The Partnership for Peace Consortium offers a guide for cyber security education
By Sean Costigan and Michael Hennessy
Today’s news headlines regularly refer to commercial data hacks and breaches, electronic fraud, the disruption of government service or critical infrastructure, intellectual property theft, exfiltration of national security secrets, and the potential of cyber destruction. What used to be the domain of electronic warfare, information warfare and network security experts — often labeled “information operations” or “information warfare” — is transforming into a much broader domain referred to as cyber security. This emerging field of study and practice has challenged defense education institutions to consider topics and methods that traditionally fell outside standard defense education.
With that awareness shift in mind, the rapid and unrelenting pace of changes and challenges in cyber security prompted the Partnership for Peace Consortium (PfPC) Emerging Security Challenges Working Group to request the development of a new cyber security curriculum for defense academies.
The resulting curriculum, published in the spring of 2016, is the work of a multinational team of over 30 volunteer academics and researchers from 14 nations associated with the PfPC of Defense Academies and Security Studies Institutes. Our effort aimed to produce a flexible and comprehensive approach to cyber security by offering a logical breakdown by specific categories, suggesting the level of knowledge needed by various audiences and indicating useful key references so that each adopting state could adapt this framework to its needs.
Security and risk education
Security measures are most often informed by evaluating threats and risks. In this new curriculum, both concepts are explored at length. However, in simple terms, cyberspace is full of threats but measures to mitigate threats need to be informed by measures of risk. The International Standards Association defines risk as “the effect of uncertainty on objectives.” The effect may be a positive or negative deviation from what is expected. Measures taken to “secure” must be commensurate with the amount of risk that is acceptable. As such, securing cyberspace entails a number of considerations to mitigate risks and threats while encouraging open communication across various types of interconnected networks.
Establishing the necessary balance between access, usability and security is the challenge. This new curriculum explores approaches to threat and risk assessment, identification and mitigation at the technical and policy levels of agencies and governments. It explores recommended best practices and comparisons to known policies of particular states or organizations.
This curriculum seeks to provide a coherent launching point to develop or enhance the teaching of cyber security issues to senior officers or civil servants and midlevel military and civilian staffs. Like other curricula developed by the PfPC, the aim of the document is conservative. It does not present a single master course outline for all to follow. It is not exhaustive in content, details or approaches. However, we believe it will furnish a useful heuristic approach to the various domains, constituting a comprehensive introduction to the spectrum of issues involved with cyber security. Those with little technical background will find an introduction at a manageable level of complexity and gain a better appreciation of where technical depth is required and why. Those with technical backgrounds may find the material a useful overview of areas they are familiar with and an introduction to broader issues of international, national and legal policies and practices.
This proposed curriculum is presented through a series of four broad themes:
- Cyberspace and the fundamentals of cyber security
- Risk vectors
- International cyber security organizations, policies and standards
- Cyber security management in the national context
It is assumed that institutions adopting this curriculum will work together with an expert team to identify national policies and procedures at a level of detail required for the target audience. Rote knowledge of transitory technical matters may be necessary, but the objective of this curriculum is to establish a broader understanding of cyber security challenges across the spectrum.
This new cyber security reference curriculum is not a single or proposed course structure. Rather, it is a key reference providing a broad outline of issues and topics. It may serve as a guide for technical staffs to identify their particular focus. Similarly, it may guide introductory courses for senior national security policymakers, providing them technical context to shape national policies.
While drafting the curriculum, we canvassed PfPC member institutions, other defense colleges and reviewed military training programs of NATO and PfPC partner countries to establish what is being taught. We sought to identify gaps and shared approaches that cut across traditional boundaries of governmental and military structures. Country workshops were instrumental to the curriculum team, helping them acquire a deep understanding of the different challenges each country faces when grappling with cyber security.
Across the board, the largest single gap we observed was the lack of sufficient understanding of cyber-security-threat and risk-mitigation practices among national-security and defense-policy leaders. A similar gap was identified among technical experts’ understanding of national policy frameworks. The boundaries between these groups are not simply represented by military or bureaucratic rank; thus, we have not compartmentalized this reference curriculum into blocks according to the potential rank of students.
Additional lessons were noted in several key areas, particularly:
- Gender — The cyber security field remains largely a male enterprise. Defense education institutions have the opportunity to narrow this gap.
- Age — The concept of being “born digital” continues to present cognitive problems for policy leaders who perceive cyber security to be a young person’s field instead of a critical domain for policymakers of any age to understand.
- Technical Capability — Far too few cyber security labs exist across Eastern Europe. Western defense institutions would do well to help create better labs for students.
- Policy Understanding — Many different points of view, some cultural, must be taken into account when discussing national cyber security issues. A number of countries have developed their own terminology and eschewed some widely used terminology as a matter of informed choice.
- International Differences — Some countries are attempting to take advantage of perceived ambiguity to push agendas that run contrary to the best interests of democracies and the global exchange of information.
- Misplaced Emphasis on Technical Matters — Cyber security isn’t exclusively a technical field, yet it is generally treated as one by educators and policymakers alike. If cyber security is to become a normal part of the policymaker’s portfolio, the two fields must be integrated to a certain degree.
- Legal Landscape — There is wide variation in how states address cyber security within domestic law. The attribution challenge — the difficulties associated with tracking the source of malign, threatening or illegal cyber activity — compounds problems in both the domestic and international spheres. There is no one-size-fits-all solution.
- Whole of Government — Approaches to managing cyber security differ significantly among countries, but cyber security cuts across many institutional and organizational boundaries. The best solutions must be built on a comprehensive whole of government approach.