There is a growing demand for information security professionals in an era when "malicious vandalism, criminal activity, and international information warfare" all may threaten the nation's information infrastructure, says Dr. Charles Reynolds. He describes how the academic community is collaborating with government and industry to meet that need through an initiative launched in 1997 called the National Colloquium for Information Systems Security Education (NCISSE). The author, 1998 chairman of NCISSE's executive committee, also outlines James Madison University's efforts to respond to emerging national priorities in countering the threats to U.S. information networks.
The Need For Information and Communication Infrastructure Protection
All aspects of our lives and all aspects of our social, economic, and political systems are becoming increasingly dependent on our information and communications infrastructure. Our financial systems, our transportation systems, our water and electrical utilities, and all other critical infrastructures have become dependent on our information and communications infrastructure. Yet this infrastructure is the most vulnerable of all our infrastructures to malicious vandalism, criminal activity, and international information warfare -- all of which may threaten it and so threaten all other infrastructures that are dependent on it. The security and assurance of our information and communication infrastructure is therefore a national priority.
To counter the threats of the new era in information technology, our nation needs an information-literate work force that is aware of the emerging vulnerabilities of critical infrastructures, as well as a cadre of information security professionals who are knowledgeable about the recognized "best practices" available in information security and information assurance.
A National Dialog with Higher Education
In response to the need to protect the nation's critical infrastructures, the National Colloquium for Information Systems Security Education (NCISSE) was created in May, 1997, to provide a forum for dialog among key figures in government, industry, and academia on ways to work in partnership to define current and emerging requirements for information security education. NCISSE also seeks to influence and encourage the development and expansion of information security curricula, especially at the graduate and undergraduate levels.
At its second annual meeting in June, 1998, at James Madison University in Harrisonburg, Virginia, the Colloquium agreed that NCISSE would strive to foster development of academic curricula that recognize the needs expressed by government and industry, and are based on recognized "best practices" available in the field.
The Colloquium's goals also focus on the need to assist educational institutions by fostering the continued development and sharing of information security education resources. NCISSE encourages educational institutions to teach appropriate information systems security courses in various curricula to meet the needs of 21st century consumers and to offer courses to meet the growing demand for information systems security professionals.
At its 1998 annual meeting, the NCISSE issued a wide-ranging agenda for action by its various constituents. These included tasks for government, industry, and institutions of higher education to undertake both individually and in cooperation with each other.
Especially important among the joint actions needed is clarification of the knowledge, skills, and attitudes that define an information security professional, and thus the development of standards for what information security professionals should know and be able to do. Because information security is itself still coalescing as a body of knowledge, we need to identify current "best practices" for inclusion in professional standards in a way that can continue to evolve. Finally, all three constituents of the Colloquium must overcome the resistance among information security personnel to standards, because it is adherence to the discipline embodied in standards that is expected of any profession.
Also outlining recommended actions for private industry, the Colloquium said the industrial sector should provide educational institutions with funding, equipment, and software, and help with the maintenance of computer systems on university campuses; provide on-site training for university faculty, including those who have not previously worked in information security; and fund internships for students to work in the information security area.
The NCISSE urged government to develop and share course work in information security and to encourage the development of university Centers on Infrastructure Protection modeled after the Materials Centers sponsored by the National Science Foundation and the Transportation Centers sponsored by the Department of Transportation.
Colloquium members called on information security professionals throughout the nation to improve networking among faculty, sponsor more conferences on information security, launch more Web sites, and publish more journals related to the protection of U.S. information networks. They also underscored the need to establish a formal system of recognition for outstanding educational programs in information security.
Focusing on institutions of higher education, the NCISSE encouraged educational institutions to increase programs with concentrations in information security and include security courses in core curricula of all college graduates.
Especially important is the inclusion of curricula that address the ethical and cultural issues that arise in modern information systems. Questions here include both how traditional values are preserved in the modern information era and how they may need to change.
Since many ethical and cultural values are formed early in life, institutions of higher education are encouraged to develop information security curricula for and in collaboration with secondary education.
In recognition that higher education is itself a profession guided by standards, educational institutions were encouraged to solicit guidance from accreditation organizations for appropriate placement of information security within their curricula.
Finally, because education is a life-long concern in a rapidly evolving technological society, higher education was encouraged to provide continuing educational programs for information security professionals who are already working in the field.
The Colloquium recommended that information security educators develop and share practical laboratory exercises in information security, design computer games that express appropriate values for a responsible and information literate work force, develop a place to share instructional materials, and write more textbooks, especially on practical issues.
The NCISSE's agenda for action also called on specialists in legal education to help U.S. lawyers understand information security.
Internet-Based Instructional Methods
The national critical need for information security professionals is typical of the modern technological world. As technology changes rapidly, professionals must be committed to life-long learning that constantly renews and extends their skills. And all professionals must be prepared to reorient their careers and acquire new skills as changing technology drives changing work-force needs.
