Pages

14 September 2020

To Succeed in Its Cybersecurity Mission, the Defense Department Must Partner With Academia (For Real)

By Monica M. Ruiz, Jacquelyn G. Schneider, Eli Sugarman 

In 2018, the U.S. Department of Defense unveiled an ambitious new cyber strategy to expand the department’s cyber missions and capabilities. The strategy leaned on partnerships to achieve two important objectives: (a) to help the department recruit top talent and (b) to invest in the best cyber capabilities. In stressing the importance of partnerships for the strategy, Maj. Gen. Charles Moore, director of operations at Cyber Command, noted, “we can’t be successful in executing our mission against any of our adversaries if we are not working very closely with our interagency partners, with our friends and allies around the globe, with industry and academia, etc.”

Moore’s comments are revealing. While the Defense Department often lists academia as part of important partnerships, this relationship is always the coda in the partnership list—right before the “etc.” As such, it’s no surprise that the department spends very little budget dollars or bureaucratic time on academic engagement. This is a missed opportunity.

This is not to say that the Defense Department has done no engagement with academia. The department first highlighted academia in its first cyber strategy in 2011, and over the past decade the department has invested in cybersecurity programs at the armed forces services academies, increased the focus on cyber within the Professional Military Education (PME) institutions, provided scholarships for cyber education, partnered with academic institutions to run cyber hack-a-thons, and both Cyber Command and the National Security Agency (NSA) host “scholars in residence” and support cyber initiatives at university affiliated research centers.

There is bipartisan agreement that these initial efforts are not enough. The 2020 Cyberspace Solarium Commission advocated for deeper academic partnerships, and two proposed bills in Congress call for greater investment in cyber education within higher education. Thus far, however, the Defense Department has paid only lip service to a true cyber academic engagement strategy, choosing instead to piggyback off existing investments from the National Security Agency and Department of Homeland Security in the National Security Agency Centers of Academic Excellence (NSA-CAE) program.

The Defense Department needs its own cyber academic engagement strategy—one that continues to reap the benefit of the NSA-CAE program, but also creates new inroads with non NSA-CAE universities, facilitates novel research, extends interdisciplinary cybersecurity skills across the workforce, and attracts the best university talent to the department’s workforce. Below, we offer a road map to what the Defense Department needs from academia to make a new cyber academic engagement approach feasible. We provide an overview of the cyber field in academia and the benefits and limitations of the NSA-CAE. Finally, we move toward solutions by articulating features of leading cyber-academic programs and suggest practical ways that the department might advance more impactful academic engagement.

What Does the Defense Department Need From Academia?

The Defense Department partners with academia principally to satisfy two needs: (a) cyber talent and (b) technical and policy research. Academia cannot fully satisfy the scope of those dual needs; a strategy that maximizes the benefit of academic engagement will pragmatically identify the areas in which academia has a comparative advantage over interagency or even industry partners.

At present, the Defense Department’s most urgent need from academia is to produce a talented workforce. The department’s operational need for cyber talent, the widening cyber talent gap, and the intense competition to attract and retain both civilian and military talent is well documented. Effective academic engagement requires both a mass input to facilitate growth of the overall workforce and also approaches tailored to attract the small group of extraordinarily skilled minds to work for the department, even for short periods. Further, the engagement strategy should address two distinct Defense workforces: civilian and uniformed military.

The Defense Department’s civilian cyber talent needs present the easiest win for Defense-academic engagement. This is because the department has an immense quantity and variety of civilian cyber workforce positions, spanning technical and policy roles, in many geographic locations and with flexible options for hiring and accessions. The department needs civilian cyber practitioners to be network administrators, hackers and artificial intelligence (AI) experts. It needs professors and budget specialists who have some degree of technical cybersecurity skills. Indeed, nearly all positions in the department’s civilian workforce can benefit from some level of cybersecurity literacy.

However, the Defense Department needs quality in addition to quantity. In particular, the department needs a component of its civilian cyber workforce to have high-demand, highly specialized skills. For these personnel, the department must leverage the expertise of top academic institutions and recruit graduate students and professors for both short- and long-term working relationships. Such relationships might be official department positions but could also include flexible contracting relationships, fellowships and grants.

