b'<html>\n<title> - CYBER SECURITY EDUCATION: MEETING THE NEEDS OF TECHNOLOGY WORKERS AND EMPLOYERS</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n                       CYBER SECURITY EDUCATION:\n                          MEETING THE NEEDS OF\n                    TECHNOLOGY WORKERS AND EMPLOYERS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                          COMMITTEE ON SCIENCE\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JULY 21, 2004\n\n                               __________\n\n                           Serial No. 108-68\n\n                               __________\n\n            Printed for the use of the Committee on Science\n\n\n     Available via the World Wide Web: http://www.house.gov/science\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n94-834                      WASHINGTON : 2004\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                                 ______\n\n                          COMMITTEE ON SCIENCE\n\n             HON. SHERWOOD L. BOEHLERT, New York, Chairman\nRALPH M. HALL, Texas                 BART GORDON, Tennessee\nLAMAR S. SMITH, Texas                JERRY F. COSTELLO, Illinois\nCURT WELDON, Pennsylvania            EDDIE BERNICE JOHNSON, Texas\nDANA ROHRABACHER, California         LYNN C. 
WOOLSEY, California\nKEN CALVERT, California              NICK LAMPSON, Texas\nNICK SMITH, Michigan                 JOHN B. LARSON, Connecticut\nROSCOE G. BARTLETT, Maryland         MARK UDALL, Colorado\nVERNON J. EHLERS, Michigan           DAVID WU, Oregon\nGIL GUTKNECHT, Minnesota             MICHAEL M. HONDA, California\nGEORGE R. NETHERCUTT, JR.,           BRAD MILLER, North Carolina\n    Washington                       LINCOLN DAVIS, Tennessee\nFRANK D. LUCAS, Oklahoma             SHEILA JACKSON LEE, Texas\nJUDY BIGGERT, Illinois               ZOE LOFGREN, California\nWAYNE T. GILCHREST, Maryland         BRAD SHERMAN, California\nW. TODD AKIN, Missouri               BRIAN BAIRD, Washington\nTIMOTHY V. JOHNSON, Illinois         DENNIS MOORE, Kansas\nMELISSA A. HART, Pennsylvania        ANTHONY D. WEINER, New York\nJ. RANDY FORBES, Virginia            JIM MATHESON, Utah\nPHIL GINGREY, Georgia                DENNIS A. CARDOZA, California\nROB BISHOP, Utah                     VACANCY\nMICHAEL C. BURGESS, Texas            VACANCY\nJO BONNER, Alabama                   VACANCY\nTOM FEENEY, Florida\nRANDY NEUGEBAUER, Texas\nVACANCY\n\n\n                            C O N T E N T S\n\n                             July 21, 2004\n\nWitness List\n\nHearing Charter\n\n                           Opening Statements\n\nStatement by Representative Sherwood L. Boehlert, Chairman, \n  Committee on Science, U.S. House of Representatives\n    Written Statement\n\nStatement by Representative Bart Gordon, Minority Ranking Member, \n  Committee on Science, U.S. House of Representatives\n    Written Statement\n\nPrepared Statement by Representative Nick Smith, Member, \n  Committee on Science, U.S. House of Representatives\n\n                               Witnesses:\n\nMr. Chester ``Chet\'\' Hosmer, President & CEO, WetStone \n  Technologies, Inc.\n    Oral Statement\n    Written Statement\n    Biography\n    Financial Disclosure\n\nMr. John R. Baker, Sr., Director, Technology Programs, Division \n  of Undergraduate Education, School of Professional Studies in \n  Business and Education, Johns Hopkins University\n    Oral Statement\n    Written Statement\n    Biography\n    Financial Disclosure\n\nMr. Erich J. Spengler, Principal Investigator, Advanced \n  Technology Education Regional Center for the Advancement of \n  Systems Security and Information Assurance, Moraine Valley \n  Community College\n    Oral Statement\n    Written Statement\n    Biography\n    Financial Disclosure\n\nSecond Lieutenant David J. Aparicio, Developmental Electrical \n  Engineer, Information Directorate, Air Force Research \n  Laboratory\n    Oral Statement\n    Written Statement\n    Biography\n    Financial Disclosure\n\nMs. Sydney Rogers, Principal Investigator, Advanced Technology \n  Education Regional Center for Information Technology, Nashville \n  State Community College\n    Oral Statement\n    Written Statement\n    Biography\n    Financial Disclosure\n\nDiscussion\n\n              Appendix: Answers to Post-Hearing Questions\n\nMr. Chester ``Chet\'\' Hosmer, President & CEO, WetStone \n  Technologies, Inc.\n\nMr. John R. Baker, Sr., Director, Technology Programs, Division \n  of Undergraduate Education, School of Professional Studies in \n  Business and Education, Johns Hopkins University\n\nMr. Erich J. Spengler, Principal Investigator, Advanced \n  Technology Education Regional Center for the Advancement of \n  Systems Security and Information Assurance, Moraine Valley \n  Community College\n\nMs. Sydney Rogers, Principal Investigator, Advanced Technology \n  Education Regional Center for Information Technology, Nashville \n  State Community College\n\n \n CYBER SECURITY EDUCATION: MEETING THE NEEDS OF TECHNOLOGY WORKERS AND \n                               EMPLOYERS\n\n                              ----------                              \n\n\n                        WEDNESDAY, JULY 21, 2004\n\n                  House of Representatives,\n                                      Committee on Science,\n                                                    Washington, DC.\n\n    The Committee met, pursuant to call, at 10 a.m., in Room \n2318 of the Rayburn House Office Building, Hon. Sherwood L. 
\nBoehlert (Chairman of the Committee) presiding.\n\n                            HEARING CHARTER\n\n                          COMMITTEE ON SCIENCE\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                       Cyber Security Education:\n\n                          Meeting the Needs of\n\n                    Technology Workers and Employers\n\n                        Wednesday, July 21, 2004\n                         10:00 a.m.-12:00 p.m.\n                   2318 Rayburn House Office Building\n\n1. Purpose\n\n    On Wednesday, July 21, 2004, the House Committee on Science will \nconduct a hearing to review efforts by academia, industry and \ngovernment to develop a cyber security workforce.\n\n2. Witnesses\n\nMr. Chet Hosmer is the President & CEO of WetStone Technologies, Inc. \nof Cortland, New York. Mr. Hosmer has taught Network Security and \nCyber-Crime and Computer Forensic courses at Utica College, and he is \nthe Research Advisor for the Computer Forensics Research and \nDevelopment Center of Utica College. Mr. Hosmer also is Co-chair of the \nElectronic Crime and Terrorism Partnership Initiative\'s Technology \nWorking Group at the National Institute of Justice.\n\nMr. John Baker is the Director of Technology Programs for the Division \nof Undergraduate Education of the School of Professional Studies in \nBusiness and Education at the Johns Hopkins University in Baltimore, \nMaryland.\n\nMr. Erich Spengler is the head of the Regional Center for the \nAdvancement of Systems Security and Information Assurance at Moraine \nValley Community College in Palos Hills, Illinois.\n\nSecond Lieutenant David Aparicio is an electrical engineer for the Air \nForce Research Laboratory Information Directorate in Rome, New York. \nLt. 
Aparicio is a graduate of the ``Cyber Security Boot Camp\'\' run \njointly by the Air Force, Syracuse University, and the New York State \nOffice of Science, Technology and Academic Research.\n\nMs. Sydney Rogers is the head of the Regional Center for Information \nTechnology at Nashville State Community College in Nashville, \nTennessee. Ms. Rogers is also the Vice President for Community and \nEconomic Development at the community college and her responsibilities \ninclude workforce development, computer services and distance \neducation.\n\n3. Overarching Questions\n\n    The hearing will address the following overarching questions:\n\n        <bullet>  How are academia, industry and government working \n        together to meet the Nation\'s cyber security education and \n        training needs?\n\n        <bullet>  What are the strengths and weaknesses of existing \n        cyber security education and training programs?\n\n        <bullet>  What new and emerging challenges need to be addressed \n        in this area? How can the Federal Government contribute to this \n        effort?\n\n4. Brief Overview\n\n        <bullet>  Information technology systems play a critical role \n        in today\'s economy, yet they are vulnerable to security \n        breaches and attacks. Adequately protecting these systems \n        requires, among other things, a well-trained cyber security \n        workforce to block, detect and counter any threats to vital \n        computer systems and networks.\n\n        <bullet>  In 2002, the President signed into law the Cyber \n        Security Research and Development Act (P.L. 107-305), which \n        originated in the Science Committee. The Act effectively \n        designated the National Science Foundation (NSF) as the lead \n        agency for civilian cyber security research and education, and \n        it authorized $216 million over FY 2003-FY 2007 for NSF cyber \n        security education and training programs. 
The Act also \n        authorized advanced cyber security education and training \n        programs at the National Institute of Standards and Technology \n        (NIST), but these programs have never been funded.\n\n        <bullet>  The National Security Agency (NSA) also is engaged in \n        cyber security education and training. In addition, the \n        Department of Homeland Security (DHS) supports public awareness \n        and outreach on cyber security vulnerabilities and \n        countermeasures, and it helps coordinate private-sector efforts \n        with those of the Federal Government.\n\n        <bullet>  As the challenges of cyber security emerge and \n        evolve, so too do the courses and programs of cyber security \n        education and training. From programs in traditional settings, \n        like two- and four-year colleges and universities, to other \n        programs, like the Cyber Security Boot Camp, the cyber security \n        education and training continuum is growing and becoming more \n        standardized in its effort to meet the needs of technology \n        workers and employers.\n\n5. Background\n\n    Estimates of annual economic losses caused by computer virus and \nworm attacks and by hostile digital acts in general run from about $13 \nbillion (worms and viruses only) to $226 billion (for all forms of \novert attacks). While the precise figures are open to question, there \nis no doubt that cyber security intrusions result in significant losses \ndue to downtime, lost productivity, and expenses related to testing, \ncleaning and deploying patches to computer systems.\n    Experts increasingly point out that improving cyber security \nrequires cyber security training for technicians and users, in addition \nto promulgating sound security practices and deploying sophisticated \ntechnology. 
As one security professional explained, you can be \n``bristling with firewalls and IDS (intrusion detection systems), but \nif a naive user ushers an attacker in through the back door, you have \nwasted your money.\'\'\nEducation and Training Needs\n    Many system failures and security breaches occur because of human \nerror. Employees may fail to install a patch, or configure a firewall \nincorrectly, or otherwise leave a system open to intrusion. Such errors \noccur, in part, because responsibility for security traditionally has \nfallen to non-security workers who may lack the time, training and \nfocus to handle such responsibilities.\n    A 2002 report by the National Workforce Center for Emerging \nTechnologies and the Computing Technology Industry Association \n(CompTIA) found that many security organizations were beginning to seek \nsecurity professionals, deciding that it was no longer acceptable just \nto buy a firewall package, install it, and let it run.\n    Industry is also increasingly interested in fostering concern with \ncyber security at all the levels of the workforce dealing with \ncomputers from administrative workers (such as network administrators, \ntechnicians, and help desk staff) to engineers (including software \ndevelopers) to system architects.\n    Responding to that interest, cyber security education and training \nis increasingly being offered through degree-granting programs at both \ntwo- and four-year colleges and universities, but also through shorter, \ncredit and non-credit programs that provide certificates or provide \nbackground for students to pass certification exams.\n\nFederal Support for Cyber Security Education and Training\n            National Science Foundation\n    Federal Cyber Service: Scholarship for Service (SFS)--The program \nhas two aspects--a ``Scholarship Track\'\' that provides grants to \ncolleges and universities for student stipends, and a ``Capacity-\nBuilding Track\'\' that provides grants to 
colleges and universities to \nimprove their ability to provide courses in cyber security.\n    The Scholarship Track provides four-year grants to colleges and \nuniversities, which, in turn, use the money to provide as many as 30 \ntwo-year scholarships. In exchange for two years of stipends ($8,000 \nper year for undergraduate students and $12,000 for graduate students) \nand a summer internship at a federal agency, participating students are \nrequired to work for two years in the Federal Cyber Service for a \nfederal agency. Since 2001, 391 individuals have participated in the \nscholarship program.\n    The Capacity Building Track provides two-year grants of up to \n$150,000 per year for such activities as adapting and implementing the \nuse of educational materials, courses or curricula; offering technical \nexperience; developing laboratories, and offering faculty development \nprograms. (An additional $150,000 per year is available to partnerships \nthat include minority serving institutions.)\n    The SFS program was funded at $16.1 million in Fiscal Year (FY) \n2004, and the Administration request for FY 2005 is $16.2 million. A \nlist of colleges and universities participating in the SFS program is \nprovided in Appendix II.\n    Advanced Technology Education (ATE)--ATE is NSF\'s program to \nimprove technical education at two-year colleges. 
Grant awards may \ninvolve partnerships between two-year and four-year institutions.\n    One aspect of ATE is the funding of regional centers (such as the \ntwo giving testimony at this hearing), which are designed to create \nmodel programs in specific areas, such as cyber security, to adapt \nthose programs to local needs, provide professional development for \ncollege faculty, and help recruit, retain and place students.\n    The ATE program received $45.23 million in FY 2004, of which \nabout $3.7 million will be invested in cyber security education and \ntraining (although the breakdown for cyber security is a very rough \nestimate).\n\n            National Security Agency\n    The National Security Agency (NSA) established the Centers of \nAcademic Excellence in Information Assurance Education (CAE/IAE) \nProgram in 1998 to increase the number of professionals with \ninformation assurance expertise in various disciplines. The CAE/IAE \nProgram endorses qualified four-year and graduate information assurance \ndegree programs (including those at Johns Hopkins, which is testifying \nat this hearing).\\1\\ Currently, there are 59 universities in 27 states \nthat are designated as CAE/IAE (see list in Appendix III). 
Being \ndesignated a CAE/IAE does not guarantee an institution funding, but it \nis a ``seal of approval\'\' that facilitates applying to grant programs, \nand it makes institutions eligible for certain NSA programs.\\2\\\n---------------------------------------------------------------------------\n    \\1\\ Prospective institutions must meet rigorous standards to \nreceive the national recognition and the CAE/IAE designation, including \ncourseware that is certified under the National Security \nTelecommunications and Information Systems Security Standards as well \nas ten other criteria describing dimensions, depth and maturity of the \ninformation assurance program.\n    \\2\\ NSA competitively awards a small amount of funding (a few \nmillion dollars) for capacity building--curriculum development, \npurchase of infrastructure for courses--at CAE/IAE schools.\n---------------------------------------------------------------------------\n    NSA also manages an SFS program in information assurance for the \nDepartment of Defense (DOD). This program is similar to the one run by \nNSF, with scholarships provided for study at a CAE/IAE in return for a \nstudent\'s service at a DOD agency. Currently 82 students are \nparticipating in the NSA SFS program.\n\n            Department of Homeland Security\n    The Department of Homeland Security (DHS) is working to increase \ncyber security awareness, foster cyber security training and education \nprograms, and promote private sector support for well-coordinated, \nwidely recognized professional cyber security certifications. In these \nareas, DHS plays a supporting role, consulting on the efforts and \nprograms underway in other government agencies, at universities, and in \nthe private sector.\n\n6. Witness Questions\n\nQuestions for Mr. Hosmer\n\n        <bullet>  In your experience, what knowledge and skills are \n        currently needed in the cyber security workforce? 
Have cyber \n        security education and training programs been sufficiently \n        flexible to respond to these needs as well as the needs of \n        traditional and returning students?\n\n        <bullet>  What are the current strengths and weaknesses in \n        cyber security education and training programs? Do model \n        programs exist and, if they do, are they being adapted to meet \n        local cyber security needs?\n\n        <bullet>  What partnerships should two-year and four-year \n        colleges and universities forge with business and industry to \n        build appropriate programs? In your opinion, is there \n        sufficient collaboration with industry at the administration \n        (advisory committees), faculty (return-to-industry) and student \n        (internship) levels to accommodate rapid changes in these \n        professional and technical areas?\n\n        <bullet>  What can the Federal Government do to improve cyber \n        security education and build the Nation\'s technical workforce?\n\nQuestions for Mr. Baker\n\n        <bullet>  What are the various levels of cyber security \n        education and training, e.g., systems administration, systems \n        engineering, and systems architecture? What role does your \n        university play in this education and training continuum? How \n        do two- and four-year colleges and institutions collaborate--if \n        at all--to identify and fill cyber security educational needs?\n\n        <bullet>  What are the current strengths and weaknesses of \n        cyber security education and training programs? What courses \n        and programs currently exist? And what programs need to be \n        developed and more broadly implemented?\n\n        <bullet>  What are the challenges to faculty preparation, \n        recruitment and retention in cyber security? 
How has your \n        university attempted to address these challenges?\n\n        <bullet>  What can the Federal Government do to improve cyber \n        security education and build the Nation\'s technical workforce?\n\nQuestions for Mr. Spengler\n\n        <bullet>  What role do community colleges play in the training \n        of new workers and the retraining of current workers? What \n        employment opportunities in cyber security are available for \n        individuals with a certificate or a two-year degree?\n\n        <bullet>  What are the current strengths and weaknesses of \n        cyber security education and training programs? What ``model\'\' \n        courses and programs currently exist? And what types of courses \n        or programs need to be developed or more broadly implemented?\n\n        <bullet>  What challenges do you face in recruiting and \n        training cyber security faculty? What type of programs or \n        opportunities do you provide to help keep faculty current?\n\n        <bullet>  What can the Federal Government do to improve cyber \n        security education and build the Nation\'s technical workforce?\n\nQuestions for Lt. Aparicio\n\n        <bullet>  How did your experience at the ACE change your view \n        of cyber security issues? Is this a good way to recruit \n        engineering and other science and technology students into the \n        field? How did your experience in the course influence your \n        career plans?\n\n        <bullet>  Do you think that the combination of education, \n        problem solving and immersion is an effective model for other \n        education and training programs? Why or why not?\n\n        <bullet>  In your opinion, what can the Federal Government do \n        to improve cyber security education and build the Nation\'s \n        technical workforce?\n\nQuestions for Ms. 
Rogers\n\n        <bullet>  What role do community colleges play in the training \n        of new workers and the retraining of current workers? What \n        employment opportunities in cyber security are available for \n        individuals with a certificate or a two-year degree?\n\n        <bullet>  What are the current strengths and weaknesses of \n        cyber security education and training programs? What ``model\'\' \n        courses and programs currently exist? And what types of courses \n        or programs need to be developed or more broadly implemented?\n\n        <bullet>  What challenges do you face in recruiting and \n        training cyber security faculty? What type of programs or \n        opportunities do you provide to help keep faculty current?\n\n        <bullet>  What can the Federal Government do to improve cyber \n        security education and build the Nation\'s technical workforce?\n\nAppendix I: NSF ATE Award Abstracts\n\n        Tennessee Information Technology (TN IT) Exchange Center\n\nStart Date: September 15, 2002\n\nExpires: August 31, 2005 (Estimated)\n\nExpected Total Amount: $1,798,803 (Estimated)\n\nInvestigator:  Sydney U. Rogers [email protected] (Principal \nInvestigator current)\n\nSponsor:  Nashville St Tech Community College, 120 White Bridge Rd., \nNashville, TN 37209-4515; 615/353-3236\n\n    The Tennessee Information Technology (IT) Exchange Center provides \nan effective workforce capacity building system by increasing the IT \neducational strength in a consortium of two year colleges, four year \ncolleges, secondary schools and industries in North Central Tennessee. 
\nThe goal is to develop a sustainable Center to meet the needs of \nindustry for a qualified IT workforce by creating real world scenarios \nbased on industrial needs and using them as the basis for instruction \nin IT courses. The learning strategies are developed in workshops at \nthe Center for Learning and Teaching at Vanderbilt University. The \ncases are used in high school academies to interest high school \nstudents in IT careers. A web site provides information about the \navailability and content of education and training programs in the \nregion, a clearinghouse of job opportunities and regular communications \namong partners. Regional stakeholder forums bring industry and \neducators together to develop a shared vision based upon research for \neffective delivery of instruction. The audience includes both students \nin educational institutions and re-careering workers.\n\n    Center for the Advancement of Systems Security and Information \n                           Assurance (CASSIA)\n\nStart Date: September 1, 2003\n\nExpires: August 31, 2007 (Estimated)\n\nExpected Total Amount: $2,997,615 (Estimated)\n\nInvestigator:  Erich Spengler [email protected] (Principal \nInvestigator current)\n\nSponsor:  Moraine Valley Community College, 10900 South 88th Avenue, \nPalos Hills, IL 60465-2175; 708/974-4300\n\n    This regional center for information technology (IT) security and \ndata assurance serves a five-state area of the Midwest and focuses on a \nfield which is critical to homeland security and which has a large \ndemand for qualified workers. The center builds on a previous Advanced \nTechnological Education project at Moraine Valley Community College, \n``Applied Internet Technology: Curriculum and Careers\'\' (NSF Award No. 
\n9950037; see http://www.fastlane.nsf.gov/servlet/\nshowaward?award=9950037 and http://www.morainevalley.edu/nsf/), which \nconcluded in 2002. The following educational institutions are \ncollaborating in the operation of the center: Moraine Valley Community \nCollege, Rock Valley College, University of Illinois at Springfield, \nLakeland Community College, Washtenaw Community College, Inver Hills \nCommunity College, and Madison Area Technical College. Other \norganizations from business, industry, and government are also advising \nthe center and participating in its activities.\n    The center is collecting, adapting, and enhancing curricula in \ncyber security, offering certificate and degree programs, and providing \nprofessional development for college faculty in the region. In \nparticular, the center is establishing an A.A.S. degree and a \ncertificate in IT security and data assurance; a concentration in IT \nsecurity and data assurance within a B.S. degree program in computer \nscience; an Internet-accessible laboratory environment that \ndemonstrates and simulates security technologies; ``train the trainer\'\' \nsummer workshops and externship opportunities for faculty from regional \ncommunity colleges and four-year institutions; an internship program \nfor students in the A.A.S. and B.S. degree programs; and a \ncomprehensive outreach and support program to increase the number of \nstudents from under-represented groups who pursue IT careers.\n\nAppendix II. Institutions Involved in NSF\'s Cyber Security Scholarships \n                    for Service Program\n\nInstitutions with Students in NSF\'s Cyber Security Scholarships for \n        Service Program\\3\\\n---------------------------------------------------------------------------\n    \\3\\ NSF does not directly fund students in the Scholarships for \nService program. 
Instead, funding is provided to institutions who \nselect the scholarship recipients.\n\n---------------------------------------------------------------------------\nCarnegie Mellon University\n\nClark Atlanta University\n\nFlorida State University\n\nGeorge Washington University\n\nGeorgia Institute of Technology\n\nIdaho State University\n\nIowa State University\n\nJackson State University\n\nJohns Hopkins University\n\nMorehouse College\n\nMississippi State University\n\nNaval Postgraduate School\n\nNew Mexico Institute of Mining & Technology\n\nNorwich University\n\nPolytechnic University\n\nPurdue University\n\nSpelman College\n\nSUNY at Stony Brook\n\nSyracuse University\n\nUniversity of Idaho\n\nUniversity of Nebraska at Omaha\n\nUniversity of North Carolina at Charlotte\n\nNorth Carolina A&T University\n\nUniversity of Tulsa\n\nInstitutions Receiving Capacity Building Grants via NSF\'s Cyber \n        Security Scholarships for Service Program\n\nAdelphi University\n\nAmherst College\n\nCalifornia State at Long Beach\n\nCarnegie Mellon University\n\nClark Atlanta University\n\nCUNY Brooklyn\n\nCUNY Borough of Manhattan Community College\n\nCUNY NYC College of Technology\n\nEmbry Riddle Aeronautical University\n\nFlorida Agricultural and Mechanical University\n\nFlorida State University\n\nGeorge Washington University\n\nGeorgia Institute of Technology\n\nHampshire College\n\nIndiana University of Pennsylvania\n\nIllinois Institute of Technology\n\nIndiana University\n\nIowa State University\n\nJackson State University\n\nJohn Jay College of Criminal Justice\n\nKentucky State University\n\nMississippi State University\n\nMount Holyoke College\n\nMurray State University\n\nNaval Postgraduate School\n\nNew Mexico Institute of Mining and Technology\n\nNorth Carolina Agricultural and Technical State University\n\nNorth Dakota State University at Fargo\n\nPennsylvania State University\n\nPolytechnic University\n\nPurdue University\n\nSmith College\n\nStevens 
Institute of Technology\n\nSUNY Albany\n\nSUNY at Stony Brook\n\nTexas A&M\n\nUniversity of Alaska-Fairbanks\n\nUniversity of Denver\n\nUniversity of Houston\n\nUniversity of Idaho\n\nUniversity of Kansas\n\nUniversity of Louisville Research Foundation\n\nUniversity of Massachusetts at Amherst\n\nUniversity of Missouri\n\nUniversity of North Carolina at Charlotte\n\nUniversity of Pittsburgh\n\nUniversity of Rhode Island\n\nUniversity of Southern California\n\nUniversity of South Carolina at Columbia\n\nUniversity of Washington\n\nUniversity of Wisconsin-Stevens Point\n\nUniversity of Wisconsin-Parkside\n\nUniversity of Wisconsin-Milwaukee\n\nTowson University\n\nUtica College\n\nWichita State University\n\nAppendix III: NSA Centers of Academic Excellence in Information \n                    Assurance Education\n\nAlabama\n\nAuburn University\nCalifornia\n\nNaval Postgraduate School\n\nStanford University\n\nUniversity of California at Davis\nFlorida\n\nFlorida State University\nGeorgia\n\nGeorgia Institute of Technology\n\nKennesaw State University\nIdaho\n\nIdaho State University\n\nUniversity of Idaho\nIllinois\n\nUniversity of Illinois at Urbana-Champaign\nIndiana\n\nPurdue University\nIowa\n\nIowa State University\nMaryland\n\nCapitol College\n\nJohns Hopkins University\n\nTowson University\n\nUniversity of Maryland, Baltimore County\n\nUniversity of Maryland University College\nMassachusetts\n\nBoston University\n\nNortheastern University\n\nUniversity of Massachusetts, Amherst\nMichigan\n\nUniversity of Detroit, Mercy\n\nWalsh College\nMississippi\n\nMississippi State University\nNebraska\n\nUniversity of Nebraska at Omaha\nNew Jersey\n\nNew Jersey Institute of Technology\n\nStevens Institute of Technology\nNew Mexico\n\nNew Mexico Tech\nNew York\n\nPace University\n\nPolytechnic\n\nState University of New York, Buffalo\n\nState University of New York, Stony Brook\n\nSyracuse University\n\nU.S. 
