- CYBER SECURITY EDUCATION: MEETING THE NEEDS OF TECHNOLOGY WORKERS AND EMPLOYERS

[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]

CYBER SECURITY EDUCATION:
MEETING THE NEEDS OF
TECHNOLOGY WORKERS AND EMPLOYERS

=======================================================================

HEARING

BEFORE THE

COMMITTEE ON SCIENCE
HOUSE OF REPRESENTATIVES

ONE HUNDRED EIGHTH CONGRESS

SECOND SESSION

__________

JULY 21, 2004

__________

Serial No. 108-68

__________

Printed for the use of the Committee on Science

Available via the World Wide Web: http://www.house.gov/science

U.S. GOVERNMENT PRINTING OFFICE
94-834 WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001

______

COMMITTEE ON SCIENCE

HON. SHERWOOD L. BOEHLERT, New York, Chairman
RALPH M. HALL, Texas BART GORDON, Tennessee
LAMAR S. SMITH, Texas JERRY F. COSTELLO, Illinois
CURT WELDON, Pennsylvania EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California LYNN C. WOOLSEY, California
KEN CALVERT, California NICK LAMPSON, Texas
NICK SMITH, Michigan JOHN B. LARSON, Connecticut
ROSCOE G. BARTLETT, Maryland MARK UDALL, Colorado
VERNON J. EHLERS, Michigan DAVID WU, Oregon
GIL GUTKNECHT, Minnesota MICHAEL M. HONDA, California
GEORGE R. NETHERCUTT, JR., BRAD MILLER, North Carolina
Washington LINCOLN DAVIS, Tennessee
FRANK D. LUCAS, Oklahoma SHEILA JACKSON LEE, Texas
JUDY BIGGERT, Illinois ZOE LOFGREN, California
WAYNE T. GILCHREST, Maryland BRAD SHERMAN, California
W. TODD AKIN, Missouri BRIAN BAIRD, Washington
TIMOTHY V. JOHNSON, Illinois DENNIS MOORE, Kansas
MELISSA A. HART, Pennsylvania ANTHONY D. WEINER, New York
J. RANDY FORBES, Virginia JIM MATHESON, Utah
PHIL GINGREY, Georgia DENNIS A. CARDOZA, California
ROB BISHOP, Utah VACANCY
MICHAEL C. BURGESS, Texas VACANCY
JO BONNER, Alabama VACANCY
TOM FEENEY, Florida
RANDY NEUGEBAUER, Texas
VACANCY

C O N T E N T S

July 21, 2004

Page
Witness List..................................................... 2

Hearing Charter.................................................. 3

Opening Statements

Statement by Representative Sherwood L. Boehlert, Chairman,
Committee on Science, U.S. House of Representatives............ 13
Written Statement............................................ 14

Statement by Representative Bart Gordon, Minority Ranking Member,
Committee on Science, U.S. House of Representatives............ 14
Written Statement............................................ 15

Prepared Statement by Representative Nick Smith, Member,
Committee on Science, U.S. House of Representatives............ 15

Witnesses:

Mr. Chester ``Chet'' Hosmer, President & CEO, WetStone
Technologies, Inc.
Oral Statement............................................... 17
Written Statement............................................ 19
Biography.................................................... 23
Financial Disclosure......................................... 25

Mr. John R. Baker, Sr., Director, Technology Programs, Division
of Undergraduate Education, School of Professional Studies in
Business and Education, Johns Hopkins University
Oral Statement............................................... 25
Written Statement............................................ 27
Biography.................................................... 32
Financial Disclosure......................................... 36

Mr. Erich J. Spengler, Principal Investigator, Advanced
Technology Education Regional Center for the Advancement of
Systems Security and Information Assurance, Moraine Valley
Community College
Oral Statement............................................... 37
Written Statement............................................ 38
Biography.................................................... 42
Financial Disclosure......................................... 42

Second Lieutenant David J. Aparicio, Developmental Electrical
Engineer, Information Directorate, Air Force Research
Laboratory
Oral Statement............................................... 43
Written Statement............................................ 45
Biography.................................................... 47
Financial Disclosure......................................... 47

Ms. Sydney Rogers, Principal Investigator, Advanced Technology
Education Regional Center for Information Technology, Nashville
State Community College
Oral Statement............................................... 48
Written Statement............................................ 51
Biography.................................................... 66
Financial Disclosure......................................... 67

Discussion....................................................... 67

Appendix: Answers to Post-Hearing Questions

Mr. Chester ``Chet'' Hosmer, President & CEO, WetStone
Technologies, Inc.............................................. 82

Mr. John R. Baker, Sr., Director, Technology Programs, Division
of Undergraduate Education, School of Professional Studies in
Business and Education, Johns Hopkins University............... 83

Ms. Sydney Rogers, Principal Investigator, Advanced Technology
Education Regional Center for Information Technology, Nashville
State Community College........................................ 88

CYBER SECURITY EDUCATION: MEETING THE NEEDS OF TECHNOLOGY WORKERS AND
EMPLOYERS

----------

WEDNESDAY, JULY 21, 2004

House of Representatives,
Committee on Science,
Washington, DC.

The Committee met, pursuant to call, at 10 a.m., in Room
2318 of the Rayburn House Office Building, Hon. Sherwood L.
Boehlert (Chairman of the Committee) presiding.

hearing charter

COMMITTEE ON SCIENCE

U.S. HOUSE OF REPRESENTATIVES

Cyber Security Education:

Meeting the Needs of

Technology Workers and Employers

wednesday, july 21, 2004
10:00 a.m.-12:00 p.m.
2318 rayburn house office building

1. Purpose

On Wednesday, July 21, 2004, the House Committee on Science will
conduct a hearing to review efforts by academia, industry and
government to develop a cyber security workforce.

2. Witnesses

Mr. Chet Hosmer is the President & CEO of WetStone Technologies, Inc.
of Cortland, New York. Mr. Hosmer has taught Network Security and
Cyber-Crime and Computer Forensic courses at Utica College, and he is
the Research Advisor for the Computer Forensics Research and
Development Center of Utica College. Mr. Hosmer also is Co-chair of the
Electronic Crime and Terrorism Partnership Initiative's Technology
Working Group at the National Institute of Justice.

Mr. John Baker is the Director of Technology Programs for the Division
of Undergraduate Education of the School of Professional Studies in
Business and Education at the Johns Hopkins University in Baltimore,
Maryland.

Mr. Erich Spengler is the head of the Regional Center for the
Advancement of Systems Security and Information Assurance at Moraine
Valley Community College in Palos Hills, Illinois.

Second Lieutenant David Aparicio is an electrical engineer for the Air
Force Research Laboratory Information Directorate in Rome, New York.
Lt. Aparacio is a graduate of the ``Cyber Security Boot Camp'' run
jointly by the Air Force, Syracuse University, the New York State
Office of Science, Technology and Academic Research.

Ms. Sydney Rogers is the head of the Regional Center for Information
Technology at Nashville State Community College in Nashville,
Tennessee. Ms. Rogers is also the Vice President for Community and
Economic Development at the community college and her responsibilities
include workforce development, computer services and distance
education.

3. Overarching Questions

The hearing will address the following overarching questions:

How are academia, industry and government working
together to meet the Nation's cyber security education and
training needs?

What are the strengths and weaknesses of existing
cyber security education and training programs?

What new and emerging challenges need to be addressed
in this area? How can the Federal Government contribute to this
effort?

4. Brief Overview

Information technology systems play a critical role
in today's economy, yet they are vulnerable to security
breaches and attacks. Adequately protecting these systems
requires, among other things, a well-trained cyber security
workforce to block, detect and counter any threats to vital
computer systems and networks.

In 2002, the President signed into law the Cyber
Security Research and Development Act (P.L. 107-305), which
originated in the Science Committee. The Act effectively
designated the National Science Foundation (NSF) as the lead
agency for civilian cyber security research and education, and
it authorized $216 million over FY 2003-FY 2007 for NSF cyber
security education and training programs. The Act also
authorized advanced cyber security education and training
programs at the National Institute of Standards and Technology
(NIST), but these programs have never been funded.

The National Security Agency (NSA) also is engaged in
cyber security education and training. In addition, the
Department of Homeland Security (DHS) supports public awareness
and outreach on cyber security vulnerabilities and
countermeasures, and it helps coordinate private-sector efforts
with those of the Federal Government.

As the challenges of cyber security emerge and
evolve, so too do the courses and programs of cyber security
education and training. From programs in traditional settings,
like two- and four-year colleges and universities, to other
programs, like the Cyber Security Boot Camp, the cyber security
education and training continuum is growing and becoming more
standardized in its effort to meet the needs of technology
workers and employers.

5. Background

Estimates of annual economic losses caused by computer virus and
worm attacks and to hostile digital acts in general run from about $13
billion (worms and viruses only) to $226 billion (for all forms of
overt attacks). While the precise figures are open to question, there
is no doubt that cyber security intrusions result in significant losses
due to downtime, lost productivity, and expenses related to testing,
cleaning and deploying patches to computer systems.
Experts increasingly point out that improving cyber security
requires cyber security training for technicians and users, in addition
to promulgating sound security practices and deploying sophisticated
technology. As one security professional explained, you can be
``bristling with firewalls and IDS (intrusion detection systems), but
if a naive user ushers an attacker in through the back door, you have
wasted your money.''
Education and Training Needs
Many system failures and security breaches occur because of human
error. Employees may fail to install a patch, or configure a firewall
incorrectly, or otherwise leave a system open to intrusion. Such errors
occur, in part, because responsibility for security traditionally has
fallen to non-security workers who may lack the time, training and
focus to handle such responsibilities.
A 2002 report by the National Workforce Center for Emerging
Technologies and the Computing Technology Industry Association
(CompTIA) found that many security organizations were beginning to seek
security professionals, deciding that it was no longer acceptable just
to buy a firewall package, install it, and let it run.
Industry is also increasingly interested in fostering concern with
cyber security at all the levels of the workforce dealing with
computers from administrative workers (such as network administrators,
technicians, and help desk staff) to engineers (including software
developers) to system architects.
Responding to that interest, cyber security education and training
is increasingly being offered through degree-granting programs at both
two- and four-year colleges and universities, but also through shorter,
credit and non-credit programs that provide certificates or provide
background for students to pass certification exams.

Federal Support for Cyber Security Education and Training
National Science Foundation
Federal Cyber Service: Scholarship for Service (SFS)--The program
has two aspects--a ``Scholarship Track'' that provides grants to
colleges and universities for student stipends, and a ``Capacity-
Building Track'' that provides grants to colleges and universities to
improve their ability to provide courses in cyber security.
The Scholarship Track provides four-year grants to colleges and
universities, which, in turn, use the money to provide as many as 30
two-year scholarships. In exchange for two years of stipends ($8,000
per year for undergraduate students and $12,000 for graduate students)
and a summer internship at a federal agency, participating students are
required to work for two years in the Federal Cyber Service for a
federal agency. Since 2001, 391 individuals have participated in the
scholarship program.
The Capacity Building Track provides two-year grants of up to
$150,000 per year for such activities as adapting and implementing the
use of educational materials, courses or curricula; offering technical
experience; developing laboratories, and offering faculty development
programs. (An additional $150,000 per year is available to partnerships
that include minority serving institutions.)
The SFS program was funded at $16.1 million in Fiscal Year (FY)
2004, and the Administration request for FY 2005 is $16.2 million. A
list of colleges and universities participating in the SFS program is
provided in Appendix II.
Advanced Technology Education (ATE)--ATE is NSF's program to
improve technical education at two-year colleges. Grant awards may
involve partnerships between two-year and four-year institutions.
One aspect of ATE is the funding of regional centers (such as the
two giving testimony at this hearing), which are designed to create
model programs in specific areas, such as cyber security, to adapt
those programs to local needs, provide professional development for
college faculty, and help recruit, retain and place students.
The ATE program, which received $45.23 million in FY 2004, of which
about $3.7 million will be invested in cyber security education and
training (although the breakdown for cyber security is a very rough
estimate).

National Security Agency
The National Security Agency (NSA) established the Centers of
Academic Excellence in Information Assurance Education (CAE/IAE)
Program in 1998 to increase the number of professionals with
information assurance expertise in various disciplines. The CAE/IAE
Program endorses qualified four-year and graduate information assurance
degree programs (including those at Johns Hopkins, which is testifying
at this hearing).\1\ Currently, there are 59 universities in 27 states
that are designated as CAE/IAE (see list in Appendix III). Being
designated a CAE/IAE does not guarantee an institution funding, but it
is a ``seal of approval'' that facilitates applying to grant programs,
and it makes institutions eligible for certain NSA programs.\2\
---------------------------------------------------------------------------
\1\ Prospective institutions must meet rigorous standards to
receive the national recognition and the CAE/IAE designation, including
courseware that is certified under the National Security
Telecommunications and Information Systems Security Standards as well
as ten other criteria describing dimensions, depth and maturity of the
information assurance program.
\2\ NSA competitively awards a small amount of funding (a few
million dollars) for capacity building--curriculum development,
purchase of infrastructure for courses--at CAE/IAE schools.
---------------------------------------------------------------------------
NSA also manages an SFS program in information assurance for the
Department of Defense (DOD). This program is similar to the one run by
NSF, with scholarships provided for study at a CAE/IAE in return for a
student's service at a DOD agency. Currently 82 students are
participating in the NSA SFS program.

Department of Homeland Security
The Department of Homeland Security (DHS) is working to increase
cyber security awareness, foster cyber security training and education
programs, and promote private sector support for well-coordinated,
widely recognized professional cyber security certifications. In these
areas, DHS plays a supporting role, consulting on the efforts and
programs underway in other government agencies, at universities, and in
the private sector.

6. Witness Questions

Questions for Mr. Hosmer

In your experience, what knowledge and skills are
currently needed in the cyber security workforce? Have cyber
security education and training programs been sufficiently
flexible to respond to these needs as well as the needs of
traditional and returning students?

What are the current strengths and weaknesses in
cyber security education and training programs? Do model
programs exist and, if they do, are they being adapted to meet
local cyber security needs?

What partnerships should two-year and four-year
colleges and universities forge with business and industry to
build appropriate programs? In your opinion, is there
sufficient collaboration with industry at the administration
(advisory committees), faculty (return-to-industry) and student
(internship) levels to accommodate rapid changes in these
professional and technical areas?

What can the Federal Government do to improve cyber
security education and build the Nation's technical workforce?

Questions for Mr. Baker

What are the various levels of cyber security
education and training, e.g., systems administration, systems
engineering, and systems architecture? What role does your
university play in this education and training continuum? How
do two- and four-year colleges and institutions collaborate--if
at all--to identify and fill cyber security educational needs?

What are the current strengths and weaknesses of
cyber security education and training programs? What courses
and programs currently exist? And what programs need to be
developed and more broadly implemented?

What are the challenges to faculty preparation,
recruitment and retention in cyber security? How has your
university attempted to address these challenges?

What can the Federal Government do to improve cyber
security education and build the Nation's technical workforce?

Questions for Mr. Spengler

What role do community colleges play in the training
of new workers and the retraining of current workers? What
employment opportunities in cyber security are available for
individuals with a certificate or a two-year degree?

What are the current strengths and weaknesses of
cyber security education and training programs? What ``model''
courses and programs currently exist? And what types of courses
or programs need to be developed or more broadly implemented?

What are the challenges do you face in recruiting and
training cyber security faculty? What type of programs or
opportunities do you provide to help keep faculty current?

What can the Federal Government do to improve cyber
security education and build the Nation's technical workforce?

Questions for Lt. Aparicio

How did your experience at the ACE change your view
of cyber security issues? Is this a good way to recruit
engineering and other science and technology students into the
field? How did your experience in the course influence your
career plans?

Do you think that the combination of education,
problem solving and immersion is an effective model for other
education and training programs? Why or why not?

In your opinion, what can the Federal Government do
to improve cyber security education and build the Nation's
technical workforce?

Questions for Ms. Rogers

What are the challenges do you face in recruiting and
training cyber security faculty? What type of programs or
opportunities do you provide to help keep faculty current?

What can the Federal Government do to improve cyber
security education and build the Nation's technical workforce?

Appendix I: NSF ATE Award Abstracts

Tennessee Information Technology (TN IT) Exchange Center

Start Date: September 15, 2002

Expires: August 31, 2005 (Estimated)

Expected Total Amount: $1,798,803 (Estimated)

Investigator: Sydney U. Rogers [email protected] (Principal
Investigator current))

Sponsor: Nashville St Tech Community College, 120 White Bridge Rd.,
Nashville, TN 37209-4515; 615/353--3236

The Tennessee Information Technology (IT) Exchange Center provides
an effective workforce capacity building system by increasing the IT
educational strength in a consortium of two year colleges, four year
colleges, secondary schools and industries in North Central Tennessee.
The goal is to develop a sustainable Center to meet the needs of
industry for a qualified IT workforce by creating real world scenarios
based on industrial needs and using them as the basis for instruction
in IT courses. The learning strategies are developed in workshops at
the Center for Learning and Teaching at Vanderbilt University. The
cases are used in high school academies to interest high school
students in IT careers. A web site provides information about the
availability and content of education and training programs in the
region, a clearinghouse of job opportunities and regular communications
among partners. Regional stakeholder forums bring industry and
educators together to develop a shared vision based upon research for
effective delivery of instruction. The audience includes both students
in educational institutions and re-careering workers.

Center for the Advancement of Systems Security and Information
Assurance (CASSIA)

Start Date: September 1, 2003

Expires: August 31, 2007 (Estimated)

Expected Total Amount: $2,997,615 (Estimated)

Investigator: Erich Spengler [email protected] (Principal
Investigator current)

Sponsor: Moraine Valley Community College, 10900 South 88th Avenue,
Palos Hills, IL 60465-2175; 708/974-4300

This regional center for information technology (IT) security and
data assurance serves a five-state area of the Midwest and focuses on a
field which is critical to homeland security and which has a large
demand for qualified workers. The center builds on a previous Advanced
Technological Education project at Moraine Valley Community College,
``Applied Internet Technology: Curriculum and Careers'' (NSF Award No.
9950037; see http://www.fastlane.nsf.gov/servlet/
showaward?award=9950037 and http://www.morainevalley.edu/nsf/), which
concluded in 2002. The following educational institutions are
collaborating in the operation of the center: Moraine Valley Community
College, Rock Valley College, University of Illinois at Springfield,
Lakeland Community College, Washtenaw Community College, Inver Hills
Community College, and Madison Area Technical College. Other
organizations from business, industry, and government are also advising
the center and participating in its activities.
The center is collecting, adapting, and enhancing curricula in
cyber security, offering certificate and degree programs, and providing
professional development for college faculty in the region. In
particular, the center is establishing an A.A.S. degree and a
certificate in IT security and data assurance; a concentration in IT
security and data assurance within a B.S. degree program in computer
science; an Internet-accessible laboratory environment that
demonstrates and simulates security technologies; ``train the trainer''
summer workshops and externship opportunities for faculty from regional
community colleges and four-year institutions; an internship program
for students in the A.A.S. and B.S. degree programs; and a
comprehensive outreach and support program to increase the number of
students from under-represented groups who pursue IT careers.

Appendix II. Institutions Involved in NSF's Cyber Security Scholarships
for Service Program

Institutions with Students in NSF's Cyber Security Scholarships for
Service Program\3\
---------------------------------------------------------------------------
\3\ NSF does not directly fund students in the Scholarships for
Service program. Instead, funding is provided to institutions who
select the scholarship recipients.

---------------------------------------------------------------------------
Carnegie Mellon University

Clark Atlanta University

Florida State University

George Washington University

Georgia Institute of Technology

Idaho State University

Iowa State University

Jackson State University

Johns Hopkins University

Morehouse College

Mississippi State University

Naval Postgraduate School

New Mexico Institute of Mining & Technology

Norwich University

Polytechnic University

Purdue University

Spelman College

SUNY at Stony Brook

Syracuse University

University of Idaho

University of Nebraska at Omaha

University of North Carolina at Charlotte

North Carolina A&T University

University of Tulsa

Institutions Receiving Capacity Building Grants via NSF's Cyber
Security Scholarships for Service Program

Adelphi University

Amherst College

California State at Long Beach

Carnegie Mellon University

Clark Atlanta University

CUNY Brooklyn

CUNY Borough of Manhattan Community College

CUNY NYC College of Technology

Embry Riddle Aeronautical University

Florida Agricultural and Mechanical University

Florida State University

George Washington University

Georgia Institute of Technology

Hampshire College

Indiana University of Pennsylvania

Illinois Institute of Technology

Indiana University

Iowa State University

Jackson State University

John Jay College of Criminal Justice

Kentucky State University

Mississippi State University

Mount Holyoke College

Murray State University

Naval Postgraduate School

New Mexico Institute of Mining and Technology

North Carolina Agricultural and Technical State University

North Dakota State University at Fargo

Pennsylvania State University

Polytechnic University

Purdue University

Smith College

Stevens Institute of Technology

SUNY Albany

SUNY at Stony Brook

Texas A&M

University of Alaska-Fairbanks

University of Denver

University of Houston

University of Idaho

University of Kansas

University of Louisville Research Foundation

University of Massachusetts at Amherst

University of Missouri

University of North Carolina at Charlotte

University of Pittsburgh

University of Rhode Island

University of Southern California

University of South Carolina at Columbia

University of Washington

University of Wisconsin-Stevens Point

University of Wisconsin-Parkside

University of Wisconsin-Milwaukee

Towson University

Utica College

Wichita State University

Appendix III: NSA Centers of Academic Excellence in Information
Assurance Education

Alabama

Auburn University
California

Naval Postgraduate School

Stanford University

University of California at Davis
Florida

Florida State University
Georgia

Georgia Institute of Technology

Kennesaw State University
Idaho

Idaho State University

University of Idaho
Illinois

University of Illinois at Urbana-Champaign
Indiana

Purdue University
Iowa

Iowa State University
Maryland

Capitol College

Johns Hopkins University

Towson University

University of Maryland, Baltimore County

University of Maryland University College
Massachusetts

Boston University

Northeastern University

University of Massachusetts, Amherst
Michigan

University of Detroit, Mercy

Walsh College
Mississippi

Mississippi State University
Nebraska

University of Nebraska at Omaha
New Jersey

New Jersey Institute of Technology

Stevens Institute of Technology
New Mexico

New Mexico Tech
New York

Pace University

Polytechnic

State University of New York, Buffalo

State University of New York, Stony Brook

Syracuse University

U.S. Military Academy, West Point
North Carolina

North Carolina State University

University of North Carolina, Charlotte
Ohio

Air Force Institute of Technology
Oklahoma

University of Tulsa
Oregon

Portland State University
Pennsylvania

Carnegie Mellon University

Drexel University

East Stroudsburg University

Indiana University of Pennsylvania

Pennsylvania State University

University of Pennsylvania

University of Pittsburgh

West Chester University of Pennsylvania
South Dakota

Dakota State University
Texas

Texas A&M University

University of Dallas

University of North Texas

University of Texas, Dallas

University of Texas, San Antonio
Vermont

Norwich University
Virginia

George Mason University

James Madison University

University of Virginia
Washington

University of Washington
Washington, D.C.