Academia’s ability to create military cyber talent is less likely to translate to significant increases in the military cyber workforce, largely because of limited pipelines from campus to corps. The Defense Department sees the greatest return on investment on cyber talent within accessions by continuing its focus on service academies to produce early military cyber talent. However, academia can help build cyber awareness and expertise within the existing military force through increased focus on cyber within professional military education as well as more opportunities for fellowships focused on cyber research at civilian institutions.

Academia is also a natural partner for the department to foster research on cybersecurity—whether at the intersection of computer science, computer engineering, law or social sciences. Academia is often at the leading edge of technological innovation and serves as an incubator for work that is not immediately commercially profitable. Further, interdisciplinary cyber research centers, which combine talent skill sets and operate with academic freedom, are able to engage with cyber policy in a way that iterates and evaluates policy and strategy success. However, the Defense Department does not always understand how best to invest in this interdisciplinary research and struggles to understand how to (or whether to) fund research that does not translate immediately into usable technologies. Academia rarely provides research that translates directly into technology that offers immediately usable enterprise solutions, but the Defense Department should nevertheless invest in early seed research or emerging studies that could lead to revolutionary technological breakthroughs. The department’s failure to invest in academic cyber research limits its strategic options and creates a funding vacuum that inevitably drives research toward corporate audiences and away from national security cyber interests.

Part of the Defense Department’s challenge is that it continues to view cybersecurity as a primarily technical challenge with technical solutions. In reality it’s about people, which is why some organizations are culturally better at defending their networks than others with identical technical capacities. The department may not realize it, but it needs nontechnical cyber research, including broader strategic thinking that can be widely shared and critiqued. In particular, funding for social sciences research in cyber is acutely needed and in short supply. The meager funding that does exist—for example, the department’s Minerva program funding a handful of social sciences-focused cybersecurity research projects—tends to be limited, contingent on budget whimsy, and generally insufficient to address the questions facing the Defense Department and U.S. national decision-makers.

Overview of the Field

Rather than develop new models of academic engagement, the Defense Department’s first inclination might be to continue status quo efforts and piggyback on NSA and Homeland Security efforts to sponsor and administer the Cyber Defense and Cyber Operations Centers of Academic Excellence (CAE) programs. The first program focuses on promoting higher education and research in cyber defense and creates a talent pipeline of professionals with expertise to reduce vulnerabilities in national information infrastructure. The second program supports the National Initiative for Cybersecurity Education to “broaden the pool of skilled workers capable of supporting a cyber-secure nation,” with a focus on building technical skill sets across the computer science, computer engineering and electrical engineering disciplines. After meeting criteria set forth by the NSA-CAE program, U.S.-based accredited two-year, four-year, and graduate-level institutions can become CAE schools and receive formal recognition from the U.S. government. Currently, more than 300 higher education institutions participate in the program.

The Defense Department’s desire to focus on the NSA/Homeland Security program as the foundation of its own cybersecurity engagement in academia is understandable. It is a mature, well-funded program that has created a baseline for cybersecurity curriculum within higher education. Its certification programs have incentivized schools to invest in cybersecurity; and its outreach to rural, minority-focused and commuter universities created a more economically and ethnically diverse cybersecurity talent pool for the federal government to draw from. It builds quantity for the federal cyber workforce without the Defense Department spending its own budget resources or devoting administrative staff. Moreover, it helps incentivize computer science and engineering programs to prioritize security, which many leading programs do not.

