What’s it going to take to strengthen cybersecurity in the U.S.? Explaining to an 80-year-old grandmother that she downloaded spyware when she played online games? Teaching middle-schoolers good cyber hygiene and cyber etiquette, along with the math and science fundamentals they will need to understand how tablet PCs, smartphones and wireless networks work? Outlining cybersecurity competencies and required certifications for a system administrator job description? Persuading Fortune 500 companies and mom-and-pop-shops to be as protective of their business intelligence and client information as federal defense agencies are of national security?
Yes, all that and more.
The National Initiative for Cybersecurity Education (NICE), currently involving more than 20 federal government departments and agencies, aims to address these issues through a comprehensive education program that encourages the nation to use sound cyber practices to enhance the nation’s security.
This interagency effort is led by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) in Gaithersburg, Md. It is an outgrowth of the Comprehensive National Cybersecurity Initiative (CNCI), a program launched in 2008 by President George W. Bush to improve the federal government’s cybersecurity strategy and practices. In March 2010, President Obama established NICE, broadening the cybersecurity initiative beyond federal agencies to state, local and tribal governments, as well as the private sector. In addition, NICE’s cybersecurity education mandate reaches through the entire education channel, from K-12, into vocational and higher education programs.
“In general, we want to see a trajectory of improvement, in awareness and penetration, of all things cybersecurity—from improved cyber hygiene to increasing the professionalism of the cybersecurity field,” said Dr. Ernest McDuffie, the NICE program lead.
NICE has four components: national cybersecurity awareness, cybersecurity education, cybersecurity workforce structure, and cybersecurity workforce training and professional development. NICE’s strategic plan—goals and objectives for the next five years—will be published on the NICE website in late July/early August. NICE’s presence on Facebook and Twitter is to launch in late summer, early fall.
NICE aims to influence the public and private sector in coming years via interrelated sub-initiatives, including:
Cybersecurity Awareness Campaigns: The Department of Homeland Security’s “Stop. Think. Connect.” campaign launched last October is an early part of NICE’s efforts to increase cybersecurity awareness. “Awareness brings attention,” explains Margaret “Peggy” Maxson, director of the U.S. Department of Homeland Security’s National Cybersecurity Education Strategy. “We’re changing the culture of the nation so that cybersecurity is second nature.”
Cybersecurity Workforce Framework: Leaders from the NICE cybersecurity workforce training and professional development program are slated to publish a draft cybersecurity specialty area framework on the NICE website in late July. Created by NICE participants from the U.S. Departments of Defense, National Intelligence and Homeland Security, the framework links each specialty area in the cybersecurity workforce to specific tasks, knowledge, skills and abilities. “Getting that (framework) adopted within the federal government is our first big step,” said McDuffie. NICE also will advocate use of the cybersecurity specialty area framework as a best practice to state, local and tribal governments, as well as to the private sector.
High-quality, Cybersecurity Training Catalog: NICE aims to create a training catalog that uses a common system of terms to present course information. The catalog would map its courses to the specialty areas and knowledge, skills and abilities in the cybersecurity workforce framework. A common vocabulary provided by the specialty area framework and the training catalog will help the entire workforce pipeline—not only employers, but also students, jobseekers, employees, academia, training companies, and certification organizations, Maxson said. “This is something that will benefit everyone in the nation in that we will have understanding of the kinds of skills needed to be a cybersecurity professional”
Cybersecurity Web Portal: At NICE’s Sept. 20-22 workshop on cybersecurity education, the initiative is slated to present a mock-up of a web portal that would provide searchable access to cybersecurity awareness, training, and education resources and career opportunities available across the country. A pilot version is slated to go live in 2012.
Analysis of and Recommendations for Cybersecurity Workforce: NICE also plans to analyze the extent to which the cybersecurity workforce has the skill-set to meet current and future needs and will suggest ways to address any deficiencies. A two-year review cycle will help improve NICE, its workforce framework, training catalog and web portal on an ongoing basis.
Partnering For Change
NICE is leveraging public-private collaboration, McDuffie said. “We see the federal government being enablers and advocates, providing a framework, top-down guidance and best practices that we can promote to the private sector.” NICE is working closely with CompTIA and other groups to develop best practices for certification. McDuffie encourages all CompTIA members, and their employees, to become friends of the “Stop.Think.Connect.” campaign by signing up here. In addition, CompTIA vendors can present information about their cybersecurity product or service by becoming a sponsor of NICE’s September workshop on cybersecurity education, he said. NICE will require years to accomplish its goals, but McDuffie expects NICE to withstand any changes in the political winds. “Cybersecurity has never been a Democratic issue or a Republican issue; it’s a national security issue,” he said.