George Washington University

Information Resources Management College
Chairman Boehlert. The hearing will come to order. Let me
explain to our witnesses that both parties had morning
conferences, party conferences, and they were running a little
bit later than expected, so the Committee is more important
than the party, and that is why Mr. Gordon and I are here to
welcome you.
It is a pleasure to welcome everyone here this morning for
a hearing on cyber security, a subject that has consumed the
Committee over the past couple of years. We have focused on
this topic for good reason. Information and communication
systems underpin our government, and they ensure the smooth
functioning of our industries, financial institutions, and
transportation systems. They touch nearly every aspect of our
lives, but they are fragile, vulnerable to intrusions and
attacks.
We continue to focus on new tools to prevent devastating
attacks, and we will undoubtedly revisit the federal investment
in cyber security research and development in the future, the
very near future. But today, we will focus on another cyber
security challenge, the education and training of a cadre of
professionals in computer security and information assurance.
As the cost of security breaches rise and attacks increase
in frequency and sophistication, business and industry are
recognizing the need to invest in technology as well as
training. And education and training programs are springing up
to meet that need. Some of these programs, including those that
will be discussed here today, are particularly innovative. But
the field of cyber security education and training is still
developing. You might say it is in its infancy, and we need to
see that it goes to full maturity. We need to learn how to help
our colleges and universities respond rapidly and intelligently
to a field that continues to evolve. We need to identify ways
to attract and retain skilled faculty, and we need to work with
higher education institutions, businesses, and other
organizations to ensure that education and training courses and
programs translate into employment.
If I might give a parenthetical thought for a minute, I am
a senior Member on the House Committee on Intelligence, and we
are on the eve of the report of the 9/11 Commission. And that
report will emphasize something that we are going to emphasize
here today: the importance of the investment in human capital.
A few years ago, a friend summed up the challenges of cyber
security in this way: ``New technologies and enhanced security
practices are like sun screen: they offer you some protection,
but sooner or later, you are going to get burned.'' By
increasing the quality and quantity of cyber security education
and training programs, a new generation of technicians and
technology professionals can enhance the SPF of our information
and communication systems and create a more secure future. And
that would provide a very sunny outlook, indeed.
Chairman Boehlert. With that, let me recognize the
distinguished gentleman from Tennessee, the Ranking Member, Mr.
Gordon.
[The prepared statement of Chairman Boehlert follows:]

Prepared Statement of Chairman Sherwood Boehlert

It is a pleasure to welcome everyone here this morning for a
hearing on cyber security--a subject that has consumed the Committee
over the past couple of years.
We have focused on this topic for good reason. Information and
communication systems underpin our government and they ensure the
smooth functioning of our industries, financial institutions and
transportation systems. They touch nearly every aspect of our lives,
but they are fragile, vulnerable to intrusions and attacks.
We continue to focus on new tools to prevent devastating attacks--
and we will undoubtedly revisit the federal investment in cyber
security research and development in the future--but today we will
focus on another cyber security challenge: the education and training
of a cadre of professionals in computer security and information
assurance.
As the costs of security breaches rise and attacks increase in
frequency and sophistication, business and industry are recognizing the
need to invest in technology as well as training. And education and
training programs are springing up to meet that need.
Some of these programs, including those represented here today, are
particularly innovative, but the field of cyber security education and
training is still developing. We need to learn how to help our colleges
and universities respond rapidly and intelligently to a field that
continues to evolve. We need to identify ways to attract and retain a
skilled faculty. And we need to work with higher education
institutions, businesses and other organizations to ensure that
education and training courses and programs translate into employment.
A few years ago, a friend summed up the challenges of cyber
security in this way: New technologies and enhanced security practices
are like sun screen. They offer you some protection but, sooner or
later, you are going to get burned. By increasing the quality and
quantity of cyber security education and training programs, a new
generation of technicians and technology professionals can enhance the
SPF of our information and communication systems and create more secure
future.
And that would provide a very sunny outlook indeed.
Mr. Gordon.

Mr. Gordon. Thank you, Mr. Chairman.
I am pleased to join you in welcoming our witnesses to this
hearing on efforts to improve education and training of cyber
security professionals. The President's strategy for security
in cyberspace highlighted that a lack of trained personnel and
inadequate certification programs for security professionals is
complicating the task of reducing the vulnerabilities of the
Nation's network information systems. This committee also
recognized the problem and attempted to address it in the Cyber
Security R&D Act, which was enacted during the last Congress.
In addition to new research programs at NSF and NIST, it
authorized educational programs at NSF to improve cyber
security education at undergraduate institutions, including
two-year colleges. These are the education programs that
produce the computer and network specialists who are
responsible for ensuring that cyber systems are operating
safely and reliably.
Today, the Committee will get a progress report on these
NSF programs from those in the field who are carrying them out.
We also hope to gain a better understanding of the overall
state of cyber security education and training. I am interested
in whether the federally-sponsored education and training
programs are focused on industry's requirements, are meeting
the demand that exists for cyber security professionals, and
receiving funding that is adequate to ensure that the programs
are effective and of sufficient size to meet the need.
Again, I want to welcome the witnesses today and look
forward to our discussion.
[The prepared statement of Mr. Gordon follows:]

Prepared Statement of Representative Bart Gordon

Mr. Chairman, I am pleased to join you in welcoming our witnesses
to this hearing on efforts to improve the education and training of
cyber security professionals.
The President's Strategy to Secure Cyberspace highlighted that a
lack of trained personnel and inadequate certification programs for
security professionals is complicating the task of reducing the
vulnerabilities of the Nation's networked information systems.
This committee also recognized the problem and attempted to address
it in the Cyber Security R&D Act, which was enacted during the last
Congress.
In addition to new research programs at NSF and NIST, the Act
authorized education programs at NSF to improve cyber security
education at undergraduate institutions, including two-year colleges.
These are the education programs that produce the computer and network
specialists who are responsible for ensuring that cyber systems are
operated safely and reliably.
Today the Committee will get a progress report on these NSF
programs from those in the field who are carrying them out. We also
hope to gain a better understanding of the overall state of cyber
security education and training.
I am interested in whether the federally sponsored education and
training programs are focused on industry's requirements, are meeting
the demand that exists for cyber security professionals, and are
receiving funding that is adequate to ensure the programs are effective
and of sufficient size to meet the need.
Again, I want to welcome our witnesses today, and I look forward to
our discussion.

[The prepared statement of Mr. Smith follows:]

Prepared Statement of Representative Nick Smith

The type of computer systems that banks, universities, government,
the military, and large corporations depend on, are immense and
extremely complex. It saves time and money the more closely connected a
system is internally, and to external systems that it needs to interact
with. Because the usefulness of computer systems depends in large part
on interconnectedness, they are vulnerable to outside ``hackers'' who
can take advantage of the level of openness that the system must
maintain in order to be effective. In addition to the threat of
electronic attacks, we must not lose sight of the physical security of
central servers.
So the need for a highly trained cyber security workforce is
obvious. And in some ways, the work that the Federal Government needs
to do in this area is similar to what we are doing to ensure that we
produce a sufficient number of workers with technical skills and a math
and science background. A few examples of these similarities include
supporting the development of innovative new strategies for exciting
kids about math and science in K-12 schools, providing funding so that
universities and community colleges can take the math and science
talent developed in those K-12 schools and focus it towards specific
areas of focus, and helping post-graduate programs attract and educate
enough talented students to meet growing workforce needs.
But it seems to me that training this workforce gives us a paradox
similar to the one that developers of computer systems face in making
sure that they are open enough to be effective, but not so open that
hackers can take advantage of them. In order to defend a network it is
necessary to know how it works and where its vulnerabilities lie. If we
want to maintain a cyber security workforce large enough to meet
growing need, this information needs to be made widely available. By
facilitating this, we make it easy for someone with sinister intentions
to obtain the training that he or she would need to wreak the kind of
havoc that we are trying to prevent. As we move forward in the area of
cyber security education, this is an issue that must be addressed.

Chairman Boehlert. Thank you very much.
And our witnesses today, a very distinguished list of
witnesses, I want to thank you in advance for agreeing to be
facilitators and educators for this committee. We take great
pride in the quality of witnesses that are invited before this
committee, and we also take great pride in the fact that more
often than not we listen. It is easy for the elected officials
like us to sit up here and pontificate and talk a lot, but we
don't learn much when we are talking. We learn an awful lot
when we hear from people like you. And it is a very diverse
panel.
Mr. Chet Hosmer, President and Chief Executive Officer for
WetStone Technologies, Inc. in Cortland, New York. Mr. John
Baker, Director, Technology Programs, Division of Undergraduate
Education, School of Professional Studies in Business and
Education, Johns Hopkins University. Mr. Erich Spengler, and
for the purpose of an introduction, the Chair will recognize
the distinguished Chair of the Subcommittee, Ms. Biggert.
Ms. Biggert. Thank you, Mr. Chairman, for the opportunity
to introduce Mr. Erich Spengler.
With a Master's degree in Business from Loyola University,
Mr. Spengler is the Director of the NSF Regional Center for the
Advancement of Systems Security and Information Assurance at
Moraine Valley Community College in Palos Hills, Illinois.
While the school lies just outside my district, I am here today
because Mr. Spengler is almost a constituent and because
Moraine Valley truly is an educational asset to the entire
Chicago land area, and I think that he is to be congratulated
for all that he has accomplished at Moraine Valley and
certainly has contributed and will contribute this morning to
our discussion of cyber security education. And that is why it
is my privilege to welcome Mr. Spengler to the hearing of the
House Science Committee today.
Thank you, Mr. Chairman.
Chairman Boehlert. Our next witness is Second Lieutenant
David Aparicio. Lieutenant, it is good to see you here. He has
got an exciting story to tell. Lieutenant Aparicio is a
graduate. As a matter of fact, he was the valedictorian of the
Advanced Course in Engineering Cyber Security boot camp, and,
boy, that is an interesting story, Mr. Gordon and my
colleagues, I want you to hear about. And he is joined to his
rear by Dr. Kamal Jabaar who is director of the cyber security
boot camp. Doctor, it is good to have you here with us. And Mr.
Aparicio, I can't resist the temptation. As you probably know,
this weekend the most important event taking place any place in
the world is taking place in my home district of New York.
Cooperstown, the National Baseball Hall of Fame, it is the
induction ceremony this weekend. A couple of greats from the
past, Dennis Eckersley and Paul Molitor, are being inducted.
But one of the popular inductees of many years ago was Louie
Aparicio, and so I just want to say it is good to see another
Aparicio here.
And for the purpose of an introduction, the Chair
recognizes Mr. Gordon.
Mr. Gordon. Thank you, Mr. Chairman.
It is my pleasure to introduce Ms. Sydney Rogers who is
Vice President for Community and Economic Development at
Tennessee State Technological Community College. I also want to
welcome her as a fellow graduate of Middle Tennessee State
University and thank her belatedly for voting for me for
student body president some years back. Ms. Rogers is
responsible for workforce development, student services,
computer services, and grants, and development at Nashville
State Technical Community College. Previously, she served as
interim Vice President for Academic Affairs, Dean of
Technologies, and Department Chair and Associate Professor for
Computer Information Systems for 20 years. Of particular
interest for today's hearing, Ms. Rogers is the lead principal
investigator for the Center for Information Technology
Education, a regional center funded by the National Science
Foundation Advanced Technology Education Program. Her work has
focused on the reform of technological education to create a
more adaptable workforce suited for the new century. Ms. Rogers
serves on three NSF national visiting committees and several
local Boards and has 30 years of leadership experience in
technology education and workforce development.
Once again, welcome to our committee.
Chairman Boehlert. Thank you very much, Mr. President.
And now the witnesses. And the general rule in the
Committee is that we ask that you summarize your opening
statement, which will be made part of--the full opening
statement, part of the official record in its entirety. But we
ask for the summary in five minutes or so, and the Chair is
never arbitrary, because in addition to the very distinguished
witnesses we have today, we are used to hearing from Nobel
Laureates and astronauts and I can't help but recall yesterday
was the 35th anniversary of the Apollo 11 Moon landing. We have
had Neil Armstrong, with whom I had a good conversation last
night, and Buzz Aldrin. And so to have people travel from afar
and offer expert testimony, it seems to me sometimes almost
sinful that we ask you to summarize in 300 seconds or less. But
while the clock will be on, and at four minutes it will--the
little sign there will be yellow and in five minutes, it will
go red, don't stop mid-sentence, mid-thought, mid-paragraph.
Continue on. There will be some leeway, and then there will be
opportunity for questions.
With that, Mr. Hosmer, it is a pleasure to welcome you
here.

STATEMENT OF MR. CHESTER ``CHET'' HOSMER, PRESIDENT AND CEO,
WETSTONE TECHNOLOGIES, INC.

Mr. Hosmer. Thank you, Mr. Chairman and Members of the
Committee, for the opportunity to speak with you today on a
topic that is very, very important to me personally and to our
company.
For many years now, since 1998, we have been involved in
cyber security research and development at WetStone
Technologies, and a critical part of that process has been the
integration of and cooperation between many colleges and
universities throughout our great State of New York.
Congressman Boehlert, the Chairman, and myself, actually, are
both alum of Utica College of Syracuse University. And that
program in economic crime investigation that was started there
back in 1988 is one of the oldest in the country in this
particular area. And it was at a time where it took great
vision in order to be able to create a program in an area
where, at the time, no one knew we really had a problem. And we
have been working with that program and with the program at
Tompkins Cortland Community College to develop programs that
can basically better prepare our young people for careers in
cyber security.
I can't stress enough how important it is for our
cooperation between business and industry and colleges and
universities in order to be able to build and structure these
programs. The reason is that as you look at this field of
study, it is emerging and it is changing on a daily basis. And
sometimes we call it, at Internet speed, the threat and the
cyber weapons that are against us are changing. Therefore, the
curriculums that have to be provided for those students that
are coming up in this particular area need to be flexible. They
need to be expandable. They need to be modifiable. They need to
be able to be delivered in multiple forms.
So we kind of took an approach to try to work with those
colleges and universities to help develop those programs. And I
am happy to say that we think it has been a great success. Many
members of our staff have spent countless hours actually
teaching in those programs as adjunct faculty. And we believe
that brings a lot, both to the students and the faculty at
those universities that we work with. And one of the real
primary objectives of that relationship between our staff and
our people and the universities is to build internship programs
for those students to be able to move into this field of study.
I can't stress enough how important internships are to this
process. The reason is that at a university or a college level,
a lot of theory is taught. But unfortunately, in this
particular area, practical experience is absolutely essential.
One of the reasons is that cyber security, especially in the
form of digital investigation, requires knowledge both in the
social sciences as well as the computer science area. And the
bridging of the gap of those two things requires a great deal
of work, because they tend to be taught in two different areas
of most universities and colleges. So our ability to bridge
that gap, to bring social scientists and computer scientists,
criminal justice and computer science folks, together is
absolutely critical in order to advance this. And we have done
that through internship programs.
I am proud to say that we have been able to hire 14 interns
over the last 31/2 years at our company from Utica College,
Tompkins Cortland Community College, Syracuse University,
Binghamton University in order to bring those into our
organization. Over half of them have been offered and accepted
full-time employment with our company after graduation. Many
others have gone on to other careers in law enforcement,
intelligence defense, and corporate security. And our ability
to be able to continue that program, to be able to advance that
educational model of internship, is absolutely critical.
There are many programs out there that are being trained by
vendors, by folks that are in the commercial sector that are
providing training for folks that are already in law
enforcement, in cyber education, and cyber security that have
to go on afterwards. And that training is very expensive. It
does not end after graduation from college. In many cases, the
folks that are actually on the front lines protecting us on a
day-to-day basis are law enforcement professionals that
actually did not come up through the computer science track.
They actually came up through the criminal justice track. But
now, virtually every case that they work with involves some
sort of cyber or computer evidence or computer investigation is
required. So they have had to go back and take courses in order
to basically bring themselves up to speed to be able to do this
kind of investigation.
I want to tell this committee that every single week we get
requests from those individuals to come to our training courses
that are seeking education, and in many cases, those young men
and women that are in those services are paying for that
training themselves. They are taking time off from their job
using their vacation to basically go get trained in this area,
because it is that important. They are giving up time with
their family and their hard-earned money in order to be able to
perform that training, and it is something that we need to
support them with.
So I have many more things to say, but I am going to yield
to the next member, and I appreciate this opportunity to convey
some of the thoughts and some of our experience.
[The prepared statement of Mr. Hosmer follows:]

Prepared Statement of Chester Hosmer

Mr. Chairman and Members of the Committee: My name is Chester
Hosmer; and I am a co-founder and the President and CEO of WetStone
Technologies, Inc.
I would like to thank you for the opportunity to testify regarding
Cyber Security Education. This area has been, and continues to be a
focal point of our work at WetStone from many perspectives. I will
focus my remarks on our practical experience with Cyber Security
Education as an employer, educator, and trainer, and I will limit my
focus to the areas that we are intimately involved in digital
investigation and cyber defense. I hope that our ``hands-on''
perspective will provide an interesting frame of reference for this
committee.
WetStone was established in 1998 and is headquartered in Cortland,
New York. We perform advanced research and development in cyber
security for government and corporate customers. We also develop
commercial software products that aid in digital investigation and
cyber defense, and we provide advanced training for digital
investigators. During the past two years, our focus has been on cyber
security training which includes advanced courses in Steganography and
Malware Investigation, two technologies used extensively by cyber
criminals. During that time we have delivered training to over 1,000
federal law enforcement agents, DOD information warriors, State and
local law enforcement investigators and corporate security
professionals. The demand for training in these advanced areas has
grown rapidly over the past two years to the point where we are
typically conducting two or three trainings per month, both in our
Cortland training facility, in conjunction with cyber security
conferences and at customer's on-site locations.

What knowledge and skills are currently needed in the cyber security
workforce?

Those tasked with investigating cyber crime or defending against
cyber threats require knowledge of the domain, specialized skills and
practical experience. The need is currently both wide and deep. A
thorough basis and understanding of investigation techniques either
from a criminal justice or law enforcement background, or a formal
education program is required. However, when investigating cyber crime,
a strong operational and procedural technical knowledge rooted in the
computer science field, is also necessary. Unfortunately, most Criminal
Justice university programs are offered out of the Social Science
departments at universities, where Computer Science a hard science, out
of the math or computer science departments. Building programs that
cross domains is quite difficult for many reasons, and the student
typically lacks depth in either area, and is ill prepared for digital
investigation after graduation. We are however, beginning to see an
increase in specialized Computer Forensics programs which give students
the background necessary for advanced digital investigation.
Many of the current investigators have come through the traditional
law enforcement track and learned basic investigation techniques by
working task force assignments (narcotics, homicide, child
exploitation, etc.). As their cases began to include more and more
computer based evidence, the investigators sought training programs
that would allow them to seize, extract, examine, analyze and give
related testimony about digital or cyber evidence.
Many colleges and universities are attempting to meet the needs of
the cyber first responder by offering evening classes or special
workshops. However, the colleges and universities are not equipped to
offer the advanced ``hands-on'' training courses needed. In many cases
to properly teach these skills, special technology, dedicated
laboratories, field knowledge, and extensive preparation is required.
Further complicating college based offerings, is the rapid evolution of
both the cyber threats and the defenses necessary to counteract them.
This instability in curriculum content makes it very difficult for
colleges and universities to develop programs under traditional models.

Have cyber security education and training programs been sufficiently
flexible to respond to these needs as well as the
needs of traditional and returning students?

The current state-of-the-art of cyber security education and
training is varied. Many colleges and universities are now offering
both courses and curriculums that range from Junior colleges programs
offering A.A.S. degrees, undergraduate education offering B.S. and B.A.
degrees, and graduate degree programs offering both Master's and
doctorial degrees that relate to cyber security. I have personally been
involved in three specific programs being offered at two colleges. At
Utica College of Syracuse University, I have been privileged to teach
in both the Economic Crime Investigation undergraduate program, and the
Economic Crime Management Master's level program. Currently, I serve as
the Director of the Computer Forensic Research and Development Center
at Utica College and I guest lecture in both the computer security and
computer forensic classes. At Tompkins Cortland Community College
(TC3), a Junior college of the State University of New York, I had the
pleasure of working with the administration and department heads to
help establish the first Associates Degree program in Computer
Forensics in the United States, and I continue to guest lecture in this
program today.
Many commercial vendors are offering training programs that
typically relate to their own specialized technology or product and
service offerings. In most cases these classes are cost prohibitive for
individual purchase and often place a hardship on limited department
budgets. Training programs of this type vary widely in price, however a
good rule of thumb is about $750-$1,000 per day not including expenses.
Advanced training courses typically run 2-5 days in duration.
Investigators spend about 1-2 weeks per year on the training required
to keep up to date with the state-of-the-art. Compounding the high cost
of the training itself, is the time required away from the job. Those
working in more rural communities must incur additional travel expenses
on top of the high cost of the training. Since these costs recur every
year based on the rapid changing landscape of cyber security, a minimum
investment of $25,000 to $35,000 per year, per investigator is
necessary. Distance learning would seem to be an obvious option that
could mitigate some of these costs. This does offers a promise for the
future, however, to date only a handful of cyber security training
courses are offered in this manner and additional study, research and
development is needed.

What are the current strengths and weaknesses in cyber security
education and training programs?

Strengths--During the last several years new college based
curriculums have been developed to address the demand for cyber
security professionals. These programs are being offered at every level
of secondary education, and the expertise of the faculty and curriculum
development continue to rapidly advance. Options for Associates,
Undergraduate and Graduate degree programs offer both new students and
those wishing to advance their careers several options from which to
choose. Also, many of these curriculums are offered in a ``continuing
education environment,'' allowing those currently working to
participate as well.
Training offered by private companies, and conference and workshops
are providing excellent content today. This type of training has many
positive characteristics. First, the content tends to be well aligned
with the current threats and solutions due to the competitive nature
this environment offers. In addition, the quality of both the trainers
and content is sound due to the demand of customers, organization
members or conference participants. We see this clearly as the largest
area of expansion over the past several years. Conference participants
can now attend advance training course, receive college credits, take
examinations for industry certifications, stay abreast of emerging
trends and network with colleagues during a typical five-day
conference.
Weaknesses--Although the education programs have quickly ramped up
to develop curriculums and degree offerings to help meet the needs, the
graduates of these programs require significant training on practical
cyber security matters after graduation, and throughout their careers.
In addition, typical college and university based programs have a
difficult time staying abreast of current trends. Unfortunately, in the
business of cyber security, the trends are changing so rapidly that
crafting curriculums to meet the needs is a challenge. This not only
goes to the curriculum, but also the tools and technologies and
expensive laboratory equipment and software necessary to expose the
students to the latest methods.
The majority of the training programs currently being offered to
provide practical skills by both private and non-profit organizations
are non-standardized, ad hoc and mostly difficult to qualify or assess.
This makes the selection of these programs for training extremely
difficult, and the satisfaction level of the attending student low.
Unfortunately, due to the rapid evolution in the cyber threat, training
is a recurring consideration for both new hires and veteran employees.
No uniform certification process for training courses or trainers is in
place today to help assess the quality and/or value of the training
programs offered. Many organizations utilize colleges and universities
to ``accredit'' their course offerings and deliver continuing education
credits to those that complete the training classes. Students then have
a number of CEU credits from a variety of colleges and universities
with no way to combine those for a degree. In many cases students end
up with 100's of hours of seemingly unrelated course credit, when in
fact they have acquired more knowledge than most four-year college
students attending a traditional academic program.

