Filling the infosec ranks

With a little help from Uncle Sam, Carnegie Mellon University is helping colleges and universities train the next generation of information security professionals.

The university last month held the first in what will be a series of sessions to assist other colleges and universities with creating their own information security academic programs. These capacity-building programs, primarily at the graduate level, are crucial to meeting the need for trained security professionals in the government and in the private sector.

"The more schools that can develop these [information security] programs, then the more students we can turn out with this kind of expertise," said Don McGillen, executive director of Carnegie Mellon's Center for Computer and Communications Security and a leader of the program.

Carnegie Mellon received a $400,000 grant through the National Science Foundation's Federal Cyber Service program to provide the training. Begun about two-and-a-half years ago, the NSF program provides grant money to schools for capacity-building programs. It also provides scholarships to students studying information assurance in exchange for two years of government service in the Cyber Corps.

In its capacity-building program, Carnegie Mellon brought together nine faculty members from Howard University, Morgan State University and the University of Texas at El Paso — all institutions with computer science programs. Next summer, program officials hope to bring back at least one participant from each school while expanding the program to other institutions, McGillen said.

Carnegie Mellon is a good institution to offer such a program, said Alan Paller, director of research at the SANS Institute, an information security education and research group. "No organization is better positioned to do what they're proposing to do."

The university gathered staff from its computer science, engineering and public policy schools, from its CERT Coordination Center and from other institutions designated as centers of excellence under the National Security Agency's Infosec Education and Training Program. "We went to the experts," McGillen said.

The four-week residency program started with how to teach information security and how the topic fits in with other academic subjects, such as public policy. The program then dealt with how to develop an information security curriculum.

It ended with an examination of current and future research opportunities for which Carnegie Mellon officials believe the government could get "the greatest bang for its buck," McGillen said. The four institutions are working together on proposals.

The availability of research money is primarily why professors migrate toward certain subject areas, and good professors with interesting funded research draw students, Paller said. And the best way to keep capacity-building programs going is by funding more research.

At Carnegie Mellon, the program directors sought feedback and ideas during the training session, and even ended up changing the schedule to incorporate new subjects that participants requested, McGillen said.

Feedback and collaboration will continue throughout the year, he added. Part of the NSF grant will be used to maintain a collaborative Web site where participants can ask questions, exchange ideas and start working on research proposals together.

"We want to establish continuing, long-term relationships," McGillen said.

After returning to Howard University last week, Wayne Patterson, a professor of computer science at the university's graduate school, adapted the information security course he teaches and plans to add a follow-up course.

"We have a very heavy emphasis on our graduate programs here," he said. "So what we have been interested in is really developing our capacity at the graduate level in computer security."

But capacity building is something that takes time. "We're definitely playing catch-up," McGillen said, "but better [that] we play catch-up than just throw up our hands."

***

At a glance

Information security capacity-building program

Lead institution: Carnegie Mellon University

Participating institutions:

* Howard University, Washington, D.C.

* Morgan State University, Baltimore, Md.

* University of Texas at El Paso

Purpose:

This four-week program, funded with a grant from the National Science Foundation as part of the Federal Cyber Service initiative, will help colleges and universities develop information security graduate programs. In the long run, having more programs will increase the number of Ph.D.-level information security researchers available to meet public- and private-sector security needs.