Cybersecurity Workforce Preparedness: The Need For More Policy-Focused Education
With the Internet of Things, the computerization of critical infrastructure and other essential processes, the ubiquity of computational technology has increased societal vulnerability. The complexity of cybersecurity questions has grown exponentially as attacks from foreign powers, cybercriminals, and hacktivists have risen. However, as individuals who can translate these politically-based technical challenges into policy have become more essential, degree programs focusing on cybersecurity policy have remained scarce.

This report addresses the need to include cybersecurity policy training as a part of cybersecurity workforce development. Specifically, we argue that more programs are needed across the country that produce graduates capable of answering questions such as:

What existing policies address pressing cybersecurity threats? Where are there gray areas exploitable by malicious actors?

Who has jurisdiction when a major cybersecurity attack occurs?

What redundancies, contradictions, and gaps are revealed when examining local, state, and federal cybersecurity policy?
DIGITAL FUTURES PROJECT October 2017
What are the legal obligations towards citizens, clients, or partners when companies or governments are faced with tackling cybersecurity problems?

What new challenges does the Internet of Things (IoT) bring to the existing domestic and international policy landscapes?

What new organizational jurisdiction issues does IoT pose?

What are the different cyberattack strategies of foreign powers, how can we predict their use, how might we hone our attribution methods, and how should the U.S. respond?

What geopolitical risk information can inform cybersecurity threat preparedness?

What international legal agreements help and hinder tackling cybercrime, including extradition, data sharing, and investigative cooperation?

What types of bilateral and multilateral cybersecurity agreements exist and how effective are they?

As U.S. commerce grows increasingly reliant on IoT technology and the accumulation of related data, how should the U.S. government and corporations navigate the movement of data within and across borders?

How do we explain the patterns of cyberattack by a nation-state on another nation-state?

What lessons can be learned from other countries' cyber-strategies?

Individuals who can answer these questions often occupy crucial positions, translating between policymakers and companies in emergencies and in everyday work, working on behalf of national security, managing cybersecurity-focused software engineers, creating cybersecurity education, deciding company information security, and shaping cybersecurity policy. However, most working in this field come to it in their mid-careers and are self-trained, creating a shortage of workers. As an industry member who works with us stated, "The best we can get is someone with either 80 percent policy knowledge and 20 percent technology knowledge or vice versa; if we could even just push that to 70/30 it would be helpful."

More comprehensive degree programs and certificate opportunities are needed that stand at the cross-section of policy and cybersecurity, creating opportunities for students in technical fields and social science fields alike. These programs must focus on applied experiences working on real problems as defined by external partners from government and industry, simulations and scenarios, and opportunities for making public arguments about cybersecurity policy to leaders in all sectors: government (agencies and elected officials); small, medium, and large businesses; nonprofit organizations; and civil society groups.

The Cybersecurity Workforce Shortage

While one of the major areas of cybersecurity weakness is professionals with the technical experience to secure our critical infrastructure, there is also a shortage of individuals who can move between the technology and policy world.

The individuals who can navigate between the technology and policy worlds will be able to translate between them, shape sound policy
It includes learning about HIPAA/FERPA, the Computer Security Act of 1987, the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, Payment Card Industry Data Security Standards, the US Patriot Act, the Americans with Disabilities Act Section 508, "Bring your own device issues," and two very broad categories titled "State, US, and International Standards/Jurisdiction" and "Laws and Authorities." While many of the knowledge units contain very broad categories of required information, such as "legal information" within the "Cyber Threat" category, the lack of specificity in concept categories such as "state, US, and International Standards/Jurisdiction" makes it unclear what content and skills programs should provide and what students will actually learn from these knowledge units.

If a non-computer science student wanted to focus on cybersecurity policy, or if a computer science student wanted to add a specialization in policy, there are limited opportunities to do so in the U.S. A review of the top 20 public policy schools in the United States reveals that only four have science and technology programs, all at the graduate level. Of these, only two focus on information policy (University of Michigan and Carnegie Mellon University) and of those, only Carnegie Mellon explicitly focuses on cybersecurity policy. Of the top 20 law schools, only Yale, Harvard, Stanford, and NYU have any focus on information policy. Information schools have more cybersecurity programs that focus on policy, but even among information schools it is only the minority that have programs, all graduate, that focus on cybersecurity: Drexel University, Georgia Institute of Technology, Pennsylvania State University, and University of Pittsburgh.

Most other prominent cybersecurity policy courses are offered through various centers and initiatives, but lack a formal degree at the end or an organized pedagogy that links content and skills across courses. For instance, such associated, but limited, courses exist at Berkeley, Harvard, MIT, Stanford, and the University of Washington.

Case Study: Washington State Higher Education

Using Washington State as a case study, there are six schools that are designated Department of Homeland Security (DHS) and National Security Agency (NSA) certified National Centers of Academic Excellence in Cyber Defense (CAE-CD). To earn this designation, they conform to standardized cybersecurity educational best practices. To be designated as a CAE-CD school, degree programs must closely align with specific cybersecurity-related knowledge units.

Washington State's six schools are: University of Washington, Bothell; University of Washington, Seattle; University of Washington, Tacoma; Highline College; City University of Seattle; and Whatcom Community College. The programs offered are listed below:

University of Washington, Bothell offers a M.S. in Cyber Security Engineering program. Students entering this program are expected to have previously obtained a B.S. in Computer Science and Software Engineering or equivalent.

University of Washington, Seattle offers B.S. and M.S. computer science degrees. It also offers a Professional & Continuing Education Program Certificate in Information Systems Security. The certificate is designed for, software developers and analysts, or people
The certificate should incorporate the National Centers of Academic Excellence in Cyber Defense Knowledge Units, making students conversant in the technology even if they were not computer science students. Coursework should cover the Policy Knowledge Unit and related units such as Cyber Threats. Students would not need computer science degrees to understand and be conversant in the implications of different types of attacks, such as Distributed Denial of Service attacks; likewise, computer science students would be able to discuss the complexities of international Internet governance as it relates to elements such as the

Jessica Beyer
Jessica Beyer is a lecturer in the University of Washington's Jackson School of International Studies and co-directs the International Policy Institute's Cybersecurity Initiative.

Sara Curran
Sara Curran is Professor of International Studies, Sociology, and Public Policy and Governance at the University of Washington. With Dr. Beyer, she co-directs the International Policy Institute's Cybersecurity Initiative.

The Wilson Center
wilsoncenter.org