Do model programs exist and, if they do, are they being adapted to meet
local cyber security needs?

The National Security Agency (NSA) has created The Centers of
Academic Excellence in Information Assurance Education (CAEIAE)
program. Established in November 1998, this endeavor helps NSA partner
with colleges and universities across the Nation to promote higher
education in Information Assurance (IA). This program is an outreach
effort that was designed and is operated in the spirit of Presidential
Decision Directive 63 (PDD 63), the Clinton Administration's Policy on
Critical Infrastructure Protection, dated May 1998. The program is now
jointly sponsored by the NSA and Department of Homeland Security (DHS)
in support of the President's National Strategy to Secure Cyberspace,
February 2003. The goal of CAEIAE is to reduce vulnerability in our
national information infrastructure by promoting higher education in
information assurance (IA), and producing a growing number of
professionals with IA expertise in various disciplines.'' \1\ In New
York, Pace University, Polytechnic, SUNY Buffalo, SUNY Stony Brook,
Syracuse University and the U.S. Military Academy, West Point have been
certified.
---------------------------------------------------------------------------
\1\ http://www.nsa.gov/ia/academia/caeiae.cfm
---------------------------------------------------------------------------
Numerous options for training are available at the federal level,
including FBI Quantico, the Federal Law Enforcement Training Center
(FLETC), the Secret Service Training Center and many others. State and
local law enforcement typically with smaller budgets, receive training
from private for profit or non-profit organizations such as the High
Technology Crimes Investigation Association (HTCIA), InfraGard, the
National White Collar Crime Center, the National Law Enforcement
Training Center (NLETC) along with many others. In many cases the
investigators and officers pay for membership and training out of there
own pocket. At WetStone we have first hand experience with this
phenomena and receive multiple requests weekly to attend our training
by these individuals paying with their own funds to stay current with
the emerging threats.

What partnerships should two-year and four-year colleges and
universities forge with business and industry to
build appropriate programs? In your opinion, is
there sufficient collaboration with industry at the
administration (advisory committees), faculty
(return-to-industry) and student (internship)
levels to accommodate rapid changes in these
professional and technical areas?

The experiences over the course of my 20+ years in this industry,
both in and out of the classroom have provided me with a very
interesting perspective regarding not only the needs but the progress
that has been made. First, I must say that the young men and women
seeking education in these areas are some of the best and brightest I
have had the privilege to work with. I learn more every time I enter
the classroom either in an academic or training setting than I could
possibly repay. During the very early days of WetStone, we launched an
aggressive internship program for those working on degrees in cyber
security. This program is still in full swing today. The idea was two
fold, first to be directly involved in the education process by
teaching in the classroom; and second to provide internship
opportunities for students that had interests in pursuing a career in
cyber security research and development. I am happy to report to this
committee that this approach has been a stellar success. To date we
have executed 14 internships in cyber security, involving students from
every college level. Over half of these students have accepted full-
time employment with our company after graduation. In addition to the
internships at the college level, in June of 2003 we initiated a high
school internship program for high school juniors and seniors
considering a career in cyber security. Our first high school intern
Jeff Olson of Cortland High School is with us again this summer. Jeff
graduated in June and will be going on to the Rochester Institute of
Technology RIT where he will be studying computer engineering. Based on
the success of the high school program we are expanding this internship
in the fall to include two additional high school students.
The advancement and availability of education, training and
internship programs is paramount if we are to strengthen our nation's
cyber security workforce. For example, education at the undergraduate
level must include practical as well as theoretical aspects. In this
field of study, the state-of-the-art is changing daily and those
engaged in education must keep abreast of current trends
(technological, legal and operational). In addition, I believe it is
important that internships should be a requirement for those working in
this field. Without functional internships students graduating will
continue to lack practical skills that are a requirement for success.
This recommendation should not be taken lightly. A serious commitment
by the student, the college or university, and the private sector is
necessary to make this endeavor successful. One metric that we have
developed for our own cyber security internship program is the 2-for-1
rule. For every two cyber security interns we hire, we need to dedicate
one-full time staff member to direct and mentor the interns--a
significant commitment for large or small companies. In many cases
employers consider only the labor cost of the interns when making an
intern program decision, when in fact the cost is many times higher.
However, long-term commitments are necessary, and your ability to
mentor these students during their junior and senior years will pay
significant dividends after graduation--as they step directly into the
organization and begin producing and contributing immediately. Also,
the colleges and universities are required to commit staff hours to
monitor the process the internships in the field. These monitors need
to be selective as to the environments that students consider--again
requiring extensive planning and follow-up for an already overloaded
schedule. However the payoff here again can be considerable. By
interfacing directly with prospective employers, educators are able to
identify gaps in their curriculum, get feedback as to the student's
preparation, and directly improve the overall programs.
Colleges and universities must forge partnerships with both the
public and private sector. In my opinion the internship model is one
that should be considered. This model provides all the elements
necessary to better prepare students for the workforce and to garner
direct feedback throughout the life cycle of the cyber security
curriculum development. As new issues and threats are revealed, this
feedback will be focused and swift. The internship opportunities also
allow the colleges and universities to build relationships with
employers that will better define and characterize the jobs these new
cyber warriors take on. This understanding will again help shape the
curriculum as a whole, along with shaping the syllabus of specific
courses. One other benefit of this approach will be the access to local
experts that are willing to guest lecture in the classroom. These local
experts educate everyone in this environment (professors, students and
colleagues) not to mention what they may learn while interacting with
the next generation workforce. I realize that in writing this one may
think there must be and easier way, because this sounds like hard work.
Unfortunately, I'm not sure there is a silver bullet, as the
responsibility for advancing the cyber security of the country should
fall to everyone's shoulders. In almost all cases, we have forged these
relationships--one student, one professor, one college, one department
head at a time. We must all take a passionate interest in advancing our
capabilities against the ever increasing cyber threat and get our hands
dirty, and give back what we learn and know about every aspect of this
threat. Today, the criminals and terrorists communicate and they share
information about weaknesses, system vulnerabilities, our critical
infrastructures, social engineering, stolen passwords, credit card
numbers, malicious code and the latest cyber weapons freely and
virtually unchecked over the Internet. We must do the same. And I
believe education and training are the basis and the first critical
step. At WetStone we adopted a quote as our company's vision in 1998.
The quote came from a different time when our nation was facing a
different adversary, but as often happens, the words of great men
withstand the test of time. Robert Kennedy said in 1960, ``If we do not
on a national scale attack organized criminals with weapons and
techniques as effective as their own they will destroy us.'' By
dedicating ourselves to the transfer of knowledge in cyber security to
those that are defending, or will defend us, we can train the workforce
of the future and begin making a difference today.

What can the Federal Government do to improve cyber security education
and build the Nation's technical workforce?

I feel that the Federal Government can have direct impact on the
advancement of education and training in cyber security from several
perspectives.
First and foremost, cyber security training and education can be
made more accessible to our men and women in law enforcement who today
can only advance their education and training in this area by spending
their personal funds, trading their vacation time, or giving up time
with their families to attend a training course that will ultimately
help them defend our nation. Offering them assistance to participate in
qualified education and training programs will accelerate the process
for those already investing in our future and encourage those that
today do not have access.
Second, incentives to colleges, universities and the private sector
to create internship opportunities in cyber security can be increased.
The cost required to carry out this endeavor is staggering today,
however, in my opinion this is an investment that we cannot afford to
overlook.
Third, national accreditation of cyber security education and
training programs that would allow those to combine credits and
experience to obtain higher education degrees in a flexible, fair and
non-traditional form is urgently needed. We need to not only attract
today's young people entering college into this field, we must also
encourage those that have many years of street experience in law
enforcement to gain the recognition based on their years of investment
in our future. When they step on the street tomorrow, they may
encounter ``cyber evidence'' that could in-fact hold critical
information that would preempt a crime, a pending terrorist action, or
the exploitation of a child. Their preparedness, I believe, should be
our paramount concern.
I would like to thank the Committee for this opportunity to present
my experience, thoughts, views and perspective on cyber security
education and training.

Biography for Chester ``Chet'' Hosmer
Chet Hosmer is a co-founder, and the President and CEO of WetStone
Technologies, Inc. He has over 25 years of experience in developing
high technology software and hardware products, and during the last 15
years, has focused on research and development of information security
technologies, with specialty areas including: cyber forensics, secure
time, and intrusion detection and response.
Chet is a co-chair of the National Institute of Justice's
Electronic Crime and Terrorism Partnership Initiative's Technology
Working Group, and was one of five international steganography experts
interviewed by ABC News after the 9/11 al-Qaeda attacks. Chet has been
quoted in numerous cyber security articles, and has been invited to
present as both a Keynote and Plenary speaker numerous times over the
course of his career.
Chet is a member of the IEEE and the ACM, and holds a B.S. degree
in Computer Science from Syracuse University. Chet is also the Director
of the Computer Forensics Research and Development Center of Utica
College.

Selected Publications and Speaking Engagements:

``Steganography Detection: Finding Evidence in Plain Sight,'' 15th
Annual ACFE Fraud Conference and Exhibition, July 12, 2004
``Scanning-Detecting-Eradicating--and Recovering from the Malware
Invasion,'' Techno Security 2004, June 8, 2004
``Time: The Missing Link in Digital Integrity,'' Gorham International
Conference, May 25, 2004
``Bigger Than Viruses-How Malicious Software Can Affect Your
Business,'' Tech 2004, May 4, 2004
``Discovering Evidence Hidden In Plain Sight,'' Southeast Cybercrime
Summit 2004, March 3-4, 2004
``Biometrics and Digital Evidence'' with Countryman, B. The Security
Journal, Winter 2004, Volume 6
``Protecting the Homeland using Biometric Identification,'' Sector 5--
The Global Summit Exploring Cyber Terrorism and the Targets of
Critical Infrastructures, August 21-23, 2002
``Steganography Detection: Finding Evidence Hidden in Plain Sight,''
Forum on Information Warfare, December 2003
``Applying Hostile Content Detection to Digital Forensic
Investigation,'' The Security Journal, Fall 2003, Volume 5
``Cyber-Terrorism: Digital Steganography and its Implications for
Homeland Security,'' Securing the Homeland Conference & Expo,
September 10, 2003
``Steganography as It Relates to Homeland Security,'' Electronic Crimes
Task Force Homeland Security Seminar, September 4, 2003
``Discovering Covert Digital Evidence,'' DFRWS Conference, August 6,
2003
``What You Can't See Can Hurt You--The Dangers of Steganography,'' The
Security Journal, Summer 2003, Volume 4
``Digital Steganography: The Evolving Threat,'' Techno-Security 2003,
April 29, 2003
``The Importance of Digital Time in Preventing Economic Crime,''
CyberCrime 2003, February 9, 2003
``Tracking Cyber Criminals With Time,'' NATO Inforensics and Incident
Response Workshop Keynote, October 22, 2002
``What You Can't See Can Hurt You,'' SC Magazine, August 2002
``Proving the Integrity of Digital Evidence with Time,'' International
Journal of Digital Evidence (IJDE), Spring 2002, Volume 1,
Issue 1
``Steganography Detection: Finding Evidence Hidden in Plain Sight,''
Techno-Security 2002, April 10, 2002
``The Importance of Binding Time to Digital Evidence,'' 12th Annual
Economic Crime Investigation Institute Conference, October 30,
2001
``Technical and Legal Issues in Network Intrusion Investigations,''
with W. Williams and A. Ott, October 31, 2000 11th Annual
Economic Crime Investigation Institute Conference. Cyber Swords
and Shields Fraud Symposium, October 3-5, 2000
``State-of-the-Art of Computer Forensics,'' 10th Annual Economic Crime
Investigation Institute Conference, November 9, 1999
``Advancing Crime Scene Computer Forensics Techniques,'' with J.
Feldman and J. Giordano, SPIE's International Symposium on
Enabling Technologies for Law Enforcement and Security
Conference, November 1998
``Using SmartCards and Digital Signatures to Preserve Electronic
Evidence,'' SPIE's International Symposium on Enabling
Technologies for Law Enforcement and Security Conference,
November 1998
``System Modeling and Information Fusion for Network Intrusion
Detection,'' with N. Ye, J. Feldman, and J. Giordano, ISW '98,
October 1998
``Detecting Subtle System Changes Using Digital Signatures,'' with M.
Duren, 1998 IEEE Information Technology Conference, September
1998
``Time-Lining Computer Evidence,'' 1998 IEEE Information Technology
Conference, September 1998
``The Role of Smart Tokens in Cryptographic Key Management,'' with P.
Samsel, PARAPET Journal of Information Security, Autumn 1997
``Controlling Internal Fraud: Detection and Countermeasures Using
Intelligent Agents,'' Economic Crime Investigation Institute
Eighth Annual Conference, Oct. 27-28, 1997
``Developing Solutions That Employ Tamper Proof Token Devices to
Protect Information Integrity and Privacy,'' IEEE Dual-Use
Technologies and Applications Conference, May 1997
``Securing Lottery Electronic Instant Ticket Technology,'' with M.
Holcombe, 1994 National Lottery Technology Conference, November
1994

Media Coverage

``Secret Codes'': NHK Japan Television, December 2002
``A Novice Tries Steganography''--Tech TV--Cyber Crime Show, January
2002
``A Secret Language''--ABC News Prime Time Thursday, October 4, 2001

Chairman Boehlert. Thank you very much.
You will be interested to know that you were only 45
seconds beyond the five minutes.
Our next witness, Mr. Baker, is accompanied by a support
staff, his young son, Chris, who is behind him in the audience
and who is working on a scouting merit badge in citizenship. So
what we are talking about here, in many respects, is dealing
with human capital for the future. So I am glad to see Chris
here with you, Mr. Baker.

STATEMENT OF MR. JOHN R. BAKER, SR., DIRECTOR, TECHNOLOGY
PROGRAMS, DIVISION OF UNDERGRADUATE EDUCATION, SCHOOL OF
PROFESSIONAL STUDIES IN BUSINESS AND EDUCATION, JOHNS HOPKINS
UNIVERSITY

Mr. Baker. Thank you, Mr. Chairman.
Thank you for the opportunity to speak today, and as you so
eloquently indicated, I am director of the undergraduate
programs in technology in the School of Professional Studies in
Business and Education at Johns Hopkins University. In that
capacity, I run both our undergraduate degree programs in
information system with concentrations in both information
security and cyber forensics and the public technology training
programs that we run.
We define ``cyber security'' as the process of informing
technology professionals, end users, managers, and researchers
about the technical and non-technical aspects of protecting
their information resources and expanding our knowledge in the
field. As I indicated before, it is a multidisciplinary
approach. It has both breadth and depth, including math,
science, technology, business, law, psychology, and personal
issues. It includes topics that range from simple virus
protection to a lot more elaborate forms of security technology
detection, investigation, prevention, as well as many non-
technical areas. In addition, its audience includes end users,
technology professionals, managers, and researchers.
Consequently, information technology--information security
education necessarily covers a wide range of topics at a
variety of levels.
In addition to the specific topics, programs in the area
must address issues such as the demand for graduates, the
differences between training and education, program
development, faculty hiring and development, research, and
developing the field as its own discipline, and recognizing and
accepting educational standards, and keeping costs manageable
while keeping programs current and the potential for student
background checks. To ensure program success, the educational
institution must have some understanding of the need or demand
for program graduates. Potential students with little or no
employment opportunities will not select any given program.
In the area of education and training, a strong
differentiation between the two must be understood. Training is
generally focused on product or a specific set of skills in an
area. Education's goals are multi-purpose: teach the specific
technology skills, develop critical thinking and problem-
solving skills, improve the knowledge of the field, improve
communication capabilities and information literacy skills, and
foster research interests.
As for program development, it is both costly and time-
consuming. It can take a year or longer for a program to be
fully developed and implemented. There are many questions to be
addressed in the development and implementation of a program
and steps to be worked through.
Faculty is a key to a program's development and success.
Questions such as the role of full-time and part-time faculty,
faculty knowledge and development, and the role of research are
constantly being addressed. Each requires considerable
analysis.
One way to encourage involvement in the field is to define
it as a discipline. Components of this include the availability
of research money and the development of educational standards,
especially as they relate to employment opportunities.
As with all such endeavors, cost is an important factor.
Costs obviously include the specific technology components,
however, they also include facility set up, management and
maintenance, academic program development, implementation and
management, faculty hiring and development, and the potential
for other components, such as background checks.
A more recent issue that has surfaced is this issue of
student background checks. Some have expressed concern that we
may need to determine the suitability of a student for these
types of programs. However, there are many questions to be
addressed before this issue can be resolved. Johns Hopkins has
taken an institution-wide approach to both education and
research components.
Our academic community has developed educational components
and/or degree programs that span almost all disciplines and
topics in the information security field. Johns Hopkins has
created the Johns Hopkins University Information Security
Institute, implemented security education in all of its
schools, created separate academic programs and program
collaboration specifically for information security and cyber
forensics, and encouraged research in a number of security-
related areas. The undergraduate program in our school focuses
on both sides of the security incident before and after the
security preparation and cyber forensics.
There are some areas the Federal Government can be of
assistance: include more complete funding for the NSF
initiatives, encourage the development of educational
standards, work with private industry and state governments to
provide scholarship opportunities for their potential
employees, and assist some government agencies in absorbing the
graduates of the Scholarship for Service Program.
More information on these are provided in the detailed
testimony I have submitted to the Committee separately. I would
like to take this opportunity to again thank you for this
opportunity to speak to the Committee.
[The prepared statement of Mr. Baker follows:]
Prepared Statement of John R. Baker, Sr.

1. Cyber Security Education

Cyber Security Education is the process of informing technology
professionals, end-users, managers and researchers about the technical
and non-technical aspects of protecting their information resources,
and expanding our knowledge in the field. It is a multidisciplinary
field that is both broad and deep. The field is constantly evolving to
incorporate more components based on current and historical events and
research. The term itself refers both to security aspects as well as to
cyber forensics. It requires simultaneous education, training and
research in multiple areas (technology, business, management, finance,
psychology, computer science, etc.)
a. Components of the Field: Technical, Managerial, Operational
Cyber Security Education is more than just the technical aspect of
detecting or eliminating the latest virus, or preventing hacker attacks
(the public personae). It requires knowledge of technical areas,
addressing management, and how to infuse security practices into the
everyday operational aspects of an organization. Technical aspects
include firewalls, network security, cryptography and software
development.
Managerial components include personnel issues, disaster recovery
planning, funding (direct and indirect costs, ROI, payback), the
psychology or mind-set of a perpetrator, operational security
management, public relations and legal/regulatory components.
Operational issues include day-to-day security operations, both for the
security field professional and the everyday user.
Each part of the field involves varying levels of research,
education and training. Research investigates new technologies,
financial issues, approaches to security management, personnel issues
and legal/regulatory needs. The most recognizable research is on the
technological components of information security.
b. Education vs. Training
Often interchangeably used, education and training differ greatly.
Education's goal for the student is multi-purpose: teach them specific
technical skills, develop critical thinking and problem-solving
abilities, increase the knowledge of the vast background material in
the field, improve communication capabilities and information literacy
skills, and engage the student in some form of research.
Training is generally focused on a product or specific set of
skills in an area. However, at its highest level, some training
attempts to approximate education, typically by improving some of a
student's background knowledge in a field and/or developing problem
solving capabilities.
c. Research and Education
A major methodological issue for a university is whether to focus
on research or on classroom education. University reputations are based
on faculty research and the institution's research abilities. Johns
Hopkins University was the first U.S. university to include research in
the educational process. Typically, university research has not been
focused specifically in the areas of information security or cyber
forensics. Research for these areas is done in various other
disciplines that directly or indirectly affect these fields.
d. Emerging Discipline
Because of its breadth, Cyber Security Education is a young field
and not currently recognized as a discipline. At the moment it has not
yet been accepted as a discipline of its own. It has components in
various areas: mathematics, computer science, business, finance,
engineering, psychology, law, etc. Consequently, research, education
and training occurs in each of these disciplines independently. For
example, research in the field of mathematics may result in a better
crypto-key system.

2. Programs at JHU

Johns Hopkins has responded to the need for intensive research,
education and training in cyber security in all of its academic areas.
Some of its programs were in place before the events of Sept. 11.
However, all schools at the university have implemented or are in the
process of implementing, information security education and/or research
in their academic disciplines. In addition, Hopkins has created the
Johns Hopkins University Information Security Institute whose goals are
to foster research in information security, help develop
multidisciplinary approaches to security education, provide seminars
and other educational activities, and advance the literature in the
field.
a. Internal Programs
Almost all schools at Hopkins have incorporated some form of
security education. Depending on the program and level, it could
include simple background knowledge about the area and how security
applies to the specific educational discipline, or it could include in-
depth studies into security approaches in a field, practical
applications or advanced security research.
b. Internal Collaboration
Several of Hopkins' Schools have collaborated on academic programs
that are interdisciplinary in nature. The flagship program at Hopkins'
Information Security Institute is the Master's of Science in Security
Informatics (MSSI). It is a collaboration of several schools at
Hopkins: Whiting School of Engineering, Krieger School of Arts and
Sciences, Bloomberg School of Public Health, Nitze School of Advanced
International Studies and the School of Professional Studies in
Business and Education. Over 25 full-time, part-time or adjunct faculty
are available to deliver the MSSI courses at multiple Hopkins' sites in
the Baltimore-Washington area.
In addition, some schools at Hopkins have developed internal
collaborations across academic levels. The Whiting School of
Engineering and the Krieger School of Arts and Sciences jointly offer a
concurrent Bachelor's/Master's program in security. The School of
Professional Studies in Business and Education offers a joint
technology Bachelor's/Master's degree, with a concentration in
information security.
c. External Collaborations
The School of Professional Studies in Business and Education is in
the process of developing joint programs with several area community
colleges. These would provide students at two-year institutions
complete academic program opportunities at the Bachelor's level, and
extending into the Master's level.
The joint program offered by the Whiting School of Engineering and
the Krieger School of Arts and Sciences includes opportunities for
undergraduates of other local universities, which have established
agreements with these Hopkins schools.
d. Research, seminars, courses/teaching, publishing
The Johns Hopkins Information Security Institute has become the
focal point for information security research at the university. Over
15 full-time faculty or JHU Applied Physics Laboratory researchers are
involved in some aspect of information security research.

