This is a copy of my National Cybersecurity Awareness Campaign Challenge proposal. I licensed it under the Creative Commons Public Domain license when I submitted it to DHS on 02010 April 30. Since its submittal, two updates have been made to the document:
- The term “secondary education” has been replaced with the correct term “higher education.” I was misusing “secondary education” to include the college and university education level.
- The term “America” has been replaced with “United States.” Again, I was misusing the term “America,” in the sense that an American public exists in all of North, Central and South America. While the aim of this project should include a global audience, to begin it should start in the United States.
The Big Picture
- The problem: The United States public is an extremely large and diverse populous and is generally unaware of cyber risks.
- The mission: To clearly and comprehensively communicate with the United States public about the issues concerning cyber security.
- The vision: An informal network composed of various teams and communities organized to share and disseminate cyber security knowledge.
Bill Clinton, regarding health clinics in Rwanda, said that it’s not enough to create one, but that you’ve got to create a system that will work better and better. Public awareness concerning the safe use of the Internet and of the devices that connect us to the Internet requires a holistic strategy. The Department of Homeland Security (DHS) has a complex problem to address concerning the cyber education of residents in the United States. This complex problem is a common problem in every nation in the world, and it is going to take efforts from a global community, the Internet community, to minimize the dangers of using the Internet. The solution to this common problem has to be flexible in order to adapt to the dynamic nature of information and communication technologies that use the Internet. The solution to this common problem also has to be scalable to reach beyond mass-media outlets and be personable so that learning individuals can appreciate the need for Internet best-practices.
The Federal Bureau of Investigation (FBI) created InfraGard in 1996, a public-private partnership to assist the private sector with managing critical infrastructure. DHS needs to create a similar partnership to assist the public with becoming cyber literate—to understand the risks involved with uploading and downloading data and information via the Internet. DHS is in an ideal position to facilitate a cyber education movement in a very organized, informal and cost-effective way. The objective of this movement is to set the foundation for an international network of experts that will create and manage an education framework of solutions for all communities. The facilitation of this movement should entail an expansion of the National Cyber Security Alliance (NCSA) that would engage with colleges and universities to manage education programs tailored to their immediate and surrounding communities.
Richard McDermott and Douglas Archibald, in an article titled Harnessing Your Staff’s Informal Networks from the March 2010 edition of the Harvard Business Review magazine, describe the value of informal teams and communities to “share knowledge and attack common problems.”
“Consider the rise and fall of an informal group of experts at a large water-engineering company located just outside London. Starting in the early 1990s, they began meeting weekly to discuss strategies for designing new water-treatment facilities. The gatherings were so lively and informative that they actually drew crowds of onlookers. (The company can’t be named for reasons of confidentiality.)
The community initially thrived because it operated so informally. United by a common professional passion, participants would huddle around conference tables and compare data, trade insights, and argue over which designs would work best with local water systems. And the community achieved results: Participants found ways to significantly cut the time and cost involved in system design by increasing the pool of experience that they could draw upon, tapping insights from different disciplines, and recycling design ideas from other projects.”
[Harvard Business Review, March 2010, Reprint R1003F]
It is critical that any program designed to educate a population as large as the one inside of the United States do so with care that takes advantage of the uniqueness of individual communities. This program must approach each and every community within the United States with systems that are already available, thereby decreasing the overall cost to DHS while increasing outreach effectiveness. By expanding NCSA, DHS can interface with, at first, colleges and universities across the United States that have information technology related education programs.
The High-level Phases
The NCSA expansion should include several phases in order to build an infrastructure that can support the mission and vision previously outlined. An NCSA expansion must include network creation within the United States, but it must be done in a highly organized and targeted way in order for the network to propagate itself. This network self-propagation is necessary for the network to expand beyond the physical boarders of the United States. The second phase of the NCSA expansion must include an international audience. Cyber literacy is a matter of national security. Cyber literacy extends beyond the borders of the United States because cyber crime outside of the United States directly affects the state of national security. Therefore it is required that the cyber education movement includes an international audience to draw on resources beyond our own.
In order to educate the people of the United States on such large scale, the NCSA expansion must utilize colleges and universities throughout the United States. These already established systems (college campuses) are critical because they are already integrated into their communities, and because they contain the people needed to help DHS with its new mission. The successful completion of this process entails finding students and faculty that are interested in the information assurance profession, and by providing these experts and to-be experts with an infrastructure that will allow them to interface with specific parts of their communities in order to grow and share information. NCSA would be responsible for disseminating the following to these higher education teams:
- Step-by-step processes, goals and objectives in formats organized using systems analysis and design (SAD) models. By providing a common framework that is common among business organizations, SAD models will allow for future integration and the ability to increase the knowledge and experiences of the students involved.
- Information packages with up-to-date, specific cybersecurity information. These information packages will be the primary resources for higher education teams, providing the main content that will be disseminated throughout the team’s community. Information packages will be supported by an online database and social network tailored to the needs of the larger community.