The need for information security professionals has mushroomed in recent years. This demand for skilled professionals, in turn, has generated demand for educational opportunities that supply new professionals and reorient current professionals in a new direction. Yet, it is unreasonable to expect that these professionals seeking continuing education will interrupt their current careers and family life to attend a traditional on-campus university. It is for this reason -- the need for ongoing education for adult professionals that does not interrupt their careers or family life -- that there is so much interest in Internet-based education. James Madison University has responded to this need and to Internet technology with an Internet-based graduate professional program in information security.
The curriculum is offered as an Internet-based learning program through contracts with organizations that can ensure the integrity of the testing procedures for their employees.
The program is structured in 13 courses of seven weeks each and spans slightly more than two years. A group of students called a "cohort" enter the program together and complete all 13 courses together in sequence.
The Internet-based learning program combines independent study with guided instruction and group collaboration that are coordinated by a central facility that provides a network of services. Professors and technology provide a delivery system that maintains high academic standards while being flexible and considerate of participants' needs. Electronic discussion groups examine, discuss, and critically evaluate information security concepts. Each course consists of a sequence of readings and problems to be solved.
Internet presentations of concepts can be viewed on any Internet workstation from anywhere in the world at any time. Projects in each class offer practical orientation to concepts and materials learned.
The Information Security Program at James Madison University
Participants who complete the Information Security Program at James Madison University earn a master of science degree in computer science with a concentration in information security. The program is based on a standard endorsed by the National Security Agency and is designed to develop the knowledge and skills necessary to understand the interrelationships between information security and information technology and to relate both the technical and human components of information security and information technology.
The basis for the courses conducted by James Madison University faculty centers on the administration, management, evaluation, and implementation of computer technology with emphasis on information security. The management of information security programs includes the preservation and protection of information confidentiality, integrity, availability, authenticity, and utility within acceptable limits of risk.
The program members, working in teams:
Develop advanced competencies associated with technical, supervisory, policy, and related positions in information security and computer technology with regard to vulnerabilities, threat, and risk assessment;
Gain perspectives required of effective information security analysts, managers, administrators, and practitioners in planning, evaluating, and implementing information security techniques and programs;
Relate the technical and human components of information security and computer technology in the protection of information systems;
Develop core competencies in data-base and information systems design, in operating systems and networks, and in application software development to enhance crime prevention and investigation responsibilities.
The Information Security Curriculum at James Madison University
The information security program at James Madison University includes the following courses organized into segments:
1. Computer Science Core Segment
Operating Systems and Networks -- Concepts and principles of multiple user operating systems. Memory, CPU (central processing unit), I/O (input/output) device allocation, scheduling, and security. Memory hierarchies, performance evaluation, analytic models, simulation, concurrent programming, and parallel processors.
Data-base Management Systems -- Types of physical storage and access methods; data models; relational algebra and calculus, and definition and query languages; dependencies, decomposition, and normalization; data-base design; recovery; consistency and concurrency; distributed data bases. Examples from commercial data bases.
Application Software Development -- The software development life cycle, software project management, development tools and methods, software quality assurance, programming language paradigms and their use in software development.
2. Information Security Technical Segment
Introduction to Information Security -- Overview of threats to the security of information systems, responsibilities, and basic tools for information security, and for the areas of training and emphasis needed in organizations to reach and maintain a state of acceptable security.
Trusted Systems -- Definition of a "Trusted System," and considerations pertaining to the design, evaluation, certification and accreditation of trusted systems, including hardware considerations, software considerations such as developmental controls, validation/verification, assured distribution and other assurance issues. Implementation, configuration management, and systems administration of trusted systems. Importance of understanding the psychology and the successful modus vivendi of the attacker to generating and maintaining a powerful defense.
Cryptography -- This course provides the student with an understanding and the ability to implement major encryption protocols. It deals with the design and analysis of systems that provide protection for communications or resist cryptographic analysis.
3. Information Security Management Segment
Information Systems Vulnerability, Risk, and Analysis -- Vulnerabilities and risks inherent in the operation and administration of information systems are identified and explored.
Information Security Audit Controls -- Students develop plans and conduct an information security audit to include an in-depth physical security survey. They develop and implement standards for monitoring the normal activities of an information system.
Policy, Procedures, Legal Issues, and Ethics -- Development, evaluation, and implementation of administrative security policies and procedures in a UNIX system in a secure environment. Preparation of a Security Administrative Guide or an annex for such a document.
4. Information Security Capstone Project
A final capstone project integrates the whole program with a project that challenges participants to analyze the security of an information system, to survey and analyze the effectiveness of available options for enhancing that security, to review the broader legal and ethical context of those options, and to select and propose an implementation procedure for one of the options.
Preparatory Classes -- Students not ready to begin the core segments may enroll in a preparatory sequence of three classes: Accelerated Fundamentals of Computer Programming, Advanced Fundamentals of Computer Programming, and Accelerated Fundamentals of Computer Systems.
U.S. Foreign Policy Agenda
USIA Electronic Journal, Vol. 3, No. 4, November 1998