Military Academy, West Point\nNorth Carolina\n\nNorth Carolina State University\n\nUniversity of North Carolina, Charlotte\nOhio\n\nAir Force Institute of Technology\nOklahoma\n\nUniversity of Tulsa\nOregon\n\nPortland State University\nPennsylvania\n\nCarnegie Mellon University\n\nDrexel University\n\nEast Stroudsburg University\n\nIndiana University of Pennsylvania\n\nPennsylvania State University\n\nUniversity of Pennsylvania\n\nUniversity of Pittsburgh\n\nWest Chester University of Pennsylvania\nSouth Dakota\n\nDakota State University\nTexas\n\nTexas A&M University\n\nUniversity of Dallas\n\nUniversity of North Texas\n\nUniversity of Texas, Dallas\n\nUniversity of Texas, San Antonio\nVermont\n\nNorwich University\nVirginia\n\nGeorge Mason University\n\nJames Madison University\n\nUniversity of Virginia\nWashington\n\nUniversity of Washington\nWashington, D.C.\n\nGeorge Washington University\n\nInformation Resources Management College\n    Chairman Boehlert. The hearing will come to order. Let me \nexplain to our witnesses that both parties had morning \nconferences, party conferences, and they were running a little \nbit later than expected, so the Committee is more important \nthan the party, and that is why Mr. Gordon and I are here to \nwelcome you.\n    It is a pleasure to welcome everyone here this morning for \na hearing on cyber security, a subject that has consumed the \nCommittee over the past couple of years. We have focused on \nthis topic for good reason. Information and communication \nsystems underpin our government, and they ensure the smooth \nfunctioning of our industries, financial institutions, and \ntransportation systems. They touch nearly every aspect of our \nlives, but they are fragile, vulnerable to intrusions and \nattacks.\n    We continue to focus on new tools to prevent devastating \nattacks, and we will undoubtedly revisit the federal investment \nin cyber security research and development in the future, the \nvery near future. 
But today, we will focus on another cyber \nsecurity challenge, the education and training of a cadre of \nprofessionals in computer security and information assurance.\n    As the cost of security breaches rise and attacks increase \nin frequency and sophistication, business and industry are \nrecognizing the need to invest in technology as well as \ntraining. And education and training programs are springing up \nto meet that need. Some of these programs, including those that \nwill be discussed here today, are particularly innovative. But \nthe field of cyber security education and training is still \ndeveloping. You might say it is in its infancy, and we need to \nsee that it goes to full maturity. We need to learn how to help \nour colleges and universities respond rapidly and intelligently \nto a field that continues to evolve. We need to identify ways \nto attract and retain skilled faculty, and we need to work with \nhigher education institutions, businesses, and other \norganizations to ensure that education and training courses and \nprograms translate into employment.\n    If I might give a parenthetical thought for a minute, I am \na senior Member on the House Committee on Intelligence, and we \nare on the eve of the report of the 9/11 Commission. And that \nreport will emphasize something that we are going to emphasize \nhere today: the importance of the investment in human capital.\n    A few years ago, a friend summed up the challenges of cyber \nsecurity in this way: ``New technologies and enhanced security \npractices are like sun screen: they offer you some protection, \nbut sooner or later, you are going to get burned.\'\' By \nincreasing the quality and quantity of cyber security education \nand training programs, a new generation of technicians and \ntechnology professionals can enhance the SPF of our information \nand communication systems and create a more secure future. 
And \nthat would provide a very sunny outlook, indeed.\n    Chairman Boehlert. With that, let me recognize the \ndistinguished gentleman from Tennessee, the Ranking Member, Mr. \nGordon.\n    [The prepared statement of Chairman Boehlert follows:]\n\n            Prepared Statement of Chairman Sherwood Boehlert\n\n    It is a pleasure to welcome everyone here this morning for a \nhearing on cyber security--a subject that has consumed the Committee \nover the past couple of years.\n    We have focused on this topic for good reason. Information and \ncommunication systems underpin our government and they ensure the \nsmooth functioning of our industries, financial institutions and \ntransportation systems. They touch nearly every aspect of our lives, \nbut they are fragile, vulnerable to intrusions and attacks.\n    We continue to focus on new tools to prevent devastating attacks--\nand we will undoubtedly revisit the federal investment in cyber \nsecurity research and development in the future--but today we will \nfocus on another cyber security challenge: the education and training \nof a cadre of professionals in computer security and information \nassurance.\n    As the costs of security breaches rise and attacks increase in \nfrequency and sophistication, business and industry are recognizing the \nneed to invest in technology as well as training. And education and \ntraining programs are springing up to meet that need.\n    Some of these programs, including those represented here today, are \nparticularly innovative, but the field of cyber security education and \ntraining is still developing. We need to learn how to help our colleges \nand universities respond rapidly and intelligently to a field that \ncontinues to evolve. We need to identify ways to attract and retain a \nskilled faculty. 
And we need to work with higher education \ninstitutions, businesses and other organizations to ensure that \neducation and training courses and programs translate into employment.\n    A few years ago, a friend summed up the challenges of cyber \nsecurity in this way: New technologies and enhanced security practices \nare like sun screen. They offer you some protection but, sooner or \nlater, you are going to get burned. By increasing the quality and \nquantity of cyber security education and training programs, a new \ngeneration of technicians and technology professionals can enhance the \nSPF of our information and communication systems and create a more secure \nfuture.\n    And that would provide a very sunny outlook indeed.\n    Mr. Gordon.\n\n    Mr. Gordon. Thank you, Mr. Chairman.\n    I am pleased to join you in welcoming our witnesses to this \nhearing on efforts to improve education and training of cyber \nsecurity professionals. The President\'s strategy for security \nin cyberspace highlighted that a lack of trained personnel and \ninadequate certification programs for security professionals is \ncomplicating the task of reducing the vulnerabilities of the \nNation\'s network information systems. This committee also \nrecognized the problem and attempted to address it in the Cyber \nSecurity R&D Act, which was enacted during the last Congress.\n    In addition to new research programs at NSF and NIST, it \nauthorized educational programs at NSF to improve cyber \nsecurity education at undergraduate institutions, including \ntwo-year colleges. These are the education programs that \nproduce the computer and network specialists who are \nresponsible for ensuring that cyber systems are operating \nsafely and reliably.\n    Today, the Committee will get a progress report on these \nNSF programs from those in the field who are carrying them out. \nWe also hope to gain a better understanding of the overall \nstate of cyber security education and training. 
I am interested \nin whether the federally-sponsored education and training \nprograms are focused on industry\'s requirements, are meeting \nthe demand that exists for cyber security professionals, and \nreceiving funding that is adequate to ensure that the programs \nare effective and of sufficient size to meet the need.\n    Again, I want to welcome the witnesses today and look \nforward to our discussion.\n    [The prepared statement of Mr. Gordon follows:]\n\n            Prepared Statement of Representative Bart Gordon\n\n    Mr. Chairman, I am pleased to join you in welcoming our witnesses \nto this hearing on efforts to improve the education and training of \ncyber security professionals.\n    The President\'s Strategy to Secure Cyberspace highlighted that a \nlack of trained personnel and inadequate certification programs for \nsecurity professionals is complicating the task of reducing the \nvulnerabilities of the Nation\'s networked information systems.\n    This committee also recognized the problem and attempted to address \nit in the Cyber Security R&D Act, which was enacted during the last \nCongress.\n    In addition to new research programs at NSF and NIST, the Act \nauthorized education programs at NSF to improve cyber security \neducation at undergraduate institutions, including two-year colleges. \nThese are the education programs that produce the computer and network \nspecialists who are responsible for ensuring that cyber systems are \noperated safely and reliably.\n    Today the Committee will get a progress report on these NSF \nprograms from those in the field who are carrying them out. 
We also \nhope to gain a better understanding of the overall state of cyber \nsecurity education and training.\n    I am interested in whether the federally sponsored education and \ntraining programs are focused on industry\'s requirements, are meeting \nthe demand that exists for cyber security professionals, and are \nreceiving funding that is adequate to ensure the programs are effective \nand of sufficient size to meet the need.\n    Again, I want to welcome our witnesses today, and I look forward to \nour discussion.\n\n    [The prepared statement of Mr. Smith follows:]\n\n            Prepared Statement of Representative Nick Smith\n\n    The type of computer systems that banks, universities, government, \nthe military, and large corporations depend on, are immense and \nextremely complex. It saves time and money the more closely connected a \nsystem is internally, and to external systems that it needs to interact \nwith. Because the usefulness of computer systems depends in large part \non interconnectedness, they are vulnerable to outside ``hackers\'\' who \ncan take advantage of the level of openness that the system must \nmaintain in order to be effective. In addition to the threat of \nelectronic attacks, we must not lose sight of the physical security of \ncentral servers.\n    So the need for a highly trained cyber security workforce is \nobvious. And in some ways, the work that the Federal Government needs \nto do in this area is similar to what we are doing to ensure that we \nproduce a sufficient number of workers with technical skills and a math \nand science background. 
A few examples of these similarities include \nsupporting the development of innovative new strategies for exciting \nkids about math and science in K-12 schools, providing funding so that \nuniversities and community colleges can take the math and science \ntalent developed in those K-12 schools and focus it towards specific \nareas of focus, and helping post-graduate programs attract and educate \nenough talented students to meet growing workforce needs.\n    But it seems to me that training this workforce gives us a paradox \nsimilar to the one that developers of computer systems face in making \nsure that they are open enough to be effective, but not so open that \nhackers can take advantage of them. In order to defend a network it is \nnecessary to know how it works and where its vulnerabilities lie. If we \nwant to maintain a cyber security workforce large enough to meet \ngrowing need, this information needs to be made widely available. By \nfacilitating this, we make it easy for someone with sinister intentions \nto obtain the training that he or she would need to wreak the kind of \nhavoc that we are trying to prevent. As we move forward in the area of \ncyber security education, this is an issue that must be addressed.\n\n    Chairman Boehlert. Thank you very much.\n    And our witnesses today, a very distinguished list of \nwitnesses, I want to thank you in advance for agreeing to be \nfacilitators and educators for this committee. We take great \npride in the quality of witnesses that are invited before this \ncommittee, and we also take great pride in the fact that more \noften than not we listen. It is easy for the elected officials \nlike us to sit up here and pontificate and talk a lot, but we \ndon\'t learn much when we are talking. We learn an awful lot \nwhen we hear from people like you. And it is a very diverse \npanel.\n    Mr. Chet Hosmer, President and Chief Executive Officer for \nWetStone Technologies, Inc. in Cortland, New York. Mr. 
John \nBaker, Director, Technology Programs, Division of Undergraduate \nEducation, School of Professional Studies in Business and \nEducation, Johns Hopkins University. Mr. Erich Spengler, and \nfor the purpose of an introduction, the Chair will recognize \nthe distinguished Chair of the Subcommittee, Ms. Biggert.\n    Ms. Biggert. Thank you, Mr. Chairman, for the opportunity \nto introduce Mr. Erich Spengler.\n    With a Master\'s degree in Business from Loyola University, \nMr. Spengler is the Director of the NSF Regional Center for the \nAdvancement of Systems Security and Information Assurance at \nMoraine Valley Community College in Palos Hills, Illinois. \nWhile the school lies just outside my district, I am here today \nbecause Mr. Spengler is almost a constituent and because \nMoraine Valley truly is an educational asset to the entire \nChicago land area, and I think that he is to be congratulated \nfor all that he has accomplished at Moraine Valley and \ncertainly has contributed and will contribute this morning to \nour discussion of cyber security education. And that is why it \nis my privilege to welcome Mr. Spengler to the hearing of the \nHouse Science Committee today.\n    Thank you, Mr. Chairman.\n    Chairman Boehlert. Our next witness is Second Lieutenant \nDavid Aparicio. Lieutenant, it is good to see you here. He has \ngot an exciting story to tell. Lieutenant Aparicio is a \ngraduate. As a matter of fact, he was the valedictorian of the \nAdvanced Course in Engineering Cyber Security boot camp, and, \nboy, that is an interesting story, Mr. Gordon and my \ncolleagues, I want you to hear about. And he is joined to his \nrear by Dr. Kamal Jabaar who is director of the cyber security \nboot camp. Doctor, it is good to have you here with us. And Mr. \nAparicio, I can\'t resist the temptation. As you probably know, \nthis weekend the most important event taking place any place in \nthe world is taking place in my home district of New York. 
\nCooperstown, the National Baseball Hall of Fame, it is the \ninduction ceremony this weekend. A couple of greats from the \npast, Dennis Eckersley and Paul Molitor, are being inducted. \nBut one of the popular inductees of many years ago was Louie \nAparicio, and so I just want to say it is good to see another \nAparicio here.\n    And for the purpose of an introduction, the Chair \nrecognizes Mr. Gordon.\n    Mr. Gordon. Thank you, Mr. Chairman.\n    It is my pleasure to introduce Ms. Sydney Rogers who is \nVice President for Community and Economic Development at \nTennessee State Technological Community College. I also want to \nwelcome her as a fellow graduate of Middle Tennessee State \nUniversity and thank her belatedly for voting for me for \nstudent body president some years back. Ms. Rogers is \nresponsible for workforce development, student services, \ncomputer services, and grants, and development at Nashville \nState Technical Community College. Previously, she served as \ninterim Vice President for Academic Affairs, Dean of \nTechnologies, and Department Chair and Associate Professor for \nComputer Information Systems for 20 years. Of particular \ninterest for today\'s hearing, Ms. Rogers is the lead principal \ninvestigator for the Center for Information Technology \nEducation, a regional center funded by the National Science \nFoundation Advanced Technology Education Program. Her work has \nfocused on the reform of technological education to create a \nmore adaptable workforce suited for the new century. Ms. Rogers \nserves on three NSF national visiting committees and several \nlocal Boards and has 30 years of leadership experience in \ntechnology education and workforce development.\n    Once again, welcome to our committee.\n    Chairman Boehlert. Thank you very much, Mr. President.\n    And now the witnesses. 
And the general rule in the \nCommittee is that we ask that you summarize your opening \nstatement, which will be made part of--the full opening \nstatement, part of the official record in its entirety. But we \nask for the summary in five minutes or so, and the Chair is \nnever arbitrary, because in addition to the very distinguished \nwitnesses we have today, we are used to hearing from Nobel \nLaureates and astronauts and I can\'t help but recall yesterday \nwas the 35th anniversary of the Apollo 11 Moon landing. We have \nhad Neil Armstrong, with whom I had a good conversation last \nnight, and Buzz Aldrin. And so to have people travel from afar \nand offer expert testimony, it seems to me sometimes almost \nsinful that we ask you to summarize in 300 seconds or less. But \nwhile the clock will be on, and at four minutes it will--the \nlittle sign there will be yellow and in five minutes, it will \ngo red, don\'t stop mid-sentence, mid-thought, mid-paragraph. \nContinue on. There will be some leeway, and then there will be \nopportunity for questions.\n    With that, Mr. Hosmer, it is a pleasure to welcome you \nhere.\n\n STATEMENT OF MR. CHESTER ``CHET\'\' HOSMER, PRESIDENT AND CEO, \n                  WETSTONE TECHNOLOGIES, INC.\n\n    Mr. Hosmer. Thank you, Mr. Chairman and Members of the \nCommittee, for the opportunity to speak with you today on a \ntopic that is very, very important to me personally and to our \ncompany.\n    For many years now, since 1998, we have been involved in \ncyber security research and development at WetStone \nTechnologies, and a critical part of that process has been the \nintegration of and cooperation between many colleges and \nuniversities throughout our great State of New York. \nCongressman Boehlert, the Chairman, and myself, actually, are \nboth alum of Utica College of Syracuse University. 
And that \nprogram in economic crime investigation that was started there \nback in 1988 is one of the oldest in the country in this \nparticular area. And it was at a time where it took great \nvision in order to be able to create a program in an area \nwhere, at the time, no one knew we really had a problem. And we \nhave been working with that program and with the program at \nTompkins Cortland Community College to develop programs that \ncan basically better prepare our young people for careers in \ncyber security.\n    I can\'t stress enough how important it is for our \ncooperation between business and industry and colleges and \nuniversities in order to be able to build and structure these \nprograms. The reason is that as you look at this field of \nstudy, it is emerging and it is changing on a daily basis. And \nsometimes we call it, at Internet speed, the threat and the \ncyber weapons that are against us are changing. Therefore, the \ncurriculums that have to be provided for those students that \nare coming up in this particular area need to be flexible. They \nneed to be expandable. They need to be modifiable. They need to \nbe able to be delivered in multiple forms.\n    So we kind of took an approach to try to work with those \ncolleges and universities to help develop those programs. And I \nam happy to say that we think it has been a great success. Many \nmembers of our staff have spent countless hours actually \nteaching in those programs as adjunct faculty. And we believe \nthat brings a lot, both to the students and the faculty at \nthose universities that we work with. And one of the real \nprimary objectives of that relationship between our staff and \nour people and the universities is to build internship programs \nfor those students to be able to move into this field of study.\n    I can\'t stress enough how important internships are to this \nprocess. The reason is that at a university or a college level, \na lot of theory is taught. 
But unfortunately, in this \nparticular area, practical experience is absolutely essential. \nOne of the reasons is that cyber security, especially in the \nform of digital investigation, requires knowledge both in the \nsocial sciences as well as the computer science area. And the \nbridging of the gap of those two things requires a great deal \nof work, because they tend to be taught in two different areas \nof most universities and colleges. So our ability to bridge \nthat gap, to bring social scientists and computer scientists, \ncriminal justice and computer science folks, together is \nabsolutely critical in order to advance this. And we have done \nthat through internship programs.\n    I am proud to say that we have been able to hire 14 interns \nover the last 3 1/2 years at our company from Utica College, \nTompkins Cortland Community College, Syracuse University, \nBinghamton University in order to bring those into our \norganization. Over half of them have been offered and accepted \nfull-time employment with our company after graduation. Many \nothers have gone on to other careers in law enforcement, \nintelligence defense, and corporate security. And our ability \nto be able to continue that program, to be able to advance that \neducational model of internship, is absolutely critical.\n    There are many programs out there that are being trained by \nvendors, by folks that are in the commercial sector that are \nproviding training for folks that are already in law \nenforcement, in cyber education, and cyber security that have \nto go on afterwards. And that training is very expensive. It \ndoes not end after graduation from college. In many cases, the \nfolks that are actually on the front lines protecting us on a \nday-to-day basis are law enforcement professionals that \nactually did not come up through the computer science track. \nThey actually came up through the criminal justice track. 
But \nnow, virtually every case that they work with involves some \nsort of cyber or computer evidence or computer investigation is \nrequired. So they have had to go back and take courses in order \nto basically bring themselves up to speed to be able to do this \nkind of investigation.\n    I want to tell this committee that every single week we get \nrequests from those individuals to come to our training courses \nthat are seeking education, and in many cases, those young men \nand women that are in those services are paying for that \ntraining themselves. They are taking time off from their job \nusing their vacation to basically go get trained in this area, \nbecause it is that important. They are giving up time with \ntheir family and their hard-earned money in order to be able to \nperform that training, and it is something that we need to \nsupport them with.\n    So I have many more things to say, but I am going to yield \nto the next member, and I appreciate this opportunity to convey \nsome of the thoughts and some of our experience.\n    [The prepared statement of Mr. Hosmer follows:]\n\n                  Prepared Statement of Chester Hosmer\n\n    Mr. Chairman and Members of the Committee: My name is Chester \nHosmer; and I am a co-founder and the President and CEO of WetStone \nTechnologies, Inc.\n    I would like to thank you for the opportunity to testify regarding \nCyber Security Education. This area has been, and continues to be a \nfocal point of our work at WetStone from many perspectives. I will \nfocus my remarks on our practical experience with Cyber Security \nEducation as an employer, educator, and trainer, and I will limit my \nfocus to the areas that we are intimately involved in digital \ninvestigation and cyber defense. I hope that our ``hands-on\'\' \nperspective will provide an interesting frame of reference for this \ncommittee.\n    WetStone was established in 1998 and is headquartered in Cortland, \nNew York. 
We perform advanced research and development in cyber \nsecurity for government and corporate customers. We also develop \ncommercial software products that aid in digital investigation and \ncyber defense, and we provide advanced training for digital \ninvestigators. During the past two years, our focus has been on cyber \nsecurity training which includes advanced courses in Steganography and \nMalware Investigation, two technologies used extensively by cyber \ncriminals. During that time we have delivered training to over 1,000 \nfederal law enforcement agents, DOD information warriors, State and \nlocal law enforcement investigators and corporate security \nprofessionals. The demand for training in these advanced areas has \ngrown rapidly over the past two years to the point where we are \ntypically conducting two or three trainings per month, both in our \nCortland training facility, in conjunction with cyber security \nconferences and at customers\' on-site locations.\n\nWhat knowledge and skills are currently needed in the cyber security \n                    workforce?\n\n    Those tasked with investigating cyber crime or defending against \ncyber threats require knowledge of the domain, specialized skills and \npractical experience. The need is currently both wide and deep. A \nthorough basis and understanding of investigation techniques either \nfrom a criminal justice or law enforcement background, or a formal \neducation program is required. However, when investigating cyber crime, \na strong operational and procedural technical knowledge rooted in the \ncomputer science field is also necessary. Unfortunately, most Criminal \nJustice university programs are offered out of the Social Science \ndepartments at universities, whereas Computer Science, a hard science, is \noffered out of the math or computer science departments. 
Building programs that \ncross domains is quite difficult for many reasons, and the student \ntypically lacks depth in either area, and is ill prepared for digital \ninvestigation after graduation. We are, however, beginning to see an \nincrease in specialized Computer Forensics programs which give students \nthe background necessary for advanced digital investigation.\n    Many of the current investigators have come through the traditional \nlaw enforcement track and learned basic investigation techniques by \nworking task force assignments (narcotics, homicide, child \nexploitation, etc.). As their cases began to include more and more \ncomputer based evidence, the investigators sought training programs \nthat would allow them to seize, extract, examine, analyze and give \nrelated testimony about digital or cyber evidence.\n    Many colleges and universities are attempting to meet the needs of \nthe cyber first responder by offering evening classes or special \nworkshops. However, the colleges and universities are not equipped to \noffer the advanced ``hands-on\'\' training courses needed. In many cases \nto properly teach these skills, special technology, dedicated \nlaboratories, field knowledge, and extensive preparation are required. \nFurther complicating college based offerings is the rapid evolution of \nboth the cyber threats and the defenses necessary to counteract them. \nThis instability in curriculum content makes it very difficult for \ncolleges and universities to develop programs under traditional models.\n\nHave cyber security education and training programs been sufficiently \n                    flexible to respond to these needs as well as the \n                    needs of traditional and returning students?\n\n    The current state-of-the-art of cyber security education and \ntraining is varied. Many colleges and universities are now offering \nboth courses and curriculums that range from Junior college programs \noffering A.A.S. 
degrees, undergraduate education offering B.S. and B.A. \ndegrees, and graduate degree programs offering both Master\'s and \ndoctoral degrees that relate to cyber security. I have personally been \ninvolved in three specific programs being offered at two colleges. At \nUtica College of Syracuse University, I have been privileged to teach \nin both the Economic Crime Investigation undergraduate program, and the \nEconomic Crime Management Master\'s level program. Currently, I serve as \nthe Director of the Computer Forensic Research and Development Center \nat Utica College and I guest lecture in both the computer security and \ncomputer forensic classes. At Tompkins Cortland Community College \n(TC3), a Junior college of the State University of New York, I had the \npleasure of working with the administration and department heads to \nhelp establish the first Associates Degree program in Computer \nForensics in the United States, and I continue to guest lecture in this \nprogram today.\n    Many commercial vendors are offering training programs that \ntypically relate to their own specialized technology or product and \nservice offerings. In most cases these classes are cost prohibitive for \nindividual purchase and often place a hardship on limited department \nbudgets. Training programs of this type vary widely in price; however, a \ngood rule of thumb is about $750-$1,000 per day not including expenses. \nAdvanced training courses typically run 2-5 days in duration. \nInvestigators spend about 1-2 weeks per year on the training required \nto keep up to date with the state-of-the-art. Compounding the high cost \nof the training itself is the time required away from the job. Those \nworking in more rural communities must incur additional travel expenses \non top of the high cost of the training. 
