Those who read my Security Debrief posts or my Tweets will recognize (maybe with a groan) that one of my “issues” is the lack of action in Awareness and Education with regard to cybersecurity. It is not a sexy, nor a potentially lucrative issue, but I believe with all my heart that it is the foundational piece of any eventual “solution” to our cyber woes. We will never really “solve” this, but if we are to remain in the game with the bad guys, we must do better than we are now.
Last week I participated in a conference hosted by NIST. It was designed to advance the National Initiative for Cybersecurity Education (NICE – a really unfortunate acronym). For two days, we discussed the Awareness efforts being led by DHS, examples of seemingly successful education efforts in the Maryland area and some points of view from industry.
The NICE program has four pillars:
- Awareness (for the general population);
- Education (aimed mostly at K-12);
- Training of the Federal Work Force; and
- Professional Certification.
I will comment on the first three, as I do not consider myself truly qualified to opine on the Professional Certification program.
In regard to Awareness, DHS clearly recognizes the importance of the program. They have put some serious assets against this need, but frankly, it is way too little and way too slow (one hopes it is not too late). They are planning six town hall-style events for the coming year. Yes, I said SIX. When I questioned Bruce McConnell, the counsel to the Deputy Under Secretary for National Plans and Programs, as to this paucity of engagements, he sheepishly admitted that it was not enough, but it was all they could do at this time.
I have said before that based on my experience in speaking outside the Beltway, the Feds could deploy speakers to every local Chamber of Commerce, every Kiwanis Club, and every PTA meeting in America to do a basic presentation on the cyber threats, general issues, and basic cyber hygiene methods, plus Q&A. It would be eaten up by the American public, which is starving for information in this area. DHS’s answer is to solicit volunteer “Ambassadors” to do this task. Great idea, but nowhere near sufficient.
Education is likewise weak at this time. We need a course on cybersecurity taught to every student K-12 and college, every year. The dynamic nature of the subject is such that you never “arrive,” so we need to teach it over and over. The goal is not to make everyone a computer engineer but to reinforce best practices and basic skills that would make the entire system more resilient. Dribs and drabs will not work and will be less than a band-aid.
Work Force Training for the federal work force is probably fine, but NICE should also push for Work Force Training writ large. There is no distinct line between the Federal system and the networks of all their private sector partners. Therefore, we need to develop workforce training programs for the American Work Force, not merely the Federal one. I recognize the magnitude of this, but we will get what we pay for. Additionally, we must acknowledge that this sort of training is needed by the entire workforce, not only for the IT folks. If we target only those who are already technologically proficient, we will have failed.
Bottom line of Bucci’s rant is this: we need to make Awareness and Education a real priority and expend the money, time, and personnel to do it correctly. Simply put, the present NICE plan is good but too small. God bless the folks who are working so hard to make this successful. Let’s give them the assets and backing to succeed.