- Communication tools that will bridge gaps between teams with the goal of creating stronger communities. The primary objective of teams will be the development of their communities. NCSA can conduct research that will find organizations that can support nearby higher education teams, or vice-versa, and act as a hand-shake intermediary.
The secondary objective of teams is the establishment and facilitation of cybersecurity information. The following processes will help explain how this will take place.
Higher Education <–> Private Sector
The private sector is an important part of the United States public cyber learning effort. This is because the information assurance best-practices that need to be shared with the general United States public must interface, at some level, with private sector business practices. What people practice at home must make sense with the general practices carried out at work. Therefore it is important for NCSA to support symbiotic relationships with the private sector, through the higher education teams, in order to expand local communities. These symbiotic relationships should support the following goals:
- Increase networking potential on all levels, for both students and business professionals, helping to satisfy the primary objective:
- By connecting students to business professionals, students can ask questions and get answers based on experience. Students will also be in a position to ask for meaningful internships within their communities.
- By connecting business professionals to students, business professionals can ask students to conduct specific research projects. Businesses will also be in a position to see how specific students perform in a business setting.
- An NCSA expansion can support quarterly meetings between students and business professionals in pre-determined regions. These quarterly meetings can:
- Provide direct networking opportunities, as outlined above
- Provide opportunities for students to present to business professionals their findings from their research and teaching experiences
- Support a regional community of information assurance professionals for sharing emerging threats and their expected impacts at work, at home and in school
- It has been claimed that two thirds of all business organizations in the United States have no Internet security policies. Higher education teams in cooperation with NCSA can offer no-cost education programs specific to business organizations that need to better their information assurance programs, or to create them. This can be done via specific information packages provided by NCSA. These packages can include, but are not limited to, general employee training, general security auditing, and general policy development. The information packages provided by NCSA can include resources for local businesses that provide professional consulting services if it is found that these business organizations need to meet federal or state regulations.
Higher Education <–> City Council
City councils generally have special projects or programs that can affect local business organizations, schools, or public facilities or events. Each of these entities/locations interface with the Internet on some level, which means the city council is a perfect place to increase cyber literacy. Higher education institutions in cooperation with NCSA can offer educational programs specific to the needs of city councils, either directly to city councils, or directly to entities that interface with city councils. Because there can often be multiple higher education institutions in any given region, this will present an opportunity for these higher education teams to strategically work together to accomplish their goals concerning the secondary objective.
Higher Education <–> Community Centers
Community centers provide higher education teams a neutral location to offer no-cost public services for general cyber awareness events, helping satisfy the secondary objective. Adult attendees can take information packets to their workplace, spreading general cyber awareness, and by providing these workplaces contact information for the higher education teams for future awareness training. This will help satisfy the primary objective.
Higher Education <–> Primary Education
Primary education institutions are the focal points for higher education teams concerning the secondary objective. Each year, primary education students increase their experiences with Internet facing devices. Primary education teachers are not thoroughly educated to teach cyber security topics to their students. The higher education teams can relieve primary education institutions by providing them with no-cost information packages, provided by the NCSA, and no-cost training services, provided by the higher education teams. Again, this interface with primary education institutions provides adults the opportunity to share the services provided by the higher education teams with their family and friends, helping satisfy the primary objective.
NCAE <–> NCSA Expansion
The National Security Agency (NSA) National Centers of Academic Excellence (NCAE) generally have very large information assurance networks, either within their respective universities or in their professional communities. NCAE can support NCSA by:
- Being the test-beds for the NCSA cyber literacy expansion
- Expanding student-lead research opportunities, helping satisfy the primary objective
InfraGard <–> NCSA Expansion
InfraGard can assist NCSA by helping develop the information packages designed for business organizations, helping satisfy the secondary objective. InfraGard can later integrate itself into regional communities, expanding the higher education team’s community, helping satisfy the primary objective.
AmeriCorps <–> NCSA Expansion
AmeriCorps can work with NCSA by providing national community service opportunities to provide cyber security awareness training to regions of the United States with no nearby higher education teams. These opportunities could be team-based or individual-based. This extended service could then establish its network, helping satisfy the primary objective, by making new contacts in these isolated regions of the United States.
The opportunities presented in this paper are colossal for both DHS and for information assurance students in higher education. Each of these processes and experiences must be designed to be recorded in a privacy-conscious, systematic fashion. This documentation will then be integrated back into the NCSA developed social network and database for continued, sustainable growth.
The primary objective of teams will be the development of their communities. The secondary objective of teams is the establishment and facilitation of cybersecurity information. These distributed teams and communities will form an informal network of information assurance students, managers, community leaders, researchers, practitioners and educators. Combined, DHS will have access to plethora of talent and means to educate the United States public. This strategy will take time and careful planning, but once begun, it will be a system that will get better and better over time.