Enable breadcrumbs token at /includes/pageheader.html.twig

National Security Agency Program Fills Critical Cyber Skills Gaps

Centers of excellence educate network warriors.

The Centers for Academic Excellence-Cyber Operations program is succeeding, NSA officials say, but enthusiasm at some schools has been dampened as a result of documents leaked by former NSA contractor Edward Snowden.

The Naval Post Graduate School in California is designated a Center of Academic Excellence-Cyber Operations. Three or four more schools likely will be announced in mid-June.

Students from around the world can participate in the Centers of Academic Excellence-Cyber Operations program, but only U.S. citizens can participate in the agency’s internship program.

The first graduates are emerging from centers of excellence for cyber operations that teach the in-depth computer science and engineering skills necessary to conduct network operations. The program better prepares graduates to defend networks and should reduce the on-the-job training needed for new hires, saving both time and money.

The National Security Agency (NSA) initiated the Centers of Academic Excellence-Cyber Operations (CAE-CO) program in 2012. Eight schools were designated centers of excellence in the first two years with another round of announcements expected in mid-June. Agency officials say they hope eventually to have a total of 20 to 25 schools on the list.

The effort is a deeply technical, interdisciplinary, higher education program firmly grounded in the computer science, computer engineering and electrical engineering disciplines. “We had noticed that a lot of graduates coming out of universities didn’t have quite the same skills that they’ve had in the past,” recalls Steve LaFountain, dean of the College of Cyber, National Cryptologic School, and the distinguished academic chair for information assurance and cyber, NSA. “Some of the skills needed in the cyber operations field, such as low-level programming, deep knowledge of networks and network protocols and understanding of operating systems internals, were starting to become less emphasized by academic programs.”

The change in school curricula is understandable because a lot of jobs today are focused on Web applications and mobile applications and require a different skill set than today’s cyber operations, he adds. “Instead of doing C programming, they’re now doing Java, Perl and Python programming. We decided to create this program and focus the requirements on the skills necessary for cyber operations,” LaFountain explains.

Cyber operations is a niche area, but the need for more qualified workers is acute. “It’s a critical need for the nation. Studies say that there are hundreds of thousands of empty jobs out there that are missing some level of cyber expertise, whether it’s the folks who are doing information assurance; are monitoring systems; or are building new security technologies. The program will help fill a critical need for the future,” LaFountain emphasizes.

The CAEs offer both four-year undergraduate programs and two-year graduate-level degrees, and the effort now is starting to pay off. “Since it is only two years old, students who have gone through the whole program have really just started to graduate. My hope is that they come in much better prepared,” LaFountain offers. Most graduates can work wherever they please, but for those who hire on at federal agencies, that additional preparation can save both time and money. “We have to spend 10 to 18 months training them on areas we would hope they would get in school. We’re hoping to eliminate that time delay and that cost. It’s actually a pretty significant cost to educate someone for a year or 18 months,” he notes.

Furthermore, the students sometimes contribute solutions for actual cyber operations problems. For example, they may research new products NSA employees have no time to examine closely. “As things are created through tremendous industry innovation, we need knowledge quickly on what those capabilities are, how they work, what their strengths and weaknesses are. Sometimes, we don’t have the manpower to look at everything,” LaFountain observes.

Last year, the agency also initiated an internship program that provides more real-world experience, including a challenge problem the interns work on as a group. “Last year the challenge problem was in a new area of networking: software defined networking. At the end of the internship, they briefed some of the mission folks who are interested in that area, and the mission folks were just amazed at how much the interns were able to accomplish in just a summer,” LaFountain asserts, adding that agency officials hope to grow the internship program. “When they come into the summer internship, they get exposed to actual cyber operations information, and they will be better prepared to do the job.” To participate in the internship, or to work at the NSA, applicants must be U.S. citizens.

The CAE-CO program also benefits participating schools. Having the designation makes schools eligible to apply to the National Science Foundation for “capacity building” grants to increase their curricula, LaFountain points out. They also can apply for scholarship grants for students under the CyberCorps: Scholarship for Service program. “It’s a two-year scholarship, so it could be the last two years of their undergraduate program or the two years to get a master’s degree. It’s completely paid for by the National Science Foundation, and all the costs are covered,” LaFountain reports. “The students also get a living stipend so that they don’t have to get a part-time job to keep themselves alive while they’re going through school.” Students awarded scholarships under the scholarship for service program agree to work for the government for two years upon graduation.

The CAE-CO schools also are each assigned a cyber operations expert who acts as a liaison. The liaison is expected to visit the school at least twice a year, meet with the faculty and offer research challenges. The liaison also will speak with students. “The students better understand the job and what to expect if they come to work at NSA or at Cyber Command, or the FBI or any of the other government entities that have a role in cyber operations,” LaFountain reveals. “It’s a valuable relationship that gets created. It gives the faculty and students a lot more insight into the cyber operations field as it’s practiced than they would have otherwise gotten. And frankly, it gives us an insight into the schools, the capabilities and the students so that we can recruit the best of the best.”

Perhaps one of the greatest benefits to the schools is in marketing their status as a CAE-CO. LaFountain cites Dakota State University as an example. The school already had developed a surprisingly strong cyber operations program before being designated a CAE. Following the designation, the university saw a 300 percent jump in the number of students applying to the program, he reports.

Schools applying for the CAE-CO designation go through a two-phase process. The first is largely a paper exercise with NSA officials reviewing the application, courses and syllabi. Those that meet the requirements, or come close to meeting the requirements, move to the next phase. “Phase two involves an on-site visit where we actually delve into each course in detail with the faculty who teach it, so we have a real good understanding of what’s covered, what kinds of assignments the students are given and what kinds of projects and research might be done in association with that. Then we decide if they do, indeed, meet all of the criteria. And if they don’t, we give them detailed feedback on what they were missing.”

Because things change so quickly in the world of cyber, agency officials will re-examine the requirements this summer. In consultation with subject matter experts, officials will ask whether the state of the art has changed in any area, or whether changes need to be made for other reasons. If the requirements change, new schools receiving the CAE-CO designation will be expected to meet those requirements while those already designated will be given time to adjust.

The agency received 20 applications the first year, and subsequent rounds of applications have been close to that. The response rate is about what LaFountain expected, he says. “We set the bar pretty high because we only need about 20 to 25 schools to meet the requirements,” he indicates.

The CAE-CO program complements the existing CAEs in research and in information assurance education. It provides a particular emphasis on technologies and techniques related to specialized cyber operations, such as collection, exploitation and response, to enhance the national security posture. LaFountain clarifies the difference between cyber operations and information assurance CAEs. Information assurance is more broad; cyber operations are more technical and specialized. Information assurance education teaches students the governance issues and how to set up a program, systems and networks and how to monitor them. It may include writing scripts for some functions, such as administrative tasks. “That takes a lesser depth of technical capability than cyber ops where you need to write code that, for example, you might integrate into a system at the device driver level,” he elaborates. “It’s a very different level of skill and programming than it would be to write scripts for an intrusion detection system or something like that.”

He also stresses the program requires courses in ethics. “Every student who goes through the program has a good understanding of what the legal and ethical issues are related to cybersecurity and cyber operations. The program is really focused on the core science skills we would like students to have. We really aren’t asking the schools to create hackers,” he says.