Since these costs recur every \nyear based on the rapidly changing landscape of cyber security, a minimum \ninvestment of $25,000 to $35,000 per year, per investigator is \nnecessary. Distance learning would seem to be an obvious option that \ncould mitigate some of these costs. This does offer a promise for the \nfuture; however, to date only a handful of cyber security training \ncourses are offered in this manner and additional study, research and \ndevelopment is needed.\n\nWhat are the current strengths and weaknesses in cyber security \n                    education and training programs?\n\n    Strengths--During the last several years new college based \ncurriculums have been developed to address the demand for cyber \nsecurity professionals. These programs are being offered at every level \nof secondary education, and the expertise of the faculty and curriculum \ndevelopment continue to rapidly advance. Options for Associates, \nUndergraduate and Graduate degree programs offer both new students and \nthose wishing to advance their careers several options from which to \nchoose. Also, many of these curriculums are offered in a ``continuing \neducation environment,\'\' allowing those currently working to \nparticipate as well.\n    Training offered by private companies, and conferences and workshops \nare providing excellent content today. This type of training has many \npositive characteristics. First, the content tends to be well aligned \nwith the current threats and solutions due to the competitive nature \nthis environment offers. In addition, the quality of both the trainers \nand content is sound due to the demand of customers, organization \nmembers or conference participants. We see this clearly as the largest \narea of expansion over the past several years. 
Conference participants \ncan now attend advanced training courses, receive college credits, take \nexaminations for industry certifications, stay abreast of emerging \ntrends and network with colleagues during a typical five-day \nconference.\n    Weaknesses--Although the education programs have quickly ramped up \nto develop curriculums and degree offerings to help meet the needs, the \ngraduates of these programs require significant training on practical \ncyber security matters after graduation, and throughout their careers. \nIn addition, typical college and university based programs have a \ndifficult time staying abreast of current trends. Unfortunately, in the \nbusiness of cyber security, the trends are changing so rapidly that \ncrafting curriculums to meet the needs is a challenge. This not only \ngoes to the curriculum, but also the tools and technologies and \nexpensive laboratory equipment and software necessary to expose the \nstudents to the latest methods.\n    The majority of the training programs currently being offered to \nprovide practical skills by both private and non-profit organizations \nare non-standardized, ad hoc and mostly difficult to qualify or assess. \nThis makes the selection of these programs for training extremely \ndifficult, and the satisfaction level of the attending student low. \nUnfortunately, due to the rapid evolution in the cyber threat, training \nis a recurring consideration for both new hires and veteran employees. \nNo uniform certification process for training courses or trainers is in \nplace today to help assess the quality and/or value of the training \nprograms offered. Many organizations utilize colleges and universities \nto ``accredit\'\' their course offerings and deliver continuing education \ncredits to those that complete the training classes. Students then have \na number of CEU credits from a variety of colleges and universities \nwith no way to combine those for a degree. 
In many cases students end \nup with 100\'s of hours of seemingly unrelated course credit, when in \nfact they have acquired more knowledge than most four-year college \nstudents attending a traditional academic program.\n\nDo model programs exist and, if they do, are they being adapted to meet \n                    local cyber security needs?\n\n    The National Security Agency (NSA) has created The Centers of \nAcademic Excellence in Information Assurance Education (CAEIAE) \nprogram. Established in November 1998, this endeavor helps NSA partner \nwith colleges and universities across the Nation to promote higher \neducation in Information Assurance (IA). This program is an outreach \neffort that was designed and is operated in the spirit of Presidential \nDecision Directive 63 (PDD 63), the Clinton Administration\'s Policy on \nCritical Infrastructure Protection, dated May 1998. The program is now \njointly sponsored by the NSA and Department of Homeland Security (DHS) \nin support of the President\'s National Strategy to Secure Cyberspace, \nFebruary 2003. The goal of CAEIAE is to reduce vulnerability in our \nnational information infrastructure by promoting higher education in \ninformation assurance (IA), and producing a growing number of \nprofessionals with IA expertise in various disciplines.\'\' \\1\\ In New \nYork, Pace University, Polytechnic, SUNY Buffalo, SUNY Stony Brook, \nSyracuse University and the U.S. Military Academy, West Point have been \ncertified.\n---------------------------------------------------------------------------\n    \\1\\ http://www.nsa.gov/ia/academia/caeiae.cfm\n---------------------------------------------------------------------------\n    Numerous options for training are available at the federal level, \nincluding FBI Quantico, the Federal Law Enforcement Training Center \n(FLETC), the Secret Service Training Center and many others. 
State and \nlocal law enforcement, typically with smaller budgets, receive training \nfrom private for profit or non-profit organizations such as the High \nTechnology Crimes Investigation Association (HTCIA), InfraGard, the \nNational White Collar Crime Center, the National Law Enforcement \nTraining Center (NLETC) along with many others. In many cases the \ninvestigators and officers pay for membership and training out of their \nown pocket. At WetStone we have first hand experience with this \nphenomenon and receive multiple requests weekly to attend our training \nby these individuals paying with their own funds to stay current with \nthe emerging threats.\n\nWhat partnerships should two-year and four-year colleges and \n                    universities forge with business and industry to \n                    build appropriate programs? In your opinion, is \n                    there sufficient collaboration with industry at the \n                    administration (advisory committees), faculty \n                    (return-to-industry) and student (internship) \n                    levels to accommodate rapid changes in these \n                    professional and technical areas?\n\n    The experiences over the course of my 20+ years in this industry, \nboth in and out of the classroom have provided me with a very \ninteresting perspective regarding not only the needs but the progress \nthat has been made. First, I must say that the young men and women \nseeking education in these areas are some of the best and brightest I \nhave had the privilege to work with. I learn more every time I enter \nthe classroom either in an academic or training setting than I could \npossibly repay. During the very early days of WetStone, we launched an \naggressive internship program for those working on degrees in cyber \nsecurity. This program is still in full swing today. 
The idea was two \nfold, first to be directly involved in the education process by \nteaching in the classroom; and second to provide internship \nopportunities for students that had interests in pursuing a career in \ncyber security research and development. I am happy to report to this \ncommittee that this approach has been a stellar success. To date we \nhave executed 14 internships in cyber security, involving students from \nevery college level. Over half of these students have accepted full-\ntime employment with our company after graduation. In addition to the \ninternships at the college level, in June of 2003 we initiated a high \nschool internship program for high school juniors and seniors \nconsidering a career in cyber security. Our first high school intern \nJeff Olson of Cortland High School is with us again this summer. Jeff \ngraduated in June and will be going on to the Rochester Institute of \nTechnology RIT where he will be studying computer engineering. Based on \nthe success of the high school program we are expanding this internship \nin the fall to include two additional high school students.\n    The advancement and availability of education, training and \ninternship programs is paramount if we are to strengthen our nation\'s \ncyber security workforce. For example, education at the undergraduate \nlevel must include practical as well as theoretical aspects. In this \nfield of study, the state-of-the-art is changing daily and those \nengaged in education must keep abreast of current trends \n(technological, legal and operational). In addition, I believe it is \nimportant that internships should be a requirement for those working in \nthis field. Without functional internships students graduating will \ncontinue to lack practical skills that are a requirement for success. \nThis recommendation should not be taken lightly. 
A serious commitment \nby the student, the college or university, and the private sector is \nnecessary to make this endeavor successful. One metric that we have \ndeveloped for our own cyber security internship program is the 2-for-1 \nrule. For every two cyber security interns we hire, we need to dedicate \none full-time staff member to direct and mentor the interns--a \nsignificant commitment for large or small companies. In many cases \nemployers consider only the labor cost of the interns when making an \nintern program decision, when in fact the cost is many times higher. \nHowever, long-term commitments are necessary, and your ability to \nmentor these students during their junior and senior years will pay \nsignificant dividends after graduation--as they step directly into the \norganization and begin producing and contributing immediately. Also, \nthe colleges and universities are required to commit staff hours to \nmonitor the process of the internships in the field. These monitors need \nto be selective as to the environments that students consider--again \nrequiring extensive planning and follow-up for an already overloaded \nschedule. However the payoff here again can be considerable. By \ninterfacing directly with prospective employers, educators are able to \nidentify gaps in their curriculum, get feedback as to the student\'s \npreparation, and directly improve the overall programs.\n    Colleges and universities must forge partnerships with both the \npublic and private sector. In my opinion the internship model is one \nthat should be considered. This model provides all the elements \nnecessary to better prepare students for the workforce and to garner \ndirect feedback throughout the life cycle of the cyber security \ncurriculum development. As new issues and threats are revealed, this \nfeedback will be focused and swift. 
The internship opportunities also \nallow the colleges and universities to build relationships with \nemployers that will better define and characterize the jobs these new \ncyber warriors take on. This understanding will again help shape the \ncurriculum as a whole, along with shaping the syllabus of specific \ncourses. One other benefit of this approach will be the access to local \nexperts that are willing to guest lecture in the classroom. These local \nexperts educate everyone in this environment (professors, students and \ncolleagues) not to mention what they may learn while interacting with \nthe next generation workforce. I realize that in writing this one may \nthink there must be an easier way, because this sounds like hard work. \nUnfortunately, I\'m not sure there is a silver bullet, as the \nresponsibility for advancing the cyber security of the country should \nfall to everyone\'s shoulders. In almost all cases, we have forged these \nrelationships--one student, one professor, one college, one department \nhead at a time. We must all take a passionate interest in advancing our \ncapabilities against the ever increasing cyber threat and get our hands \ndirty, and give back what we learn and know about every aspect of this \nthreat. Today, the criminals and terrorists communicate and they share \ninformation about weaknesses, system vulnerabilities, our critical \ninfrastructures, social engineering, stolen passwords, credit card \nnumbers, malicious code and the latest cyber weapons freely and \nvirtually unchecked over the Internet. We must do the same. And I \nbelieve education and training are the basis and the first critical \nstep. At WetStone we adopted a quote as our company\'s vision in 1998. \nThe quote came from a different time when our nation was facing a \ndifferent adversary, but as often happens, the words of great men \nwithstand the test of time. 
Robert Kennedy said in 1960, ``If we do not \non a national scale attack organized criminals with weapons and \ntechniques as effective as their own they will destroy us.\'\' By \ndedicating ourselves to the transfer of knowledge in cyber security to \nthose that are defending, or will defend us, we can train the workforce \nof the future and begin making a difference today.\n\nWhat can the Federal Government do to improve cyber security education \n                    and build the Nation\'s technical workforce?\n\n    I feel that the Federal Government can have direct impact on the \nadvancement of education and training in cyber security from several \nperspectives.\n    First and foremost, cyber security training and education can be \nmade more accessible to our men and women in law enforcement who today \ncan only advance their education and training in this area by spending \ntheir personal funds, trading their vacation time, or giving up time \nwith their families to attend a training course that will ultimately \nhelp them defend our nation. Offering them assistance to participate in \nqualified education and training programs will accelerate the process \nfor those already investing in our future and encourage those that \ntoday do not have access.\n    Second, incentives to colleges, universities and the private sector \nto create internship opportunities in cyber security can be increased. \nThe cost required to carry out this endeavor is staggering today, \nhowever, in my opinion this is an investment that we cannot afford to \noverlook.\n    Third, national accreditation of cyber security education and \ntraining programs that would allow those to combine credits and \nexperience to obtain higher education degrees in a flexible, fair and \nnon-traditional form is urgently needed. 
We need to not only attract \ntoday\'s young people entering college into this field, we must also \nencourage those that have many years of street experience in law \nenforcement to gain the recognition based on their years of investment \nin our future. When they step on the street tomorrow, they may \nencounter ``cyber evidence\'\' that could in fact hold critical \ninformation that would preempt a crime, a pending terrorist action, or \nthe exploitation of a child. Their preparedness, I believe, should be \nour paramount concern.\n    I would like to thank the Committee for this opportunity to present \nmy experience, thoughts, views and perspective on cyber security \neducation and training.\n\n                 Biography for Chester ``Chet\'\' Hosmer\n    Chet Hosmer is a co-founder, and the President and CEO of WetStone \nTechnologies, Inc. He has over 25 years of experience in developing \nhigh technology software and hardware products, and during the last 15 \nyears, has focused on research and development of information security \ntechnologies, with specialty areas including: cyber forensics, secure \ntime, and intrusion detection and response.\n    Chet is a co-chair of the National Institute of Justice\'s \nElectronic Crime and Terrorism Partnership Initiative\'s Technology \nWorking Group, and was one of five international steganography experts \ninterviewed by ABC News after the 9/11 al-Qaeda attacks. Chet has been \nquoted in numerous cyber security articles, and has been invited to \npresent as both a Keynote and Plenary speaker numerous times over the \ncourse of his career.\n    Chet is a member of the IEEE and the ACM, and holds a B.S. degree \nin Computer Science from Syracuse University. 
Chet is also the Director \nof the Computer Forensics Research and Development Center of Utica \nCollege.\n\nSelected Publications and Speaking Engagements:\n\n``Steganography Detection: Finding Evidence in Plain Sight,\'\' 15th \n        Annual ACFE Fraud Conference and Exhibition, July 12, 2004\n``Scanning-Detecting-Eradicating--and Recovering from the Malware \n        Invasion,\'\' Techno Security 2004, June 8, 2004\n``Time: The Missing Link in Digital Integrity,\'\' Gorham International \n        Conference, May 25, 2004\n``Bigger Than Viruses-How Malicious Software Can Affect Your \n        Business,\'\' Tech 2004, May 4, 2004\n``Discovering Evidence Hidden In Plain Sight,\'\' Southeast Cybercrime \n        Summit 2004, March 3-4, 2004\n``Biometrics and Digital Evidence\'\' with Countryman, B. The Security \n        Journal, Winter 2004, Volume 6\n``Protecting the Homeland using Biometric Identification,\'\' Sector 5--\n        The Global Summit Exploring Cyber Terrorism and the Targets of \n        Critical Infrastructures, August 21-23, 2002\n``Steganography Detection: Finding Evidence Hidden in Plain Sight,\'\' \n        Forum on Information Warfare, December 2003\n``Applying Hostile Content Detection to Digital Forensic \n        Investigation,\'\' The Security Journal, Fall 2003, Volume 5\n``Cyber-Terrorism: Digital Steganography and its Implications for \n        Homeland Security,\'\' Securing the Homeland Conference & Expo, \n        September 10, 2003\n``Steganography as It Relates to Homeland Security,\'\' Electronic Crimes \n        Task Force Homeland Security Seminar, September 4, 2003\n``Discovering Covert Digital Evidence,\'\' DFRWS Conference, August 6, \n        2003\n``What You Can\'t See Can Hurt You--The Dangers of Steganography,\'\' The \n        Security Journal, Summer 2003, Volume 4\n``Digital Steganography: The Evolving Threat,\'\' Techno-Security 2003, \n        April 29, 2003\n``The Importance of Digital Time in Preventing Economic 
Crime,\'\' \n        CyberCrime 2003, February 9, 2003\n``Tracking Cyber Criminals With Time,\'\' NATO Inforensics and Incident \n        Response Workshop Keynote, October 22, 2002\n``What You Can\'t See Can Hurt You,\'\' SC Magazine, August 2002\n``Proving the Integrity of Digital Evidence with Time,\'\' International \n        Journal of Digital Evidence (IJDE), Spring 2002, Volume 1, \n        Issue 1\n``Steganography Detection: Finding Evidence Hidden in Plain Sight,\'\' \n        Techno-Security 2002, April 10, 2002\n``The Importance of Binding Time to Digital Evidence,\'\' 12th Annual \n        Economic Crime Investigation Institute Conference, October 30, \n        2001\n``Technical and Legal Issues in Network Intrusion Investigations,\'\' \n        with W. Williams and A. Ott, October 31, 2000 11th Annual \n        Economic Crime Investigation Institute Conference. Cyber Swords \n        and Shields Fraud Symposium, October 3-5, 2000\n``State-of-the-Art of Computer Forensics,\'\' 10th Annual Economic Crime \n        Investigation Institute Conference, November 9, 1999\n``Advancing Crime Scene Computer Forensics Techniques,\'\' with J. \n        Feldman and J. Giordano, SPIE\'s International Symposium on \n        Enabling Technologies for Law Enforcement and Security \n        Conference, November 1998\n``Using SmartCards and Digital Signatures to Preserve Electronic \n        Evidence,\'\' SPIE\'s International Symposium on Enabling \n        Technologies for Law Enforcement and Security Conference, \n        November 1998\n``System Modeling and Information Fusion for Network Intrusion \n        Detection,\'\' with N. Ye, J. Feldman, and J. Giordano, ISW \'98, \n        October 1998\n``Detecting Subtle System Changes Using Digital Signatures,\'\' with M. 
\n        Duren, 1998 IEEE Information Technology Conference, September \n        1998\n``Time-Lining Computer Evidence,\'\' 1998 IEEE Information Technology \n        Conference, September 1998\n``The Role of Smart Tokens in Cryptographic Key Management,\'\' with P. \n        Samsel, PARAPET Journal of Information Security, Autumn 1997\n``Controlling Internal Fraud: Detection and Countermeasures Using \n        Intelligent Agents,\'\' Economic Crime Investigation Institute \n        Eighth Annual Conference, Oct. 27-28, 1997\n``Developing Solutions That Employ Tamper Proof Token Devices to \n        Protect Information Integrity and Privacy,\'\' IEEE Dual-Use \n        Technologies and Applications Conference, May 1997\n``Securing Lottery Electronic Instant Ticket Technology,\'\' with M. \n        Holcombe, 1994 National Lottery Technology Conference, November \n        1994\n\nMedia Coverage\n\n``Secret Codes\'\': NHK Japan Television, December 2002\n``A Novice Tries Steganography\'\'--Tech TV--Cyber Crime Show, January \n        2002\n``A Secret Language\'\'--ABC News Prime Time Thursday, October 4, 2001\n\n\n    Chairman Boehlert. Thank you very much.\n    You will be interested to know that you were only 45 \nseconds beyond the five minutes.\n    Our next witness, Mr. Baker, is accompanied by a support \nstaff, his young son, Chris, who is behind him in the audience \nand who is working on a scouting merit badge in citizenship. So \nwhat we are talking about here, in many respects, is dealing \nwith human capital for the future. So I am glad to see Chris \nhere with you, Mr. Baker.\n\n   STATEMENT OF MR. JOHN R. BAKER, SR., DIRECTOR, TECHNOLOGY \n   PROGRAMS, DIVISION OF UNDERGRADUATE EDUCATION, SCHOOL OF \n PROFESSIONAL STUDIES IN BUSINESS AND EDUCATION, JOHNS HOPKINS \n                           UNIVERSITY\n\n    Mr. Baker. Thank you, Mr. 
Chairman.\n    Thank you for the opportunity to speak today, and as you so \neloquently indicated, I am director of the undergraduate \nprograms in technology in the School of Professional Studies in \nBusiness and Education at Johns Hopkins University. In that \ncapacity, I run both our undergraduate degree programs in \ninformation system with concentrations in both information \nsecurity and cyber forensics and the public technology training \nprograms that we run.\n    We define ``cyber security\'\' as the process of informing \ntechnology professionals, end users, managers, and researchers \nabout the technical and non-technical aspects of protecting \ntheir information resources and expanding our knowledge in the \nfield. As I indicated before, it is a multidisciplinary \napproach. It has both breadth and depth, including math, \nscience, technology, business, law, psychology, and personal \nissues. It includes topics that range from simple virus \nprotection to a lot more elaborate forms of security technology \ndetection, investigation, prevention, as well as many non-\ntechnical areas. In addition, its audience includes end users, \ntechnology professionals, managers, and researchers. \nConsequently, information technology--information security \neducation necessarily covers a wide range of topics at a \nvariety of levels.\n    In addition to the specific topics, programs in the area \nmust address issues such as the demand for graduates, the \ndifferences between training and education, program \ndevelopment, faculty hiring and development, research, and \ndeveloping the field as its own discipline, and recognizing and \naccepting educational standards, and keeping costs manageable \nwhile keeping programs current and the potential for student \nbackground checks. To ensure program success, the educational \ninstitution must have some understanding of the need or demand \nfor program graduates. 
Potential students with little or no \nemployment opportunities will not select any given program.\n    In the area of education and training, a strong \ndifferentiation between the two must be understood. Training is \ngenerally focused on product or a specific set of skills in an \narea. Education\'s goals are multi-purpose: teach the specific \ntechnology skills, develop critical thinking and problem-\nsolving skills, improve the knowledge of the field, improve \ncommunication capabilities and information literacy skills, and \nfoster research interests.\n    As for program development, it is both costly and time-\nconsuming. It can take a year or longer for a program to be \nfully developed and implemented. There are many questions to be \naddressed in the development and implementation of a program \nand steps to be worked through.\n    Faculty is a key to a program\'s development and success. \nQuestions such as the role of full-time and part-time faculty, \nfaculty knowledge and development, and the role of research are \nconstantly being addressed. Each requires considerable \nanalysis.\n    One way to encourage involvement in the field is to define \nit as a discipline. Components of this include the availability \nof research money and the development of educational standards, \nespecially as they relate to employment opportunities.\n    As with all such endeavors, cost is an important factor. \nCosts obviously include the specific technology components, \nhowever, they also include facility set up, management and \nmaintenance, academic program development, implementation and \nmanagement, faculty hiring and development, and the potential \nfor other components, such as background checks.\n    A more recent issue that has surfaced is this issue of \nstudent background checks. Some have expressed concern that we \nmay need to determine the suitability of a student for these \ntypes of programs. 
However, there are many questions to be \naddressed before this issue can be resolved. Johns Hopkins has \ntaken an institution-wide approach to both education and \nresearch components.\n    Our academic community has developed educational components \nand/or degree programs that span almost all disciplines and \ntopics in the information security field. Johns Hopkins has \ncreated the Johns Hopkins University Information Security \nInstitute, implemented security education in all of its \nschools, created separate academic programs and program \ncollaboration specifically for information security and cyber \nforensics, and encouraged research in a number of security-\nrelated areas. The undergraduate program in our school focuses \non both sides of the security incident before and after the \nsecurity preparation and cyber forensics.\n    There are some areas the Federal Government can be of \nassistance: include more complete funding for the NSF \ninitiatives, encourage the development of educational \nstandards, work with private industry and state governments to \nprovide scholarship opportunities for their potential \nemployees, and assist some government agencies in absorbing the \ngraduates of the Scholarship for Service Program.\n    More information on these are provided in the detailed \ntestimony I have submitted to the Committee separately. I would \nlike to take this opportunity to again thank you for this \nopportunity to speak to the Committee.\n    [The prepared statement of Mr. Baker follows:]\n                Prepared Statement of John R. Baker, Sr.\n\n1. Cyber Security Education\n\n    Cyber Security Education is the process of informing technology \nprofessionals, end-users, managers and researchers about the technical \nand non-technical aspects of protecting their information resources, \nand expanding our knowledge in the field. It is a multidisciplinary \nfield that is both broad and deep. 
The field is constantly evolving to \nincorporate more components based on current and historical events and \nresearch. The term itself refers both to security aspects as well as to \ncyber forensics. It requires simultaneous education, training and \nresearch in multiple areas (technology, business, management, finance, \npsychology, computer science, etc.)\na. Components of the Field: Technical, Managerial, Operational\n    Cyber Security Education is more than just the technical aspect of \ndetecting or eliminating the latest virus, or preventing hacker attacks \n(the public personae). It requires knowledge of technical areas, \naddressing management, and how to infuse security practices into the \neveryday operational aspects of an organization. Technical aspects \ninclude firewalls, network security, cryptography and software \ndevelopment.\n    Managerial components include personnel issues, disaster recovery \nplanning, funding (direct and indirect costs, ROI, payback), the \npsychology or mind-set of a perpetrator, operational security \nmanagement, public relations and legal/regulatory components. \nOperational issues include day-to-day security operations, both for the \nsecurity field professional and the everyday user.\n    Each part of the field involves varying levels of research, \neducation and training. Research investigates new technologies, \nfinancial issues, approaches to security management, personnel issues \nand legal/regulatory needs. The most recognizable research is on the \ntechnological components of information security.\nb. Education vs. Training\n    Often interchangeably used, education and training differ greatly. 
