We need trained soldiers for a new kind of war.
On a new global battlefield, countries, criminals, and commercial competitors can effectively leverage technology to steal from or attack target organizations. Corporate intellectual property is at risk of breach as almost everyone seeks to gain advantage in the innovation race. Military and government information faces the same risks with consequences for national security, digitized assets, and international affairs. The most dangerous hackers are no longer solitary, discontented teenagers working from their basement bedrooms, but instead are highly skilled professionals employed by corporate offices or military bases.
A scan of the headlines confirms the seriousness of the issue: media reports attribute a recent spike in cyber attacks against U.S. banks to an army of Iranian hackers; Congress reports that China is ramping up cyber warfare capabilities that could threaten the U.S. electrical grid and transportation and logistics networks. Threats to information security have now led to a virtual Cold War among nations.
As in any war, preparing a world-class fighting force is critical. The growing demand for trained security experts has been a call to action for U.S. educators. This high-stakes business game requires a highly trained workforce.
Cyber security expert Art Coviello, chairman of RSA Security, one of the nation’s top security companies and a featured speaker at Techonomy 2012, articulates the challenge:
“Organizations around the world today are dealing with a deluge of digital information. The velocity of sharing information is skyrocketing as well—driven by web-based applications, mobile devices, social networks, and cloud computing. As a result, we all are interconnected as never before.
“This new openness to computing infrastructures is creating greater opportunities for collaboration, communication, and innovation; it’s also creating new vulnerabilities that cyber criminals, ‘hacktivist’ groups, and nation states have learned to exploit. Attackers are taking advantage of gaps in security created by complex and disparate technology solutions with increased speed, agility, and cunning … easily outflanking perimeter security defenses, such as antivirus software and intrusion detection systems.”
Emergent private sector information technology (IT) practice areas now include digital and computer forensics, intrusion detection and incident response, and cryptography. At Kaplan University—a higher education institution that lives largely on the Web—we take information security education very seriously. We’re preparing students in a variety of new ways to employ both defensive and offensive strategies in programs ranging from certificates to graduate degrees. A look at the current scope of our curriculum gives an idea of the skills that will be needed to keep pace. We are expanding and focusing on five areas of IT security education:
1. Mobile Web Networks. Mobile device security is rapidly emerging as a major source of threats. Mobile security risks are so serious that many U.S. corporations and governmental agencies—as described by N. Perlroth in a recent New York Times article—will not allow their employees to carry mobile devices to China or Russia.* At Kaplan University, we are increasingly focused on educating students in wireless and cellular security methods.
2. Stronger Perimeters Through Better Security Policies. While understanding hacking techniques is certainly important, security policies and access control are crucial. Beyond firewalls and proxy servers, students are trained to apply business continuity, disaster recovery planning, risk management, and other tools at the platform and network level. Students taking information security courses practice a variety of defensive techniques, such as configuring access control and designing comprehensive security policies, and learn how to properly conduct an organizational security audit to identify security breaches and other alerts.
3. Intrusion Detection. Intrusion detection and incident response training is expanding as well. We teach professionals how to fend off cyber attacks using proactive monitoring, detection, and containment of attacks at the application, network, and platform levels. Well-prepared personnel can prevent malicious circumvention of supply chain processes within brick-and-mortar, click-and-mortar, and plug-and-play e-tailer organizations.
4. Digital Forensics. Digital and computer forensics is another rapidly emerging area of study. Curricula include file signature analysis, hash analysis, and other forensic techniques. As integrators of complex systems, telecommunications and hardware manufacturers are especially in need of these skills.
5. Reconnaissance Techniques. The protection workforce requires astute knowledge of active and passive reconnaissance techniques combined with ethical hacking competencies, as evidenced by a recent telecommunications vendor’s job ad. At the graduate level, we incorporate hands-on labs that deliver real-world experience for students in this and other emerging areas—a sort of IT boot camp. IT externships also augment this real-world training.
Continuous education and training is critical for U.S. industries to adequately combat and withstand cyber attacks. As information warfare threats evolve, IT curriculum must continuously and aggressively evolve along with them to meet this growing challenge. If it doesn’t, the consequences to business and government could be dire.
This article was written by Lynne Williams, PhD, and Jenelle Davis. Williams is a professor and Davis is a faculty member at Kaplan University School of Information Technology.