3. Strengths & Weaknesses of Current Education

a. Education or Training
Often a potential employee seeks the short-term goal of satisfying
a potential employer's advertised need, through specific skill-set
training. Many potential employees view the requirements indicated in a
particular employment ad, then attempt to obtain the specific skill
required (CISCO training, CISSP certification, etc.). While potentially
valid as an entry into the field, or for specific job requirement,
these are not intended to indicate the wider-range of skills and
abilities many employers seek.
Education rather than training provides potential employees this
wider-set of knowledge and abilities, in addition to specific
technology skill sets (not necessarily for a specific product). These
include: critical thinking and problem-solving, knowledge of the vast
background material in the field, communication, information literacy
and some form of research. Often a student in a program wants to know
if they will be learning Product-X. The answer is usually that the
program may teach you some things about Product-X, but its goal is to
teach you how to learn, and apply that skill to learning about
different products. At times we may use various products (including
Product-X) as examples in our classes or for demonstration purposes,
but the goal is not to teach a specific product.
In addition, education is intended to develop the next generation
of researchers in a discipline. Because of the nature of the
information security field, much of the research is focused in other
disciplines. For example, a math researcher may apply their findings to
the information security field.
b. Costs:
The cost of education programs covers many components: physical
items, facilities management, program development and maintenance, and
faculty hiring, training and education.

1. Facilities Set-up and Management

Teaching state-of-the-art information security or cyber forensics
programs requires facilities that can handle the technology. This means
some form of computer lab capability, typically networked. While the
most current technology is not absolutely necessary, the more dated the
technology the more difficult it is to get current and potential
students and employers to accept a program as useful. It is a constant
problem to remain current enough to teach the most important components
of security and forensics, and still not spend `every last dime' on the
most recent technology.
An additional component is the style or set-up of lab facilities.
Most lab set-ups will be done in one of two approaches: a dedicated lab
or a multi-purpose lab. Dedicated labs are designed for a specific
program, and have minimal impact on other programs or facilities.
However, they will sit idle when the specific educational program is
not offered. In addition, management of these labs may be easier (for
program setup and use), but they are almost always `locked down', and
only allowed for students of the specific program. No other use is
allowed because of the sensitive nature of the set-up, and because of
the potential problems with other areas. For example, if a lab virus or
other destructive software is unintentionally allowed into another lab
facility, that facility may become corrupted. If it is a networked
facility, others may also become corrupted.
Multi-purpose labs are more functional, but can be much more costly
in terms of set-up and management. These labs may need periodic
isolation, a special set-up, and additional management. In addition,
when they are used by the security or forensic program, disruption to
other programs needing the lab will occur. This will include
specialized set-up and clean-up time, in addition to the actual class
time.
All of these take time, resources and increase costs of program
offerings. Hardware costs can range from $500 to $2,000 per machine,
plus networking and software costs. Management time will include
initial lab set-up, in addition to the individual class set-up and
clean-up, depending on the type of lab. While difficult to provide
specific cost estimates for this time, it can include several hours of
a lab manager's time and up to 11/2 days of a support staff person's
time, for each class session.

2. Program Development & Maintenance

Development, implementation, operation and maintenance of an
educational program can take more than a year. Typically, the process
includes:

a. An assessment of the need for graduates of a program

b. Development of an advisory board

c. Identification of program components

d. Internal and external approval steps

e. Organization of the program into modules/courses

f. Development of the course material

g. Advertising/marketing the program

h. Program implementation

i. Constant program evaluation and improvement.

While there are ways to speed up the process, each step is needed.
In approving such programs, cost is always a major factor. Employment
surveys, component development costs, hardware and software
identification, developing appropriate course/lesson plans around them,
marketing and oversight are the major ones.

3. Faculty

Cost issues for faculty center on the issues of part-time vs. full-
time faculty, and the role of faculty in the program. Part-time faculty
are usually used for teaching purposes, and to provide expertise in a
specific topic area. While they may be involved in program development,
they are not typically responsible for program development or success/
failure.
Full-time faculty are involved in one or more aspects of program
development, implementation, teaching, evaluation. In addition, in many
institutions they are involved in research activities. This can be a
source of cutting-edge knowledge, prestige and income for the faculty
member and institution, but can also create problems. These and other
faculty issues are addressed in section 4.a.
c. Background Checks
A more recent problem that has surfaced is the issue of student
background checks. With the events of September 11, increasingly
questions of appropriateness of students in the classroom have arisen.
A discussion of background checks raises many additional questions:

1. What is the purpose of the background checks?

2. How deep or wide will they go?

3. How much will they cost?

4. How long will they take?

5. Who will pay for them?

6. Who will do them?

7. What will we do with the information once it is obtained?

8. Will it prevent a student from entering a program or
restrict their access to certain courses or material?

9. Are they relevant given the availability of material on
the Internet?

10. Are they legal?

Background checks are costly, time consuming and raise legal
concerns around privacy and profiling. But, given the awareness of
security concerns, additional guidance will be needed in this area.
d. Ethical Agreements
Some programs have instituted ethical agreements with students in
specific programs. They attempt to educate the student on the
seriousness of the topic, and the expectations of professional and
moral behavior that accompany the education. However, enforcement is
difficult, especially outside the classroom or after the program is
completed.

4. Faculty Preparation, Recruitment and Retention

a. Part-time vs. Full-time Faculty
Identifying appropriate faculty for specialized programs such as
information security and cyber forensics is a challenge. Generally, the
options are:

1. Design the program around the current full-time faculty
knowledge base

2. Upgrade current full-time faculty skills/knowledge

3. Hire new full-time faculty, specifically for this program

4. Hire part-time, practitioner faculty to teach in the
program

Designing the program around the current full-time faculty
knowledge base is the easiest and least costly approach, but is usually
the least desirable. Typically, their knowledge base is very specific
and may not cover the broad-range of technical and non-technical topics
required. Consequently, the program manager is required to augment the
current knowledge base with additional, training or education, or
hiring other faculty, either full-time or part-time. In addition, the
current faculty knowledge base may already be out-of-date or too
narrow.
Upgrading current full-time faculty skills and knowledge is
desirable and useful for them, but is time consuming and adds cost to
the program development and operation. It may delay the program
development and implementation.
Hiring new full-time faculty may be quicker, but also costly. In
addition, if the program is not commercially successful (and if they
are not involved in research which generates grant income), the
organization has incurred the additional faculty cost, with no
offsetting income. That may mean the faculty position results in a
short-term employment opportunity.
Hiring part-time, practitioner faculty is often difficult and time
consuming. While it provides the educational institution the least
costly staffing solution, there are many other factors that affect the
hiring decision. These faculty often:

1. Are not trained educators

2. Are already employed and consequently have problems with
pre-existing course schedules

3. Cannot teach during the day

4. May travel too much

5. May have only some allegiance to the program and/or
institution

6. May not have the necessary academic credentials

7. May not have a teaching aptitude

When hiring part-time faculty the organization needs to commit to
teaching them to be educators. Learning to educate at the college or
university level requires some intensive interaction between the
academic program manager and part-time faculty member, and a commitment
on the part of the university to provide faculty development in the
area of teaching skills and course/classroom management. In addition to
creating a syllabus and organizing some lectures, the part-time faculty
member will need to learn to manage the classroom environment, create
and implement effective and fair evaluation instruments and assign
grades. In addition, the faculty will need to evaluate student writing,
incorporate critical thinking and problem-solving skills, include
information literacy, develop creative presentation styles, and infuse
current research into the education process. These can take some time,
patience, and commitment on the organization's part, with no guarantee
the part-time faculty member will continue with the program.
In addition, the education organization needs to implement a
support system for the part-time faculty member. This includes
administrative support for typical needs (copying, book order
processing, etc.), and academic support for course content, unexpected
problems, articulating college/university policies on various issues
and handling grading questions.
b. Teaching vs. Research
In some educational organizations, full-time faculty may also be
involved in research activities. While this can provide a terrific
resource for the program in terms of up-to-date information in the
field, and potential student involvement in the research, it can also
create conflicts for the faculty. Research activities are often funded
by grants and require intensive time commitments of the faculty.
Consequently, less time is available for teaching.
c. Hopkins Approach
Hopkins has implemented a variety of solutions to address faculty
issues. In some schools, full-time faculty are involved in both
research and teaching. In addition, part-time faculty are used in
selected courses or program components to either provide the
instruction or assist the full-time faculty member with their
instruction.
Others schools at Hopkins are using a large group of part-time
faculty who are professionals in their area, to teach in their program.
In addition to selecting fully qualified part-time faculty (based on
factors such as professional experience, teaching experience, teaching
aptitude, academic credentials and availability), they are provided a
full range of teaching professional support from both the program
manager and other groups with the organization.

5. Federal Government Assistance

a. Funding NSF Initiatives
The National Science Foundation (NSF) has attempted to provide
several opportunities to fund information security educational
initiatives. Because of funding issues NSF has not been able to support
innovative initiatives in information security education. Providing
more complete funding for the NSF initiatives will help in the
development of different and more complete academic programs.
b. SFS Graduates
Evidently, one of the issues with the Scholarship for Service (SFS)
program is the ability of government agencies to absorb the number of
graduates. Some may need assistance in developing their plans and/or
finding ways to hire the graduating talent. Others, (DOD, NSA, etc.)
have indicated a strong need for qualified SFS graduates. One issue
here may be the ability of the students to obtain appropriate security
clearances.
c. Development as a Discipline
Provide some funding to encourage the development of information
security and cyber forensics as disciplines. This would encourage
faculty to enter the field, develop research incentives, and provide
money for the development applied and research-based academic programs.
In addition, it would bring together research and education that is
pertinent to the field.
d. Non-SFS Scholarships
Working with the private sector and state governments, the Federal
Government can help to develop scholarship programs to provide
educational funding for students who may want to be employed in one of
these areas. The private sector and state governments have as strong a
need for information security professionals as the Federal Government.
In some instances they may be on the front lines, or provide early-
warning notification to the Federal Government. Consequently, they need
as much education in the security area as the Federal Government.

6. Other Issues

In addition to the request information areas, these additional
topics may be of interest:
a. Defining Educational Standards
Developing educational standards in a discipline helps define it as
a discipline. The defining of such standards would help the fields of
information security and cyber forensics. While simple in concept, it
is more difficult in practice. It would require the defining of
security knowledge needs in various professions, and at different
levels within a profession. For example, in a given industry there are
system end-users, managers, technical staff and researchers. Each
requires different levels and types of security education and skills.
The end-user may need to understand how, and a little of why, a
password needs to be changed regularly. In addition, the organization
may be helped of they are educated about typical security breaches that
can occur. Technical staff will need more in-depth education about
preventing security problems from occurring, solving unexpected
security problems and reporting them to the appropriate people.
b. Traditional-age Students vs. Returning Adult Students
Students in an educational program are typically one of two types,
the traditional-age student progressing through the academic process,
as we have come to expect, and the returning adult student with several
years of work experience. In most instances they are seeking the same
result, entry into the information security field, either applied or
research. At times they may co-exist in a program. However, typically
specific part-time programs are usually offered for the returning adult
student. These programs are not usually considered when issues
concerning education are addressed.

Biography for John R. Baker, Sr.

EMPLOYMENT:

Johns Hopkins University, School of Professional Studies in Business
and Education, Baltimore, MD

Director, Undergraduate Technology Programs (July 1999 to present)

Key Responsibilities:
Direct activities for undergraduate degree, certificates and non-
credit (training) programs in information and telecommunications
technology. Responsibilities include: market assessment, program
planning, course development and scheduling, budget management,
marketing and strategic planning for academic technology needs. Also
assisted in redevelopment of school-wide technology strategic planning,
both academic and administrative.
Major accomplishments:

-- Worked on team to develop strategic technology plan for
entire school for both academic and administrative areas

-- Redesigned and implemented innovative undergraduate
technology degree (BS/Information Systems) and credit
certificate programs

-- Redesigned and expanded non-credit (training) programs
(CONNECT)

-- Manage on-site programs with local organizations

Graduate Faculty (Jan. 1998 to July 1999)

Key responsibilities:
Assist business technology degree program director with program
development and operation. Major areas include: course development and
quality assurance, faculty development and quality, scheduling faculty
assignments and managing graduate technology degree completion course.

Advanced Technologies Group, Columbia, MD (Aug. 1995 to June 1999)

Director, Consulting Services

Key Responsibilities:
Direct activities to identify and secure potential consulting
engagements, work with consulting clients, plan and manage projects,
provide consulting expertise as needed and assist with business
development. Responsible areas include: information systems, technology
training, executive education program, telecommunications, technology
in education, strategic technology planning, the Internet and World-
Wide-Web. Major clients include: AT&T, MCI, SAIC, U.S. Dept. of
Interior, World Airways, U.S. Dept. of Veterans Affairs, StorComm Inc.,
and Amnex Inc.

Johns Hopkins University, School of Continuing Studies, Baltimore, MD
(Nov. 1987 to Aug. 1995)

Director, Technology Programs (Nov. 1987 to August 1995)

Key Responsibilities:
Directed activities for large program of graduate and undergraduate
degrees in information and telecommunications technology, professional
training programs and executive seminars. Responsibilities included:
market assessment, program planning, course development and scheduling
(over 800 sections and 120 faculty per year), assistance for over 1100
students, budget management, marketing and strategic planning for
academic technology needs.
Major accomplishments:

-- Designed and implemented innovative graduate technology
degree (MS/Information & Telecommunication Systems);
undergraduate information systems program; credit certificate
education, entrepreneur training and executive education
programs,

-- Redesign of graduate technology management (MS/Business-
Management of Technology), and professional education programs,
and

-- Finalist for innovative technology impact award in
Baltimore.

Director, SCS Operations, Montgomery County Center (Nov. 1987 to Aug.
1990)

Key Responsibilities:
Managed the start-up and operation of the School of Continuing
Studies (SCS) remote-campus facilities at the Johns Hopkins University,
Montgomery County Center. Responsibilities included: planning and
implementation of SCS operations (for multiple departments), marketing
(evaluation, planning and implementation), public presentations,
promoted the School and University with county business, education and
government. Simultaneously directed graduate business degree
concentration in Information Technology Management.
Major accomplishments:

-- Started school's most successful off-campus education
facility

-- Managed growth rate of over 125 percent per year for each
of first three years

-- Established educational presence in the county and
developed links with business

The International Bank for Reconstruction and Development (The World
Bank), Washington, DC (Jan. 1984 to Oct. 1987)

Systems and Facilities Manager

Key Responsibilities:
Managed the administrative and investment trading systems and
facilities for the Investment Department of the World Bank (a $20
billion investment operation). Responsibilities included: planning and
implementation of new information and telecommunication (voice and
data) systems, investment facilities and offices; budget management;
managing vendor contracts (exceeding $1.5m); system security; strategic
technology planning, disaster recovery planning and management;
mainframe systems oversight.
Major accomplishments:

-- Planned and managed the construction of a new $2m
securities trading facility,

-- Planned, contracted and implemented a new $1m mainframe
computer system,

-- Negotiated and managed $3.5m software implementation
contracts, and

-- Implemented new office automation technology for department
of 40 professionals, in multiple locations.

Coopers and Lybrand, Washington, DC (Sept. 1979 to Jan. 1984)

Senior Management Consultant

Key Responsibilities:
Managed and conducted various consulting engagements for the
Washington, D.C. office of the Management Consulting Services group.
These engagements were for a variety of Federal and State Government
agencies, and private organizations.
Projects included:
A security review of the U.S. House of Representatives'
computerized Financial Management System; designed and implemented an
economic modeling system for the U.S. Department of the Treasury;
redesigned the automated central personnel database for the Department
of the Navy; managed several engagements to implement, enhance and
maintain financial portfolio management software for several state
housing agencies, including: Nebraska, New Hampshire, Oregon and South
Carolina.

MRI Systems Corporation, Washington, DC (April 1978 to Sept. 1979)

Project Manager

Key Responsibilities:
Managed consulting services contracts for various U.S. government
agencies. These were primarily for the development and implementation
of management information systems using the SYSTEM 2000 Data Base
Management software. Major projects included systems for: Harry Diamond
Laboratories (DOD), Mobile Equipment Research and Development Command,
the Defense Mapping Agency, and the Department of Agriculture.

Lockheed Electronics Corporation, Houston, TX (Sept. 1977 to March
1978)

Project Leader

Key Responsibilities:
Project leader for a Space Shuttle information system support
team--monitored the implementation of operating system enhancements,
and implementation, support and modification of all commercial software
packages. In addition, the team was responsible for analyzing existing
hardware and software utilization and developing new requirements for
the Control Data Corporation computer data center at the NASA Space
Center in Houston, Texas.

Commercial Credit Corporation, Baltimore, MD (Nov. 1971 to Aug. 1977)
Key Responsibilities:
Held a variety of positions, including: Operations Manager, Data
Base Manager, Project Leader, Systems Analyst and Programmer. Major
duties included: managing department responsible for the daily
operation of an on-line, real-time loan processing system with over
1,000 terminals in 800 offices nationwide; lead team responsible for
the control and recovery of a large on-line, real-time financial data
base; developed and implemented on-line applications processing system;
supervised the programming and design teams which were responsible for
user interface, design, programming, testing and implementation of new
applications; assisted in the design, programming and implementation of
an on-line financial application system processing for over 1 million
customers nationwide.

Federal Reserve Bank of Richmond (Baltimore Branch), Baltimore, MD
(July 1969 to Nov. 1971)

Senior Systems Operator

Key Responsibilities:
Progressed from operator trainee to senior operator in mainframe
IBM systems center. Major duties included: operator for an IBM 360
mainframe, monitoring the quantity and quality of work processed during
the shift by junior level operators.

ADDITIONAL QUALIFICATIONS

Johns Hopkins University, School of Continuing Studies, Baltimore, MD
(Sept. 1983 to Nov. 1987)

Part-time Faculty

Position summary:
Part-time faculty position assisting in development and teaching in
technology program. Planned, designed and conducted beginning and
advanced technology courses for students in the graduate Business
degree, Economic Education program, graduate Information Systems and
Telecommunications degree undergraduate Information Systems degree, and
professional development training programs. Topics included: I.S.
Management, Strategic Planning for I.S., Advanced Topics in I.S.,
Applied Graduate Project, Project Management, Business Applications of
Computers, Systems Analysis and Design, Business Planning, and
beginning through advanced training in: Novell Office Suite, Microsoft
Office Suite, Lotus-123, Windows, Internet and World-Wide-Web. Also,
continue to assist with curriculum design and development for credit
programs.

University of Maryland, University College, College Park, MD (Sept.
1995 to May 1998)

Part-time Instructor

University of Maryland, School of Business, College Park, MD (1996-
1997)

Part-time Instructor

EDUCATION

Master's degree in Administrative Science (May 1984), Johns Hopkins
University, Baltimore, MD.

Bachelor's degree in Computer Science (May 1975), Loyola College,
Baltimore, MD.

Honors: Dean's List, graduation honors

PRESENTATIONS & PAPERS

Baker, John, Cyber Security Education: Issues & Approaches, Federal
Information Systems Security Educators Association conference,
March 10, 2004, College Park, MD
Baker, John, Undergraduate Security Programs, Infragard seminar, March
2, 2004, Johns Hopkins Applied Physics Lab, Laurel, MD.
Baker, John, Developing Cyber Security Education Programs, Society for
Advanced Learning Technologies conference, Feb. 18, 2004,
Orlando, FL.
Baker, John, Ensuring Cyber Security, Security Education Programs,
CyberWatch Security Industry Group conference, Nov. 21, 2003,
Greenbelt, MD.
Baker, John, Information Literacy, Society for Advanced Learning
Technologies conference, July 27, 2001, College Park, MD.

Chairman Boehlert. Thank you very much.
Mr. Spengler.

STATEMENT OF MR. ERICH J. SPENGLER, PRINCIPAL INVESTIGATOR,
ADVANCED TECHNOLOGY EDUCATION REGIONAL CENTER FOR THE
ADVANCEMENT OF SYSTEMS SECURITY AND INFORMATION ASSURANCE,
MORAINE VALLEY COMMUNITY COLLEGE

Mr. Spengler. Good morning, Mr. Chairman and Members of the
Committee. I would like to thank the Committee for the
opportunity to comment on the role of community colleges in
cyber security education.
Over the next few minutes, I will discuss how community
colleges address the challenges in cyber security education and
the ability of community colleges to focus on the practitioner
skills necessary to adapt to the rapid changes in technology in
the workplace.
Community colleges play a critical role in the education
and training of our Nation's workforce. With an enrollment of
5.4 million credit students and five million non-credit
students, these institutions train and educate 44 percent of
our Nation's undergraduate students. A strength of community
colleges is its flexibility of the curriculum, which is often
designed specifically to train practitioners. This flexibility
enables community colleges to respond quickly to changes in
technology and the needs of business and industry. Community
colleges facilitate career pathways from high schools to 2-year
career programs and then additional pathways to 4-year colleges
or universities. In addition, community colleges leverage the
use of well-qualified adjunct and career faculty and also play
a crucial role in the re-education and updating of the skills
of current workers.
The NSF ATE Regional Center for Systems Security and
Information Assurance and its partners recently conducted a
survey of companies in five mid-western states to determine the
job demand for IT security-related positions, desired skills,
and preferred educational levels. A total of 340 responses were
received. Respondents were divided into small, medium, and
large companies. Ninety-nine percent of the respondents were
concerned about Internet and computer security. Almost 3/4 of
respondents said their company currently employed people in IT
security positions. Slightly more than half said there was a
shortage in the current supply of qualified applicants for
entry-level IT security positions.
There are significant opportunities for individuals who
possess an Associate's degree, therefore, community colleges
must continue to respond to growing industry demands for
professionals possessing cyber security skills. Opportunity
exists for Associate's degree graduates but also college
pathways are important for those continuing education and
careers.
Current strengths of community college cyber security
programs include the utilization of the National Science
Foundation ATE centers and resources. In addition,
opportunities exist for community college faculty to
participate in cyber security initiatives and information
sharing with sponsored task groups, such as the FBI's InfraGard
and the United States Secret Service Electronic Crimes Task
Force.
Community colleges are also challenged to integrate
security-related course work into existing IT programs and
degrees. The greatest challenge facing community colleges and
their efforts to establish cyber security programs is faculty
recruitment and development. The NSF ATE program currently
provides vital resources for faculty development to enrich
cyber security programs. For example, during the summer of
2004, the NSF ATE Regional Center for Systems Security and
Information Assurance trained over 200 college faculty in
security awareness, information assurance, network security,
and wireless technologies.
Community colleges must also expand relationships with
business and industry to develop innovative funding
opportunities and partnerships. Partnering with national
program models, such as the Cisco Systems Networking Academy,
allows for greater implementation and consistency of
curriculum.
The Center for System Security and Information Assurance is
the first NSF ATE Regional Center for IT security. The center
includes seven partner institutions representing five Midwest
states. This center was established to address the needs for IT
security professionals by increasing faculty expertise and
higher education training programs in IT security and
information assurance. This center collects, categorizes,
adapts, enhances, standardizes, and evaluates curriculum and
other training programs for community colleges and university
faculty in students across the Midwest. The center partners
with business and industry and local and federal agencies for
program development.
To improve cyber security education and build the Nation's
technical workforce, the Federal Government must continue to
invest in the programs and the people that are making a
difference in the education and training of our cyber security
workforce. Without the support for programs such as the NSF
Advanced Technological Education program, many institutions
would not have the resources or faculty expertise to meet the
challenges required to build quality cyber security programs.
This concludes my statement, Mr. Chairman and Members of
the Committee. Thank you for allowing me to address the
Committee on this issue.
[The prepared statement of Mr. Spengler follows:]
Prepared Statement of Erich J. Spengler
Good morning, Mr. Chairman and Members of the Committee. I would
like to thank the Committee for the opportunity to comment on the role
of community colleges in cyber security education. My name is Erich
Spengler, and I am the Director and Principal Investigator for the
National Science Foundation's ATE Regional Center for Systems Security
and Information Assurance (CSSIA). I come to you with 16 years of
combined experience in the classroom and the IT Industry. I am
currently an Associate Professor in Computer Integrated Technology at
Moraine Valley Community College in Palos Hills, Illinois.