\nEducation\'s goal for the student is multi-purpose: teach them specific \ntechnical skills, develop critical thinking and problem-solving \nabilities, increase the knowledge of the vast background material in \nthe field, improve communication capabilities and information literacy \nskills, and engage the student in some form of research.\n    Training is generally focused on a product or specific set of \nskills in an area. However, at its highest level, some training \nattempts to approximate education, typically by improving some of a \nstudent\'s background knowledge in a field and/or developing problem \nsolving capabilities.\nc. Research and Education\n    A major methodological issue for a university is whether to focus \non research or on classroom education. University reputations are based \non faculty research and the institution\'s research abilities. Johns \nHopkins University was the first U.S. university to include research in \nthe educational process. Typically, university research has not been \nfocused specifically in the areas of information security or cyber \nforensics. Research for these areas is done in various other \ndisciplines that directly or indirectly affect these fields.\nd. Emerging Discipline\n    Because of its breadth, Cyber Security Education is a young field \nand not currently recognized as a discipline. At the moment it has not \nyet been accepted as a discipline of its own. It has components in \nvarious areas: mathematics, computer science, business, finance, \nengineering, psychology, law, etc. Consequently, research, education \nand training occurs in each of these disciplines independently. For \nexample, research in the field of mathematics may result in a better \ncrypto-key system.\n\n2. Programs at JHU\n\n    Johns Hopkins has responded to the need for intensive research, \neducation and training in cyber security in all of its academic areas. \nSome of its programs were in place before the events of Sept. 11. 
\nHowever, all schools at the university have implemented or are in the \nprocess of implementing, information security education and/or research \nin their academic disciplines. In addition, Hopkins has created the \nJohns Hopkins University Information Security Institute whose goals are \nto foster research in information security, help develop \nmultidisciplinary approaches to security education, provide seminars \nand other educational activities, and advance the literature in the \nfield.\na. Internal Programs\n    Almost all schools at Hopkins have incorporated some form of \nsecurity education. Depending on the program and level, it could \ninclude simple background knowledge about the area and how security \napplies to the specific educational discipline, or it could include in-\ndepth studies into security approaches in a field, practical \napplications or advanced security research.\nb. Internal Collaboration\n    Several of Hopkins\' Schools have collaborated on academic programs \nthat are interdisciplinary in nature. The flagship program at Hopkins\' \nInformation Security Institute is the Master\'s of Science in Security \nInformatics (MSSI). It is a collaboration of several schools at \nHopkins: Whiting School of Engineering, Krieger School of Arts and \nSciences, Bloomberg School of Public Health, Nitze School of Advanced \nInternational Studies and the School of Professional Studies in \nBusiness and Education. Over 25 full-time, part-time or adjunct faculty \nare available to deliver the MSSI courses at multiple Hopkins\' sites in \nthe Baltimore-Washington area.\n    In addition, some schools at Hopkins have developed internal \ncollaborations across academic levels. The Whiting School of \nEngineering and the Krieger School of Arts and Sciences jointly offer a \nconcurrent Bachelor\'s/Master\'s program in security. 
The School of \nProfessional Studies in Business and Education offers a joint \ntechnology Bachelor\'s/Master\'s degree, with a concentration in \ninformation security.\nc. External Collaborations\n    The School of Professional Studies in Business and Education is in \nthe process of developing joint programs with several area community \ncolleges. These would provide students at two-year institutions \ncomplete academic program opportunities at the Bachelor\'s level, and \nextending into the Master\'s level.\n    The joint program offered by the Whiting School of Engineering and \nthe Krieger School of Arts and Sciences includes opportunities for \nundergraduates of other local universities, which have established \nagreements with these Hopkins schools.\nd. Research, seminars, courses/teaching, publishing\n    The Johns Hopkins Information Security Institute has become the \nfocal point for information security research at the university. Over \n15 full-time faculty or JHU Applied Physics Laboratory researchers are \ninvolved in some aspect of information security research.\n\n3. Strengths & Weaknesses of Current Education\n\na. Education or Training\n    Often a potential employee seeks the short-term goal of satisfying \na potential employer\'s advertised need, through specific skill-set \ntraining. Many potential employees view the requirements indicated in a \nparticular employment ad, then attempt to obtain the specific skill \nrequired (CISCO training, CISSP certification, etc.). While potentially \nvalid as an entry into the field, or for a specific job requirement, \nthese are not intended to indicate the wider-range of skills and \nabilities many employers seek.\n    Education rather than training provides potential employees this \nwider-set of knowledge and abilities, in addition to specific \ntechnology skill sets (not necessarily for a specific product). 
These \ninclude: critical thinking and problem-solving, knowledge of the vast \nbackground material in the field, communication, information literacy \nand some form of research. Often a student in a program wants to know \nif they will be learning Product-X. The answer is usually that the \nprogram may teach you some things about Product-X, but its goal is to \nteach you how to learn, and apply that skill to learning about \ndifferent products. At times we may use various products (including \nProduct-X) as examples in our classes or for demonstration purposes, \nbut the goal is not to teach a specific product.\n    In addition, education is intended to develop the next generation \nof researchers in a discipline. Because of the nature of the \ninformation security field, much of the research is focused in other \ndisciplines. For example, a math researcher may apply their findings to \nthe information security field.\nb. Costs:\n    The cost of education programs covers many components: physical \nitems, facilities management, program development and maintenance, and \nfaculty hiring, training and education.\n\n1. Facilities Set-up and Management\n\n    Teaching state-of-the-art information security or cyber forensics \nprograms requires facilities that can handle the technology. This means \nsome form of computer lab capability, typically networked. While the \nmost current technology is not absolutely necessary, the more dated the \ntechnology the more difficult it is to get current and potential \nstudents and employers to accept a program as useful. It is a constant \nproblem to remain current enough to teach the most important components \nof security and forensics, and still not spend `every last dime\' on the \nmost recent technology.\n    An additional component is the style or set-up of lab facilities. \nMost lab set-ups will be done in one of two approaches: a dedicated lab \nor a multi-purpose lab. 
Dedicated labs are designed for a specific \nprogram, and have minimal impact on other programs or facilities. \nHowever, they will sit idle when the specific educational program is \nnot offered. In addition, management of these labs may be easier (for \nprogram setup and use), but they are almost always `locked down\', and \nonly allowed for students of the specific program. No other use is \nallowed because of the sensitive nature of the set-up, and because of \nthe potential problems with other areas. For example, if a lab virus or \nother destructive software is unintentionally allowed into another lab \nfacility, that facility may become corrupted. If it is a networked \nfacility, others may also become corrupted.\n    Multi-purpose labs are more functional, but can be much more costly \nin terms of set-up and management. These labs may need periodic \nisolation, a special set-up, and additional management. In addition, \nwhen they are used by the security or forensic program, disruption to \nother programs needing the lab will occur. This will include \nspecialized set-up and clean-up time, in addition to the actual class \ntime.\n    All of these take time, resources and increase costs of program \nofferings. Hardware costs can range from $500 to $2,000 per machine, \nplus networking and software costs. Management time will include \ninitial lab set-up, in addition to the individual class set-up and \nclean-up, depending on the type of lab. While difficult to provide \nspecific cost estimates for this time, it can include several hours of \na lab manager\'s time and up to 1 1/2 days of a support staff person\'s \ntime, for each class session.\n\n2. Program Development & Maintenance\n\n    Development, implementation, operation and maintenance of an \neducational program can take more than a year. Typically, the process \nincludes:\n\n        a.  An assessment of the need for graduates of a program\n\n        b.  Development of an advisory board\n\n        c. 
 Identification of program components\n\n        d.  Internal and external approval steps\n\n        e.  Organization of the program into modules/courses\n\n        f.  Development of the course material\n\n        g.  Advertising/marketing the program\n\n        h.  Program implementation\n\n        i.  Constant program evaluation and improvement.\n\n    While there are ways to speed up the process, each step is needed. \nIn approving such programs, cost is always a major factor. Employment \nsurveys, component development costs, hardware and software \nidentification, developing appropriate course/lesson plans around them, \nmarketing and oversight are the major ones.\n\n3. Faculty\n\n    Cost issues for faculty center on the issues of part-time vs. full-\ntime faculty, and the role of faculty in the program. Part-time faculty \nare usually used for teaching purposes, and to provide expertise in a \nspecific topic area. While they may be involved in program development, \nthey are not typically responsible for program development or success/\nfailure.\n    Full-time faculty are involved in one or more aspects of program \ndevelopment, implementation, teaching, evaluation. In addition, in many \ninstitutions they are involved in research activities. This can be a \nsource of cutting-edge knowledge, prestige and income for the faculty \nmember and institution, but can also create problems. These and other \nfaculty issues are addressed in section 4.a.\nc. Background Checks\n    A more recent problem that has surfaced is the issue of student \nbackground checks. With the events of September 11, increasingly \nquestions of appropriateness of students in the classroom have arisen. \nA discussion of background checks raises many additional questions:\n\n         1.  What is the purpose of the background checks?\n\n         2.  How deep or wide will they go?\n\n         3.  How much will they cost?\n\n         4.  How long will they take?\n\n         5.  
Who will pay for them?\n\n         6.  Who will do them?\n\n         7.  What will we do with the information once it is obtained?\n\n         8.  Will it prevent a student from entering a program or \n        restrict their access to certain courses or material?\n\n         9.  Are they relevant given the availability of material on \n        the Internet?\n\n        10.  Are they legal?\n\n    Background checks are costly, time consuming and raise legal \nconcerns around privacy and profiling. But, given the awareness of \nsecurity concerns, additional guidance will be needed in this area.\nd. Ethical Agreements\n    Some programs have instituted ethical agreements with students in \nspecific programs. They attempt to educate the student on the \nseriousness of the topic, and the expectations of professional and \nmoral behavior that accompany the education. However, enforcement is \ndifficult, especially outside the classroom or after the program is \ncompleted.\n\n4. Faculty Preparation, Recruitment and Retention\n\na. Part-time vs. Full-time Faculty\n    Identifying appropriate faculty for specialized programs such as \ninformation security and cyber forensics is a challenge. Generally, the \noptions are:\n\n        1.  Design the program around the current full-time faculty \n        knowledge base\n\n        2.  Upgrade current full-time faculty skills/knowledge\n\n        3.  Hire new full-time faculty, specifically for this program\n\n        4.  Hire part-time, practitioner faculty to teach in the \n        program\n\n    Designing the program around the current full-time faculty \nknowledge base is the easiest and least costly approach, but is usually \nthe least desirable. Typically, their knowledge base is very specific \nand may not cover the broad-range of technical and non-technical topics \nrequired. 
Consequently, the program manager is required to augment the \ncurrent knowledge base with additional training or education, or \nhiring other faculty, either full-time or part-time. In addition, the \ncurrent faculty knowledge base may already be out-of-date or too \nnarrow.\n    Upgrading current full-time faculty skills and knowledge is \ndesirable and useful for them, but is time consuming and adds cost to \nthe program development and operation. It may delay the program \ndevelopment and implementation.\n    Hiring new full-time faculty may be quicker, but also costly. In \naddition, if the program is not commercially successful (and if they \nare not involved in research which generates grant income), the \norganization has incurred the additional faculty cost, with no \noffsetting income. That may mean the faculty position results in a \nshort-term employment opportunity.\n    Hiring part-time, practitioner faculty is often difficult and time \nconsuming. While it provides the educational institution the least \ncostly staffing solution, there are many other factors that affect the \nhiring decision. These faculty often:\n\n        1.  Are not trained educators\n\n        2.  Are already employed and consequently have problems with \n        pre-existing course schedules\n\n        3.  Cannot teach during the day\n\n        4.  May travel too much\n\n        5.  May have only some allegiance to the program and/or \n        institution\n\n        6.  May not have the necessary academic credentials\n\n        7.  May not have a teaching aptitude\n\n    When hiring part-time faculty the organization needs to commit to \nteaching them to be educators. Learning to educate at the college or \nuniversity level requires some intensive interaction between the \nacademic program manager and part-time faculty member, and a commitment \non the part of the university to provide faculty development in the \narea of teaching skills and course/classroom management. 
In addition to \ncreating a syllabus and organizing some lectures, the part-time faculty \nmember will need to learn to manage the classroom environment, create \nand implement effective and fair evaluation instruments and assign \ngrades. In addition, the faculty will need to evaluate student writing, \nincorporate critical thinking and problem-solving skills, include \ninformation literacy, develop creative presentation styles, and infuse \ncurrent research into the education process. These can take some time, \npatience, and commitment on the organization\'s part, with no guarantee \nthe part-time faculty member will continue with the program.\n    In addition, the education organization needs to implement a \nsupport system for the part-time faculty member. This includes \nadministrative support for typical needs (copying, book order \nprocessing, etc.), and academic support for course content, unexpected \nproblems, articulating college/university policies on various issues \nand handling grading questions.\nb. Teaching vs. Research\n    In some educational organizations, full-time faculty may also be \ninvolved in research activities. While this can provide a terrific \nresource for the program in terms of up-to-date information in the \nfield, and potential student involvement in the research, it can also \ncreate conflicts for the faculty. Research activities are often funded \nby grants and require intensive time commitments of the faculty. \nConsequently, less time is available for teaching.\nc. Hopkins Approach\n    Hopkins has implemented a variety of solutions to address faculty \nissues. In some schools, full-time faculty are involved in both \nresearch and teaching. 
In addition, part-time faculty are used in \nselected courses or program components to either provide the \ninstruction or assist the full-time faculty member with their \ninstruction.\n    Other schools at Hopkins are using a large group of part-time \nfaculty who are professionals in their area, to teach in their program. \nIn addition to selecting fully qualified part-time faculty (based on \nfactors such as professional experience, teaching experience, teaching \naptitude, academic credentials and availability), they are provided a \nfull range of teaching professional support from both the program \nmanager and other groups with the organization.\n\n5. Federal Government Assistance\n\na. Funding NSF Initiatives\n    The National Science Foundation (NSF) has attempted to provide \nseveral opportunities to fund information security educational \ninitiatives. Because of funding issues NSF has not been able to support \ninnovative initiatives in information security education. Providing \nmore complete funding for the NSF initiatives will help in the \ndevelopment of different and more complete academic programs.\nb. SFS Graduates\n    Evidently, one of the issues with the Scholarship for Service (SFS) \nprogram is the ability of government agencies to absorb the number of \ngraduates. Some may need assistance in developing their plans and/or \nfinding ways to hire the graduating talent. Others, (DOD, NSA, etc.) \nhave indicated a strong need for qualified SFS graduates. One issue \nhere may be the ability of the students to obtain appropriate security \nclearances.\nc. Development as a Discipline\n    Provide some funding to encourage the development of information \nsecurity and cyber forensics as disciplines. This would encourage \nfaculty to enter the field, develop research incentives, and provide \nmoney for the development of applied and research-based academic programs. 
\nIn addition, it would bring together research and education that is \npertinent to the field.\nd. Non-SFS Scholarships\n    Working with the private sector and state governments, the Federal \nGovernment can help to develop scholarship programs to provide \neducational funding for students who may want to be employed in one of \nthese areas. The private sector and state governments have as strong a \nneed for information security professionals as the Federal Government. \nIn some instances they may be on the front lines, or provide early-\nwarning notification to the Federal Government. Consequently, they need \nas much education in the security area as the Federal Government.\n\n6. Other Issues\n\n    In addition to the requested information areas, these additional \ntopics may be of interest:\na. Defining Educational Standards\n    Developing educational standards in a discipline helps define it as \na discipline. The defining of such standards would help the fields of \ninformation security and cyber forensics. While simple in concept, it \nis more difficult in practice. It would require the defining of \nsecurity knowledge needs in various professions, and at different \nlevels within a profession. For example, in a given industry there are \nsystem end-users, managers, technical staff and researchers. Each \nrequires different levels and types of security education and skills. \nThe end-user may need to understand how, and a little of why, a \npassword needs to be changed regularly. In addition, the organization \nmay be helped if they are educated about typical security breaches that \ncan occur. Technical staff will need more in-depth education about \npreventing security problems from occurring, solving unexpected \nsecurity problems and reporting them to the appropriate people.\nb. Traditional-age Students vs. 
Returning Adult Students\n    Students in an educational program are typically one of two types, \nthe traditional-age student progressing through the academic process, \nas we have come to expect, and the returning adult student with several \nyears of work experience. In most instances they are seeking the same \nresult, entry into the information security field, either applied or \nresearch. At times they may co-exist in a program. However, typically \nspecific part-time programs are usually offered for the returning adult \nstudent. These programs are not usually considered when issues \nconcerning education are addressed.\n\n                    Biography for John R. Baker, Sr.\n\nEMPLOYMENT:\n\nJohns Hopkins University, School of Professional Studies in Business \n        and Education, Baltimore, MD\n\nDirector, Undergraduate Technology Programs (July 1999 to present)\n\nKey Responsibilities:\n    Direct activities for undergraduate degree, certificates and non-\ncredit (training) programs in information and telecommunications \ntechnology. Responsibilities include: market assessment, program \nplanning, course development and scheduling, budget management, \nmarketing and strategic planning for academic technology needs. Also \nassisted in redevelopment of school-wide technology strategic planning, \nboth academic and administrative.\nMajor accomplishments:\n\n        --  Worked on team to develop strategic technology plan for \n        entire school for both academic and administrative areas\n\n        --  Redesigned and implemented innovative undergraduate \n        technology degree (BS/Information Systems) and credit \n        certificate programs\n\n        --  Redesigned and expanded non-credit (training) programs \n        (CONNECT)\n\n        --  Manage on-site programs with local organizations\n\nGraduate Faculty (Jan. 
1998 to July 1999)\n\nKey responsibilities:\n    Assist business technology degree program director with program \ndevelopment and operation. Major areas include: course development and \nquality assurance, faculty development and quality, scheduling faculty \nassignments and managing graduate technology degree completion course.\n\nAdvanced Technologies Group, Columbia, MD (Aug. 1995 to June 1999)\n\nDirector, Consulting Services\n\nKey Responsibilities:\n    Direct activities to identify and secure potential consulting \nengagements, work with consulting clients, plan and manage projects, \nprovide consulting expertise as needed and assist with business \ndevelopment. Responsible areas include: information systems, technology \ntraining, executive education program, telecommunications, technology \nin education, strategic technology planning, the Internet and World-\nWide-Web. Major clients include: AT&T, MCI, SAIC, U.S. Dept. of \nInterior, World Airways, U.S. Dept. of Veterans Affairs, StorComm Inc., \nand Amnex Inc.\n\nJohns Hopkins University, School of Continuing Studies, Baltimore, MD \n        (Nov. 1987 to Aug. 1995)\n\nDirector, Technology Programs (Nov. 1987 to August 1995)\n\nKey Responsibilities:\n    Directed activities for large program of graduate and undergraduate \ndegrees in information and telecommunications technology, professional \ntraining programs and executive seminars. 
Responsibilities included: \nmarket assessment, program planning, course development and scheduling \n(over 800 sections and 120 faculty per year), assistance for over 1100 \nstudents, budget management, marketing and strategic planning for \nacademic technology needs.\nMajor accomplishments:\n\n        --  Designed and implemented innovative graduate technology \n        degree (MS/Information & Telecommunication Systems); \n        undergraduate information systems program; credit certificate \n        education, entrepreneur training and executive education \n        programs,\n\n        --  Redesign of graduate technology management (MS/Business-\n        Management of Technology), and professional education programs, \n        and\n\n        --  Finalist for innovative technology impact award in \n        Baltimore.\n\nDirector, SCS Operations, Montgomery County Center (Nov. 1987 to Aug. \n                    1990)\n\nKey Responsibilities:\n    Managed the start-up and operation of the School of Continuing \nStudies (SCS) remote-campus facilities at the Johns Hopkins University, \nMontgomery County Center. Responsibilities included: planning and \nimplementation of SCS operations (for multiple departments), marketing \n(evaluation, planning and implementation), public presentations, \npromoted the School and University with county business, education and \ngovernment. Simultaneously directed graduate business degree \nconcentration in Information Technology Management.\nMajor accomplishments:\n\n        --  Started school\'s most successful off-campus education \n        facility\n\n        --  Managed growth rate of over 125 percent per year for each \n        of first three years\n\n        --  Established educational presence in the county and \n        developed links with business\n\nThe International Bank for Reconstruction and Development (The World \n        Bank), Washington, DC (Jan. 1984 to Oct. 
1987)\n\nSystems and Facilities Manager\n\nKey Responsibilities:\n    Managed the administrative and investment trading systems and \nfacilities for the Investment Department of the World Bank (a $20 \nbillion investment operation). Responsibilities included: planning and \nimplementation of new information and telecommunication (voice and \ndata) systems, investment facilities and offices; budget management; \nmanaging vendor contracts (exceeding $1.5m); system security; strategic \ntechnology planning, disaster recovery planning and management; \nmainframe systems oversight.\nMajor accomplishments:\n\n        --  Planned and managed the construction of a new $2m \n        securities trading facility,\n\n        --  Planned, contracted and implemented a new $1m mainframe \n        computer system,\n\n        --  Negotiated and managed $3.5m software implementation \n        contracts, and\n\n        --  Implemented new office automation technology for department \n        of 40 professionals, in multiple locations.\n\nCoopers and Lybrand, Washington, DC (Sept. 1979 to Jan. 1984)\n\nSenior Management Consultant\n\nKey Responsibilities:\n    Managed and conducted various consulting engagements for the \nWashington, D.C. office of the Management Consulting Services group. \nThese engagements were for a variety of Federal and State Government \nagencies, and private organizations.\nProjects included:\n    A security review of the U.S. House of Representatives\' \ncomputerized Financial Management System; designed and implemented an \neconomic modeling system for the U.S. Department of the Treasury; \nredesigned the automated central personnel database for the Department \nof the Navy; managed several engagements to implement, enhance and \nmaintain financial portfolio management software for several state \nhousing agencies, including: Nebraska, New Hampshire, Oregon and South \nCarolina.\n\nMRI Systems Corporation, Washington, DC (April 1978 to Sept. 
1979)\n\nProject Manager\n\nKey Responsibilities:\n    Managed consulting services contracts for various U.S. government \nagencies. These were primarily for the development and implementation \nof management information systems using the SYSTEM 2000 Data Base \nManagement software. Major projects included systems for: Harry Diamond \nLaboratories (DOD), Mobile Equipment Research and Development Command, \nthe Defense Mapping Agency, and the Department of Agriculture.\n\nLockheed Electronics Corporation, Houston, TX (Sept. 1977 to March \n        1978)\n\nProject Leader\n\nKey Responsibilities:\n    Project leader for a Space Shuttle information system support \nteam--monitored the implementation of operating system enhancements, \nand implementation, support and modification of all commercial software \npackages. In addition, the team was responsible for analyzing existing \nhardware and software utilization and developing new requirements for \nthe Control Data Corporation computer data center at the NASA Space \nCenter in Houston, Texas.\n\nCommercial Credit Corporation, Baltimore, MD (Nov. 1971 to Aug. 1977)\nKey Responsibilities:\n    Held a variety of positions, including: Operations Manager, Data \nBase Manager, Project Leader, Systems Analyst and Programmer. 
Major \nduties included: managing department responsible for the daily \noperation of an on-line, real-time loan processing system with over \n1,000 terminals in 800 offices nationwide; lead team responsible for \nthe control and recovery of a large on-line, real-time financial data \nbase; developed and implemented on-line applications processing system; \nsupervised the programming and design teams which were responsible for \nuser interface, design, programming, testing and implementation of new \napplications; assisted in the design, programming and implementation of \nan on-line financial application system processing for over 1 million \ncustomers nationwide.\n\nFederal Reserve Bank of Richmond (Baltimore Branch), Baltimore, MD \n        (July 1969 to Nov. 1971)\n\nSenior Systems Operator\n\nKey Responsibilities:\n    Progressed from operator trainee to senior operator in mainframe \nIBM systems center. Major duties included: operator for an IBM 360 \nmainframe, monitoring the quantity and quality of work processed during \nthe shift by junior level operators.\n\nADDITIONAL QUALIFICATIONS\n\nJohns Hopkins University, School of Continuing Studies, Baltimore, MD \n        (Sept. 1983 to Nov. 1987)\n\nPart-time Faculty\n\nPosition summary:\n    Part-time faculty position assisting in development and teaching in \ntechnology program. Planned, designed and conducted beginning and \nadvanced technology courses for students in the graduate Business \ndegree, Economic Education program, graduate Information Systems and \nTelecommunications degree undergraduate Information Systems degree, and \nprofessional development training programs. Topics included: I.S. 
