The History and Development of a “Cyber security” Program Criteria
By Steven Lingafelt
Cybersecurity, cyber security, information security, security, information protection, computer security, network security, forensics, assured operations … these are only a few of many phrases used to describe a broad field focused on protection of assets. We have all been personally affected by protection failures: your personal information taken, your credit card stolen and your PC infected by malware. The destruction of medical research data, the hacking of our voting systems and shutdown of critical infrastructure devices have also affected our society greatly.
Because of these and other factors, this has become a popular field, with many unfilled jobs and low unemployment rates. The U.S. government articulates the need for security skills by directives to various agencies formally stating protection requirements, research grants and educational support for those who study or work in the field.
In July 2014, a group of volunteers interested in assessing the “cyber” protection arena and in developing a case for accrediting educational programs in the “cyber sciences” created an organization that became known as the Cyber Education Project (CEP). As work progressed, it became clear this effort was of sufficient national interest as to warrant a National Science Foundation grant (DGE-1539715) for logistical support.
The chosen term “cyber sciences” reflects the breadth of the field, which includes various engineering and computing fields of study and multiple affiliated disciplines. These fields of study include consideration of the design, creation and operation of systems in conjunction with aspects of law, policy, human factors, ethics, risk management and other topics.
After two years of considering relevant studies, existing courses of study, educational certifications and standards; formal engagements with industry, academia and government representatives; and more informal public participation through various outreach actions, the CEP had narrowed its focus toward systems with a computing element. By March of 2016, leaders had produced several artifacts, including a listing of key learnings for the field and CEP draft program criteria reflective of these learnings.
In January 2016, IEEE established a committee to create ABET program criteria for “cyber security” engineering programs, and, in March 2016, CSAB established a committee to create ABET program criteria for “cybersecurity” computing programs. These committees based their work on various inputs and sources relevant to their respective fields. For both committees, the CEP artifacts were a primary source, including the CEP draft program criteria, appropriately modified and recast to meet the needs of the respective engineering and computing professions.
Each committee, following the processes of their respective organizations, the Engineering Accreditation Commission and the Computing Accreditation Commission, created their respective draft program criteria. In July 2017, both the engineering and computing draft program criteria were approved by their respective commissions. The Computing Area Delegation then approved the criteria for Cybersecurity and similarly named programs in August. These criteria are now open for public review and comments until June 15, 2018. The Engineering Area Delegation will vote on the Cybersecurity Engineering program criteria later this month. This marks a major milestone in the journey to create program criteria supportive of the engineering and computing professions.
We encourage those interested in these very important issues to participate in ABET’s review and comment process, which will improve these criteria and facilitate adoption by programs in the coming years. As part of this criteria development and maturation process, several engineering and computing programs have requested “piloting” the respective criteria, for both current programs as well as programs under development. It is anticipated that within a few years, the ABET processes for public review and criteria publication will complete, resulting in criteria for both engineering and computing programs, marking a final milestone for an effort that formally began in 2014.
As the value of information and assets grows, as more of our physical world is controlled by components which may be compromised, as methods and techniques to destroy, steal or alter assets become more sophisticated and prevalent, the need for well-considered engineering and computing solutions, based on cyber security skills, knowledge and know-how is critical to protection of both our personal assets and society’s assets. These engineering and computing accreditation criteria will become foundational pieces of our “protection” puzzle.
Co-chair: Cyber Education Project – Accreditation Committee
Chair: IEEE Committee for Engineering Accreditation Activities (CEAA) – Cyber Security Engineering Program Criteria Committee
Member: Cybersecurity Subcommittee of the Joint CSAB/CAC Criteria Committee
IEEE senior member, ISSA senior member, IBM Lifetime Master Inventor, IBM Senior Technical Staff Member and a practicing Cybersecurity Engineer