What roles do community colleges play in the training of new
workers and the retraining of current workers? What employment
opportunities in cyber security are available for individuals with a
certificate or a two-year degree?

Role of Community Colleges
Community colleges play a critical role in the education and
training the Nation's workforce. Some 1,173 community and technical
colleges enroll 44 percent of all U.S. undergraduate students. The
American Association of Community Colleges (AACC) notes that 200,000
certificates and 450,000 associate's degrees are granted each year.
With an enrollment of 5.4 million credit students and five million non-
credit students, these institutions train and educate a significant
percentage of the workforce.
One of the strengths of community colleges is the close
relationship they maintain with local business and industry. This
relationship may take many forms. For example, community college
faculty are often asked to develop and deliver customized training
solutions for business partners. Business partners play an important
role in shaping career and technical programs by their participation as
members of advisory committees. Another strength is the flexibility of
the community college curriculum, which is often designed specifically
to train practitioners. This flexibility enables community colleges to
respond quickly to changes in technology. Community colleges also
establish career pathways from high schools to two-year career programs
and then additional pathways to four-year colleges or universities.
This articulation of curriculum allows students to seamlessly continue
higher levels of professional studies and education close to home.
Employment Opportunities
The NSF ATE Regional Center for Systems Security and Information
Assurance (CSSIA) and its partners recently conducted a survey (http://
www.cssia.org) of companies in five mid-western states to determine the
job demand for IT security-related positions, desired skills, and
preferred educational levels. I would like to share some of those
results at this time.

A total of 340 responses were received. Respondents
were divided into small (less than 100 employees), medium (100-
499) and large (500 or more) companies.

An overwhelming 99 percent of respondents were
concerned about Internet and computer security.

Almost three-fourths of respondents said their
company currently employed people in IT security positions.

IT security positions were more likely to be part-
time or shared positions (part-time security along with other
IT duties) than dedicated (full-time IT security).

Security responsibilities are being added to most IT
professions, including network administrators, help desk
specialists, network engineers, application developers, and
systems analysts.

Slightly more than half said there was a shortage in
the current supply of qualified applicants for entry-level IT
security positions.

Large companies were more likely to be concerned
about Internet and computer security and to have dedicated
security positions.

The most popular types of security training were
self-study, commercial vendor training sites, and community
college programs.

There are significant opportunities for individuals
who possess an Associate's degree.

Respondents indicated a significant number of current
open IT security positions and projected even more openings
over the next three years.

Community colleges must continue to respond to growing industry
demands for professionals possessing cyber security skills. Although it
is clear that there are career opportunities for professionals holding
Associate's degrees, we must continue to develop pathways with four-
year colleges and universities allowing those professionals to attain a
higher level of education.

What are the current strengths and weaknesses of cyber
security education and training programs? What ``model'' courses and
programs currently exist? And what types of courses or programs need to
be developed or more broadly implemented?

Current strengths and weaknesses of cyber security education and
training programs
Current strengths of cyber security education include the
utilization of NSF ATE centers as resources for faculty development,
internship programs and processes, dissemination and implementation of
curriculum models, collaboration, and partnerships among academic
institutions and business and industry. In addition, opportunities
exist for community college faculty to participate in cyber security
initiatives and information sharing with government-sponsored groups
such as the FBI's InfraGard and the United States Secret Service
Electronic Crimes Task Force.
However, much of the current cyber security curriculum typically
focuses on networking-related technologies. There is a need to expand
the emphasis beyond networking to serve the greater spectrum of IT
curriculum. Specialties might included forensics, programming and
secure coding, information assurance, and e-commerce and secure
communications.
Community colleges are also challenged to integrate security-
related coursework into existing IT programs and degrees. Three career
areas must be addressed: (1) the focused cyber security practitioner
specializing in their field of study, (2) the IT professional not
dedicated to security but who is charged with the protection of
critical information and infrastructure, and (3) non-IT-related
professionals such as health care personnel.
Model courses and programs
As cyber security technology emerges so must the programs within
the community colleges. There is debate regarding modeling of
curriculum on industry certification. This debate centers on the
delicate balance between certification preparation and required skill
sets. Certifications provide a reasonable direction and solid
groundwork representing industry needs. However, barriers exist for
standardized academic models that reflect the skills defined by these
industry certifications: (1) security-related industry certifications
continue to proliferate, making it difficult to identify which
certifications would provide the best models, and (2) skills outlined
in industry certification often require costly effort to be implemented
into an academic framework.
Community colleges have identified four approaches to developing
and offering courses and programs: (1) four-semester programs of study
leading to Associate's degrees, (2) two-semester programs leading to
institution-conferred certificates, (3) credit courses that are part of
an existing program of study, and (4) non-credit programs of
preparation for industry certification.
The NSF ATE Regional Center for Systems Security and Information
Assurance (CSSIA) is developing an adoptable model that reflects both
industry certifications and practitioners' required skills. The CSSIA
center is working within each of the partner states to establish model
four-semester and certificate programs that reflect current and
relevant industry certifications and skills.
Development of programs
Collaboration among community colleges to reduce duplication of
efforts is still needed. The establishment of cyber security programs
can be expensive and require a prolonged development cycle.
Additionally, we should consider the importance of the adaptation and
dissemination of instructional materials and best practices. As an
example, to help reduce implementation costs of quality learning
environments, the NSF ATE CSSIA center developed an innovative use of
laboratory equipment through remote access and management.
Additionally, partnering with national program models, such as the
Cisco Systems Networking Academy, allows for greater implementation and
consistency of curriculum.

What are the challenges you face in recruiting and training
cyber security faculty? What type of programs or opportunities do you
provide to help keep faculty current?

Challenges in recruiting and training cyber security faculty
The greatest challenge facing community colleges and their efforts
to establish cyber security programs is faculty recruitment and
development. Community colleges must try to compete with business and
industry for skilled practitioners. An additional challenge occurs when
individuals interested in becoming faculty members possess the
necessary technological skills, but lack teaching experience.
Programs or opportunities to help keep faculty current
In 2002, the American Association of Community Colleges (AACC)
sponsored the AACC/NSF Cyber Security Workshop. The workshop served as
a catalyst for community college professionals interested in cyber
security by identifying workforce and curricular needs and by
establishing a forum for collaboration among community colleges.
The NSF ATE program has provided vital resources to a number of
community colleges in an effort to establish cyber security programs.
These projects allocate a significant portion of the funding for
faculty development. The funds can be used in activities such as
product training, professional externship opportunities, and graduate-
level courses and workshops.
During the summer of 2004, the NSF ATE Regional Center for Systems
Security and Information Assurance (CSSIA) trained over 200 college
faculty in Security Awareness, Information Assurance, Network Security,
and Wireless technologies. CSSIA will continue to provide training
opportunities in new and emerging skills for faculty in subsequent
years.
It is clearly our belief that without these training programs, the
cyber security initiatives available to attending faculty would not
move forward to meet growing industry practitioner demands. Another
model designed to keep faculty current in emerging IT skills is the
Working Connections Faculty Development Institute. Working Connections
is co-sponsored by the NSF ATE National Workforce Center for Emerging
Technologies (NWCET), AACC and Microsoft Corporation to develop
professional skills of faculty in several regions throughout the U.S.

What can the Federal Government do to improve cyber security
education and build the Nation's technical workforce?

First, the Federal Government can encourage government agencies to
provide to community colleges their job descriptions and titles that
are appropriate for cyber security graduates of two-year community and
technical college programs.
Next, to improve cyber security education and build the Nation's
technical workforce, the Federal Government must continue to invest in
the programs and people that are making a difference in the education
and training of our cyber security workforce. Without the support from
programs such as the NSF Advanced Technological Education (ATE)
Program, many institutions would not have the resources or faculty
expertise to meet the challenges required to build quality cyber
security programs.
This concludes my statement Mr. Chairman and Members of the
Committee. Thank you for allowing me to address the Committee on this
issue.

Biography for Erich J. Spengler

Director/PI--CSSIA, NSF Regional Center for Systems Security and
Information Assurance

Erich Spengler holds a Master's degree from Loyola University and
has been a full-time faculty member at Moraine Valley Community College
for the past nine years. Mr. Spengler also has an extensive background
in information technology, security and information assurance. He holds
several major industry certifications, including CISSP, MCSE and CCNP.
Additionally, he has a broad background in network design and
infrastructure implementation.
Mr. Spengler currently serves as the Director and Principle
Investigator for the National Science Foundation (NSF) ATE Regional
Center for Systems Security and Information Assurance (CSSIA). This
regional center serves a five-state area of the Midwest and focuses on
a field which is critical to homeland security and which has a large
demand for qualified workers. The center is collecting, adapting, and
enhancing curricula in cyber security, modeling certificate and degree
programs, and providing professional development for college faculty in
the region.

Chairman Boehlert. Thank you, Mr. Spengler. And I can't
help but observe that 22 years ago, when I was a freshman
sitting down on the first row at the very end, community
colleges weren't even on the radar screen of the National
Science Foundation. And since then, I have worked very hard,
joined by colleagues, Republicans and Democrats alike, to make
certain the great opportunities presented by community colleges
have been recognized by the National Science Foundation. And
so, in the late '80's was born the ATE program, the Advanced
Technological Education program. And now, NSF recognizes what
you know very well, that the community colleges are very
important in the educational process of America. So thank you
for what you are doing so much.
Lieutenant Aparicio.

STATEMENT OF SECOND LIEUTENANT DAVID J. APARICIO, DEVELOPMENTAL
ELECTRICAL ENGINEER, INFORMATION DIRECTORATE, AIR FORCE
RESEARCH LABORATORY

Second Lieutenant Aparicio. Yes, sir.
Mr. Chairman, Congressman Gordon, Members of the Committee,
and staff, I very much appreciate the opportunity to provide
testimony in my personal capacity on cyber security education,
in particular my experience in the Advanced Course in
Engineering on Cyber Security.
And as an introduction on the National Strategy to Secure
Cyberspace, President George W. Bush wrote that ``securing
cyberspace is an extraordinarily difficult strategic challenge
that requires coordinated and focused effort from our entire
society'' and ``the cornerstone of America's cyberspace
security strategy is a public-private partnership.''
Last summer, I had the distinct privilege in participating
in the Advanced Course in Engineering, or ACE, on Cyber
Security at the Air Force Research Laboratory Information
Directorate in Rome, New York. The program immersed me in 10
grueling weeks of research, problem solving, and report writing
on a variety of cyber security issues. I completed all
requirements to call myself an ACE graduate and earned the
distinction of Class Valedictorian. I gained far more than just
a certificate of completion. I gained a mastery of the issues
on cyber security, which challenge our Nation today and shape
our future.
ACE uses a unique approach toward running the program. Once
a week, students are immersed in a one-day lecture covering a
specific area in cyber security, concluding with an assignment
of a real-world problem. Students must solve the problem, write
a report detailing their solution. For the rest of the week,
students work with their personal mentors on military and
industry projects with the Rome Research Site. This unique
combination of high-intensity instruction and military and
industry projects creates an environment that develops cyber
security leadership and situational awareness vital for our
future. ACE taught me not only technical confidence but mental
flexibility to solve any problem placed in front of me,
academic or critical.
I proceeded with great enthusiasm and duty because cyber
security is a gravely serious business. ACE introduced me to
many of the challenges of cyber security. Responding to the
challenges, I requested to return to the Air Force Research
Laboratory Information Directorate to contribute to the defense
of our Nation through cyber security awareness. With my new
view on the world, I plan to eventually work for the Central
Intelligence Agency or the National Security Agency.
The Advance Course in Engineering on Cyber Security
addresses the challenge of the National Strategy to Secure
Cyberspace by developing the top students in pre-commissioning
officer training programs into the next generation of cyber
security leaders. Through public and private partnerships among
the Air Force Research Laboratory Information Directorate,
Syracuse University, the Computer Applications and Software
Engineering Center of the New York State Office of Science,
Technology, and Academic Research, the Griffiss Institute on
Information Assurance, and several corporations, the ACE
follows the proven model of the General Electric Edison course
to transform engineers into original thinkers, problem solvers,
and technical leaders.
Far from creating another computer security training
program, the ACE seeks to develop cyber security leaders
through intensive, formal education, teamwork, problem solving,
mentoring, and immersion into a work environment. Gene Kranz
best described his mindset of an engineering leader in his book
``Failure Is Not an Option: Mission Control from Mercury to
Apollo 13 and Beyond.'' As director of the National Aeronautics
and Space Administration's mission control in the Apollo era,
Kranz led his engineers into uncharted territory, the moon, and
established our unchallenged leadership of space.
Cyberspace in the 21st century is no less challenging than
outer space in the 20th century. Besides, the security of our
Nation relies on establishing and maintaining unchallenged
leadership in cyberspace.
In two years at the Rome Research Site, ACE has attracted
students from 25 colleges in 17 states. In addition to Reserve
Officers' Training Corps, or ROTC, the students include
National Science Foundation fellows, Junior ROTC cadets, and
civilian scientists and engineers committed to careers in cyber
security. Educators include faculty from Syracuse University,
the U.S. Military Academy at West Point, and the State
University of New York, in addition to domain experts from the
Air Force Research Laboratory and industry.
The Federal Government can help cyber security education in
two ways. First, the government could increase efforts to
recruit younger generations, namely middle school and high
school students. ACE currently reaches to junior ROTC programs
to train college-bound students in cyber security. Secondly,
the government should consider increasing its cyber security
education through public service announcements. Just as the
government shows anti-drug campaign videos on television, basic
cyber security videos should be a staple of the American
television.
Mr. Chairman, Members of the Committee, and staff, thank
you again for this opportunity to present testimony and thank
you for your continuing support of the Air Force cyber security
education efforts.
[The prepared statement of Second Lieutenant Aparicio
follows:]
Prepared Statement of Second Lieutenant David J. Aparicio
Mr. Chairman, Members of the Committee, and Staff, I very much
appreciate the opportunity to provide testimony in my personal capacity
on cyber security education and, in particular, my experience in the
Advanced Course in Engineering (ACE) on Cyber Security. In his
introduction of The National Strategy to Secure Cyberspace, President
George W. Bush wrote that ``securing cyberspace is an extraordinarily
difficult strategic challenge that requires coordinated and focused
effort from our entire society'' and that ``the cornerstone of
America's cyberspace security strategy is a public-private
partnership.''
Last summer, I had the distinct privilege of participating in the
Advanced Course in Engineering (ACE) on Cyber Security at the Air Force
Research Laboratory Information Directorate in Rome, New York. The
program immersed me into ten grueling weeks of research, problem
solving, and report writing on a variety of cyber security issues. I
completed all requirements to call myself an ACE graduate and I earned
the distinction of Class Valedictorian. I gained far more than just a
certificate of completion. I gained a mastery of the issues of cyber
security, which challenge our nation today and shape our future.
ACE uses a unique approach towards running the program. Once a
week, students are immersed into one-day lecture covering a specific
area in cyber security, concluding with the assignment of a real-world
problem. The students must solve the problem and write a report
detailing their solution. For the rest of each week, students work with
personal mentors on military and industry projects within the Rome
Research Site. This unique combination of high-intensity instruction
and military and industry projects creates an environment that develops
cyber security leadership and situational awareness vital to our
future. ACE taught me not only technical competence, but mental
flexibility to solve any problem placed in front of me--academic or
critical.
I proceeded with great enthusiasm and duty because cyber security
is a gravely serious business. ACE introduced me to many of the
challenges of cyber security. Responding to the challenge, I requested
to return to the Air Force Research Laboratory Information Directorate
to contribute to the defense of our nation through cyber security
awareness. I plan to eventually work for the Central Intelligence
Agency or the National Security Agency with my new view of the world.
Many of my fellow ACE graduates received commissions where they put
to good use their increased command of cyber security and their
appreciation of its impact of national security.

ACE BACKGROUND

The Advanced Course in Engineering (ACE) on Cyber Security
addresses the challenge of The National Strategy to Secure Cyberspace
by developing the top students in pre-commissioning officers training
programs into the next generation of cyber security leaders. Through a
public-private partnership among the Air Force Research Laboratory
Information Directorate, Syracuse University, the Computer Applications
and Software Engineering (CASE) Center of the New York State Office of
Science, Technology, and Academic Research, the Griffiss Institute on
Information Assurance, and several corporations, the ACE follows the
proven model of the General Electric Edison course to transform
engineers into original thinkers, problem solvers, and technical
leaders.
Far from creating another computer security training program, the
ACE seeks to develop cyber security leaders by drawing from the top
students in Air Force, Army, and Navy pre-commissioning training
programs, in addition to the best among our civilian college students.
The pedagogical philosophy underlying the ACE seeks to develop
leadership skills through intensive formal education, teamwork, problem
solving, mentoring, and immersion in a work environment.
The ACE philosophy is best summarized in the following paradigm:
faced with a real-world problem, the graduates of the ACE learn to:

1. formulate a clear problem statement,

2. make reasonable assumptions,

3. apply sound analytical techniques and engineering tools,

4. solve the problem to a certain depth,

5. perform risk analysis on the solution, and

6. deliver a solution on time through effective communication
means.

Gene Kranz best described this mindset of an engineering leader in
his book ``Failure Is Not an Option: Mission Control from Mercury to
Apollo 13 and Beyond.'' As director of the National Aeronautical and
Space Administration's mission control in the Apollo era, Kranz led his
engineers into uncharted territory--the Moon--and established our
unchallenged leadership of space.
Cyberspace in the twenty-first century is no less challenging than
outer space in the twentieth century. Besides, the security of our
nation relies on establishing and maintaining unchallenged leadership
in cyberspace.
In its second year at the Rome Research Site, the ACE has attracted
26 students from 25 colleges in 17 states. In addition to Reserve
Officers' Training Corps (ROTC), the students include fellowship
recipients from the National Science Foundation Scholarship for Service
Cyber Corps program, cadets from the Air Force Junior ROTC, and
civilian scientists and engineers committed to careers in cyber
security.
The educators include faculty from Syracuse University, the United
States Military Academy at West Point, and the State University of New
York, in addition to domain experts from the Air Force Research
Laboratory and industry.
Besides attending formal classes and solving real-world problems,
the students spend about three days each week working under the
tutelage of a mentor. The mentors include active duty and retired
officers at the Air National Guard North East Air Defense Sector, the
Air Force Research Laboratory, and several local companies.
The duration of the ACE is ten weeks during the June-August
timeframe. Each week focuses on one area of cyber security as detailed
below:

1. Legal Issues: Internet laws and cyber crime; the Fourth
Amendment of the United States Constitution; search and seizure
of data; rights and privacy issues; government versus private
workplace; search warrants and wiretap laws; and the Patriot
Act.

2. Security Policies: Establishing and implementing security
policies; confidentiality, integrity, and availability
considerations; identifying vulnerabilities and threats; and
establishing disaster response and recovery procedures.

3. Cryptography: Mathematical basis for data encryption;
substitution ciphers and the Data Encryption Standard; private-
key and public-key cryptography; key distribution and trusted
authority; and digital signatures.

4. Computer Security: Operating systems and file system
security; passwords and one-way hashes; user-space
administration; archiving and back-up strategy; intrusion
detection; and disaster response and recovery.

5. Digital Forensics: Procuring and analyzing digital
evidence; preserving the chain of custody of digital evidence;
recovering hidden data on hard drives; classifying file
systems; analyzing slack and sector data; and recovering lost
clusters.

6. Network Security: Internet protocol format and
vulnerabilities; protocol and implementation flaws; buffer
overflow; denial-of-service attacks; distributed attacks; e-
mail; domain name system; and web servers.

7. Network Defense: Host and network security; firewalls and
periphery intrusion detection systems; bastion hosts; network
monitors and traffic analyzers; network logfiles; detecting
anomalous behavior; and network recovery.

8. Network Attack: Port scanners and packet sniffers; IP
spoofing; identifying vulnerabilities; designing and
implementing network attacks; engineering malicious code; worms
and viruses; and offensive cyber warfare.

9. Steganography: Data hiding in images; classifying
steganography algorithms and tools; categorizing vessel
capacity; detection and recovery of hidden data; digital
watermarking; streaming media steganography; and multi-lingual
steganography.

10. Next Generation Cyber Security: Wireless local area
networks; wireless encryption protocols; Next Generation
Internet Protocols; embedded systems; and third generation (3G)
cell phones and personal data assistants.

For each topic, the instructor in charge assigns a substantial
real-world problem that requires 40 to 80 hours of teamwork to solve.
Students work on teams of three to solve each problem, then write and
submit individual reports.

RECOMMENDATIONS

The Federal Government can help cyber security in two ways. First,
the government could increase efforts to recruit the younger
generations--namely middle and high school students. ACE currently
reaches out to junior ROTC programs to train college-bound students in
cyber security. Secondly, the government should consider increasing its
cyber security awareness through public service announcements. Just as
the government shows anti-drug campaign videos on television, basic
cyber security videos should be a staple of American television.

Biography for Second Lieutenant David J. Aparicio
2Lt David Aparicio is a developmental electrical engineer for the
Air Force Research Laboratory Information Directorate in Rome, New
York. He supports research and development of tools for multi-sensor
exploitation and communications intelligence. Lt. Aparicio was born in
Portland, Oregon, but calls Sugar Land, Texas, his native home. He
earned his Bachelor of Science degree in electrical and computer
engineering at Baylor University and received his commission as a Blue
Chip graduate of Baylor's ROTC program in 2003. Lt. Aparicio was also a
graduate and the valedictorian of the Advanced Course in Engineer on
Cyber Security in 2003. In his free time, Lt. Aparicio enjoys
photography, writing, and playing soccer.