\nManagement, Strategic Planning for I.S., Advanced Topics in I.S., \nApplied Graduate Project, Project Management, Business Applications of \nComputers, Systems Analysis and Design, Business Planning, and \nbeginning through advanced training in: Novell Office Suite, Microsoft \nOffice Suite, Lotus-123, Windows, Internet and World-Wide-Web. Also, \ncontinue to assist with curriculum design and development for credit \nprograms.\n\nUniversity of Maryland, University College, College Park, MD (Sept. \n        1995 to May 1998)\n\nPart-time Instructor\n\nUniversity of Maryland, School of Business, College Park, MD (1996-\n        1997)\n\nPart-time Instructor\n\nEDUCATION\n\nMaster\'s degree in Administrative Science (May 1984), Johns Hopkins \n        University, Baltimore, MD.\n\nBachelor\'s degree in Computer Science (May 1975), Loyola College, \n        Baltimore, MD.\n\nHonors: Dean\'s List, graduation honors\n\nPRESENTATIONS & PAPERS\n\nBaker, John, Cyber Security Education: Issues & Approaches, Federal \n        Information Systems Security Educators Association conference, \n        March 10, 2004, College Park, MD\nBaker, John, Undergraduate Security Programs, Infragard seminar, March \n        2, 2004, Johns Hopkins Applied Physics Lab, Laurel, MD.\nBaker, John, Developing Cyber Security Education Programs, Society for \n        Advanced Learning Technologies conference, Feb. 18, 2004, \n        Orlando, FL.\nBaker, John, Ensuring Cyber Security, Security Education Programs, \n        CyberWatch Security Industry Group conference, Nov. 21, 2003, \n        Greenbelt, MD.\nBaker, John, Information Literacy, Society for Advanced Learning \n        Technologies conference, July 27, 2001, College Park, MD.\n\n    Chairman Boehlert. Thank you very much.\n    Mr. Spengler.\n\n  STATEMENT OF MR. ERICH J. 
SPENGLER, PRINCIPAL INVESTIGATOR, \n     ADVANCED TECHNOLOGY EDUCATION REGIONAL CENTER FOR THE \n  ADVANCEMENT OF SYSTEMS SECURITY AND INFORMATION ASSURANCE, \n                MORAINE VALLEY COMMUNITY COLLEGE\n\n    Mr. Spengler. Good morning, Mr. Chairman and Members of the \nCommittee. I would like to thank the Committee for the \nopportunity to comment on the role of community colleges in \ncyber security education.\n    Over the next few minutes, I will discuss how community \ncolleges address the challenges in cyber security education and \nthe ability of community colleges to focus on the practitioner \nskills necessary to adapt to the rapid changes in technology in \nthe workplace.\n    Community colleges play a critical role in the education \nand training of our Nation\'s workforce. With an enrollment of \n5.4 million credit students and five million non-credit \nstudents, these institutions train and educate 44 percent of \nour Nation\'s undergraduate students. A strength of community \ncolleges is its flexibility of the curriculum, which is often \ndesigned specifically to train practitioners. This flexibility \nenables community colleges to respond quickly to changes in \ntechnology and the needs of business and industry. Community \ncolleges facilitate career pathways from high schools to 2-year \ncareer programs and then additional pathways to 4-year colleges \nor universities. In addition, community colleges leverage the \nuse of well-qualified adjunct and career faculty and also play \na crucial role in the re-education and updating of the skills \nof current workers.\n    The NSF ATE Regional Center for Systems Security and \nInformation Assurance and its partners recently conducted a \nsurvey of companies in five mid-western states to determine the \njob demand for IT security-related positions, desired skills, \nand preferred educational levels. A total of 340 responses were \nreceived. 
Respondents were divided into small, medium, and \nlarge companies. Ninety-nine percent of the respondents were \nconcerned about Internet and computer security. Almost 3/4 of \nrespondents said their company currently employed people in IT \nsecurity positions. Slightly more than half said there was a \nshortage in the current supply of qualified applicants for \nentry-level IT security positions.\n    There are significant opportunities for individuals who \npossess an Associate\'s degree, therefore, community colleges \nmust continue to respond to growing industry demands for \nprofessionals possessing cyber security skills. Opportunity \nexists for Associate\'s degree graduates but also college \npathways are important for those continuing education and \ncareers.\n    Current strengths of community college cyber security \nprograms include the utilization of the National Science \nFoundation ATE centers and resources. In addition, \nopportunities exist for community college faculty to \nparticipate in cyber security initiatives and information \nsharing with sponsored task groups, such as the FBI\'s InfraGard \nand the United States Secret Service Electronic Crimes Task \nForce.\n    Community colleges are also challenged to integrate \nsecurity-related course work into existing IT programs and \ndegrees. The greatest challenge facing community colleges and \ntheir efforts to establish cyber security programs is faculty \nrecruitment and development. The NSF ATE program currently \nprovides vital resources for faculty development to enrich \ncyber security programs. For example, during the summer of \n2004, the NSF ATE Regional Center for Systems Security and \nInformation Assurance trained over 200 college faculty in \nsecurity awareness, information assurance, network security, \nand wireless technologies.\n    Community colleges must also expand relationships with \nbusiness and industry to develop innovative funding \nopportunities and partnerships. 
Partnering with national \nprogram models, such as the Cisco Systems Networking Academy, \nallows for greater implementation and consistency of \ncurriculum.\n    The Center for System Security and Information Assurance is \nthe first NSF ATE Regional Center for IT security. The center \nincludes seven partner institutions representing five Midwest \nstates. This center was established to address the needs for IT \nsecurity professionals by increasing faculty expertise and \nhigher education training programs in IT security and \ninformation assurance. This center collects, categorizes, \nadapts, enhances, standardizes, and evaluates curriculum and \nother training programs for community colleges and university \nfaculty in students across the Midwest. The center partners \nwith business and industry and local and federal agencies for \nprogram development.\n    To improve cyber security education and build the Nation\'s \ntechnical workforce, the Federal Government must continue to \ninvest in the programs and the people that are making a \ndifference in the education and training of our cyber security \nworkforce. Without the support for programs such as the NSF \nAdvanced Technological Education program, many institutions \nwould not have the resources or faculty expertise to meet the \nchallenges required to build quality cyber security programs.\n    This concludes my statement, Mr. Chairman and Members of \nthe Committee. Thank you for allowing me to address the \nCommittee on this issue.\n    [The prepared statement of Mr. Spengler follows:]\n                Prepared Statement of Erich J. Spengler\n    Good morning, Mr. Chairman and Members of the Committee. I would \nlike to thank the Committee for the opportunity to comment on the role \nof community colleges in cyber security education. 
My name is Erich \nSpengler, and I am the Director and Principal Investigator for the \nNational Science Foundation\'s ATE Regional Center for Systems Security \nand Information Assurance (CSSIA). I come to you with 16 years of \ncombined experience in the classroom and the IT Industry. I am \ncurrently an Associate Professor in Computer Integrated Technology at \nMoraine Valley Community College in Palos Hills, Illinois.\n\n<bullet>  What roles do community colleges play in the training of new \nworkers and the retraining of current workers? What employment \nopportunities in cyber security are available for individuals with a \ncertificate or a two-year degree?\n\nRole of Community Colleges\n    Community colleges play a critical role in the education and \ntraining of the Nation\'s workforce. Some 1,173 community and technical \ncolleges enroll 44 percent of all U.S. undergraduate students. The \nAmerican Association of Community Colleges (AACC) notes that 200,000 \ncertificates and 450,000 associate\'s degrees are granted each year. \nWith an enrollment of 5.4 million credit students and five million non-\ncredit students, these institutions train and educate a significant \npercentage of the workforce.\n    One of the strengths of community colleges is the close \nrelationship they maintain with local business and industry. This \nrelationship may take many forms. For example, community college \nfaculty are often asked to develop and deliver customized training \nsolutions for business partners. Business partners play an important \nrole in shaping career and technical programs by their participation as \nmembers of advisory committees. Another strength is the flexibility of \nthe community college curriculum, which is often designed specifically \nto train practitioners. This flexibility enables community colleges to \nrespond quickly to changes in technology. 
Community colleges also \nestablish career pathways from high schools to two-year career programs \nand then additional pathways to four-year colleges or universities. \nThis articulation of curriculum allows students to seamlessly continue \nhigher levels of professional studies and education close to home.\nEmployment Opportunities\n    The NSF ATE Regional Center for Systems Security and Information \nAssurance (CSSIA) and its partners recently conducted a survey \n(http://www.cssia.org) of companies in five mid-western states to determine the \njob demand for IT security-related positions, desired skills, and \npreferred educational levels. I would like to share some of those \nresults at this time.\n\n        <bullet>  A total of 340 responses were received. Respondents \n        were divided into small (less than 100 employees), medium \n        (100-499) and large (500 or more) companies.\n\n        <bullet>  An overwhelming 99 percent of respondents were \n        concerned about Internet and computer security.\n\n        <bullet>  Almost three-fourths of respondents said their \n        company currently employed people in IT security positions.\n\n        <bullet>  IT security positions were more likely to be part-\n        time or shared positions (part-time security along with other \n        IT duties) than dedicated (full-time IT security).\n\n        <bullet>  Security responsibilities are being added to most IT \n        professions, including network administrators, help desk \n        specialists, network engineers, application developers, and \n        systems analysts.\n\n        <bullet>  Slightly more than half said there was a shortage in \n        the current supply of qualified applicants for entry-level IT \n        security positions.\n\n        <bullet>  Large companies were more likely to be concerned \n        about Internet and computer security and to have dedicated \n        
security positions.\n\n        <bullet>  The most popular types of security training were \n        self-study, commercial vendor training sites, and community \n        college programs.\n\n        <bullet>  There are significant opportunities for individuals \n        who possess an Associate\'s degree.\n\n        <bullet>  Respondents indicated a significant number of current \n        open IT security positions and projected even more openings \n        over the next three years.\n\n    Community colleges must continue to respond to growing industry \ndemands for professionals possessing cyber security skills. Although it \nis clear that there are career opportunities for professionals holding \nAssociate\'s degrees, we must continue to develop pathways with four-\nyear colleges and universities allowing those professionals to attain a \nhigher level of education.\n\n<bullet>  What are the current strengths and weaknesses of cyber \nsecurity education and training programs? What ``model\'\' courses and \nprograms currently exist? And what types of courses or programs need to \nbe developed or more broadly implemented?\n\nCurrent strengths and weaknesses of cyber security education and \n        training programs\n    Current strengths of cyber security education include the \nutilization of NSF ATE centers as resources for faculty development, \ninternship programs and processes, dissemination and implementation of \ncurriculum models, collaboration, and partnerships among academic \ninstitutions and business and industry. In addition, opportunities \nexist for community college faculty to participate in cyber security \ninitiatives and information sharing with government-sponsored groups \nsuch as the FBI\'s InfraGard and the United States Secret Service \nElectronic Crimes Task Force.\n    However, much of the current cyber security curriculum typically \nfocuses on networking-related technologies. 
There is a need to expand \nthe emphasis beyond networking to serve the greater spectrum of IT \ncurriculum. Specialties might include forensics, programming and \nsecure coding, information assurance, and e-commerce and secure \ncommunications.\n    Community colleges are also challenged to integrate security-\nrelated coursework into existing IT programs and degrees. Three career \nareas must be addressed: (1) the focused cyber security practitioner \nspecializing in their field of study, (2) the IT professional not \ndedicated to security but who is charged with the protection of \ncritical information and infrastructure, and (3) non-IT-related \nprofessionals such as health care personnel.\nModel courses and programs\n    As cyber security technology emerges so must the programs within \nthe community colleges. There is debate regarding modeling of \ncurriculum on industry certification. This debate centers on the \ndelicate balance between certification preparation and required skill \nsets. Certifications provide a reasonable direction and solid \ngroundwork representing industry needs. 
However, barriers exist for \nstandardized academic models that reflect the skills defined by these \nindustry certifications: (1) security-related industry certifications \ncontinue to proliferate, making it difficult to identify which \ncertifications would provide the best models, and (2) skills outlined \nin industry certification often require costly effort to be implemented \ninto an academic framework.\n    Community colleges have identified four approaches to developing \nand offering courses and programs: (1) four-semester programs of study \nleading to Associate\'s degrees, (2) two-semester programs leading to \ninstitution-conferred certificates, (3) credit courses that are part of \nan existing program of study, and (4) non-credit programs of \npreparation for industry certification.\n    The NSF ATE Regional Center for Systems Security and Information \nAssurance (CSSIA) is developing an adoptable model that reflects both \nindustry certifications and practitioners\' required skills. The CSSIA \ncenter is working within each of the partner states to establish model \nfour-semester and certificate programs that reflect current and \nrelevant industry certifications and skills.\nDevelopment of programs\n    Collaboration among community colleges to reduce duplication of \nefforts is still needed. The establishment of cyber security programs \ncan be expensive and require a prolonged development cycle. \nAdditionally, we should consider the importance of the adaptation and \ndissemination of instructional materials and best practices. As an \nexample, to help reduce implementation costs of quality learning \nenvironments, the NSF ATE CSSIA center developed an innovative use of \nlaboratory equipment through remote access and management. 
\nAdditionally, partnering with national program models, such as the \nCisco Systems Networking Academy, allows for greater implementation and \nconsistency of curriculum.\n\n<bullet>  What are the challenges you face in recruiting and training \ncyber security faculty? What type of programs or opportunities do you \nprovide to help keep faculty current?\n\nChallenges in recruiting and training cyber security faculty\n    The greatest challenge facing community colleges and their efforts \nto establish cyber security programs is faculty recruitment and \ndevelopment. Community colleges must try to compete with business and \nindustry for skilled practitioners. An additional challenge occurs when \nindividuals interested in becoming faculty members possess the \nnecessary technological skills, but lack teaching experience.\nPrograms or opportunities to help keep faculty current\n    In 2002, the American Association of Community Colleges (AACC) \nsponsored the AACC/NSF Cyber Security Workshop. The workshop served as \na catalyst for community college professionals interested in cyber \nsecurity by identifying workforce and curricular needs and by \nestablishing a forum for collaboration among community colleges.\n    The NSF ATE program has provided vital resources to a number of \ncommunity colleges in an effort to establish cyber security programs. \nThese projects allocate a significant portion of the funding for \nfaculty development. The funds can be used in activities such as \nproduct training, professional externship opportunities, and graduate-\nlevel courses and workshops.\n    During the summer of 2004, the NSF ATE Regional Center for Systems \nSecurity and Information Assurance (CSSIA) trained over 200 college \nfaculty in Security Awareness, Information Assurance, Network Security, \nand Wireless technologies. 
CSSIA will continue to provide training \nopportunities in new and emerging skills for faculty in subsequent \nyears.\n    It is clearly our belief that without these training programs, the \ncyber security initiatives available to attending faculty would not \nmove forward to meet growing industry practitioner demands. Another \nmodel designed to keep faculty current in emerging IT skills is the \nWorking Connections Faculty Development Institute. Working Connections \nis co-sponsored by the NSF ATE National Workforce Center for Emerging \nTechnologies (NWCET), AACC and Microsoft Corporation to develop \nprofessional skills of faculty in several regions throughout the U.S.\n\n<bullet>  What can the Federal Government do to improve cyber security \neducation and build the Nation\'s technical workforce?\n\n    First, the Federal Government can encourage government agencies to \nprovide to community colleges their job descriptions and titles that \nare appropriate for cyber security graduates of two-year community and \ntechnical college programs.\n    Next, to improve cyber security education and build the Nation\'s \ntechnical workforce, the Federal Government must continue to invest in \nthe programs and people that are making a difference in the education \nand training of our cyber security workforce. Without the support from \nprograms such as the NSF Advanced Technological Education (ATE) \nProgram, many institutions would not have the resources or faculty \nexpertise to meet the challenges required to build quality cyber \nsecurity programs.\n    This concludes my statement Mr. Chairman and Members of the \nCommittee. Thank you for allowing me to address the Committee on this \nissue.\n\n                    Biography for Erich J. 
Spengler\n\nDirector/PI--CSSIA, NSF Regional Center for Systems Security and \n        Information Assurance\n\n    Erich Spengler holds a Master\'s degree from Loyola University and \nhas been a full-time faculty member at Moraine Valley Community College \nfor the past nine years. Mr. Spengler also has an extensive background \nin information technology, security and information assurance. He holds \nseveral major industry certifications, including CISSP, MCSE and CCNP. \nAdditionally, he has a broad background in network design and \ninfrastructure implementation.\n    Mr. Spengler currently serves as the Director and Principal \nInvestigator for the National Science Foundation (NSF) ATE Regional \nCenter for Systems Security and Information Assurance (CSSIA). This \nregional center serves a five-state area of the Midwest and focuses on \na field which is critical to homeland security and which has a large \ndemand for qualified workers. The center is collecting, adapting, and \nenhancing curricula in cyber security, modeling certificate and degree \nprograms, and providing professional development for college faculty in \nthe region.\n\n    Chairman Boehlert. Thank you, Mr. Spengler. And I can\'t \nhelp but observe that 22 years ago, when I was a freshman \nsitting down on the first row at the very end, community \ncolleges weren\'t even on the radar screen of the National \nScience Foundation. And since then, I have worked very hard, \njoined by colleagues, Republicans and Democrats alike, to make \ncertain the great opportunities presented by community colleges \nhave been recognized by the National Science Foundation. And \nso, in the late \'80\'s was born the ATE program, the Advanced \nTechnological Education program. And now, NSF recognizes what \nyou know very well, that the community colleges are very \nimportant in the educational process of America. 
So thank you \nfor what you are doing so much.\n    Lieutenant Aparicio.\n\nSTATEMENT OF SECOND LIEUTENANT DAVID J. APARICIO, DEVELOPMENTAL \n    ELECTRICAL ENGINEER, INFORMATION DIRECTORATE, AIR FORCE \n                      RESEARCH LABORATORY\n\n    Second Lieutenant Aparicio. Yes, sir.\n    Mr. Chairman, Congressman Gordon, Members of the Committee, \nand staff, I very much appreciate the opportunity to provide \ntestimony in my personal capacity on cyber security education, \nin particular my experience in the Advanced Course in \nEngineering on Cyber Security.\n    And as an introduction on the National Strategy to Secure \nCyberspace, President George W. Bush wrote that ``securing \ncyberspace is an extraordinarily difficult strategic challenge \nthat requires coordinated and focused effort from our entire \nsociety\'\' and ``the cornerstone of America\'s cyberspace \nsecurity strategy is a public-private partnership.\'\'\n    Last summer, I had the distinct privilege in participating \nin the Advanced Course in Engineering, or ACE, on Cyber \nSecurity at the Air Force Research Laboratory Information \nDirectorate in Rome, New York. The program immersed me in 10 \ngrueling weeks of research, problem solving, and report writing \non a variety of cyber security issues. I completed all \nrequirements to call myself an ACE graduate and earned the \ndistinction of Class Valedictorian. I gained far more than just \na certificate of completion. I gained a mastery of the issues \non cyber security, which challenge our Nation today and shape \nour future.\n    ACE uses a unique approach toward running the program. Once \na week, students are immersed in a one-day lecture covering a \nspecific area in cyber security, concluding with an assignment \nof a real-world problem. Students must solve the problem, write \na report detailing their solution. 
For the rest of the week, \nstudents work with their personal mentors on military and \nindustry projects with the Rome Research Site. This unique \ncombination of high-intensity instruction and military and \nindustry projects creates an environment that develops cyber \nsecurity leadership and situational awareness vital for our \nfuture. ACE taught me not only technical confidence but mental \nflexibility to solve any problem placed in front of me, \nacademic or critical.\n    I proceeded with great enthusiasm and duty because cyber \nsecurity is a gravely serious business. ACE introduced me to \nmany of the challenges of cyber security. Responding to the \nchallenges, I requested to return to the Air Force Research \nLaboratory Information Directorate to contribute to the defense \nof our Nation through cyber security awareness. With my new \nview on the world, I plan to eventually work for the Central \nIntelligence Agency or the National Security Agency.\n    The Advanced Course in Engineering on Cyber Security \naddresses the challenge of the National Strategy to Secure \nCyberspace by developing the top students in pre-commissioning \nofficer training programs into the next generation of cyber \nsecurity leaders. Through public and private partnerships among \nthe Air Force Research Laboratory Information Directorate, \nSyracuse University, the Computer Applications and Software \nEngineering Center of the New York State Office of Science, \nTechnology, and Academic Research, the Griffiss Institute on \nInformation Assurance, and several corporations, the ACE \nfollows the proven model of the General Electric Edison course \nto transform engineers into original thinkers, problem solvers, \nand technical leaders.\n    Far from creating another computer security training \nprogram, the ACE seeks to develop cyber security leaders \nthrough intensive, formal education, teamwork, problem solving, \nmentoring, and immersion into a work environment. 
Gene Kranz \nbest described his mindset of an engineering leader in his book \n``Failure Is Not an Option: Mission Control from Mercury to \nApollo 13 and Beyond.\'\' As director of the National Aeronautics \nand Space Administration\'s mission control in the Apollo era, \nKranz led his engineers into uncharted territory, the moon, and \nestablished our unchallenged leadership of space.\n    Cyberspace in the 21st century is no less challenging than \nouter space in the 20th century. Besides, the security of our \nNation relies on establishing and maintaining unchallenged \nleadership in cyberspace.\n    In two years at the Rome Research Site, ACE has attracted \nstudents from 25 colleges in 17 states. In addition to Reserve \nOfficers\' Training Corps, or ROTC, the students include \nNational Science Foundation fellows, Junior ROTC cadets, and \ncivilian scientists and engineers committed to careers in cyber \nsecurity. Educators include faculty from Syracuse University, \nthe U.S. Military Academy at West Point, and the State \nUniversity of New York, in addition to domain experts from the \nAir Force Research Laboratory and industry.\n    The Federal Government can help cyber security education in \ntwo ways. First, the government could increase efforts to \nrecruit younger generations, namely middle school and high \nschool students. ACE currently reaches to junior ROTC programs \nto train college-bound students in cyber security. Secondly, \nthe government should consider increasing its cyber security \neducation through public service announcements. Just as the \ngovernment shows anti-drug campaign videos on television, basic \ncyber security videos should be a staple of the American \ntelevision.\n    Mr. 
Chairman, Members of the Committee, and staff, thank \nyou again for this opportunity to present testimony and thank \nyou for your continuing support of the Air Force cyber security \neducation efforts.\n    [The prepared statement of Second Lieutenant Aparicio \nfollows:]\n       Prepared Statement of Second Lieutenant David J. Aparicio\n    Mr. Chairman, Members of the Committee, and Staff, I very much \nappreciate the opportunity to provide testimony in my personal capacity \non cyber security education and, in particular, my experience in the \nAdvanced Course in Engineering (ACE) on Cyber Security. In his \nintroduction of The National Strategy to Secure Cyberspace, President \nGeorge W. Bush wrote that ``securing cyberspace is an extraordinarily \ndifficult strategic challenge that requires coordinated and focused \neffort from our entire society\'\' and that ``the cornerstone of \nAmerica\'s cyberspace security strategy is a public-private \npartnership.\'\'\n    Last summer, I had the distinct privilege of participating in the \nAdvanced Course in Engineering (ACE) on Cyber Security at the Air Force \nResearch Laboratory Information Directorate in Rome, New York. The \nprogram immersed me into ten grueling weeks of research, problem \nsolving, and report writing on a variety of cyber security issues. I \ncompleted all requirements to call myself an ACE graduate and I earned \nthe distinction of Class Valedictorian. I gained far more than just a \ncertificate of completion. I gained a mastery of the issues of cyber \nsecurity, which challenge our nation today and shape our future.\n    ACE uses a unique approach towards running the program. Once a \nweek, students are immersed into a one-day lecture covering a specific \narea in cyber security, concluding with the assignment of a real-world \nproblem. The students must solve the problem and write a report \ndetailing their solution. 
For the rest of each week, students work with \npersonal mentors on military and industry projects within the Rome \nResearch Site. This unique combination of high-intensity instruction \nand military and industry projects creates an environment that develops \ncyber security leadership and situational awareness vital to our \nfuture. ACE taught me not only technical competence, but mental \nflexibility to solve any problem placed in front of me--academic or \ncritical.\n    I proceeded with great enthusiasm and duty because cyber security \nis a gravely serious business. ACE introduced me to many of the \nchallenges of cyber security. Responding to the challenge, I requested \nto return to the Air Force Research Laboratory Information Directorate \nto contribute to the defense of our nation through cyber security \nawareness. I plan to eventually work for the Central Intelligence \nAgency or the National Security Agency with my new view of the world.\n    Many of my fellow ACE graduates received commissions where they put \nto good use their increased command of cyber security and their \nappreciation of its impact of national security.\n\nACE BACKGROUND\n\n    The Advanced Course in Engineering (ACE) on Cyber Security \naddresses the challenge of The National Strategy to Secure Cyberspace \nby developing the top students in pre-commissioning officers training \nprograms into the next generation of cyber security leaders. 
