoever they talk to, whether a CEO, programmer in a bullpen or CFO [chief financial officer], they can present a convincing case for cybersecurity and the necessary investment required,” said Hoffman of George Washington University.
Teachers also approach classes from a business and political perspective and try to prepare students to understand what vulnerabilities exist in the digital realm and what the best practices are to mitigate those risks.
Failure to understand the rapidly changing nature of cybersecurity has real-world consequences.
“In my course, crime, espionage and warfare, it’s not my intent to create IT specialists, but rather educate master’s of international affairs candidates on how international relations and international development has been forever altered due to cyberspace,” said Kellermann. “Both crime and espionage have evolved dramatically online. Non-state actors now can download cyber weaponry which endows them with asymmetrical capabilities that can pose a real threat to regimes.”
Added Cilluffo: “The beauty and challenge of cyberspace is that it transcends traditional disciplines and ways of doing business, diplomacy and security, since the internet knows no boundaries. One cannot look at cybersecurity through a national lens alone, as solutions will require working with allies to address the dark side of the threat.”
About the Author
Audrey Hoffer is a contributing writer for The Washington Diplomat.