Chairman Boehlert. Thank you very much, Lieutenant, and
thank you for calling me ``sir.'' I was a Specialist 3rd Class,
and so when an officer calls me ``sir,'' it sort of puffs me up
a little bit.
How many were in your class?
Second Lieutenant Aparicio. My class? There were 14.
Chairman Boehlert. And I think this year's boot camp has
28, double the number, something like that.
Second Lieutenant Aparicio. I will have to get back to you
on the exact number.
Chairman Boehlert. Well, the doctor is right behind you
nodding his head yes, so I have the privilege of addressing
him. It is exciting to think about your future.
Second Lieutenant Aparicio. Thank you.
Chairman Boehlert. Ms. Rogers.

STATEMENT OF MS. SYDNEY ROGERS, PRINCIPAL INVESTIGATOR,
ADVANCED TECHNOLOGY EDUCATION REGIONAL CENTER FOR INFORMATION
TECHNOLOGY, NASHVILLE STATE COMMUNITY COLLEGE

Ms. Rogers. Good morning, Mr. Chairman, and Representative
Gordon, and Members of the Committee.
[Slide.]
Today we examine the challenge of educating skilled workers
within the context of a world that is vastly different from the
world when I began my career 30 years ago. My colleagues and I
believe it is important to understand this new context in order
to adequately understand what is needed to design and implement
education programs that will develop a world-class competitive
workforce with respect to cyber security.
[Slide.]
The context of today's educational programs involves new
and constantly evolving technologies that are dramatically
changing every aspect of our society. New threats, such as
terrorism and identity theft, pose even greater security
challenges while the distributed nature of systems and data
storage complicates the control of security exponentially.
[Slide.]
Our response from a technical perspective has been to
mitigate these exposures as much as possible through
techniques, such as patches and virus protection software, and
then reduce the exposure to risk with technologies like
firewall protection and encryption. As a result, we find
ourselves addressing the symptoms and not the real problem:
systems designed and built without consideration of security.
Technicians work on individual problems without an overall
context. One Chief Network Officer in Nashville explains it
this way: ``We are fixing the symptoms because we are dealing
with legacy systems and our only solution is to fix the
symptom.''
[Slide.]
Education's response today is to focus technician education
on training for specific technical skills through certification
programs, expansion of course content, addition of new courses,
new concentrations, and new two- and four-year degrees, and
this slide shows in the background some of the programs we are
doing at my college and others in Tennessee.
[Slide.]
All of these approaches are necessary in order to protect
today's systems, but how do we educate for tomorrow's cyber
risk? How do we build a workforce that will know how to use
what they know in context and that will have the skills
necessary to understand constantly changing technologies and
what is needed to both use them and protect them?
[Slide.]
Our industry partners in Tennessee tell us, as depicted
here, cyber security professionals, who require the most
extensive technical knowledge, also represent a relatively
small number of workers who need specific highly technical
cyber security skills. To be sure, all information technology
professionals must possess technical skills necessary to
develop and maintain secure systems. Our employers tell us that
all workers need some understanding of cyber security and some
level of expertise in these skills. Even though community
colleges and our NSF work at my center touch all three of these
areas, our ATE focuses on the preparation of IT professionals.
[Slide.]
To meet today's need and, at the same time, build a
workforce that meets tomorrow's needs, we must move beyond
traditional curriculum development methods that focus on silos
of content with little context. That is not the first time--you
have already heard that today. We need to develop teaching and
learning methods that foster learning, thinking, and problem
solving in the context of the real world.
[Slide.]
We have developed model programs for bringing these
workplace experiences directly to the students and creating
more adaptable workers. Our contextual and problem-based
methods all share some common characteristics. First, they are
all based on authentic workplace problems. To bring these
authentic workplace problems into the classroom requires a
close and consistent working relationship with our business and
industry partners. Just as technology in the workplace is
changing constantly, these authentic experiences must also
change. By implementing these experiences for students, we are
also building a curriculum that adapts and changes with
changing technology and situations. Using these methods, then,
we can create an educational system that builds a closer link
between the content taught and the actual workplace application
while also developing workers who are more able to adapt the
knowledge they have to a rapidly changing world. Finally, to
effectively teach using these methods, faculty must learn to
function as highly skilled facilitators who guide students to
discover and understand the appropriate scientific and
technical knowledge.
[Slide.]
In Tennessee, the NSF/ATE projects have helped to develop a
strong foundation for re-educating current workers and building
programs for the future. For instance, we have just initiated a
program with the Tennessee Telecommunications Association to
re-educate some of their workers. Our faculty would not have
the skills and knowledge necessary to do this program properly
if we had not had the funding from the ATE program to provide
faculty development opportunities for them.
As for the future workforce in IT, we have piloted an
exciting program that brings real-time industry technical
problems directly to the classroom to be solved by students by
partnering industry technicians with faculty at the community
colleges and universities. Last year, some of these problems
included a network security problem at a music company and a
distributed data and networking problem for the Saturn
Corporation. Students at Nashville State Community College,
Roane State Community College, Tennessee State University,
Middle Tennessee State University, and Austin Peay State
University participated in this program to work more closely
with business and industry.
[Slide.]
The concepts and projects I have highlighted have given us
a fundamental knowledge base for educating cyber security
workers as well as all workers who need to understand their
work within the context of needed security. The road that has
brought us to this point required several years of work in
faculty development, materials development, and building
partnerships with business and industry. Others around the
country have worked on similar concepts with slightly different
approaches. Together, and with the support of the NSF/ATE
program, in two weeks, we will convene more than 250 community
college technological faculty and administrators, along with
some of their industry partners, university partners, and
secondary partners in 31 teams from 17 states across the
country in Nashville for Synergy 2004. The teams are
represented on the map you see. At Synergy, these teams will
begin to develop plans for educational reform of IT and IT-
enabled programs in their own regions of the country. Their
work will be anchored by presentations from leading experts in
teaching and learning, such as John Bransford, Jay McTighe, and
Pam Tate. To provide the context and one global perspective,
Doug Busch, the Chief Information Officer for Intel, will talk
to us about the type of IT workforce we need to build if the
country is to be competitive and to create jobs that will not
be candidates to offshoring. I expect Mr. Busch to confirm that
we are on the right track with the reform programs we have
stated. In an interview Mr. Busch recently provided for us, he
states, ``One of the key problems we see as private sector
participants trying to contribute to improved technological
education is the lack of a central focus for U.S. education.
Reform of technical education is so fragmented in the United
States that it often seems impossible to have a significant
positive impact. This is very different from the situation in
the countries the United States competes with. I believe it
would be very useful to have a single focus point.''
[Slide.]
We also expect those who attend Synergy to leave motivated
and prepared to begin to implement meaningful change. They will
need to be supported in their efforts, and I believe the ATE
program is looking for ways to do that. As I have explained, to
be successful, these community colleges will need to be closely
aligned with their business, industry, and government employers
who will rely on the future workforce. Although our program and
others have been successful in partnering with business and
industry, doing so remains a barrier to many programs.
Therefore, government programs that provide incentives for
business and industry participation with community colleges
would benefit all concerned. Initiatives that provide
opportunities for faculty and students to participate in real-
world internships will further support these efforts. Also, the
educational infrastructure in this country as it is currently
structured creates silos of educational programs. To make real
and substantial progress, we will need incentives to break down
these barriers so that we can begin to build an education
system for the future, one in which cyber security is a
fundamental part of the context and the outcome.
And the government's continued support of the ATE program
so that the necessary materials development, faculty
development in teaching and learning, and up-to-date technical
knowledge can occur will be vital to the success of these
colleges. Finally, to achieve the best result, technological
education should be made a national priority.
Thank you for this opportunity.
[The prepared statement of Ms. Rogers follows:]

Prepared Statement of Sydney Rogers

Good morning Mr. Chairman and Members of the Committee. My name is
Sydney Rogers and I am Vice President of Community and Economic
Development at Nashville State Technical Community College (NSCC) in
Tennessee. NSCC is located in an urban area and serves a student body
of approximately 7000 racially diverse students including approximately
26 percent African American. The average age of an NSCC student is 30
years. Many of our current students are already in the workforce and
attend NSCC to acquire new work skills, some enter the workforce
directly or transfer to Tennessee State University, a Historically
Black College or University (HBCU) located less than five miles from
our campus. Many others transfer to Middle Tennessee State University
(MTSU) in Murfreesboro, Tn., or Austin Peay State University (APSU) in
Clarksville, Tn.
For nearly a decade, Nashville State Community College has led a
regional effort to transform Information Technology education. The
Advanced Technological Education (ATE) program of the National Science
Foundation (NSF) has funded these activities. Our partners include the
regional universities just listed above, local school systems, and
dozens of business partners such as Saturn, BMI, Dell Computer, EDS,
Hospital Corporation of America (HCA), and Vanderbilt University
Medical Center, among others.
Today we examine the challenge of educating skilled workers within
the context of a world that is vastly different from the world when I
began my career 30 years ago. My colleagues and I believe it is
important to understand this new context in order to adequately
understand what is needed to design and implement education programs
that will develop a world-class competitive workforce, with respect to
cyber security.
The context of today's educational programs involves new and
constantly evolving technologies that are dramatically changing every
aspect of our society. New threats, such as terrorism and identity
theft pose even greater security challenges while the distributed
nature of systems and data storage complicates the control of security
exponentially.
Our response from a technical perspective has been to mitigate
these exposures as much as possible through techniques such as patches
and virus protection software and then reduce the exposure to risk with
technologies like firewall protection and encryption. As a result, we
find ourselves addressing the symptoms and not the real problem;
systems designed and built without consideration of security.
Technicians work on individual problems without an overall context. One
Chief Network Officer in Nashville explains it this way, ``We are
fixing the symptoms because we are dealing with legacy systems and our
only solution is to fix the symptom.''
Education's response today is to focus technician education on
training for specific technical skills through certification programs,
expansion of course content, addition of new courses, new
concentrations, and new two- and four-year degrees and this slide shows
some of the programs we are doing at my college and others in
Tennessee. All of these approaches are necessary in order to protect
today's systems, but how do we educate today for tomorrow's cyber risk?
How do we build a workforce that will know how to use what they know in
context and that will have the skills necessary to understand
constantly changing technologies and what is needed to both use and
protect them?
Our industry partners in Tennessee tell us, as depicted here; cyber
security professionals who require the most extensive technical
knowledge also represent a relatively small number of workers who need
specific highly technical cyber security skills. To be sure, all
information technology professionals must possess the technical skills
necessary to develop and maintain secure systems. Our employers tell us
that all workers need some understanding of cyber security and some
level of expertise in these skills. Even though community colleges and
our NSF work touch all three of these areas, our ATE focus is in the
preparation of IT professionals.
To meet today's need and at the same time build a workforce that
meets tomorrow's needs, we must move beyond traditional curriculum
development methods that focus on silos of content with little context.
We need to develop teaching and learning methods that foster learning,
thinking, and problem solving in the context of the real world. Not
only do workers need to know how to use their knowledge ``in context,''
but educational research has shown us that such methods produce great
improvements in learning and that students prepared in this way more
easily transfer what they know to new and different situations. My
colleagues and I believe the ability to transfer knowledge more quickly
will result in more adaptable workers who will be able to understand
more quickly and apply changing technologies. The term the researchers
use for this is ``adaptive expertise.'' Through a previous NSF/ATE
grant called (SEATEC-DUE 9850307), NSCC in conjunction with Saleh
Sbenaty of Middle Tennessee State University (MTSU), conducted a
research study that tested the theory that students would more easily
transfer technical knowledge learned using problem based case studies
than they would knowledge learned using traditional methods. Although
we did not address cyber security directly in this study, we believe
the concept of knowledge transfer is important in building a workforce
that is cyber security competent. For more information about this study
and the results please see the article by Dr. Saleh Sbenaty of MTSU in
the Proceeding of the 2002 American Society of Engineering Education
(ASEE) Annual Conference and Exposition. The community colleges in
Tennessee have learned much about how to transfer this research in to
practice through our NSF/ATE grants. In 1998, Gerhard Salinger one of
the lead program officers of the ATE program introduced us to John
Bransford from Vanderbilt University (now at University of Washington).
Dr. Bransford is the one of the editors of the National Research
Council's publication ``How People Learn,'' an extensive collection of
recent research on the subject. Working with him and his team of
researchers, we have begun to transform the way we structure the
learning environment. For information on how we have used this research
to transform teaching and learning, see article in American Association
of Community College Journal, October/November 2003 ``Transferring
Teaching and Learning Research to the Classroom'' by Sydney Rogers and
George Van Allen.
We have developed model programs for bringing these workplace
experiences directly to the students and creating more adaptable
workers. Our contextual and problem-based methods all share some common
characteristics. First, they are all based on authentic workplace
problems. To bring these authentic workplace problems into the
classroom requires a close and consistent working relationship with our
business and industry partners. Just as technology and the workplace
are changing constantly, these authentic experiences must also change.
By implementing these experiences for students we are also building a
curriculum that adapts and changes with changing technology and
situations. Using these methods, then, we can create an educational
system that builds a closer link between the content taught and the
actual workplace application while also developing workers who are more
able to adapt the knowledge they have to a rapidly changing world.
Finally, to effectively teach using these methods, faculty must learn
to function as highly skilled facilitators who guide students to
discover and understand the appropriate scientific and technical
knowledge. (See our websites for case studies of some of these
authentic problems. www.cite-tn.org and www.casefiles.org)
In Tennessee, the NSF/ATE projects have helped to develop a strong
foundation for reeducating current workers and building programs for
the future. For instance, we have just initiated a program with the
Tennessee Telecommunications Association (TTA) to re-educate some of
their workers. In a series of courses, including two courses on network
security, our community college faculty will teach the TTA employees
using the contextual and problem-based methods in the form of problem-
based case studies and real-time problems. Our faculty would not have
the skills and knowledge to do this if we had not had the funding from
the ATE program to provide faculty development opportunities for them.
Our NSF/ATE Center for Information Technology (CITE) sponsors an
electronic marketplace for workforce development called the Tennessee
IT Exchange. Employers and students can find out where to obtain
education on the latest technologies, including cyber security. The
community colleges in the region, Nashville State, Columbia State, and
Roane State along with the regional universities, TSU, MTSU, and APSU,
all contribute to the Exchange. The Tennessee IT Exchange may be viewed
at www.cite-tn.org. CITE also partnered with the local workforce
investment board to H1B-Visa funds to middle Tennessee for retraining
in IT. A portion of this training will be on cyber security.
As for the future workforce in IT, we have piloted an exciting
program that brings real-time industry technical problems directly into
the classroom to be solved by students by partnering industry
technicians with faculty at the community colleges and universities.
Last year, some of these problems included a network security problem
at a music company and a distributed data and networking problem for
the Saturn Corporation. Results at both the community college and the
university have exceeded expectations. For instance, Saturn and EDS
worked with us on two problems, one at NSCC and one at Tennessee State
University. Evaluations from students, faculty, and employers tell us
that students are more engaged and learn better and Saturn is now
considering implementing some of the student solutions at the plant.
See attached description of this type problem solved by students at the
DOE Y12 Security Complex in Oak Ridge, TN.
Last year and this year, CITE partnered with the Nashville
Technology Council to sponsor faculty and student teams at the
Technology Council's annual ``IT Security Conference.'' At this
conference, students' interaction with security experts and vendors
provides a context for their learning. CITE is also helping to
establish ``IT Academies'' in high schools across Tennessee to build a
pipeline of students who will enter the workforce or college in
technical IT careers. One such academy is located at Stratford High
School, an inner city, mostly minority school in Nashville. It opened
in the fall of 2003 with 97 students and nine faculty members. Thus
far, 57 additional students have applied to attend in the fall of 2004.
The concepts and projects I have highlighted have given us a
fundamental knowledge base for educating cyber security workers as well
as all workers who need to understand their work within the context of
the needed security. The road that has brought us to this point
required several years of work in faculty development, materials
development, and building partnerships with business and industry.
Others around the country have worked on similar concepts with slightly
different approaches. Together and with the support of the NSF/ATE
program, in two weeks we will convene more than 250 community college
technological faculty and administrators, along with some of their
industry partners, university partners, and secondary school partners
in 31 teams from 17 states across the country in Nashville for
``Synergy 2004'' (DUE 0412846). At ``Synergy,'' these teams will begin
to develop plans for educational reform of IT and IT enabled programs
in their own regions of the country. Their work will be anchored by
presentations from leading experts in teaching and learning such as
John Bransford, Jay McTighe, and Pam Tate. To provide the context and
one global perspective, Doug Busch, the Chief Information Officer for
Intel, will talk to us about the type of IT workforce we need to build
if the country is to be competitive and to create jobs that will not be
candidates to offshore. I expect Mr. Busch to confirm that we are on
the right track with the reform programs we have started. In an
interview Mr. Busch recently provided for us, he states, ``One of the
key problems we see as private sector participants trying to contribute
to improved education is the lack of a central focus for U.S.
education. Reform of technical education is so fragmented in the United
States that it often seems impossible to have a significant positive
impact. This is very different from the situation in the countries the
United States competes with. I believe it would be very useful to have
a single focus point.'' Several colleges and universities around the
country have collaborated to produce ``Synergy.'' They are Nashville
State Technical Community College in Nashville Tennessee, University of
Arkansas at Fort Smith, University of Massachusetts in Boston
Massachusetts, Springfield Technical Community College in Springfield
Massachusetts, and Bellevue Community College in Bellevue Washington.
Please see www.synergy2004.org for a complete description of the
meeting.
We also expect those who attend ``Synergy'' to leave motivated and
prepared to begin to implement meaningful change. They will need to be
supported in their efforts and I believe ATE program is looking for
ways to do that. As I have explained, to be successful, these community
colleges will need to be closely aligned with their business, industry,
and government employers who will rely on the future workforce.
Although our program and others have been successful in partnering with
business and industry, doing so remains a barrier to many programs.
Many small businesses cannot donate the needed time and resources to
our efforts. Therefore, government programs that provide incentives for
business and industry participation with community colleges would
benefit all concerned. Too, initiatives that provide opportunities for
faculty and students to participate in real-world internships will
further support these efforts. Also, the educational infrastructure in
this country as it is currently structured creates ``silos'' of
educational programs. To make real and substantial progress, we will
need incentives to break down these barriers so that we can begin to
build and education system for the future; one in which cyber security
is a fundamental part of the context and the outcome.
And, the government's continued support of the ATE program so that
the necessary materials development, faculty development in teaching
and learning, and up-to-date technical knowledge can occur will be
vital to the success of these colleges. Finally, to achieve the best
result, technological education should be made a national priority.
Thank you for the opportunity to give you this information about
our programs.

Biography for Sydney Rogers

Ms. Sydney Rogers is Vice President for Community and Economic
Development at Nashville State Technical Community College where she is
responsible for workforce development, distance education, student
services, computer services, and grants and development. Prior to this
role, she served as Interim Vice President of Academic Affairs and Dean
of Technologies at Nashville State Tech where she was also Department
Chair and Associate Professor of Computer Information Systems for 20
years. As Dean of Technologies, she was responsible for the overall
success of 21 degree programs in Engineering Technology, Computer
Technologies, Business, and Visual Communications.
Ms. Rogers serves as lead principal investigator for the Center for
Information Technology Education (CITE), a regional center funded by
the National Science Foundation, Advanced Technological Education
program and has led four other NSF ATE projects. Her work has focused
on the reform of technological education to create a more adaptable
workforce suited for the new century. She serves on three NSF National
Visiting Committees and several local boards. She has 30 years of
leadership experience in technological education and workforce
development.