Through a \npublic-private partnership among the Air Force Research Laboratory \nInformation Directorate, Syracuse University, the Computer Applications \nand Software Engineering (CASE) Center of the New York State Office of \nScience, Technology, and Academic Research, the Griffiss Institute on \nInformation Assurance, and several corporations, the ACE follows the \nproven model of the General Electric Edison course to transform \nengineers into original thinkers, problem solvers, and technical \nleaders.\n    Far from creating another computer security training program, the \nACE seeks to develop cyber security leaders by drawing from the top \nstudents in Air Force, Army, and Navy pre-commissioning training \nprograms, in addition to the best among our civilian college students. \nThe pedagogical philosophy underlying the ACE seeks to develop \nleadership skills through intensive formal education, teamwork, problem \nsolving, mentoring, and immersion in a work environment.\n    The ACE philosophy is best summarized in the following paradigm: \nfaced with a real-world problem, the graduates of the ACE learn to:\n\n        1.  formulate a clear problem statement,\n\n        2.  make reasonable assumptions,\n\n        3.  apply sound analytical techniques and engineering tools,\n\n        4.  solve the problem to a certain depth,\n\n        5.  perform risk analysis on the solution, and\n\n        6.  
deliver a solution on time through effective communication \n        means.\n\n    Gene Kranz best described this mindset of an engineering leader in \nhis book ``Failure Is Not an Option: Mission Control from Mercury to \nApollo 13 and Beyond.\'\' As director of the National Aeronautical and \nSpace Administration\'s mission control in the Apollo era, Kranz led his \nengineers into uncharted territory--the Moon--and established our \nunchallenged leadership of space.\n    Cyberspace in the twenty-first century is no less challenging than \nouter space in the twentieth century. Besides, the security of our \nnation relies on establishing and maintaining unchallenged leadership \nin cyberspace.\n    In its second year at the Rome Research Site, the ACE has attracted \n26 students from 25 colleges in 17 states. In addition to Reserve \nOfficers\' Training Corps (ROTC), the students include fellowship \nrecipients from the National Science Foundation Scholarship for Service \nCyber Corps program, cadets from the Air Force Junior ROTC, and \ncivilian scientists and engineers committed to careers in cyber \nsecurity.\n    The educators include faculty from Syracuse University, the United \nStates Military Academy at West Point, and the State University of New \nYork, in addition to domain experts from the Air Force Research \nLaboratory and industry.\n    Besides attending formal classes and solving real-world problems, \nthe students spend about three days each week working under the \ntutelage of a mentor. The mentors include active duty and retired \nofficers at the Air National Guard North East Air Defense Sector, the \nAir Force Research Laboratory, and several local companies.\n    The duration of the ACE is ten weeks during the June-August \ntimeframe. Each week focuses on one area of cyber security as detailed \nbelow:\n\n         1.  
Legal Issues: Internet laws and cyber crime; the Fourth \n        Amendment of the United States Constitution; search and seizure \n        of data; rights and privacy issues; government versus private \n        workplace; search warrants and wiretap laws; and the Patriot \n        Act.\n\n         2.  Security Policies: Establishing and implementing security \n        policies; confidentiality, integrity, and availability \n        considerations; identifying vulnerabilities and threats; and \n        establishing disaster response and recovery procedures.\n\n         3.  Cryptography: Mathematical basis for data encryption; \n        substitution ciphers and the Data Encryption Standard; private-\n        key and public-key cryptography; key distribution and trusted \n        authority; and digital signatures.\n\n         4.  Computer Security: Operating systems and file system \n        security; passwords and one-way hashes; user-space \n        administration; archiving and back-up strategy; intrusion \n        detection; and disaster response and recovery.\n\n         5.  Digital Forensics: Procuring and analyzing digital \n        evidence; preserving the chain of custody of digital evidence; \n        recovering hidden data on hard drives; classifying file \n        systems; analyzing slack and sector data; and recovering lost \n        clusters.\n\n         6.  Network Security: Internet protocol format and \n        vulnerabilities; protocol and implementation flaws; buffer \n        overflow; denial-of-service attacks; distributed attacks; e-\n        mail; domain name system; and web servers.\n\n         7.  Network Defense: Host and network security; firewalls and \n        periphery intrusion detection systems; bastion hosts; network \n        monitors and traffic analyzers; network logfiles; detecting \n        anomalous behavior; and network recovery.\n\n         8.  
Network Attack: Port scanners and packet sniffers; IP \n        spoofing; identifying vulnerabilities; designing and \n        implementing network attacks; engineering malicious code; worms \n        and viruses; and offensive cyber warfare.\n\n         9.  Steganography: Data hiding in images; classifying \n        steganography algorithms and tools; categorizing vessel \n        capacity; detection and recovery of hidden data; digital \n        watermarking; streaming media steganography; and multi-lingual \n        steganography.\n\n        10.  Next Generation Cyber Security: Wireless local area \n        networks; wireless encryption protocols; Next Generation \n        Internet Protocols; embedded systems; and third generation (3G) \n        cell phones and personal data assistants.\n\n    For each topic, the instructor in charge assigns a substantial \nreal-world problem that requires 40 to 80 hours of teamwork to solve. \nStudents work on teams of three to solve each problem, then write and \nsubmit individual reports.\n\nRECOMMENDATIONS\n\n    The Federal Government can help cyber security in two ways. First, \nthe government could increase efforts to recruit the younger \ngenerations--namely middle and high school students. ACE currently \nreaches out to junior ROTC programs to train college-bound students in \ncyber security. Secondly, the government should consider increasing its \ncyber security awareness through public service announcements. Just as \nthe government shows anti-drug campaign videos on television, basic \ncyber security videos should be a staple of American television.\n\n           Biography for Second Lieutenant David J. Aparicio\n    2Lt David Aparicio is a developmental electrical engineer for the \nAir Force Research Laboratory Information Directorate in Rome, New \nYork. He supports research and development of tools for multi-sensor \nexploitation and communications intelligence. Lt. 
Aparicio was born in \nPortland, Oregon, but calls Sugar Land, Texas, his native home. He \nearned his Bachelor of Science degree in electrical and computer \nengineering at Baylor University and received his commission as a Blue \nChip graduate of Baylor\'s ROTC program in 2003. Lt. Aparicio was also a \ngraduate and the valedictorian of the Advanced Course in Engineering on \nCyber Security in 2003. In his free time, Lt. Aparicio enjoys \nphotography, writing, and playing soccer.\n\n    Chairman Boehlert. Thank you very much, Lieutenant, and \nthank you for calling me ``sir.\'\' I was a Specialist 3rd Class, \nand so when an officer calls me ``sir,\'\' it sort of puffs me up \na little bit.\n    How many were in your class?\n    Second Lieutenant Aparicio. My class? There were 14.\n    Chairman Boehlert. And I think this year\'s boot camp has \n28, double the number, something like that.\n    Second Lieutenant Aparicio. I will have to get back to you \non the exact number.\n    Chairman Boehlert. Well, the doctor is right behind you \nnodding his head yes, so I have the privilege of addressing \nhim. It is exciting to think about your future.\n    Second Lieutenant Aparicio. Thank you.\n    Chairman Boehlert. Ms. Rogers.\n\n    STATEMENT OF MS. SYDNEY ROGERS, PRINCIPAL INVESTIGATOR, \n ADVANCED TECHNOLOGY EDUCATION REGIONAL CENTER FOR INFORMATION \n         TECHNOLOGY, NASHVILLE STATE COMMUNITY COLLEGE\n\n    Ms. Rogers. Good morning, Mr. Chairman, and Representative \nGordon, and Members of the Committee.\n    [Slide.]\n    Today we examine the challenge of educating skilled workers \nwithin the context of a world that is vastly different from the \nworld when I began my career 30 years ago. 
My colleagues and I \nbelieve it is important to understand this new context in order \nto adequately understand what is needed to design and implement \neducation programs that will develop a world-class competitive \nworkforce with respect to cyber security.\n    [Slide.]\n    The context of today\'s educational programs involves new \nand constantly evolving technologies that are dramatically \nchanging every aspect of our society. New threats, such as \nterrorism and identity theft, pose even greater security \nchallenges while the distributed nature of systems and data \nstorage complicates the control of security exponentially.\n    [Slide.]\n    Our response from a technical perspective has been to \nmitigate these exposures as much as possible through \ntechniques, such as patches and virus protection software, and \nthen reduce the exposure to risk with technologies like \nfirewall protection and encryption. As a result, we find \nourselves addressing the symptoms and not the real problem: \nsystems designed and built without consideration of security. \nTechnicians work on individual problems without an overall \ncontext. One Chief Network Officer in Nashville explains it \nthis way: ``We are fixing the symptoms because we are dealing \nwith legacy systems and our only solution is to fix the \nsymptom.\'\'\n    [Slide.]\n    Education\'s response today is to focus technician education \non training for specific technical skills through certification \nprograms, expansion of course content, addition of new courses, \nnew concentrations, and new two- and four-year degrees, and \nthis slide shows in the background some of the programs we are \ndoing at my college and others in Tennessee.\n    [Slide.]\n    All of these approaches are necessary in order to protect \ntoday\'s systems, but how do we educate for tomorrow\'s cyber \nrisk? 
How do we build a workforce that will know how to use \nwhat they know in context and that will have the skills \nnecessary to understand constantly changing technologies and \nwhat is needed to both use them and protect them?\n    [Slide.]\n    Our industry partners in Tennessee tell us, as depicted \nhere, cyber security professionals, who require the most \nextensive technical knowledge, also represent a relatively \nsmall number of workers who need specific highly technical \ncyber security skills. To be sure, all information technology \nprofessionals must possess technical skills necessary to \ndevelop and maintain secure systems. Our employers tell us that \nall workers need some understanding of cyber security and some \nlevel of expertise in these skills. Even though community \ncolleges and our NSF work at my center touch all three of these \nareas, our ATE focuses on the preparation of IT professionals.\n    [Slide.]\n    To meet today\'s need and, at the same time, build a \nworkforce that meets tomorrow\'s needs, we must move beyond \ntraditional curriculum development methods that focus on silos \nof content with little context. That is not the first time--you \nhave already heard that today. We need to develop teaching and \nlearning methods that foster learning, thinking, and problem \nsolving in the context of the real world.\n    [Slide.]\n    We have developed model programs for bringing these \nworkplace experiences directly to the students and creating \nmore adaptable workers. Our contextual and problem-based \nmethods all share some common characteristics. First, they are \nall based on authentic workplace problems. To bring these \nauthentic workplace problems into the classroom requires a \nclose and consistent working relationship with our business and \nindustry partners. Just as technology in the workplace is \nchanging constantly, these authentic experiences must also \nchange. 
By implementing these experiences for students, we are \nalso building a curriculum that adapts and changes with \nchanging technology and situations. Using these methods, then, \nwe can create an educational system that builds a closer link \nbetween the content taught and the actual workplace application \nwhile also developing workers who are more able to adapt the \nknowledge they have to a rapidly changing world. Finally, to \neffectively teach using these methods, faculty must learn to \nfunction as highly skilled facilitators who guide students to \ndiscover and understand the appropriate scientific and \ntechnical knowledge.\n    [Slide.]\n    In Tennessee, the NSF/ATE projects have helped to develop a \nstrong foundation for re-educating current workers and building \nprograms for the future. For instance, we have just initiated a \nprogram with the Tennessee Telecommunications Association to \nre-educate some of their workers. Our faculty would not have \nthe skills and knowledge necessary to do this program properly \nif we had not had the funding from the ATE program to provide \nfaculty development opportunities for them.\n    As for the future workforce in IT, we have piloted an \nexciting program that brings real-time industry technical \nproblems directly to the classroom to be solved by students by \npartnering industry technicians with faculty at the community \ncolleges and universities. Last year, some of these problems \nincluded a network security problem at a music company and a \ndistributed data and networking problem for the Saturn \nCorporation. 
Students at Nashville State Community College, \nRoane State Community College, Tennessee State University, \nMiddle Tennessee State University, and Austin Peay State \nUniversity participated in this program to work more closely \nwith business and industry.\n    [Slide.]\n    The concepts and projects I have highlighted have given us \na fundamental knowledge base for educating cyber security \nworkers as well as all workers who need to understand their \nwork within the context of needed security. The road that has \nbrought us to this point required several years of work in \nfaculty development, materials development, and building \npartnerships with business and industry. Others around the \ncountry have worked on similar concepts with slightly different \napproaches. Together, and with the support of the NSF/ATE \nprogram, in two weeks, we will convene more than 250 community \ncollege technological faculty and administrators, along with \nsome of their industry partners, university partners, and \nsecondary partners in 31 teams from 17 states across the \ncountry in Nashville for Synergy 2004. The teams are \nrepresented on the map you see. At Synergy, these teams will \nbegin to develop plans for educational reform of IT and IT-\nenabled programs in their own regions of the country. Their \nwork will be anchored by presentations from leading experts in \nteaching and learning, such as John Bransford, Jay McTighe, and \nPam Tate. To provide the context and one global perspective, \nDoug Busch, the Chief Information Officer for Intel, will talk \nto us about the type of IT workforce we need to build if the \ncountry is to be competitive and to create jobs that will not \nbe candidates to offshoring. I expect Mr. Busch to confirm that \nwe are on the right track with the reform programs we have \nstated. In an interview Mr. 
Busch recently provided for us, he \nstates, ``One of the key problems we see as private sector \nparticipants trying to contribute to improved technological \neducation is the lack of a central focus for U.S. education. \nReform of technical education is so fragmented in the United \nStates that it often seems impossible to have a significant \npositive impact. This is very different from the situation in \nthe countries the United States competes with. I believe it \nwould be very useful to have a single focus point.\'\'\n    [Slide.]\n    We also expect those who attend Synergy to leave motivated \nand prepared to begin to implement meaningful change. They will \nneed to be supported in their efforts, and I believe the ATE \nprogram is looking for ways to do that. As I have explained, to \nbe successful, these community colleges will need to be closely \naligned with their business, industry, and government employers \nwho will rely on the future workforce. Although our program and \nothers have been successful in partnering with business and \nindustry, doing so remains a barrier to many programs. \nTherefore, government programs that provide incentives for \nbusiness and industry participation with community colleges \nwould benefit all concerned. Initiatives that provide \nopportunities for faculty and students to participate in real-\nworld internships will further support these efforts. Also, the \neducational infrastructure in this country as it is currently \nstructured creates silos of educational programs. 
To make real \nand substantial progress, we will need incentives to break down \nthese barriers so that we can begin to build an education \nsystem for the future, one in which cyber security is a \nfundamental part of the context and the outcome.\n    And the government\'s continued support of the ATE program \nso that the necessary materials development, faculty \ndevelopment in teaching and learning, and up-to-date technical \nknowledge can occur will be vital to the success of these \ncolleges. Finally, to achieve the best result, technological \neducation should be made a national priority.\n    Thank you for this opportunity.\n    [The prepared statement of Ms. Rogers follows:]\n\n                  Prepared Statement of Sydney Rogers\n\n    Good morning Mr. Chairman and Members of the Committee. My name is \nSydney Rogers and I am Vice President of Community and Economic \nDevelopment at Nashville State Technical Community College (NSCC) in \nTennessee. NSCC is located in an urban area and serves a student body \nof approximately 7000 racially diverse students including approximately \n26 percent African American. The average age of an NSCC student is 30 \nyears. Many of our current students are already in the workforce and \nattend NSCC to acquire new work skills, some enter the workforce \ndirectly or transfer to Tennessee State University, a Historically \nBlack College or University (HBCU) located less than five miles from \nour campus. Many others transfer to Middle Tennessee State University \n(MTSU) in Murfreesboro, Tn., or Austin Peay State University (APSU) in \nClarksville, Tn.\n    For nearly a decade, Nashville State Community College has led a \nregional effort to transform Information Technology education. The \nAdvanced Technological Education (ATE) program of the National Science \nFoundation (NSF) has funded these activities. 
Our partners include the \nregional universities just listed above, local school systems, and \ndozens of business partners such as Saturn, BMI, Dell Computer, EDS, \nHospital Corporation of America (HCA), and Vanderbilt University \nMedical Center, among others.\n    Today we examine the challenge of educating skilled workers within \nthe context of a world that is vastly different from the world when I \nbegan my career 30 years ago. My colleagues and I believe it is \nimportant to understand this new context in order to adequately \nunderstand what is needed to design and implement education programs \nthat will develop a world-class competitive workforce, with respect to \ncyber security.\n    The context of today\'s educational programs involves new and \nconstantly evolving technologies that are dramatically changing every \naspect of our society. New threats, such as terrorism and identity \ntheft pose even greater security challenges while the distributed \nnature of systems and data storage complicates the control of security \nexponentially.\n    Our response from a technical perspective has been to mitigate \nthese exposures as much as possible through techniques such as patches \nand virus protection software and then reduce the exposure to risk with \ntechnologies like firewall protection and encryption. As a result, we \nfind ourselves addressing the symptoms and not the real problem; \nsystems designed and built without consideration of security. \nTechnicians work on individual problems without an overall context. 
One \nChief Network Officer in Nashville explains it this way, ``We are \nfixing the symptoms because we are dealing with legacy systems and our \nonly solution is to fix the symptom.\'\'\n    Education\'s response today is to focus technician education on \ntraining for specific technical skills through certification programs, \nexpansion of course content, addition of new courses, new \nconcentrations, and new two- and four-year degrees and this slide shows \nsome of the programs we are doing at my college and others in \nTennessee. All of these approaches are necessary in order to protect \ntoday\'s systems, but how do we educate today for tomorrow\'s cyber risk? \nHow do we build a workforce that will know how to use what they know in \ncontext and that will have the skills necessary to understand \nconstantly changing technologies and what is needed to both use and \nprotect them?\n    Our industry partners in Tennessee tell us, as depicted here; cyber \nsecurity professionals who require the most extensive technical \nknowledge also represent a relatively small number of workers who need \nspecific highly technical cyber security skills. To be sure, all \ninformation technology professionals must possess the technical skills \nnecessary to develop and maintain secure systems. Our employers tell us \nthat all workers need some understanding of cyber security and some \nlevel of expertise in these skills. Even though community colleges and \nour NSF work touch all three of these areas, our ATE focus is in the \npreparation of IT professionals.\n    To meet today\'s need and at the same time build a workforce that \nmeets tomorrow\'s needs, we must move beyond traditional curriculum \ndevelopment methods that focus on silos of content with little context. \nWe need to develop teaching and learning methods that foster learning, \nthinking, and problem solving in the context of the real world. 
Not \nonly do workers need to know how to use their knowledge ``in context,\'\' \nbut educational research has shown us that such methods produce great \nimprovements in learning and that students prepared in this way more \neasily transfer what they know to new and different situations. My \ncolleagues and I believe the ability to transfer knowledge more quickly \nwill result in more adaptable workers who will be able to understand \nmore quickly and apply changing technologies. The term the researchers \nuse for this is ``adaptive expertise.\'\' Through a previous NSF/ATE \ngrant called (SEATEC-DUE 9850307), NSCC, in conjunction with Saleh \nSbenaty of Middle Tennessee State University (MTSU), conducted a \nresearch study that tested the theory that students would more easily \ntransfer technical knowledge learned using problem based case studies \nthan they would knowledge learned using traditional methods. Although \nwe did not address cyber security directly in this study, we believe \nthe concept of knowledge transfer is important in building a workforce \nthat is cyber security competent. For more information about this study \nand the results please see the article by Dr. Saleh Sbenaty of MTSU in \nthe Proceedings of the 2002 American Society of Engineering Education \n(ASEE) Annual Conference and Exposition. The community colleges in \nTennessee have learned much about how to transfer this research into \npractice through our NSF/ATE grants. In 1998, Gerhard Salinger, one of \nthe lead program officers of the ATE program, introduced us to John \nBransford from Vanderbilt University (now at University of Washington). \nDr. Bransford is one of the editors of the National Research \nCouncil\'s publication ``How People Learn,\'\' an extensive collection of \nrecent research on the subject. Working with him and his team of \nresearchers, we have begun to transform the way we structure the \nlearning environment. 
For information on how we have used this research \nto transform teaching and learning, see article in American Association \nof Community College Journal, October/November 2003 ``Transferring \nTeaching and Learning Research to the Classroom\'\' by Sydney Rogers and \nGeorge Van Allen.\n    We have developed model programs for bringing these workplace \nexperiences directly to the students and creating more adaptable \nworkers. Our contextual and problem-based methods all share some common \ncharacteristics. First, they are all based on authentic workplace \nproblems. To bring these authentic workplace problems into the \nclassroom requires a close and consistent working relationship with our \nbusiness and industry partners. Just as technology and the workplace \nare changing constantly, these authentic experiences must also change. \nBy implementing these experiences for students we are also building a \ncurriculum that adapts and changes with changing technology and \nsituations. Using these methods, then, we can create an educational \nsystem that builds a closer link between the content taught and the \nactual workplace application while also developing workers who are more \nable to adapt the knowledge they have to a rapidly changing world. \nFinally, to effectively teach using these methods, faculty must learn \nto function as highly skilled facilitators who guide students to \ndiscover and understand the appropriate scientific and technical \nknowledge. (See our websites for case studies of some of these \nauthentic problems. www.cite-tn.org and www.casefiles.org)\n    In Tennessee, the NSF/ATE projects have helped to develop a strong \nfoundation for reeducating current workers and building programs for \nthe future. For instance, we have just initiated a program with the \nTennessee Telecommunications Association (TTA) to re-educate some of \ntheir workers. 
In a series of courses, including two courses on network \nsecurity, our community college faculty will teach the TTA employees \nusing the contextual and problem-based methods in the form of problem-\nbased case studies and real-time problems. Our faculty would not have \nthe skills and knowledge to do this if we had not had the funding from \nthe ATE program to provide faculty development opportunities for them. \nOur NSF/ATE Center for Information Technology (CITE) sponsors an \nelectronic marketplace for workforce development called the Tennessee \nIT Exchange. Employers and students can find out where to obtain \neducation on the latest technologies, including cyber security. The \ncommunity colleges in the region, Nashville State, Columbia State, and \nRoane State along with the regional universities, TSU, MTSU, and APSU, \nall contribute to the Exchange. The Tennessee IT Exchange may be viewed \nat www.cite-tn.org. CITE also partnered with the local workforce \ninvestment board to H1B-Visa funds to middle Tennessee for retraining \nin IT. A portion of this training will be on cyber security.\n    As for the future workforce in IT, we have piloted an exciting \nprogram that brings real-time industry technical problems directly into \nthe classroom to be solved by students by partnering industry \ntechnicians with faculty at the community colleges and universities. \nLast year, some of these problems included a network security problem \nat a music company and a distributed data and networking problem for \nthe Saturn Corporation. Results at both the community college and the \nuniversity have exceeded expectations. For instance, Saturn and EDS \nworked with us on two problems, one at NSCC and one at Tennessee State \nUniversity. Evaluations from students, faculty, and employers tell us \nthat students are more engaged and learn better and Saturn is now \nconsidering implementing some of the student solutions at the plant. 
\nSee attached description of this type problem solved by students at the \nDOE Y12 Security Complex in Oak Ridge, TN.\n    Last year and this year, CITE partnered with the Nashville \nTechnology Council to sponsor faculty and student teams at the \nTechnology Council\'s annual ``IT Security Conference.\'\' At this \nconference, students\' interaction with security experts and vendors \nprovides a context for their learning. CITE is also helping to \nestablish ``IT Academies\'\' in high schools across Tennessee to build a \npipeline of students who will enter the workforce or college in \ntechnical IT careers. One such academy is located at Stratford High \nSchool, an inner city, mostly minority school in Nashville. It opened \nin the fall of 2003 with 97 students and nine faculty members. Thus \nfar, 57 additional students have applied to attend in the fall of 2004.\n    The concepts and projects I have highlighted have given us a \nfundamental knowledge base for educating cyber security workers as well \nas all workers who need to understand their work within the context of \nthe needed security. The road that has brought us to this point \nrequired several years of work in faculty development, materials \ndevelopment, and building partnerships with business and industry. \nOthers around the country have worked on similar concepts with slightly \ndifferent approaches. Together and with the support of the NSF/ATE \nprogram, in two weeks we will convene more than 250 community college \ntechnological faculty and administrators, along with some of their \nindustry partners, university partners, and secondary school partners \nin 31 teams from 17 states across the country in Nashville for \n``Synergy 2004\'\' (DUE 0412846). At ``Synergy,\'\' these teams will begin \nto develop plans for educational reform of IT and IT enabled programs \nin their own regions of the country. 
Their work will be anchored by \npresentations from leading experts in teaching and learning such as \nJohn Bransford, Jay McTighe, and Pam Tate. To provide the context and \none global perspective, Doug Busch, the Chief Information Officer for \nIntel, will talk to us about the type of IT workforce we need to build \nif the country is to be competitive and to create jobs that will not be \ncandidates to offshore. I expect Mr. Busch to confirm that we are on \nthe right track with the reform programs we have started. In an \ninterview Mr. Busch recently provided for us, he states, ``One of the \nkey problems we see as private sector participants trying to contribute \nto improved education is the lack of a central focus for U.S. \neducation. Reform of technical education is so fragmented in the United \nStates that it often seems impossible to have a significant positive \nimpact. This is very different from the situation in the countries the \nUnited States competes with. I believe it would be very useful to have \na single focus point.\'\' Several colleges and universities around the \ncountry have collaborated to produce ``Synergy.\'\' They are Nashville \nState Technical Community College in Nashville Tennessee, University of \nArkansas at Fort Smith, University of Massachusetts in Boston \nMassachusetts, Springfield Technical Community College in Springfield \nMassachusetts, and Bellevue Community College in Bellevue Washington. \nPlease see www.synergy2004.org for a complete description of the \nmeeting.\n    We also expect those who attend ``Synergy\'\' to leave motivated and \nprepared to begin to implement meaningful change. They will need to be \nsupported in their efforts and I believe the ATE program is looking for \nways to do that. As I have explained, to be successful, these community \ncolleges will need to be closely aligned with their business, industry, \nand government employers who will rely on the future workforce. 