However, relying only on the NSA-CAE program will not solve the Defense Department’s need for top talent or research; 70 percent of the universities with the top 20 computer science or AI programs don’t participate in the NSA-CAE program. This is partly because the NSA-CAE program focuses on strict curriculum requirements that leave little room for universities to innovate or experiment with emerging cyber challenges. Top students or professors are motivated by their success at solving tough problems or puzzles that may be on the horizon for the next generation of cyber practitioners, but the ability to solve such problems is not yet a requirement of the NSA-CAE program.
The NSA-CAE program also struggles to incentivize interdisciplinary cyber education. Though it advocates for interdisciplinary requirements within the core curriculum, these requirements are a mere asterisk to the overall focus. This reflects a broader problem with a cyber academic engagement strategy that focuses most of its attention on technical engagement criteria—for instance, by measuring the numbers of computer science majors who graduate each year or confirming the existence of a cybersecurity curriculum within all departments. The cyber field is inherently multidisciplinary and draws on both technical and non-technical skills and knowledge. A comprehensive approach to the field demands involving technologists, lawyers, economists, national security practitioners and experts from other disciplines to account for the complexity of challenges. Although some progress is being made with support from the Hewlett Foundation’s Cyber Initiative, Craig Newmark Philanthropies and others, interdisciplinary education to create a sustainable cyber talent pipeline is still lacking, and entrenched divides along technology-oriented disciplines versus social sciences remain. While increased funding for policy research from leading technology companies, such as Microsoft and Facebook, is positive, it is not in the Defense Department’s interest to allow research to become excessively influenced by corporate interests—a situation that risks fostering a policy debate unresponsive to—or, worse, one that undermines—the department’s policy priorities.

Finally, the NSA-CAE program has been embraced most fully on the East Coast, particularly in colleges and universities trying to attract students in a region already saturated with higher education choices. Existing geographic rifts between Silicon Valley’s private-sector/techies on the West Coast and Washington, D.C.’s public-sector/legal and policy experts on the East Coast have created parallel, instead of integrated, communities of technical experts and policy experts. As a result, translators—an even smaller talent pool—familiar with both groups are needed to communicate strategically and work across technical and policy domains.

Characteristics of Good Cyber-Academic Programs

As Brandon Valeriano and Miguel Alberto Gomez stated astutely in their recent analysis of academia’s progress (or lack thereof) on cybersecurity, “cybersecurity is an interdisciplinary field that requires more than just support from computer scientists and engineers, but also a firm grasp of international relations, law, criminology, psychology, and economics.” It is also, as mentioned above, a dynamic and rapidly evolving field.

It’s not realistic or desirable for a single university degree program or institution to try to cover all dimensions of cybersecurity or for every degree to aspire to have every combination of courses or topics. The goal, rather, should be to foster experimentation and diversity of curricula. This approach will capitalize on the different strengths and weaknesses of universities and respond to the Defense Department’s diverse needs. For example, some universities are well situated to focus on the legal and policy dimensions of cybersecurity, such as the University of Texas at Austin, which has published online detailed course syllabi and an open source textbook on the subject. Other universities draw on strong political science and international relations faculties to teach cybersecurity. For example, Stanford’s master’s degree program in international policy melds foreign policy with innovative technical courses (like former Facebook CISO Alex Stamos’s hands-on Hack Lab).

But there are more technical degrees, too, that still draw on a variety of disciplines. The University of California, Berkeley’s master’s degree program in information and cybersecurity has made inroads with threat intelligence firms, which have found that the particular degree helps midlevel managers develop the capacity to lead cross-functional teams. In addition, UC Berkeley’s Citizen Clinic (like Indiana University’s Cybersecurity Clinic) is a trailblazer when it comes to developing cybersecurity clinics that provide hands-on training to interdisciplinary teams of students who conduct security audits, perform risk assessments, craft risk-mitigation strategies, and otherwise help civil society and local government organizations defend themselves from cybersecurity threats.

The Defense Department would be wise to look beyond the CAE model of common curricular approaches and expand engagement to support an array of multidisciplinary curricular models. Still, the department will need metrics to filter which programs are most promising or well suited to partnership. Some of the most important metrics are qualitative ones: the level of dedication of tenured faculty and university administrators, the amount of mentorship offered by faculty to students, and the quality of job placements for graduating students. Academia is struggling to provide those at scale given the paucity of cybersecurity faculty, limited financial resources for these new programs, and rare opportunities for junior scholars (with an interdisciplinary focus) to gain tenure.

Moreover, the Defense Department should look for programs that incorporate innovative partnerships with companies and government entities to encourage hands-on learning and generation of applied solutions. Faculty should have meaningful relationships with experts in the private and public sectors to ensure their teaching and research is grounded in the reality of what is happening on-network and around the globe.

Programs should also aim to develop communication and writing skills, given the need to translate between and across technical and nontechnical disciplines. In addition to preparing students to contribute journal articles intended for small, expert audiences, programs should teach students how to write shorter pieces for decision-makers and articles for Lawfare and similar outlets.