Discussion

Chairman Boehlert. Thank you very much.
When academics and business people and military people and
elected officials talk about a subject like cyber security,
unfortunately, too often, it elicits muffled yawns, because
people aren't really, sort of, focusing on it at all. Let me
ask you this. Do we get it and do they get it? Now the ``we''
is America, in general. Understand the severity and the extent
of the challenges facing us. And do ``they'' get it? And I am
talking about young people, like you, obviously you get it,
Lieutenant, and guidance counselors, on the great opportunities
that are available in this field. Let us talk about in general,
do they get it? Most businesses think their computers are
secure. Most individuals, and we have got them by the millions
across America, have got all sensitive information about their
personal finances and everything else on their home computer,
and they think it is secure. Is it?
Mr. Hosmer, let me----
Mr. Hosmer. Actually, I don't think any of us get it. I
don't think any of us understand the threat of a cyber attack,
the stealing of our personal information at any level. I think
that we are still struggling with this, because the threat is
emerging. It changes every day at Internet speed, and we have
to react to it. One of the ways we try to counter that to get
it down into the high schools is we have created a high school
internship program, not only at the college level, to basically
bring high school students in to teach them what this is really
about today. And those students are going on further in their
education at the undergraduate and graduate level after leaving
high school to understand this. So we have to train our young
people to do that and understand what they can do about it. And
it is an exciting career opportunity. When you look at
television today and you look at programs like CSI Miami, etc.,
they are starting to excite young people about this particular
career, because it has all of the sex appeal that they are
interested in, and we need their help. And I think those
programs are actually introducing new ways for people to get
involved in these kinds of programs.
Chairman Boehlert. Lieutenant, you are nodding your head.
When an officer nods to a non-enlisted guy, he says, ``yes,
sir.''
Second Lieutenant Aparicio. No, I nod my head to the
Congressman. But I just wanted to just add on to what Mr.
Hosmer said that we do need programs, more programs in the
sense that--to bring awareness. And I think one example is what
we are doing right now in Rome, New York with the ACE program,
targeting JROTC to bring the awareness to everybody. They tell
their friends. They bring awareness, and that is just one less
person that we have to worry about.
Chairman Boehlert. You know, everybody talks these days
about identity theft. That is a big issue in America today. One
of the easiest ways to be a very active and successful criminal
in America today is to get a home computer and then go out and
pilfer information from individuals on personal computers, from
businesses, and--well, Mr. Baker, do you want to address that?
Mr. Baker. I was thinking about your original question,
too, about do we get it. And I think, on one level, we
certainly do. I mean, if you don't--if you watch TV in any way,
shape, or form, you, to some degree, get it. You know, there
can be identity theft. There are problems. Businesses get it to
some degree. Unfortunately, they sometimes get it a little too
late. They get attacked by the most recent virus. They don't
keep their software up-to-date to protect their systems and
that kind of stuff. I think the more important issue is that
the variety and levels of education that are needed and
awareness--I mean, it starts with awareness building. And from
there, it goes down to many deeper levels on the business side,
the legal side, the computer science side where we can actually
start building a cadre of professionals who can help protect us
in many different ways, from the psychological, you know, who
are these people and why do they attack us, to the more
physical, how do we protect our software, how do we protect the
networks, how do we protect our computers--personal computers
and that kind of stuff.
Chairman Boehlert. Mr. Spengler.
Mr. Spengler. I think when we look at the question of do we
get it and do businesses get it, I am looking at what has been
going on this year. And I think before this year started, I
don't think a lot of businesses did get it. But with the
proliferation of an enormous amount of viruses, business and
industry now are spending more time on fighting those issues
than actually enhancing and upgrading their networking systems.
Unfortunately, the people that do get it are the people who are
affected one at a time. It isn't almost until you are affected
that you do understand the critical importance of the nature of
it. What needs to be done is to focus on, again, and I totally
agree with the processes of security awareness, but
additionally, to focus on the policies and practices of
companies being able to look at and address these types of
issues.
From a curriculum standpoint at the community college, we
are positioned very well to address from a practical skills and
tools standpoint, these types of issues. Within our center, we
look at the flow of curriculum as being a critical direction,
being able to generate the new generation of practitioners from
a general security understanding standpoint to more specific
bridges in technologies to be productive in business and
industry, such as the health care and financial industries.
Chairman Boehlert. Ms. Rogers, do you have any----
Ms. Rogers. The employers that I have spoken with recently
about this, in particular I have spoken with a senior executive
in IT from one of the largest health care companies in
Nashville, and I think that they get it. I think he gets it. I
don't think he feels very secure. They are doing everything
they can, but I think he thinks it is fragile, but--and I am
paraphrasing--he said that we have got a dangerous combination,
because the people who are working on cyber security understand
it very well, those who are the professionals. But the--all of
the other workers don't get it, and he--and his words were,
``This is a dangerous combination.''
Chairman Boehlert. Well, let me assure all of you that we
get it on this Science Committee, but you would expect that
this committee does, on a bipartisan basis. My bill, the Cyber
Security Research and Development Act, was passed out of here,
passed by the House and Senate, signed into law by the
President. And that is very important, but you know, this room
should be packed with representatives of the media. We have the
specialty, technical press represented, but the popular media,
so more and more people begin to appreciate the severity and
extent of the problem.
When I was a young kid, I can remember vividly the Buck
Rogers' stories. You know, a man on the Moon and everybody used
to chuckle it would never happen. Last night, I attended the
35th anniversary of Apollo 11 when Aldrin and Armstrong walked
on the Moon. And right now, it is not farfetched to think in
terms if there ever is, God forbid, a World War III, it could
be fought not with guns and bullets or ships or tanks or
planes, but with computers. Our whole financial system, our
transportation network, our electric grids, so much is
dependent on a computer, so the subject here today is extremely
important. And that is why we value so highly your testimony,
and that is why we are focusing on education for the next
generation, the Lieutenant Aparicios and those who will follow
who will be on the front lines in this battle.
Thank you very much.
Mr. Gordon.
Mr. Gordon. Thank you.
Ms. Rogers, you have had experience with the NSF's ATE
program and said it had been helpful at Nashville Tech. Can you
give us any thoughts as to how that program can be improved in
either content or administration?
Ms. Rogers. I don't have any suggestions on how it could be
improved in the administration, although, you know, I might if
I thought about it longer, but to tell you the truth, I have
been involved for 30 years in higher education in a number of
federal programs and had a number of federal grants from
different programs. And I have to tell you that as far as what
is happening with ATE and technological education, it is of the
highest quality. It is the best one that I have ever worked
with. What I see as the problem, from my perspective, is that
there are so many more community colleges who need help in this
area, and you know, the funding pie is just what it is. So you
hate to say just put more money there, but the fact is that
there are a lot of good projects that are out there. Other
schools want to participate with us and they just can't,
because there is just not enough funding there. It is one of
the--it is the best program, federal program, I have been
associated with, frankly.
Mr. Gordon. Anyone else have any suggestions on improving
the ATE program?
Mr. Spengler. From an NSF standpoint, administration, I
think that NSF has--and the ATE, have been making solid steps
with--to look at the collaboration between the different funded
projects from NSF, which is allowing us to more broadly take in
the work that has been done in specific projects and
disseminate that work out to other schools that can benefit
from the work. It is firmly our belief that without the NSF/ATE
program, many of the faculty, quite frankly, couldn't afford
the types of training needed to have quality programs within
the schools, and many of the programs, absolutely, would not
exist within these schools.
Mr. Gordon. We frequently talk about and hear good and bad
about federal programs, but the NSF, I think more than anything
else, is consistently given high marks in all regards. We are
able to double the funds for NIH. I hope we are, at some point,
going to be able to double funds over a period of time for the
NSF. I think that is very, very important.
And Mr. Hosmer, in your written statement, you had talked
about there should be a role, a federal role, in establishing
national accreditation for cyber security education and
training programs. You know, typically that is done by non-
governmental entities. Could you elaborate more on why you
think there should be a federal role here?
Mr. Hosmer. Actually, it is an excellent point. One of the
things that we see is many of the training programs that are
out there that law enforcement, defense, corporate security
take in order to basically make themselves current, they
participate in these every year, and they spend a lot of money
and a lot of time. And many of those programs come with
continuing education credits from specific universities that
are associated with that particular vendor's training program.
Unfortunately, they end up with all of these ad hoc credits
from, maybe, 10 or 15 different universities, and there is no
way to bring them together in order to get a degree or any kind
of overwhelming accreditation.
The second problem is that there are so many courses that
are out there trying to understand the quality issues that are
associated with each one of those programs and which ones to
select and which ones to take because the investments are
significant. What we are seeing in the marketplace today is
typically $750 to $1,000 per day of, you know, advanced
training in any kind of digital investigation or cyber
security, plus the time and the travel in order to be able to
do it. So you could easily spend $25,000 to $30,000 per year
per employee in order to take these, and they come out of it
with a certificate and not with any kind of degree from----
Mr. Gordon. Those are legitimate concerns. I guess my
question, though, is why--or what would be a federal role here
where typically it is, you know, a non-governmental
accreditation body that does those sorts of things?
Mr. Spengler. I think the government role can be one of
coordination, one of bringing together those universities that
are accrediting all of these courses out there and trying to
come up with some sort of national program, not to basically
administer it, but actually to coordinate it, to hold more
hearings on how to bring those things together so that the
universities and industry partnerships can be formed so that we
can solve this basic problem. It is not being solved by the
universities by themselves or the industry partners by
themselves, and it needs some sort of organization that can
basically help bring that together.
Mr. Gordon. Anyone else have any--yes, sir.
Mr. Baker. I look at it as two different issues. One is
accreditation. And I understand where you are coming from. If
you look at the model where business programs are accredited,
that is somewhat of a private institution, ACSB, those
accreditations, so to speak, for business programs, and I think
that is the kind of context in which your question is coming
out. You know, shouldn't we have that kind of model for
accreditation for security programs? But I think the first step
to that process is creating standards in education, looking at
the variety of education needs from the end user in a
particular discipline, be it medicine or manufacturing or
whatever the area is, and the levels of people. Some staff just
need to be aware of what is going on, and to know that they
should be thinking about security, all of the way to the more
technical level where we look at software development and the
issues of applications development to security and network
development and the security that goes with those kinds of
things. You know, in the classroom, we often joke with the
students about, you know, how are you securing your log-on to a
particular system, you know. You put in a very difficult
password and user ID, but in point of fact, you can't remember
it, so we go to putting it on a little piece of, what, paper
and sticking it next to your monitor and, you know, gee, no one
would think to look there to find the user ID and password. You
know, those kinds of things. Be aware of not doing those
things. You know, from awareness all of the way down to the
more technical levels. So I think it starts with, you know,
what kinds of security education needs to be done, what kind of
standards should apply to that at what levels in different
disciplines, and then look at accrediting different kinds of
programs, because they--there are different needs at different
levels.
Chairman Boehlert. Thank you very much. The gentleman's
time has expired.
The Chair recognizes the distinguished Chairman of the
Subcommittee on Research, the gentleman from Michigan, Mr.
Smith for five minutes.
Mr. Smith. Mr. Chairman, thank you.
Really an exciting hearing in terms of the potential for
problems that we have already looked at. It seems to me,
though, that a country, such as the United States that probably
has a greater dependency on the Internet and computer systems
and the fact that the inter-connectedness of these systems,
whether it is banking or food distribution or the military or
airlines or anything else, big corporations, the military, the
inter-connectedness is very important because of the
usefulness. And it seems to me that that brings in two
questions, not only the cyber security and the potential for
damage because of the inter-linking of the computers, but also
the physical, potential physical damage that could be done to
central servers. So part of my question, Mr. Baker and Mr.
Hosmer and maybe Lieutenant, is should there be or is there any
consideration for somewhat of a confidential setting for the
server systems that might be more vulnerable to physical
attack?
Mr. Baker. The short answer is probably yes. The longer
answer is look at some of the protection systems that have been
put in place by various organizations. If you take the events
of September 11 and look at what occurred on September 11, the
computer systems in point of fact were ready to go fairly
quickly after that occurred, because they had already--most of
the financial industry, which is highly dependent on network
information systems, had their systems off-site, remote
locations, not easy to get to in one single attack. They
recognize disaster recovery planning and the needs for it. So
they were somewhat prepared.
Mr. Smith. So are you saying that most of these systems,
whether you are a large corporation or a financial institution,
the way we move money or move materials or move airplanes or
move personnel, that they have more--they have several servers
that can accommodate the damage to any one single facility
server? I sort of was under the impression that a lot of these
corporations and the people that--where they outsource server
networking accommodations are centrally located.
Mr. Baker. Some organizations will. Most of the medium to
larger sized organizations will have backup systems. They will
do remote off-site storage. There are a number of organizations
that provide off-site storage capability in various parts of
the country and recovery capabilities in various parts of the
country. And some organizations have redundant systems where--
--
Mr. Smith. How serious would be the physical damage of a
car bomb, an Oklahoma type bomb or a bunker buster type bomb,
to a large, central server center that does work for even--
either--for anything?
Mr. Baker. My guess would be probably down for a day or
two, but if it is any sizable organization, they recognize the
need for, again, disaster recovery planning and have probably
put in place the ability to get back up fairly quickly. You
know, one of my former roles, before I came into education
full-time, was to run an IT organization for a large group. And
the issue that we addressed most importantly was disaster
recovery. And we had put in place the ability to get back up
and running within a day or two.
Mr. Smith. Mr. Hosmer, at Utica, or Mr. Baker, at Johns
Hopkins, what would be the salary for an individual graduating
with a Master's degree in--specializing in cyber security?
Mr. Hosmer. Well, that certainly depends, you know, on the
job that they are going to take, but the starting salaries out
of those are certainly in the $50,000 to $75,000 range in our
region for graduates, and that could be higher in other parts
of the country, certainly, but as a starting salary, that would
be very typical.
Mr. Smith. So if a terrorist organization that didn't look
like a terrorist organization offered $150,000, they probably
could hire the greatest talent that might be graduating?
Mr. Hosmer. Just about anybody they wanted to, sure.
Mr. Baker. Okay. Now your point--the previous question that
you asked is that, you know, we tend to think about cyber
attacks or attacks on the physical infrastructure from the
outside in. The greater threat is from the inside out. The
insider threat that we have to counter inside our organizations
and the trust that we put in people that have access to those
systems. And in, typically, most organizations, it isn't one
person that has the keys to the kingdom; it is typically
multiple people in the organization that have keys to the
kingdom. Everybody has root access in order to be able to
access those systems and modify them. So the real threat, from
a cyber security perspective, is the insider threat, and we
focus most of our attention on the outsider threat where, in
fact, we need to turn more attention to the inside.
Mr. Smith. Will your graduates--concluding, Mr. Chairman.
Will your graduates or--Lieutenant----
Second Lieutenant Aparicio. Aparicio.
Mr. Smith [continuing]. Aparicio, will their talents and
what they learned be obsolete because of the technological
advances that are taking place in computers? And it is such a
changing evolution, it seems like, just in the last 10 years of
what has happened in research and science and computers, will
what we are learning now--is it continually being updated for a
person that wants to be in that field? Lieutenant----
Second Lieutenant Aparicio. Sir----
Mr. Smith [continuing]. Are you going back to refreshers
every six months?
Second Lieutenant Aparicio. Oh, well, I was going to
comment on that. We have to--as military members, we are always
being trained, having required reading courses, and it is just
part of professional education to keep up. And as--to answer
your question about the graduates, I don't believe that they
would be obsolete if they keep on learning. The students that
we target, they are not necessarily what I would say the
average, but there are requirements, and most of them have
higher aspirations to continue on learning. I think that that
is true for most people who--you know, you don't just stop
learning right after high school. You don't stop learning after
college. To keep up----
Mr. Smith. Sometimes when you get to Congress, it slows
down a little bit.
Second Lieutenant Aparicio. I wasn't implying that, either,
sir.
Mr. Smith. Thank you, Mr. Chairman.
Chairman Boehlert. And that is why we invite expert
witnesses like that to continue to be teaching.
The gentleman from Washington, Mr. Baird.
Mr. Baird. Thank you very much. I thank the Chairman for
hosting this important meeting, and I thank the panelists.
I had the coincidental good fortune of riding on the flight
here with the gentleman who wrote the security standard for
wireless Internet technology. It is one of those great
serendipitous things. And I asked him to look at some of the
issues today. And I thought his comments were interesting. He
personally suggested to me that the notion of a certification
exam probably was going to be obsolete before you actually--by
the time you have created the exam, the world of real-world
change has probably exceeded the exam, so he didn't think we
should spend a lot of time on that. And certainly my
experience, which is limited, but--would suggest that may be
the case.
Two questions I have, one from him and then one of my own.
He expressed a challenge that academics often have a difficult
time working within the government setting, and within, more
importantly, perhaps, with industry. So you have got the
academics, the cryptographers, etc., working on the
mathematical equations within the academic institutions, but
then you have got the people working on the standards within
industry. And one of this gentleman's claim to fame was he
basically broke into the initial wireless standard in about 30
seconds flat. He just looked at it and said, ``You have got a
huge flaw here,'' because basically the folks doing the
industry side were the guys working on the radio side of it and
the broadcast side of the--of wireless, and he was looking at
the cryptographic issues. So the question I would have is what
obstacles do we face in terms of interactions between the
academic side, the government standard setting side, and real-
world industry that is creating the hardware and software that
we use, and how can we address those?
Mr. Spengler. I would like to address just--the obstacle we
face is the complexities of developing quality faculty and
spending those times becomes difficult when you are looking at
practical experience. Sometimes we look at developing those
skills and then we bring those skills to the classroom. But for
faculty to really be effective and efficient within the
classroom environment, they need to understand the applications
of technologies out in the workforce. It is our belief that the
encouragement of faculty participating in real-world work
experiences is critical to the ongoing development, not just
the attending of courses, to build a finite set of skills that
might be changed in a quick manner. What we try to encourage is
to establish relationships with business and industry not just
to look at the concept of students being able to go out in the
professional development environments but for faculty to
participate. For example, we are working with a hospital called
Gotlieb Hospital in the Chicago area and implemented voice-over
wireless within the hospital. So we approached them, and we are
working on a partnership with this hospital, and again, we are
trying to model that throughout the Midwest for us to be able
to identify meaningful projects that are going on out in
industry and to be able to schedule those and including faculty
as part of those projects. What we are finding that is very
interesting is that in many times--in many cases, faculty are
actually able to excel in those areas because of their detailed
knowledge of the actual technologies and they are actually able
to offer a lot to business and industry at the times they are
participating in this type of externship opportunities.
Mr. Baird. Great example.
Ms. Rogers.
Ms. Rogers. I would like to address that, too. The basis
for almost all of our work at our NSF project has been to
develop what we call contextual problems, but it is all based
on authentic workplace experiences. We have two kinds. One we
call problem-based case studies where current problems in
industry are brought into the classroom. But even in more
recent types of authentic experience we have the students
actually solving industry problems, real-time in working with
the industry. And we think that we have to make that a part of
the curriculum development process so that we have a dynamic
curriculum development process.
Mr. Baird. That makes sense to me.
Ms. Rogers. And the other thing that I think is relevant
here is that the whole issue of retraining that comes up in
understanding new information, what we have worked on, and
education research supports this, is that we know how, by
structuring the learning environment the right way, to create
workers and employees that are more adaptable. We know--we have
evidence of how to make people transfer knowledge better from
one situation to new situations based on the way that they are
taught. So if we can further that effort and teach them
differently, we can create a workforce that is more adaptable,
and therefore more able to understand the new stuff as it comes
out.
Mr. Baird. Thank you.
Mr. Baker.
Mr. Baker. Yeah. One of the things--a couple of things that
come to mind, you know, one, the question of, you know, can we
keep up with the technology as it is evolving, and to some
degree, yes. And that is a little bit of the difference between
training and education. We look at education as the process of
teaching a student how to learn so that they can keep up on
their own. You know, training is learning how to do something
very specific. Education is teaching how to learn, how to do
information literacy, how to research things, etc. And a second
comment, along with the ones that Ms. Rogers was making, that
you know, in our programs, we have the same kind of--I don't
want to call it experiential, but completion part of our
program where at the end of their degree, we like to
characterize it as you need to see where the rubber meets the
road. Okay. Here is what you have learned in the classroom, now
let us take it out into the practical world. So we have a
senior project where students over, roughly, a 20-week period
of time are doing projects for organizations or doing some
applied research for organizations, etc., so that they can take
what they have learned and then see how it really works, you
know, from the real-world perspective, so that they can
understand the translation of yes, I learned this theory and
sometimes it doesn't work, but sometimes it does, and here is
how I can improve things.
Mr. Baird. Mr. Chairman, I know my time is expired. I
might, if I may--I appreciate those answers. The one thing I
would say--the question I was going to ask, but I know I am out
of time, but for a future reference----
Chairman Boehlert. You can ask the question. Go ahead.
Mr. Baird. Well, it is--oh, he is gone. Okay. The question
is this. My understanding is that increasingly chip fabrication
facilities are locating--they have been, for a long time,
locating offshore in Taiwan, but now increasingly on Mainland
China. The fabs are going there. Increasingly, we know that we
are outsourcing code writing, and I have a two-part concern as
this relates to cyber security. One, are we losing or is it--
maybe is it eroding our technological, educational, academic
base of expertise in these areas so we are going to get more
and more people with more expertise abroad than domestically?
And two, is code written or hardware developed offshore posing
a security threat that we need to be cognizant of?
Mr. Hosmer. That was what I thought your question was
originally, and I was going to address that. I mean, obviously
most of the vulnerabilities within systems today are
vulnerabilities caused by bad software. Okay. And the reason is
that security is typically an afterthought, not a forethought,
in the process of developing these systems. Further
complicating it are your exact points of moving most of the
software development offshore. The estimates are the next
version of Microsoft Windows is going to have 100 million lines
of code. If you think about 75 or 80 percent of that being
developed offshore, and this is the critical infrastructure
that we are basing our Nation on, it is certainly a risk to be
concerned about, because it is impractical to walk through
every line of software in those systems in order to be able to
address the threat. So we have to come up with a better way,
and that goes into training and education to build better
software, but also how do we assess and analyze that in order
to basically determine if it is safe.
Mr. Baker. Yeah, one of the things I would say is it also
is a matter of jobs and students going into programs wonder if
there is going to be a job coming out, and to some degree, the
answer is no, and so they think of other things to do.
Mr. Spengler. I would like to add one more item on that. We
initially started our center focusing on predator protection
and information assurance. And one of those--one of the issues
that quickly came up was the idea of secure coding. When taking
a look at the available programs in secure coding, we found
that there wasn't a lot currently out there as far as structure
and secure coding environments. We contacted some professionals
in the industry, and they concurred, and that is one of the
directions of secure coding. Does it pose a risk if those jobs
and that software are moved offshore? My answer would be yes.
Ms. Rogers. One of the employers in Nashville said that
secure coding is worse than Y2K with no end in sight.
Mr. Baird. Expand on that, if you would, Ms. Rogers.
Ms. Rogers. Well, he sees the problem as, you know,
especially in the legacy systems where what we are trying to do
is protect and just sort of patch what has already been
developed out there, because those systems weren't developed
with security in mind. And so if we think about developing the
future workforce so that they can develop our new systems and
doing so with security in mind is part of the design on the
front end, but then if you add the issue of taking those jobs
offshore, then you have really got a problem, as you pointed
out. I mean, he--and he said that this problem that we are
dealing with the legacy systems all over the country is--it--I
think that--his word wasn't fragile, but that was what he
meant.
Mr. Baird. I appreciate that we now know a new problem. I
don't know that we will get the solution in today's hearing,
but it is----
Chairman Boehlert. Thank you very much.
Well, I will wrap it up with sort of a two-part question.
The first part is do we know the extent of the challenge? And
it has been suggested by many that entities, whether they be
private sector businesses or public sector government, are
reluctant to share information about their vulnerabilities. And
so we really probably don't know the extent of the problem. And
secondly, what do we do? How would you suggest we do something
to promote a national awareness program so that the individual,
the business, people across the broad spectrum will appreciate
that this is a very serious issue facing the Nation at a
critical time and we better darn well be responsive in
addressing the issue? Two-part question. Do we know the extent
of the problem and how do we increase public awareness so
that--well, that is enough.
Mr. Hosmer or anybody?
Mr. Hosmer. Well, I think the extent of the problem has
always been an issue. It has always been underreported, because
of the concern that it would have on the organization.
Legislation, like Sarbanes-Oxley, that has been passed that
requires the reporting of those kinds of things and that will
go into effect on November 15 of this year, are going to
require at least publicly-traded corporations to provide public
data about those threats, also about audits and other things
that could have been modified. So that is a step in the right
direction, so there is going to be more full reporting, at
least from publicly-traded companies, on those kinds of
impacts. But there is still a lot that is not going to be
reported. And I think without that reporting and understanding
of the problem and the sharing of that information, everything
in this area has been underfunded because of that. I think the
awareness issue is attempting to be addressed through
conferences and workshops that are popping up everywhere in the
country. I have seen an increase in participation and the
number of those over the last two to three years. They have
been significantly increasing from virtually every aspect of
our community. And the attendance, because we go to all of
those, has been significantly up. So that is happening
automatically through the normal channels, but it is certainly
still not enough. I mean, we still need to get this information
out to people to talk about the threats about the
vulnerabilities that are out there and encourage some sort of
national communication and reporting of the problems that we
face.
Chairman Boehlert. You know, I recall a conversation I had
a few years ago with an executive of a credit card company,
who, at that time, and this was maybe eight years ago, told me
that his company's experience--well, they lost, on average,
about $100 million a year due to fraud, most of which was
perpetrated using cyber systems. And he said his company
concluded that was an acceptable loss, because it would
probably cost them more than that to prevent that loss. And I
said to myself, just like me, Americans have a lot of plastic
in their pocket. And we are paying interest rates higher than
we should pay, because we have to cover that fraud and that
loss. So it affects every single person in a variety of ways.
Mr. Baker.
Mr. Baker. It is interesting you would mention that,
because you know, one of the thoughts that came to my mind when
you talked about awareness programs, to some degree, business
is doing it for us. You look at the Citi Bank ads with identity
theft. You know, they are hard to forget, because they are so
cute, but they drive the point home, ``Be careful about the
information about you,'' which is an awareness program. It is
an awareness campaign. Taking it to other levels and other
areas is another story, you know, protect your computer and
that kind of stuff, you know, because it is only about
protecting the credit card that you have. To some degree,
legislation that has been passed has already helped. I mean,
HCFA [Health Care Financing Administration] is raising
awareness in the medical area. Sarbanes-Oxley, as Mr. Hosmer
has already indicated, is going to certainly raise awareness in
the private sector of what we have got to do. To some degree, I
don't think they quite understood yet what it really means, but
it certainly will hit them square in the face, you know, when
they start getting questions about their finances. And
business, to some degree, and you have already kind of
expressed this, looks at it as a cost of doing business. So if
it costs me $300 million to put in security and I lose $100
million, on balance, I will pay the $100 million instead of
$300 million.
Chairman Boehlert. But you don't pay the $100 million, we
do.
Mr. Baker. Right. That is correct.
Chairman Boehlert. Anyone else care to--Lieutenant?
Second Lieutenant Aparicio. Sir, I was going to try and
answer a comment on both of those questions, and the--to the
point on the knowing the extent of the challenge, I think we
know the challenge, but America does not necessarily understand
the challenge. But the people who really do are the younger
generation. And so for, like a lot of people, they say, ``Well,
I can't fix my computer, but my son does,'' or ``My daughter
can fix it, because I don't even know what is going on.'' And
so again, that shows that we understand that the younger
generation has more of a command on that. And what we need to
do is be targeting that next generation who is going to be
running everything around here soon and educating them. And how
we, again, could help out is just, as mentioned earlier about
the Citi Bank or credit card commercials that we see that we
laugh at, we need to be, probably, doing some sort of
announcements or putting it on TV where we all can watch and
see the extent of it. You know, just like a simple, ``Would you
park your car in DC unlocked? Well, then why do you have your
network,'' you know, ``running open, too?'' You know.
Chairman Boehlert. Sure.
Second Lieutenant Aparicio. Just things like that, but I
would just say we need to be targeting the younger generation.
Chairman Boehlert. Well, let me say we agree with that
wholeheartedly, and we are comforted on this committee and in
Congress when we see young people like you with your very
impressive record and direction in which you are going. And you
are reflective of so many more that are with you and doing what
you are doing. We just need more of you.
Second Lieutenant Aparicio. Thank you, sir.
Chairman Boehlert. Anyone else? Mr. Baker.
Mr. Baker. I--yeah. Interesting you were talking about the
younger people, and I agree with that about the grade schools
and the high schools, and it is kind of anecdotal information,
but it kind of drives home the point of how much the younger
generation understands technology. My son is here today, and
one of the things I talked about in my class about him, he
doesn't know this yet, is that in the fifth grade, he did five
PowerPoint presentations that year.
Chairman Boehlert. In the fifth grade?
Mr. Baker. In the fifth grade. And the next year, he wanted
to stop doing those and go back to doing poster boards, because
it was a lot of work. But I think it underscores just how much
technology that the younger generation understands. He likes to
get on the Web. What does he like to look for? Game codes so
that he can figure out how to get through his video games
faster and get more advanced----
Chairman Boehlert. Mr. Baker, that allows me to get an
applaud for something this committee has done. We are
responsible for the science and math initiative for America,
because we look at the international comparisons. And our
youngsters, when compared to their counterparts around the
world in math and science proficiency, if you issue a report
card, there is need for improvement. The fourth graders are
about on par with their counterparts around the world in math
and science proficiency. The international comparisons show
that by the eighth grade, we are falling a little bit behind,
and by the twelfth grade, we are way down on the list. That is
not good enough for America. So we, in this committee, the
Science Committee, Democrats and Republicans working together,
added to the No Child Left Behind big education initiative,
something that is called the Math and Science Partnership
Program. We are determined to do a better job of producing more
people like Lieutenant Aparicio, because if we fail on that
mission, shame on us. We are not going to fail. We are going to
succeed.
Does anyone else have anything for the good of--Mr. Hosmer.
Mr. Hosmer. Just one final point on your--the acceptable
losses from the credit card companies. The reason that there
can be no acceptable losses, regardless of who is paying the
bill, is because where are those funds going that have been
stolen, because criminal organizations and terrorist
organizations attack those infrastructures in order to fund
their other operations? And I think that we have to look at all
of those losses and find out where they are going, because they
may be going into a place that none of us would accept,
regardless of how small the losses were.
Chairman Boehlert. Thank you very much.
I wish the media would beat a path to the door of the boot
camp, cyber security boot camp up in Rome, New York. This year,
they have got about 28 Aparicios up there, and they are the
best and the brightest from all over the country. They have
such a promising career path ahead of them, and as you have
observed in the upstate region, you know, a graduate starts at
$50,000 to $75,000. That is not a bad start. And the future is
virtually unlimited for them, so we have got to do a better job
of advising more people of the great opportunities and also
heightening the awareness of the American public on the
challenges that face us.
And you have been facilitators for this committee in that
regard, and I thank you all for your testimony. This hearing is
adjourned.
[Whereupon, at 11:35 a.m., the Committee was adjourned.]