\nAlthough our program and others have been successful in partnering with \nbusiness and industry, doing so remains a barrier to many programs. \nMany small businesses cannot donate the needed time and resources to \nour efforts. Therefore, government programs that provide incentives for \nbusiness and industry participation with community colleges would \nbenefit all concerned. Too, initiatives that provide opportunities for \nfaculty and students to participate in real-world internships will \nfurther support these efforts. Also, the educational infrastructure in \nthis country as it is currently structured creates ``silos\'\' of \neducational programs. To make real and substantial progress, we will \nneed incentives to break down these barriers so that we can begin to \nbuild an education system for the future; one in which cyber security \nis a fundamental part of the context and the outcome.\n    And, the government\'s continued support of the ATE program so that \nthe necessary materials development, faculty development in teaching \nand learning, and up-to-date technical knowledge can occur will be \nvital to the success of these colleges. Finally, to achieve the best \nresult, technological education should be made a national priority.\n    Thank you for the opportunity to give you this information about \nour programs.\n\n                      Biography for Sydney Rogers\n\n    Ms. Sydney Rogers is Vice President for Community and Economic \nDevelopment at Nashville State Technical Community College where she is \nresponsible for workforce development, distance education, student \nservices, computer services, and grants and development. Prior to this \nrole, she served as Interim Vice President of Academic Affairs and Dean \nof Technologies at Nashville State Tech where she was also Department \nChair and Associate Professor of Computer Information Systems for 20 \nyears. 
As Dean of Technologies, she was responsible for the overall \nsuccess of 21 degree programs in Engineering Technology, Computer \nTechnologies, Business, and Visual Communications.\n    Ms. Rogers serves as lead principal investigator for the Center for \nInformation Technology Education (CITE), a regional center funded by \nthe National Science Foundation, Advanced Technological Education \nprogram and has led four other NSF ATE projects. Her work has focused \non the reform of technological education to create a more adaptable \nworkforce suited for the new century. She serves on three NSF National \nVisiting Committees and several local boards. She has 30 years of \nleadership experience in technological education and workforce \ndevelopment.\n\n                               Discussion\n\n    Chairman Boehlert. Thank you very much.\n    When academics and business people and military people and \nelected officials talk about a subject like cyber security, \nunfortunately, too often, it elicits muffled yawns, because \npeople aren\'t really, sort of, focusing on it at all. Let me \nask you this. Do we get it and do they get it? Now the ``we\'\' \nis America, in general. Understand the severity and the extent \nof the challenges facing us. And do ``they\'\' get it? And I am \ntalking about young people, like you, obviously you get it, \nLieutenant, and guidance counselors, on the great opportunities \nthat are available in this field. Let us talk about in general, \ndo they get it? Most businesses think their computers are \nsecure. Most individuals, and we have got them by the millions \nacross America, have got all sensitive information about their \npersonal finances and everything else on their home computer, \nand they think it is secure. Is it?\n    Mr. Hosmer, let me----\n    Mr. Hosmer. Actually, I don\'t think any of us get it. 
I \ndon\'t think any of us understand the threat of a cyber attack, \nthe stealing of our personal information at any level. I think \nthat we are still struggling with this, because the threat is \nemerging. It changes every day at Internet speed, and we have \nto react to it. One of the ways we try to counter that to get \nit down into the high schools is we have created a high school \ninternship program, not only at the college level, to basically \nbring high school students in to teach them what this is really \nabout today. And those students are going on further in their \neducation at the undergraduate and graduate level after leaving \nhigh school to understand this. So we have to train our young \npeople to do that and understand what they can do about it. And \nit is an exciting career opportunity. When you look at \ntelevision today and you look at programs like CSI Miami, etc., \nthey are starting to excite young people about this particular \ncareer, because it has all of the sex appeal that they are \ninterested in, and we need their help. And I think those \nprograms are actually introducing new ways for people to get \ninvolved in these kinds of programs.\n    Chairman Boehlert. Lieutenant, you are nodding your head. \nWhen an officer nods to a non-enlisted guy, he says, ``yes, \nsir.\'\'\n    Second Lieutenant Aparicio. No, I nod my head to the \nCongressman. But I just wanted to just add on to what Mr. \nHosmer said that we do need programs, more programs in the \nsense that--to bring awareness. And I think one example is what \nwe are doing right now in Rome, New York with the ACE program, \ntargeting JROTC to bring the awareness to everybody. They tell \ntheir friends. They bring awareness, and that is just one less \nperson that we have to worry about.\n    Chairman Boehlert. You know, everybody talks these days \nabout identity theft. That is a big issue in America today. 
One \nof the easiest ways to be a very active and successful criminal \nin America today is to get a home computer and then go out and \npilfer information from individuals on personal computers, from \nbusinesses, and--well, Mr. Baker, do you want to address that?\n    Mr. Baker. I was thinking about your original question, \ntoo, about do we get it. And I think, on one level, we \ncertainly do. I mean, if you don\'t--if you watch TV in any way, \nshape, or form, you, to some degree, get it. You know, there \ncan be identity theft. There are problems. Businesses get it to \nsome degree. Unfortunately, they sometimes get it a little too \nlate. They get attacked by the most recent virus. They don\'t \nkeep their software up-to-date to protect their systems and \nthat kind of stuff. I think the more important issue is that \nthe variety and levels of education that are needed and \nawareness--I mean, it starts with awareness building. And from \nthere, it goes down to many deeper levels on the business side, \nthe legal side, the computer science side where we can actually \nstart building a cadre of professionals who can help protect us \nin many different ways, from the psychological, you know, who \nare these people and why do they attack us, to the more \nphysical, how do we protect our software, how do we protect the \nnetworks, how do we protect our computers--personal computers \nand that kind of stuff.\n    Chairman Boehlert. Mr. Spengler.\n    Mr. Spengler. I think when we look at the question of do we \nget it and do businesses get it, I am looking at what has been \ngoing on this year. And I think before this year started, I \ndon\'t think a lot of businesses did get it. But with the \nproliferation of an enormous amount of viruses, business and \nindustry now are spending more time on fighting those issues \nthan actually enhancing and upgrading their networking systems. 
\nUnfortunately, the people that do get it are the people who are \naffected one at a time. It isn\'t almost until you are affected \nthat you do understand the critical importance of the nature of \nit. What needs to be done is to focus on, again, and I totally \nagree with the processes of security awareness, but \nadditionally, to focus on the policies and practices of \ncompanies being able to look at and address these types of \nissues.\n    From a curriculum standpoint at the community college, we \nare positioned very well to address from a practical skills and \ntools standpoint, these types of issues. Within our center, we \nlook at the flow of curriculum as being a critical direction, \nbeing able to generate the new generation of practitioners from \na general security understanding standpoint to more specific \nbridges in technologies to be productive in business and \nindustry, such as the health care and financial industries.\n    Chairman Boehlert. Ms. Rogers, do you have any----\n    Ms. Rogers. The employers that I have spoken with recently \nabout this, in particular I have spoken with a senior executive \nin IT from one of the largest health care companies in \nNashville, and I think that they get it. I think he gets it. I \ndon\'t think he feels very secure. They are doing everything \nthey can, but I think he thinks it is fragile, but--and I am \nparaphrasing--he said that we have got a dangerous combination, \nbecause the people who are working on cyber security understand \nit very well, those who are the professionals. But the--all of \nthe other workers don\'t get it, and he--and his words were, \n``This is a dangerous combination.\'\'\n    Chairman Boehlert. Well, let me assure all of you that we \nget it on this Science Committee, but you would expect that \nthis committee does, on a bipartisan basis. 
My bill, the Cyber \nSecurity Research and Development Act, was passed out of here, \npassed by the House and Senate, signed into law by the \nPresident. And that is very important, but you know, this room \nshould be packed with representatives of the media. We have the \nspecialty, technical press represented, but the popular media, \nso more and more people begin to appreciate the severity and \nextent of the problem.\n    When I was a young kid, I can remember vividly the Buck \nRogers\' stories. You know, a man on the Moon and everybody used \nto chuckle it would never happen. Last night, I attended the \n35th anniversary of Apollo 11 when Aldrin and Armstrong walked \non the Moon. And right now, it is not farfetched to think in \nterms if there ever is, God forbid, a World War III, it could \nbe fought not with guns and bullets or ships or tanks or \nplanes, but with computers. Our whole financial system, our \ntransportation network, our electric grids, so much is \ndependent on a computer, so the subject here today is extremely \nimportant. And that is why we value so highly your testimony, \nand that is why we are focusing on education for the next \ngeneration, the Lieutenant Aparicios and those who will follow \nwho will be on the front lines in this battle.\n    Thank you very much.\n    Mr. Gordon.\n    Mr. Gordon. Thank you.\n    Ms. Rogers, you have had experience with the NSF\'s ATE \nprogram and said it had been helpful at Nashville Tech. Can you \ngive us any thoughts as to how that program can be improved in \neither content or administration?\n    Ms. Rogers. I don\'t have any suggestions on how it could be \nimproved in the administration, although, you know, I might if \nI thought about it longer, but to tell you the truth, I have \nbeen involved for 30 years in higher education in a number of \nfederal programs and had a number of federal grants from \ndifferent programs. 
And I have to tell you that as far as what \nis happening with ATE and technological education, it is of the \nhighest quality. It is the best one that I have ever worked \nwith. What I see as the problem, from my perspective, is that \nthere are so many more community colleges who need help in this \narea, and you know, the funding pie is just what it is. So you \nhate to say just put more money there, but the fact is that \nthere are a lot of good projects that are out there. Other \nschools want to participate with us and they just can\'t, \nbecause there is just not enough funding there. It is one of \nthe--it is the best program, federal program, I have been \nassociated with, frankly.\n    Mr. Gordon. Anyone else have any suggestions on improving \nthe ATE program?\n    Mr. Spengler. From an NSF standpoint, administration, I \nthink that NSF has--and the ATE, have been making solid steps \nwith--to look at the collaboration between the different funded \nprojects from NSF, which is allowing us to more broadly take in \nthe work that has been done in specific projects and \ndisseminate that work out to other schools that can benefit \nfrom the work. It is firmly our belief that without the NSF/ATE \nprogram, many of the faculty, quite frankly, couldn\'t afford \nthe types of training needed to have quality programs within \nthe schools, and many of the programs, absolutely, would not \nexist within these schools.\n    Mr. Gordon. We frequently talk about and hear good and bad \nabout federal programs, but the NSF, I think more than anything \nelse, is consistently given high marks in all regards. We are \nable to double the funds for NIH. I hope we are, at some point, \ngoing to be able to double funds over a period of time for the \nNSF. I think that is very, very important.\n    And Mr. 
Hosmer, in your written statement, you had talked \nabout there should be a role, a federal role, in establishing \nnational accreditation for cyber security education and \ntraining programs. You know, typically that is done by non-\ngovernmental entities. Could you elaborate more on why you \nthink there should be a federal role here?\n    Mr. Hosmer. Actually, it is an excellent point. One of the \nthings that we see is many of the training programs that are \nout there that law enforcement, defense, corporate security \ntake in order to basically make themselves current, they \nparticipate in these every year, and they spend a lot of money \nand a lot of time. And many of those programs come with \ncontinuing education credits from specific universities that \nare associated with that particular vendor\'s training program. \nUnfortunately, they end up with all of these ad hoc credits \nfrom, maybe, 10 or 15 different universities, and there is no \nway to bring them together in order to get a degree or any kind \nof overwhelming accreditation.\n    The second problem is that there are so many courses that \nare out there trying to understand the quality issues that are \nassociated with each one of those programs and which ones to \nselect and which ones to take because the investments are \nsignificant. What we are seeing in the marketplace today is \ntypically $750 to $1,000 per day of, you know, advanced \ntraining in any kind of digital investigation or cyber \nsecurity, plus the time and the travel in order to be able to \ndo it. So you could easily spend $25,000 to $30,000 per year \nper employee in order to take these, and they come out of it \nwith a certificate and not with any kind of degree from----\n    Mr. Gordon. Those are legitimate concerns. I guess my \nquestion, though, is why--or what would be a federal role here \nwhere typically it is, you know, a non-governmental \naccreditation body that does those sorts of things?\n    Mr. Spengler. 
I think the government role can be one of \ncoordination, one of bringing together those universities that \nare accrediting all of these courses out there and trying to \ncome up with some sort of national program, not to basically \nadminister it, but actually to coordinate it, to hold more \nhearings on how to bring those things together so that the \nuniversities and industry partnerships can be formed so that we \ncan solve this basic problem. It is not being solved by the \nuniversities by themselves or the industry partners by \nthemselves, and it needs some sort of organization that can \nbasically help bring that together.\n    Mr. Gordon. Anyone else have any--yes, sir.\n    Mr. Baker. I look at it as two different issues. One is \naccreditation. And I understand where you are coming from. If \nyou look at the model where business programs are accredited, \nthat is somewhat of a private institution, ACSB, those \naccreditations, so to speak, for business programs, and I think \nthat is the kind of context in which your question is coming \nout. You know, shouldn\'t we have that kind of model for \naccreditation for security programs? But I think the first step \nto that process is creating standards in education, looking at \nthe variety of education needs from the end user in a \nparticular discipline, be it medicine or manufacturing or \nwhatever the area is, and the levels of people. Some staff just \nneed to be aware of what is going on, and to know that they \nshould be thinking about security, all of the way to the more \ntechnical level where we look at software development and the \nissues of applications development to security and network \ndevelopment and the security that goes with those kinds of \nthings. You know, in the classroom, we often joke with the \nstudents about, you know, how are you securing your log-on to a \nparticular system, you know. 
You put in a very difficult \npassword and user ID, but in point of fact, you can\'t remember \nit, so we go to putting it on a little piece of, what, paper \nand sticking it next to your monitor and, you know, gee, no one \nwould think to look there to find the user ID and password. You \nknow, those kinds of things. Be aware of not doing those \nthings. You know, from awareness all of the way down to the \nmore technical levels. So I think it starts with, you know, \nwhat kinds of security education needs to be done, what kind of \nstandards should apply to that at what levels in different \ndisciplines, and then look at accrediting different kinds of \nprograms, because they--there are different needs at different \nlevels.\n    Chairman Boehlert. Thank you very much. The gentleman\'s \ntime has expired.\n    The Chair recognizes the distinguished Chairman of the \nSubcommittee on Research, the gentleman from Michigan, Mr. \nSmith for five minutes.\n    Mr. Smith. Mr. Chairman, thank you.\n    Really an exciting hearing in terms of the potential for \nproblems that we have already looked at. It seems to me, \nthough, that a country, such as the United States that probably \nhas a greater dependency on the Internet and computer systems \nand the fact that the inter-connectedness of these systems, \nwhether it is banking or food distribution or the military or \nairlines or anything else, big corporations, the military, the \ninter-connectedness is very important because of the \nusefulness. And it seems to me that that brings in two \nquestions, not only the cyber security and the potential for \ndamage because of the inter-linking of the computers, but also \nthe physical, potential physical damage that could be done to \ncentral servers. So part of my question, Mr. Baker and Mr. 
\nHosmer and maybe Lieutenant, is should there be or is there any \nconsideration for somewhat of a confidential setting for the \nserver systems that might be more vulnerable to physical \nattack?\n    Mr. Baker. The short answer is probably yes. The longer \nanswer is look at some of the protection systems that have been \nput in place by various organizations. If you take the events \nof September 11 and look at what occurred on September 11, the \ncomputer systems in point of fact were ready to go fairly \nquickly after that occurred, because they had already--most of \nthe financial industry, which is highly dependent on network \ninformation systems, had their systems off-site, remote \nlocations, not easy to get to in one single attack. They \nrecognize disaster recovery planning and the needs for it. So \nthey were somewhat prepared.\n    Mr. Smith. So are you saying that most of these systems, \nwhether you are a large corporation or a financial institution, \nthe way we move money or move materials or move airplanes or \nmove personnel, that they have more--they have several servers \nthat can accommodate the damage to any one single facility \nserver? I sort of was under the impression that a lot of these \ncorporations and the people that--where they outsource server \nnetworking accommodations are centrally located.\n    Mr. Baker. Some organizations will. Most of the medium to \nlarger sized organizations will have backup systems. They will \ndo remote off-site storage. There are a number of organizations \nthat provide off-site storage capability in various parts of \nthe country and recovery capabilities in various parts of the \ncountry. And some organizations have redundant systems where--\n--\n    Mr. Smith. How serious would be the physical damage of a \ncar bomb, an Oklahoma type bomb or a bunker buster type bomb, \nto a large, central server center that does work for even--\neither--for anything?\n    Mr. Baker. 
My guess would be probably down for a day or \ntwo, but if it is any sizable organization, they recognize the \nneed for, again, disaster recovery planning and have probably \nput in place the ability to get back up fairly quickly. You \nknow, one of my former roles, before I came into education \nfull-time, was to run an IT organization for a large group. And \nthe issue that we addressed most importantly was disaster \nrecovery. And we had put in place the ability to get back up \nand running within a day or two.\n    Mr. Smith. Mr. Hosmer, at Utica, or Mr. Baker, at Johns \nHopkins, what would be the salary for an individual graduating \nwith a Master\'s degree in--specializing in cyber security?\n    Mr. Hosmer. Well, that certainly depends, you know, on the \njob that they are going to take, but the starting salaries out \nof those are certainly in the $50,000 to $75,000 range in our \nregion for graduates, and that could be higher in other parts \nof the country, certainly, but as a starting salary, that would \nbe very typical.\n    Mr. Smith. So if a terrorist organization that didn\'t look \nlike a terrorist organization offered $150,000, they probably \ncould hire the greatest talent that might be graduating?\n    Mr. Hosmer. Just about anybody they wanted to, sure.\n    Mr. Baker. Okay. Now your point--the previous question that \nyou asked is that, you know, we tend to think about cyber \nattacks or attacks on the physical infrastructure from the \noutside in. The greater threat is from the inside out. The \ninsider threat that we have to counter inside our organizations \nand the trust that we put in people that have access to those \nsystems. And in, typically, most organizations, it isn\'t one \nperson that has the keys to the kingdom; it is typically \nmultiple people in the organization that have keys to the \nkingdom. Everybody has root access in order to be able to \naccess those systems and modify them. 
So the real threat, from \na cyber security perspective, is the insider threat, and we \nfocus most of our attention on the outsider threat where, in \nfact, we need to turn more attention to the inside.\n    Mr. Smith. Will your graduates--concluding, Mr. Chairman. \nWill your graduates or--Lieutenant----\n    Second Lieutenant Aparicio. Aparicio.\n    Mr. Smith [continuing]. Aparicio, will their talents and \nwhat they learned be obsolete because of the technological \nadvances that are taking place in computers? And it is such a \nchanging evolution, it seems like, just in the last 10 years of \nwhat has happened in research and science and computers, will \nwhat we are learning now--is it continually being updated for a \nperson that wants to be in that field? Lieutenant----\n    Second Lieutenant Aparicio. Sir----\n    Mr. Smith [continuing]. Are you going back to refreshers \nevery six months?\n    Second Lieutenant Aparicio. Oh, well, I was going to \ncomment on that. We have to--as military members, we are always \nbeing trained, having required reading courses, and it is just \npart of professional education to keep up. And as--to answer \nyour question about the graduates, I don\'t believe that they \nwould be obsolete if they keep on learning. The students that \nwe target, they are not necessarily what I would say the \naverage, but there are requirements, and most of them have \nhigher aspirations to continue on learning. I think that that \nis true for most people who--you know, you don\'t just stop \nlearning right after high school. You don\'t stop learning after \ncollege. To keep up----\n    Mr. Smith. Sometimes when you get to Congress, it slows \ndown a little bit.\n    Second Lieutenant Aparicio. I wasn\'t implying that, either, \nsir.\n    Mr. Smith. Thank you, Mr. Chairman.\n    Chairman Boehlert. And that is why we invite expert \nwitnesses like that to continue to be teaching.\n    The gentleman from Washington, Mr. Baird.\n    Mr. Baird. 
Thank you very much. I thank the Chairman for \nhosting this important meeting, and I thank the panelists.\n    I had the coincidental good fortune of riding on the flight \nhere with the gentleman who wrote the security standard for \nwireless Internet technology. It is one of those great \nserendipitous things. And I asked him to look at some of the \nissues today. And I thought his comments were interesting. He \npersonally suggested to me that the notion of a certification \nexam probably was going to be obsolete before you actually--by \nthe time you have created the exam, the world of real-world \nchange has probably exceeded the exam, so he didn\'t think we \nshould spend a lot of time on that. And certainly my \nexperience, which is limited, but--would suggest that may be \nthe case.\n    Two questions I have, one from him and then one of my own. \nHe expressed a challenge that academics often have a difficult \ntime working within the government setting, and within, more \nimportantly, perhaps, with industry. So you have got the \nacademics, the cryptographers, etc., working on the \nmathematical equations within the academic institutions, but \nthen you have got the people working on the standards within \nindustry. And one of this gentleman\'s claim to fame was he \nbasically broke into the initial wireless standard in about 30 \nseconds flat. He just looked at it and said, ``You have got a \nhuge flaw here,\'\' because basically the folks doing the \nindustry side were the guys working on the radio side of it and \nthe broadcast side of the--of wireless, and he was looking at \nthe cryptographic issues. So the question I would have is what \nobstacles do we face in terms of interactions between the \nacademic side, the government standard setting side, and real-\nworld industry that is creating the hardware and software that \nwe use, and how can we address those?\n    Mr. Spengler. 
I would like to address just--the obstacle we \nface is the complexities of developing quality faculty and \nspending those times becomes difficult when you are looking at \npractical experience. Sometimes we look at developing those \nskills and then we bring those skills to the classroom. But for \nfaculty to really be effective and efficient within the \nclassroom environment, they need to understand the applications \nof technologies out in the workforce. It is our belief that the \nencouragement of faculty participating in real-world work \nexperiences is critical to the ongoing development, not just \nthe attending of courses, to build a finite set of skills that \nmight be changed in a quick manner. What we try to encourage is \nto establish relationships with business and industry not just \nto look at the concept of students being able to go out in the \nprofessional development environments but for faculty to \nparticipate. For example, we are working with a hospital called \nGotlieb Hospital in the Chicago area and implemented voice-over \nwireless within the hospital. So we approached them, and we are \nworking on a partnership with this hospital, and again, we are \ntrying to model that throughout the Midwest for us to be able \nto identify meaningful projects that are going on out in \nindustry and to be able to schedule those and including faculty \nas part of those projects. What we are finding that is very \ninteresting is that in many times--in many cases, faculty are \nactually able to excel in those areas because of their detailed \nknowledge of the actual technologies and they are actually able \nto offer a lot to business and industry at the times they are \nparticipating in this type of externship opportunities.\n    Mr. Baird. Great example.\n    Ms. Rogers.\n    Ms. Rogers. I would like to address that, too. 
The basis \nfor almost all of our work at our NSF project has been to \ndevelop what we call contextual problems, but it is all based \non authentic workplace experiences. We have two kinds. One we \ncall problem-based case studies where current problems in \nindustry are brought into the classroom. But even in more \nrecent types of authentic experience we have the students \nactually solving industry problems, real-time in working with \nthe industry. And we think that we have to make that a part of \nthe curriculum development process so that we have a dynamic \ncurriculum development process.\n    Mr. Baird. That makes sense to me.\n    Ms. Rogers. And the other thing that I think is relevant \nhere is that the whole issue of retraining that comes up in \nunderstanding new information, what we have worked on, and \neducation research supports this, is that we know how, by \nstructuring the learning environment the right way, to create \nworkers and employees that are more adaptable. We know--we have \nevidence of how to make people transfer knowledge better from \none situation to new situations based on the way that they are \ntaught. So if we can further that effort and teach them \ndifferently, we can create a workforce that is more adaptable, \nand therefore more able to understand the new stuff as it comes \nout.\n    Mr. Baird. Thank you.\n    Mr. Baker.\n    Mr. Baker. Yeah. One of the things--a couple of things that \ncome to mind, you know, one, the question of, you know, can we \nkeep up with the technology as it is evolving, and to some \ndegree, yes. And that is a little bit of the difference between \ntraining and education. We look at education as the process of \nteaching a student how to learn so that they can keep up on \ntheir own. You know, training is learning how to do something \nvery specific. Education is teaching how to learn, how to do \ninformation literacy, how to research things, etc. 