Lastly, the Defense Department should prioritize programs that seek to empower more women and otherwise diversify the field. Insufficient diversity in the cybersecurity field is so acute that it threatens U.S. national security. This has affected how the cyber field has evolved and impacts the policy relevance of cybersecurity research. However, it also presents unique opportunities for the department’s engagement with academia in terms of both fostering cyber talent and supporting innovative research.

A More Effective Defense Department Academic Engagement Strategy

As the Defense Department continues to scope out how it will educate its cybersecurity workforce and learn from cybersecurity research, it will benefit from the NSA-CAE program. However, the department cannot rely solely on the program to fully leverage academia for both talent and research. Instead, a Defense cyber academic engagement strategy should focus on flexibility, boutique engagement, and a more dynamic and diverse multidisciplinary approach that will prepare its rapidly evolving workforce to succeed in their respective roles.

Whereas the NSA-CAE model tries to build a larger talent pool, the Defense Department should focus on tailoring efforts to recruit top civilian talent from a diverse set of academic programs. Part of that recruitment could come from engagement through workshops, conferences, and joint projects organized and funded by the Defense Department. Interdisciplinary hack-a-thons and Defense Department involvement in cyber policy competitions (like the Atlantic Council’s Cyber 9/12 Strategy Challenge) enervate both research and talent for further opportunities with the department. For the department to capitalize on these engagements, it will also need more flexible ways to bring this top talent into its workforce. The department should double down on fellowships and exchanges, allowing top talent from universities to take both long-term and short-term employment opportunities. Creating these kinds of flexible opportunities will allow researchers to stay affiliated with their universities while appealing to their sense of duty and desire to serve.

The Defense Department should also lean on its PME and midcareer civilian university fellowships to educate the workforce it already has by investing in more technical and interdisciplinary cyber professors and advanced research centers on cybersecurity. The Navy has made strides in this direction, investing in the new Cyber & Innovation Policy Institute at the Naval War College. All of these programs would benefit from more formal relationships with Cyber Command, similar to Strategic Command’s Academic Alliance Program. Moreover, the Defense Department should send its mid- and senior-career enlisted and officer personnel to top civilian cyber programs, perhaps even investing in more annual fellowships that hone cyber technical skills and introduce interdisciplinary cyber education to officers and enlisted personnel across the military workforce.

Finally, the Defense Department’s investment in cyber research, especially interdisciplinary research, presents an opportunity to increase the investment in cyber education—thus growing the talent pool, while spurring innovative cyber research. As a matter of strategic national security interest, the department should simultaneously prioritize those programs that seek to diversify the cybersecurity field by including students from diverse backgrounds.

Extending the Minerva program (whose funding has recently been pulled) or developing similar cyber-focused grant programs would incentivize targeted research for the department and foster relationships with top cyber programs. Further, innovation events or hack-a-thons between the department and universities could identify both emerging talent and potential future solutions to the department’s technical problems. The overall largest research investment opportunity for the Defense Department is in research grants that allow top cyber researchers the space to focus on national security issues. This long-term approach harkens back to the early days of DARPA, where large, flexible block grants catalyzed major breakthroughs that are still contributing to U.S. national security decades later.

Ultimately, the Defense Department’s cyber strategy and Cyber Command’s Strategic Vision were wise to include academia in their list of partnerships. The department is more likely to succeed in its great power competition if it draws on the research and talent created by academia. But that will require a different quantity and quality of engagement than the department has pursued thus far. To make this possible, the Defense Department—either the Office of the Secretary of Defense’s Cyber Policy Office or Cyber Command—must articulate a strategy for that engagement. And the strategy needs funding, earmarked by Congress, for outreach, fellowships, and grants as well as administrative support to execute those funds. The department also needs more programs like the Cyber Excepted Service, in order to bring academic talent into the workforce, and more promotion and flexible work opportunities to keep the talent it already has. Academia contains the potential to leapfrog U.S. cyber capabilities and build the best cyber force of the future, but the potential of such partnerships will remain locked as long as academia is the mere coda in the list of partnerships.

Disclosure: The Hewlett Foundation is a generous financial supporter of Lawfare’s cybersecurity coverage. This article, as with all articles, underwent Lawfare’s normal editorial process and review.

No comments:

Post a Comment