Appendix:

----------

Answers to Post-Hearing Questions
Responses by Chester ``Chet'' Hosmer, President & CEO, WetStone
Technologies, Inc.

Questions submitted by Representative Bart Gordon

Q1. In general, what is the state of credentialing for cyber security
professionals?

Q1a. Are there certification standards in place or under development
for cyber security education and training programs?

A1a. Certification today comes in basically two flavors: Formal
training courses held for law enforcement, such as those held at the
Federal Law Enforcement Training Center (FLETC), and the International
Association of Computer Investigative Specialist (IACIS). These courses
offer certifications that carry significant weight in the community.
The second is courses being offered by commercial organizations
offering certifications. These certifications are offered by the
hosting organization. Typically the certification requires the
participants to take a test that is a combination of a written test and
a practical examination.

Q1b. Do formal mechanisms exist to develop such standards, and if so,
please describe how they work?

A1b. Certainly on the federal level, certifications offered by FLETC
and IACIS are reviewed by advisory boards. In the commercial sector, a
similar model is put in place by organizations offering the training.
However, the acceptance of these credentials is based primarily on the
respect for the organizations offering the training, which is based on
the perception in the marketplace.

Q1c. To what extent are academic credits for cyber security studies
earned through programs at one institution transferable to another in
furtherance of meeting degree requirements?

A1c. Several organizations (WetStone being one) have entered
partnerships with colleges and universities to offer continuing
education units (CEU's) for students completing training courses. Here
in New York State, the formula is typically .1 CEU per contact hour.
Therefore, a two-day--16-hour training course would yield 1.6 CEU's. In
our case, our instructors, course materials, and curriculum are
reviewed by the college and then approved. Periodically, professors
will sit in on one of our courses and provide feedback and suggestions.
The use of these CEU's is an important consideration, and my suggestion
is to establish criteria for national recognition of the CEU's that
would allow these credits to be applied more easily toward degree
programs.

Q1d. Is there a federal role in establishing national accreditation of
cyber security education and training programs, and if so, how would
you characterize it?

A1d. I believe the advancement of cyber security education and training
is an essential ingredient in improving our nation's cyber security
posture. The Federal Government has an opportunity to work with, and
bring together colleges, universities, training organizations and those
charged with the protection of our critical cyber security resources,
to help establish standards and accreditation for professionals at all
levels. I would recommend the establishment of a working group that
could, within a short-time (12 months), study the situation further and
deliver a report to the House Science Committee with recommendations
regarding the needs, impact and nature of such a national
accreditation.

Q2. What is the supply and demand situation for individuals with cyber
security expertise? What evidence do you have that such individuals are
in demand, and what skill sets are most in demand?

A2. Today the investigation of cybercrime activities is at an all time
high. Virtually every law enforcement organization in this country has
increased their backlog of cases involving digital or cyber evidence.
The law enforcement agencies that we work with are constantly seeking
assistance, new technologies and methods to speed the investigative
process, and additional human resources to interpret the results. Today
more and more digital evidence relating to both traditional and
cybercrime activities enters U.S. Courtrooms. The need for highly
trained cyber security professionals that can collect, analyze,
interpret and report on cyber activities is upon us. We must rapidly
expand this cyber security workforce with individuals that are not only
talented, skill and dedicated, but also bring a high degree of
integrity and ethics to the process.
Answers to Post-Hearing Questions
Responses by John R. Baker, Sr., Director, Technology Programs,
Division of Undergraduate Education, School of Professional
Studies in Business and Education, Johns Hopkins University

Questions submitted by Representative Bart Gordon

Q1. In general, what is the state of credentialing for cyber security
professionals?

Q1a. Are there certification standards in place or under development
for cyber security education and training programs?

A1a. While there are some recognized credentials for information
security professionals, there is no widely recognized, independent
credentialing organization or process currently in place. Unlike
accounting and other professions, the `standard' is to recognize
credentials offered by companies established to do the credentialing.
ISC², CompTia and SANS are the most widely recognized
organizations providing such credentials. Each has some `standards' for
their credential and a course intended to prepare the professional to
take the credentialing test, which they also provide.

Q1b. Do formal mechanisms exist to develop such standards, and if so,
please describe how they work?

A1b. I am not aware of any formal mechanisms currently in place to
develop fully independent credentialing for security professionals at
various levels.

Q1c. To what extent are academic credits for cyber security studies
earned through programs at one institution transferable to another in
furtherance of meeting degree requirements?

A1c. The typical arrangements are for one institution to accept credits
from another accredited institution. Academic institutions in the U.S.
are accredited by a regional accrediting organization, sanctioned by
the Dept. of Education. (Johns Hopkins is accredited by the Middle
States Accrediting body.) However, each institution usually reserves
the right to not accept credits from another institution, usually,
because 1) the number of credits to be transferred in for a student
exceeds some limit, 2) they are not applicable to the program the
student will be entering at the new institution, or 3) there is some
question of validity of the sending organization or the credits.
Also, if the organization that is providing the credits is from
outside the U.S., another process is in place to determine the validity
and applicability of the incoming credits.

Q1d. Is there a federal role in establishing national accreditation of
cyber security education and training programs, and if so, how would
you characterize it?

A1d. At the moment, the federal role should be reserved to encourage
the industry to develop an independent set of credentialing criteria.
This could be accomplished through some small grants intended to start
such a process, and/or the development of specific standards within the
Federal Government for various levels of security professionals.
Credentials should be tied to specific job task or employment
requirements. NIST has done some work in this area.
Once the credential requirements are established and the process
for determining if a professional has met the credential requirements
is in place, the industry can usually provide plenty of opportunity to
receive the appropriate training or education needed to receive the
credential.

Q2. What is the supply and demand situation for individuals with cyber
security expertise? What evidence do you have that such individuals are
in demand, and what skill sets are most in demand?

A2. Anecdotal evidence suggests the will be plenty of opportunities for
security professionals. Network security appears it will be the most
sought after expertise in the near future.

Q3. You indicated in your testimony that NSF has not been able to
support innovative initiatives in information security education
because of funding issues. Could you expand on this comment, and in
particular, what kinds of innovative initiatives are not getting
support?

A3. In discussing this issue with colleagues, they have indicated their
understanding is NSF has not received its full funding and therefore is
not able to support some proposals in the area of cyber security
education. However, they did not provide specific information about
their concerns.

Q4. What has been your experience with the NSF Scholarships for
Service program in terms of its ability to attract good students and
its success in placing graduates in federal agencies? Do you have
suggestions on ways to improve the scholarship program?

A4. Hopkins' experience with the SfS program has been good. Earlier we
had some problems placing the students, but that seems to be much less
of a problem at this point.
Answers to Post-Hearing Questions
Responses by Erich J. Spengler, Principal Investigator, Advanced
Technology Education Regional Center for the Advancement of
Systems Security and Information Assurance, Moraine Valley
Community College

Questions submitted by Representative Bart Gordon

Q1. In general, what is the state of credentialing for cyber security
professionals?

Q1a. Are there certification standards in place or under development
for cyber security education and training programs? Do formal
mechanisms exist to develop such standards, and if so, please describe
how they work?

A1a. The current state of credentialing encompasses an ongoing debate
regarding the modeling of curriculum on industry certification. This
debate focuses on the balance between certification standards and
required skill sets. As academic institutions construct the basis for
cyber security curriculum, several factors must be considered. These
factors include the reflection of current industry demand identified by
job skill proficiency and alignment to existing standards or
certification through government or private entities. Therefore, one
set of standards is not in place, but the debate for its development is
indeed ongoing.
Job skills proficiency and the mastering of industry knowledge
often represent the framework used to construct cyber security programs
from a practitioner outcome perspective. Cyber security skills are
often identified through a thorough examination of current and future
employer hiring needs. This process is often costly and must be ongoing
to ensure consistency with current employer demands. Failure to
accurately represent needs may result in programs that lack necessary
components to adequately prepare cyber security professionals. To avoid
these situations, many vendor and non-vendor organizations have
established education/training programs and certification processes for
benchmarking information security knowledge.
I would caution the use of the term certification standard at this
point, as this may convey that a single model of authority exists. In
fact, there are currently many available models that can be used when
creating cyber security education and training programs. The following
represent only a few of the models that developers evaluate when
establishing their curriculum framework:

(1) The International Information Systems Security
Certifications Consortium, Inc. (ISC) ² (ISC) ² maintains what is referred to as
the Common Body of Knowledge for Information Security (CBK).
They administer certification examinations and require the
maintenance of post certification credentials through
continuing education. The CBK provides a common foundation for
the mastering of information security skills. The Certified
Information Systems Security Professional (CISSP) and System
Security Certified Practitioner (SSCP) are certification
examinations offered to candidates wishing to demonstrate
proficiency in areas of CBK knowledge.

(2) The National Security Agency/Central Security Service

The Committee on National Security Systems (CNSS), chaired
by the Department of Defense, works with the National
Information Assurance Education and Training Program (NIETP) to
develop Information Assurance training standards. Under these
standards, the Information Assurance Courseware Evaluation
(IACE) program is used to ensure compliance with national
standards including:

CNSS and (ISC) ² are examples of the many groups that
are working to provide standards in information security education and
training. Others include the SANS Institute Global Information
Assurance Certification (GIAC), CompTIA Security+, the National
Institute of Standards and Technology (NIST) Special Publication 800-
16. Additionally, vendors such as Microsoft, Cisco Systems Inc., and
IBM develop product-specific and technology-specific security
certifications. A growing challenge exists when determining which of
the aforementioned certification standards should be incorporated as
curriculum is mapped to certification.
The National Security Agency (NSA) currently implements the
Information Assurance Courseware Evaluation (IACE) Program. This
program enables cyber security education and training programs at
academic, government and commercial organizations and most recently
community and two-year technical colleges, to map curriculum to
national standards as set forth by the Committee on National Security
Systems (CNSS).
The National Science Foundation Advanced Technological Education
(NSF ATE) program continues to play a major role in the identification
and development of appropriate standards for education and training
programs in cyber security related areas. The NSF ATE program also
encourages collaboration between organizations tasked with the
formulation and development of such standards. Over the next year, the
NSF ATE Regional Center for Systems Security and Information Assurance
(CSSIA) will partner with the National Workforce Center for Emerging
Technology (NWCET) to enhance and review current skill standards. This
group will also determine opportunities for alignment with other skill
standards identified by (ISC) ², CNSS and others.

Q1b. To what extent are academic credits for cyber security studies
earned through programs at one institution transferable to another in
furtherance of meeting degree requirements?

A1b. There is a clear weakness in the transferability of academic
credentials from one institution to another. With a lack of common
standards for program certification, schools construct programs
reflecting different standards. Some programs may place an emphasis on
a particular vendor's cyber security skill requirements while others
may emphasize a more general non-vendor approach. This results in
curriculum that is difficult to articulate on a course by course basis
resulting in earned credits not transferring. When earned credits do
not transfer, barriers emerge for students as they continue the pursuit
of cyber security related careers. Institutions should be encouraged to
emphasize a common set of standards or certification criteria in cyber
security. Through this, academic education and training programs will
substantially increase pathways toward articulation.
As noted in my original testimony, community colleges play a
critical role in the education and training of the Nation's workforce.
The American Association of Community Colleges (AACC) also indicates
that community and technical colleges enroll 44 percent of all U.S.
undergraduate students, including 11.4 million credit and non-credit
students. From these numbers, some 200,000 certificates and 450,000
associate's degrees are granted each year. As cyber security programs
emerge we must consider that the ability to meet degree requirements
will be significantly reduced without emphasizing pathways,
articulation agreements, and common standards. The NSF ATE program
supports projects that provide guidance and leadership in the area of
career pathways, articulation and standards. NSF ATE Centers continue
to focus on these initiatives.

Q1c. Is there a federal role in establishing national accreditation of
cyber security education and training programs, and if so, how would
you characterize it?

A1c. The Federal Government can play a role in the national
accreditation of cyber security education programs. Most recently,
inviting community and two-year technical colleges to submit requests
under the National Security Agency (NSA) Information Assurance
Courseware Evaluation (IACE) Program is a move in a positive direction.
We must, however, recognize that the acceptance of other standards such
as (ISC) ², SANS, CompTIA, and (NIST) SP 800-16 are becoming
prevalent in their relationship to business and industry workplace
skills and therefore will remain a vital component of the curriculum
development process.

Q2. What is the supply and demand situation for individuals with cyber
security expertise? What evidence do you have that such individuals are
in demand, and what skill sets are most in demand?

A2. As stated in previous testimony, the NSF ATE Regional Center for
Systems Security and Information Assurance (CSSIA) and its partners
conducted a survey of companies in five mid-western states to determine
the job demand for IT security-related positions, desired skills, and
preferred educational levels. The study was completed in the spring of
2004 at a regional level and shows evidence that the demand for cyber
security related skills is growing. At the completion of this survey, a
total of 340 responses from companies throughout the Midwest were
received. Respondents were divided into small (less than 100
employees), medium (100-499) and large (500 or more) companies. An
overwhelming 99 percent of respondents were concerned about Internet
and computer security. Almost three-fourths of respondents said their
company currently employed people in IT security positions and IT
security positions were more likely to be part-time or shared positions
(part-time security along with other IT duties) than dedicated (full-
time IT security). Table 1 below shows employment projections based on
these 340 responses.
Additional summarized responses are as follows:

A total of 340 responses were received. Respondents
were divided into small (less than 100 employees), medium (100-
499) and large (500 or more) companies.

Almost all respondents were concerned about Internet
and computer security.

Almost three-fourths of respondents said their
company currently employed people in IT security positions.

IT security positions were more likely to be part-
time or shared positions (part-time security along with other
IT duties) than dedicated (full-time IT security).

Part-time security responsibilities can be or are
being added to most IT areas, including network administrator,
help desk, network engineer, applications developer and systems
analyst.

Associate's degree graduates will be able to find IT
security positions, both at the entry-level and experienced
level, but Bachelor's degree graduates are preferred.

The most popular types of security training provided
for IT staff were self-study and commercial vendor training
site. Somewhat more than two out of ten used community college
classes.

Respondents indicated a total of 166 current openings
for IT security positions, and projected more openings in one
year (N = 237) and still more in three years (N = 422).

One-fourth of respondents said their company would be
hiring new IT security staff within the next year. Slightly
more than half said there was shortage in the current supply of
qualified applicants for entry-level IT security positions.
Large companies were more likely to be concerned about Internet
and computer security, to have security positions, to have
dedicated (that is, full-time) security positions, and to
require a Bachelor's degree than medium and small companies.
More than half of respondents indicated some interest in
participating in IT security activities such as serving on an
advisory committee, acting as an internship site, providing
work-site tours, or other partnering activities.
Answers to Post-Hearing Questions
Responses by Sydney Rogers, Principal Investigator, Advanced Technology
Education Regional Center for Information Technology, Nashville
State Community College

Questions submitted by Representative Bart Gordon

Q1. In general, what is the state of credentialing for cyber security
professionals?

Q1a. Are there certification standards in place or under development
for cyber security education and training programs?

A1a. Certification standards for information security professionals
have been developed by the National Security Agency (NSA) and the
Committee on National Security Systems (CNSS). These standards have
been incorporated into the Information Systems Security Professional
certification offered by CISCO Systems. Many other organizations offer
certification programs in information security. Although I do not know
for sure, I assume they also incorporate the NSA and CNSS standards.

Q1b. Do formal mechanisms exist to develop such standards, and if so,
please describe how they work?

A1b. I am not qualified to answer this question; however, I assume the
information is available from the NSA and the CNSS. I have included a
URL that provides information about those who are working on this
problem.
http://www.nsa.gov/ia/academia/

Q1c. To what extent are academic credits for cyber security studies
earned though programs at one institution transferable to another in
furtherance of meeting degree requirements?

A1c. In Tennessee, credits for cyber security studies will transfer
from one higher education institution to another to the same degree
that all other technical and courses in a specific discipline transfer.
At Nashville State Community College, students may be awarded college
credit toward a degree in computer networking for non-credit
certification courses in cyber security and those credits will transfer
to university programs that are of like disciplines. At this time in
Tennessee, these credits are primarily for individual courses that are
a part of degree programs in networking and telecommunications rather
than for an entire degree in cyber security.

Q1d. Is there a federal role in establishing national accreditation of
cyber security education and training programs, and if so, how would
you characterize it?

A1d. From my perspective at the community college, it seems that
accreditation standards for cyber security programs are being
established by the commercial community and training programs and is
widely available. If there is a federal role, I think it would be to
provide a coordination or leadership function to actually get these
programs implemented and get students enrolled. For instance,
information coming to the college must be sought out by the college and
although my college does this to some degree, many colleges do not.
Too, most experts agree that for the country to achieve the best
outcome, all programs must include some elements of cyber security
training. If this is to happen, a proactive national effort to
disseminate information and materials about the subject to community
colleges, universities, and State and local school systems will be
necessary. A suggested approach might be to have an office within the
Department of Homeland Security with a function to coordinate all the
information being developed about cyber security through NSF, NSA, and
other departments and proactively organize distribution of those
resources and the need to implement the programs all across the country
to colleges and local school systems.

Q2. What is the supply and demand situation for individuals with cyber
security expertise? What evidence do you have that such individuals are
in demand, and what skill sets are most in demand?

A2. At my college, we have seen little demand for workers with specific
expertise in cyber security. Instead, we have seen increased demand for
network technicians and the job listings specify security knowledge as
a part of the overall job description. Listings include knowledge and
skills in firewall protection, knowledge of virus software, etc. In one
case, an advisory committee for the health industry asked for all
employees to have some understanding of cyber security and we have
heard from other employers that they would like to see the curricula of
all programs include elements of cyber security education to varying
degrees. We have seen an increase in the number of requests for network
technicians during the last quarter. From March to May of this year we
had 16 requests for such technicians and from June through August, we
had 24 requests for the same job title. Most of these employers assume
that the network technicians have specific knowledge of cyber security.