And a second \ncomment, along with the ones that Ms. Rogers was making, that \nyou know, in our programs, we have the same kind of--I don\'t \nwant to call it experiential, but completion part of our \nprogram where at the end of their degree, we like to \ncharacterize it as you need to see where the rubber meets the \nroad. Okay. Here is what you have learned in the classroom, now \nlet us take it out into the practical world. So we have a \nsenior project where students over, roughly, a 20-week period \nof time are doing projects for organizations or doing some \napplied research for organizations, etc., so that they can take \nwhat they have learned and then see how it really works, you \nknow, from the real-world perspective, so that they can \nunderstand the translation of yes, I learned this theory and \nsometimes it doesn\'t work, but sometimes it does, and here is \nhow I can improve things.\n    Mr. Baird. Mr. Chairman, I know my time is expired. I \nmight, if I may--I appreciate those answers. The one thing I \nwould say--the question I was going to ask, but I know I am out \nof time, but for a future reference----\n    Chairman Boehlert. You can ask the question. Go ahead.\n    Mr. Baird. Well, it is--oh, he is gone. Okay. The question \nis this. My understanding is that increasingly chip fabrication \nfacilities are locating--they have been, for a long time, \nlocating offshore in Taiwan, but now increasingly on Mainland \nChina. The fabs are going there. Increasingly, we know that we \nare outsourcing code writing, and I have a two-part concern as \nthis relates to cyber security. One, are we losing or is it--\nmaybe is it eroding our technological, educational, academic \nbase of expertise in these areas so we are going to get more \nand more people with more expertise abroad than domestically? \nAnd two, is code written or hardware developed offshore posing \na security threat that we need to be cognizant of?\n    Mr. Hosmer. 
That was what I thought your question was \noriginally, and I was going to address that. I mean, obviously \nmost of the vulnerabilities within systems today are \nvulnerabilities caused by bad software. Okay. And the reason is \nthat security is typically an afterthought, not a forethought, \nin the process of developing these systems. Further \ncomplicating it are your exact points of moving most of the \nsoftware development offshore. The estimates are the next \nversion of Microsoft Windows is going to have 100 million lines \nof code. If you think about 75 or 80 percent of that being \ndeveloped offshore, and this is the critical infrastructure \nthat we are basing our Nation on, it is certainly a risk to be \nconcerned about, because it is impractical to walk through \nevery line of software in those systems in order to be able to \naddress the threat. So we have to come up with a better way, \nand that goes into training and education to build better \nsoftware, but also how do we assess and analyze that in order \nto basically determine if it is safe.\n    Mr. Baker. Yeah, one of the things I would say is it also \nis a matter of jobs and students going into programs wonder if \nthere is going to be a job coming out, and to some degree, the \nanswer is no, and so they think of other things to do.\n    Mr. Spengler. I would like to add one more item on that. We \ninitially started our center focusing on predator protection \nand information assurance. And one of those--one of the issues \nthat quickly came up was the idea of secure coding. When taking \na look at the available programs in secure coding, we found \nthat there wasn\'t a lot currently out there as far as structure \nand secure coding environments. We contacted some professionals \nin the industry, and they concurred, and that is one of the \ndirections of secure coding. Does it pose a risk if those jobs \nand that software are moved offshore? My answer would be yes.\n    Ms. Rogers. 
One of the employers in Nashville said that \nsecure coding is worse than Y2K with no end in sight.\n    Mr. Baird. Expand on that, if you would, Ms. Rogers.\n    Ms. Rogers. Well, he sees the problem as, you know, \nespecially in the legacy systems where what we are trying to do \nis protect and just sort of patch what has already been \ndeveloped out there, because those systems weren\'t developed \nwith security in mind. And so if we think about developing the \nfuture workforce so that they can develop our new systems and \ndoing so with security in mind is part of the design on the \nfront end, but then if you add the issue of taking those jobs \noffshore, then you have really got a problem, as you pointed \nout. I mean, he--and he said that this problem that we are \ndealing with the legacy systems all over the country is--it--I \nthink that--his word wasn\'t fragile, but that was what he \nmeant.\n    Mr. Baird. I appreciate that we now know a new problem. I \ndon\'t know that we will get the solution in today\'s hearing, \nbut it is----\n    Chairman Boehlert. Thank you very much.\n    Well, I will wrap it up with sort of a two-part question. \nThe first part is do we know the extent of the challenge? And \nit has been suggested by many that entities, whether they be \nprivate sector businesses or public sector government, are \nreluctant to share information about their vulnerabilities. And \nso we really probably don\'t know the extent of the problem. And \nsecondly, what do we do? How would you suggest we do something \nto promote a national awareness program so that the individual, \nthe business, people across the broad spectrum will appreciate \nthat this is a very serious issue facing the Nation at a \ncritical time and we better darn well be responsive in \naddressing the issue? Two-part question. Do we know the extent \nof the problem and how do we increase public awareness so \nthat--well, that is enough.\n    Mr. Hosmer or anybody?\n    Mr. 
Hosmer. Well, I think the extent of the problem has \nalways been an issue. It has always been underreported, because \nof the concern that it would have on the organization. \nLegislation, like Sarbanes-Oxley, that has been passed that \nrequires the reporting of those kinds of things and that will \ngo into effect on November 15 of this year, are going to \nrequire at least publicly-traded corporations to provide public \ndata about those threats, also about audits and other things \nthat could have been modified. So that is a step in the right \ndirection, so there is going to be more full reporting, at \nleast from publicly-traded companies, on those kinds of \nimpacts. But there is still a lot that is not going to be \nreported. And I think without that reporting and understanding \nof the problem and the sharing of that information, everything \nin this area has been underfunded because of that. I think the \nawareness issue is attempting to be addressed through \nconferences and workshops that are popping up everywhere in the \ncountry. I have seen an increase in participation and the \nnumber of those over the last two to three years. They have \nbeen significantly increasing from virtually every aspect of \nour community. And the attendance, because we go to all of \nthose, has been significantly up. So that is happening \nautomatically through the normal channels, but it is certainly \nstill not enough. I mean, we still need to get this information \nout to people to talk about the threats about the \nvulnerabilities that are out there and encourage some sort of \nnational communication and reporting of the problems that we \nface.\n    Chairman Boehlert. 
You know, I recall a conversation I had \na few years ago with an executive of a credit card company, \nwho, at that time, and this was maybe eight years ago, told me \nthat his company\'s experience--well, they lost, on average, \nabout $100 million a year due to fraud, most of which was \nperpetrated using cyber systems. And he said his company \nconcluded that was an acceptable loss, because it would \nprobably cost them more than that to prevent that loss. And I \nsaid to myself, just like me, Americans have a lot of plastic \nin their pocket. And we are paying interest rates higher than \nwe should pay, because we have to cover that fraud and that \nloss. So it affects every single person in a variety of ways.\n    Mr. Baker.\n    Mr. Baker. It is interesting you would mention that, \nbecause you know, one of the thoughts that came to my mind when \nyou talked about awareness programs, to some degree, business \nis doing it for us. You look at the Citi Bank ads with identity \ntheft. You know, they are hard to forget, because they are so \ncute, but they drive the point home, ``Be careful about the \ninformation about you,\'\' which is an awareness program. It is \nan awareness campaign. Taking it to other levels and other \nareas is another story, you know, protect your computer and \nthat kind of stuff, you know, because it is only about \nprotecting the credit card that you have. To some degree, \nlegislation that has been passed has already helped. I mean, \nHCFA [Health Care Financing Administration] is raising \nawareness in the medical area. Sarbanes-Oxley, as Mr. Hosmer \nhas already indicated, is going to certainly raise awareness in \nthe private sector of what we have got to do. To some degree, I \ndon\'t think they quite understood yet what it really means, but \nit certainly will hit them square in the face, you know, when \nthey start getting questions about their finances. 
And \nbusiness, to some degree, and you have already kind of \nexpressed this, looks at it as a cost of doing business. So if \nit costs me $300 million to put in security and I lose $100 \nmillion, on balance, I will pay the $100 million instead of \n$300 million.\n    Chairman Boehlert. But you don\'t pay the $100 million, we \ndo.\n    Mr. Baker. Right. That is correct.\n    Chairman Boehlert. Anyone else care to--Lieutenant?\n    Second Lieutenant Aparicio. Sir, I was going to try and \nanswer a comment on both of those questions, and the--to the \npoint on the knowing the extent of the challenge, I think we \nknow the challenge, but America does not necessarily understand \nthe challenge. But the people who really do are the younger \ngeneration. And so for, like a lot of people, they say, ``Well, \nI can\'t fix my computer, but my son does,\'\' or ``My daughter \ncan fix it, because I don\'t even know what is going on.\'\' And \nso again, that shows that we understand that the younger \ngeneration has more of a command on that. And what we need to \ndo is be targeting that next generation who is going to be \nrunning everything around here soon and educating them. And how \nwe, again, could help out is just, as mentioned earlier about \nthe Citi Bank or credit card commercials that we see that we \nlaugh at, we need to be, probably, doing some sort of \nannouncements or putting it on TV where we all can watch and \nsee the extent of it. You know, just like a simple, ``Would you \npark your car in DC unlocked? Well, then why do you have your \nnetwork,\'\' you know, ``running open, too?\'\' You know.\n    Chairman Boehlert. Sure.\n    Second Lieutenant Aparicio. Just things like that, but I \nwould just say we need to be targeting the younger generation.\n    Chairman Boehlert. 
Well, let me say we agree with that \nwholeheartedly, and we are comforted on this committee and in \nCongress when we see young people like you with your very \nimpressive record and direction in which you are going. And you \nare reflective of so many more that are with you and doing what \nyou are doing. We just need more of you.\n    Second Lieutenant Aparicio. Thank you, sir.\n    Chairman Boehlert. Anyone else? Mr. Baker.\n    Mr. Baker. I--yeah. Interesting you were talking about the \nyounger people, and I agree with that about the grade schools \nand the high schools, and it is kind of anecdotal information, \nbut it kind of drives home the point of how much the younger \ngeneration understands technology. My son is here today, and \none of the things I talked about in my class about him, he \ndoesn\'t know this yet, is that in the fifth grade, he did five \nPowerPoint presentations that year.\n    Chairman Boehlert. In the fifth grade?\n    Mr. Baker. In the fifth grade. And the next year, he wanted \nto stop doing those and go back to doing poster boards, because \nit was a lot of work. But I think it underscores just how much \ntechnology that the younger generation understands. He likes to \nget on the Web. What does he like to look for? Game codes so \nthat he can figure out how to get through his video games \nfaster and get more advanced----\n    Chairman Boehlert. Mr. Baker, that allows me to get an \napplaud for something this committee has done. We are \nresponsible for the science and math initiative for America, \nbecause we look at the international comparisons. And our \nyoungsters, when compared to their counterparts around the \nworld in math and science proficiency, if you issue a report \ncard, there is need for improvement. The fourth graders are \nabout on par with their counterparts around the world in math \nand science proficiency. 
The international comparisons show \nthat by the eighth grade, we are falling a little bit behind, \nand by the twelfth grade, we are way down on the list. That is \nnot good enough for America. So we, in this committee, the \nScience Committee, Democrats and Republicans working together, \nadded to the No Child Left Behind big education initiative, \nsomething that is called the Math and Science Partnership \nProgram. We are determined to do a better job of producing more \npeople like Lieutenant Aparicio, because if we fail on that \nmission, shame on us. We are not going to fail. We are going to \nsucceed.\n    Does anyone else have anything for the good of--Mr. Hosmer.\n    Mr. Hosmer. Just one final point on your--the acceptable \nlosses from the credit card companies. The reason that there \ncan be no acceptable losses, regardless of who is paying the \nbill, is because where are those funds going that have been \nstolen, because criminal organizations and terrorist \norganizations attack those infrastructures in order to fund \ntheir other operations? And I think that we have to look at all \nof those losses and find out where they are going, because they \nmay be going into a place that none of us would accept, \nregardless of how small the losses were.\n    Chairman Boehlert. Thank you very much.\n    I wish the media would beat a path to the door of the boot \ncamp, cyber security boot camp up in Rome, New York. This year, \nthey have got about 28 Aparicios up there, and they are the \nbest and the brightest from all over the country. They have \nsuch a promising career path ahead of them, and as you have \nobserved in the upstate region, you know, a graduate starts at \n$50,000 to $75,000. That is not a bad start. 
And the future is \nvirtually unlimited for them, so we have got to do a better job \nof advising more people of the great opportunities and also \nheightening the awareness of the American public on the \nchallenges that face us.\n    And you have been facilitators for this committee in that \nregard, and I thank you all for your testimony. This hearing is \nadjourned.\n    [Whereupon, at 11:35 a.m., the Committee was adjourned.]\n\n                               Appendix:\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\nResponses by Chester ``Chet\'\' Hosmer, President & CEO, WetStone \n        Technologies, Inc.\n\nQuestions submitted by Representative Bart Gordon\n\nQ1.  In general, what is the state of credentialing for cyber security \nprofessionals?\n\nQ1a.  Are there certification standards in place or under development \nfor cyber security education and training programs?\n\nA1a. Certification today comes in basically two flavors: Formal \ntraining courses held for law enforcement, such as those held at the \nFederal Law Enforcement Training Center (FLETC), and the International \nAssociation of Computer Investigative Specialists (IACIS). These courses \noffer certifications that carry significant weight in the community. \nThe second is courses being offered by commercial organizations \noffering certifications. These certifications are offered by the \nhosting organization. Typically the certification requires the \nparticipants to take a test that is a combination of a written test and \na practical examination.\n\nQ1b.  Do formal mechanisms exist to develop such standards, and if so, \nplease describe how they work?\n\nA1b. Certainly on the federal level, certifications offered by FLETC \nand IACIS are reviewed by advisory boards. In the commercial sector, a \nsimilar model is put in place by organizations offering the training. 
\nHowever, the acceptance of these credentials is based primarily on the \nrespect for the organizations offering the training, which is based on \nthe perception in the marketplace.\n\nQ1c.  To what extent are academic credits for cyber security studies \nearned through programs at one institution transferable to another in \nfurtherance of meeting degree requirements?\n\nA1c. Several organizations (WetStone being one) have entered \npartnerships with colleges and universities to offer continuing \neducation units (CEU\'s) for students completing training courses. Here \nin New York State, the formula is typically .1 CEU per contact hour. \nTherefore, a two-day--16-hour training course would yield 1.6 CEU\'s. In \nour case, our instructors, course materials, and curriculum are \nreviewed by the college and then approved. Periodically, professors \nwill sit in on one of our courses and provide feedback and suggestions. \nThe use of these CEU\'s is an important consideration, and my suggestion \nis to establish criteria for national recognition of the CEU\'s that \nwould allow these credits to be applied more easily toward degree \nprograms.\n\nQ1d.  Is there a federal role in establishing national accreditation of \ncyber security education and training programs, and if so, how would \nyou characterize it?\n\nA1d. I believe the advancement of cyber security education and training \nis an essential ingredient in improving our nation\'s cyber security \nposture. The Federal Government has an opportunity to work with, and \nbring together colleges, universities, training organizations and those \ncharged with the protection of our critical cyber security resources, \nto help establish standards and accreditation for professionals at all \nlevels. 
I would recommend the establishment of a working group that \ncould, within a short time (12 months), study the situation further and \ndeliver a report to the House Science Committee with recommendations \nregarding the needs, impact and nature of such a national \naccreditation.\n\nQ2.  What is the supply and demand situation for individuals with cyber \nsecurity expertise? What evidence do you have that such individuals are \nin demand, and what skill sets are most in demand?\n\nA2. Today the investigation of cybercrime activities is at an all-time \nhigh. Virtually every law enforcement organization in this country has \nincreased their backlog of cases involving digital or cyber evidence. \nThe law enforcement agencies that we work with are constantly seeking \nassistance, new technologies and methods to speed the investigative \nprocess, and additional human resources to interpret the results. Today \nmore and more digital evidence relating to both traditional and \ncybercrime activities enters U.S. Courtrooms. The need for highly \ntrained cyber security professionals that can collect, analyze, \ninterpret and report on cyber activities is upon us. We must rapidly \nexpand this cyber security workforce with individuals that are not only \ntalented, skilled and dedicated, but also bring a high degree of \nintegrity and ethics to the process.\n                   Answers to Post-Hearing Questions\nResponses by John R. Baker, Sr., Director, Technology Programs, \n        Division of Undergraduate Education, School of Professional \n        Studies in Business and Education, Johns Hopkins University\n\nQuestions submitted by Representative Bart Gordon\n\nQ1.  In general, what is the state of credentialing for cyber security \nprofessionals?\n\nQ1a.  Are there certification standards in place or under development \nfor cyber security education and training programs?\n\nA1a. 
While there are some recognized credentials for information \nsecurity professionals, there is no widely recognized, independent \ncredentialing organization or process currently in place. Unlike \naccounting and other professions, the `standard\' is to recognize \ncredentials offered by companies established to do the credentialing. \nISC<SUP>2</SUP>, CompTIA and SANS are the most widely recognized \norganizations providing such credentials. Each has some `standards\' for \ntheir credential and a course intended to prepare the professional to \ntake the credentialing test, which they also provide.\n\nQ1b.  Do formal mechanisms exist to develop such standards, and if so, \nplease describe how they work?\n\nA1b. I am not aware of any formal mechanisms currently in place to \ndevelop fully independent credentialing for security professionals at \nvarious levels.\n\nQ1c.  To what extent are academic credits for cyber security studies \nearned through programs at one institution transferable to another in \nfurtherance of meeting degree requirements?\n\nA1c. The typical arrangements are for one institution to accept credits \nfrom another accredited institution. Academic institutions in the U.S. \nare accredited by a regional accrediting organization, sanctioned by \nthe Dept. of Education. (Johns Hopkins is accredited by the Middle \nStates Accrediting body.) However, each institution usually reserves \nthe right to not accept credits from another institution, usually, \nbecause 1) the number of credits to be transferred in for a student \nexceeds some limit, 2) they are not applicable to the program the \nstudent will be entering at the new institution, or 3) there is some \nquestion of validity of the sending organization or the credits.\n    Also, if the organization that is providing the credits is from \noutside the U.S., another process is in place to determine the validity \nand applicability of the incoming credits.\n\nQ1d.  
Is there a federal role in establishing national accreditation of \ncyber security education and training programs, and if so, how would \nyou characterize it?\n\nA1d. At the moment, the federal role should be reserved to encourage \nthe industry to develop an independent set of credentialing criteria. \nThis could be accomplished through some small grants intended to start \nsuch a process, and/or the development of specific standards within the \nFederal Government for various levels of security professionals. \nCredentials should be tied to specific job task or employment \nrequirements. NIST has done some work in this area.\n    Once the credential requirements are established and the process \nfor determining if a professional has met the credential requirements \nis in place, the industry can usually provide plenty of opportunity to \nreceive the appropriate training or education needed to receive the \ncredential.\n\nQ2.  What is the supply and demand situation for individuals with cyber \nsecurity expertise? What evidence do you have that such individuals are \nin demand, and what skill sets are most in demand?\n\nA2. Anecdotal evidence suggests there will be plenty of opportunities for \nsecurity professionals. Network security appears it will be the most \nsought after expertise in the near future.\n\nQ3.  You indicated in your testimony that NSF has not been able to \nsupport innovative initiatives in information security education \nbecause of funding issues. Could you expand on this comment, and in \nparticular, what kinds of innovative initiatives are not getting \nsupport?\n\nA3. In discussing this issue with colleagues, they have indicated their \nunderstanding is NSF has not received its full funding and therefore is \nnot able to support some proposals in the area of cyber security \neducation. However, they did not provide specific information about \ntheir concerns.\n\nQ4.  
What has been your experience with the NSF Scholarships for \nService program in terms of its ability to attract good students and \nits success in placing graduates in federal agencies? Do you have \nsuggestions on ways to improve the scholarship program?\n\nA4. Hopkins\' experience with the SfS program has been good. Earlier we \nhad some problems placing the students, but that seems to be much less \nof a problem at this point.\n                   Answers to Post-Hearing Questions\nResponses by Erich J. Spengler, Principal Investigator, Advanced \n        Technology Education Regional Center for the Advancement of \n        Systems Security and Information Assurance, Moraine Valley \n        Community College\n\nQuestions submitted by Representative Bart Gordon\n\nQ1.  In general, what is the state of credentialing for cyber security \nprofessionals?\n\nQ1a.  Are there certification standards in place or under development \nfor cyber security education and training programs? Do formal \nmechanisms exist to develop such standards, and if so, please describe \nhow they work?\n\nA1a. The current state of credentialing encompasses an ongoing debate \nregarding the modeling of curriculum on industry certification. This \ndebate focuses on the balance between certification standards and \nrequired skill sets. As academic institutions construct the basis for \ncyber security curriculum, several factors must be considered. These \nfactors include the reflection of current industry demand identified by \njob skill proficiency and alignment to existing standards or \ncertification through government or private entities. Therefore, one \nset of standards is not in place, but the debate for its development is \nindeed ongoing.\n    Job skills proficiency and the mastering of industry knowledge \noften represent the framework used to construct cyber security programs \nfrom a practitioner outcome perspective. 
Cyber security skills are \noften identified through a thorough examination of current and future \nemployer hiring needs. This process is often costly and must be ongoing \nto ensure consistency with current employer demands. Failure to \naccurately represent needs may result in programs that lack necessary \ncomponents to adequately prepare cyber security professionals. To avoid \nthese situations, many vendor and non-vendor organizations have \nestablished education/training programs and certification processes for \nbenchmarking information security knowledge.\n    I would caution the use of the term certification standard at this \npoint, as this may convey that a single model of authority exists. In \nfact, there are currently many available models that can be used when \ncreating cyber security education and training programs. The following \nrepresent only a few of the models that developers evaluate when \nestablishing their curriculum framework:\n\n        (1)  The International Information Systems Security \n        Certifications Consortium, Inc. (ISC) <SUP>2</SUP>\n\n             (ISC) <SUP>2</SUP> maintains what is referred to as \n        the Common Body of Knowledge for Information Security (CBK). \n        They administer certification examinations and require the \n        maintenance of post certification credentials through \n        continuing education. The CBK provides a common foundation for \n        the mastering of information security skills. 
The Certified \n        Information Systems Security Professional (CISSP) and System \n        Security Certified Practitioner (SSCP) are certification \n        examinations offered to candidates wishing to demonstrate \n        proficiency in areas of CBK knowledge.\n\n        (2)  The National Security Agency/Central Security Service\n\n             The Committee on National Security Systems (CNSS), chaired \n        by the Department of Defense, works with the National \n        Information Assurance Education and Training Program (NIETP) to \n        develop Information Assurance training standards. Under these \n        standards, the Information Assurance Courseware Evaluation \n        (IACE) program is used to ensure compliance with national \n        standards including:\n        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n        \n    CNSS and (ISC) <SUP>2</SUP> are examples of the many groups that \nare working to provide standards in information security education and \ntraining. Others include the SANS Institute Global Information \nAssurance Certification (GIAC), CompTIA Security+, the National \nInstitute of Standards and Technology (NIST) Special Publication 800-\n16. Additionally, vendors such as Microsoft, Cisco Systems Inc., and \nIBM develop product-specific and technology-specific security \ncertifications. A growing challenge exists when determining which of \nthe aforementioned certification standards should be incorporated as \ncurriculum is mapped to certification.\n    The National Security Agency (NSA) currently implements the \nInformation Assurance Courseware Evaluation (IACE) Program. 
This \nprogram enables cyber security education and training programs at \nacademic, government and commercial organizations and most recently \ncommunity and two-year technical colleges, to map curriculum to \nnational standards as set forth by the Committee on National Security \nSystems (CNSS).\n    The National Science Foundation Advanced Technological Education \n(NSF ATE) program continues to play a major role in the identification \nand development of appropriate standards for education and training \nprograms in cyber security related areas. The NSF ATE program also \nencourages collaboration between organizations tasked with the \nformulation and development of such standards. Over the next year, the \nNSF ATE Regional Center for Systems Security and Information Assurance \n(CSSIA) will partner with the National Workforce Center for Emerging \nTechnology (NWCET) to enhance and review current skill standards. This \ngroup will also determine opportunities for alignment with other skill \nstandards identified by (ISC) <SUP>2</SUP>, CNSS and others.\n\nQ1b.  To what extent are academic credits for cyber security studies \nearned through programs at one institution transferable to another in \nfurtherance of meeting degree requirements?\n\nA1b. There is a clear weakness in the transferability of academic \ncredentials from one institution to another. With a lack of common \nstandards for program certification, schools construct programs \nreflecting different standards. Some programs may place an emphasis on \na particular vendor\'s cyber security skill requirements while others \nmay emphasize a more general non-vendor approach. This results in \ncurriculum that is difficult to articulate on a course by course basis \nresulting in earned credits not transferring. When earned credits do \nnot transfer, barriers emerge for students as they continue the pursuit \nof cyber security related careers. 
Institutions should be encouraged to \nemphasize a common set of standards or certification criteria in cyber \nsecurity. Through this, academic education and training programs will \nsubstantially increase pathways toward articulation.\n    As noted in my original testimony, community colleges play a \ncritical role in the education and training of the Nation\'s workforce. \nThe American Association of Community Colleges (AACC) also indicates \nthat community and technical colleges enroll 44 percent of all U.S. \nundergraduate students, including 11.4 million credit and non-credit \nstudents. From these numbers, some 200,000 certificates and 450,000 \nassociate\'s degrees are granted each year. As cyber security programs \nemerge we must consider that the ability to meet degree requirements \nwill be significantly reduced without emphasizing pathways, \narticulation agreements, and common standards. The NSF ATE program \nsupports projects that provide guidance and leadership in the area of \ncareer pathways, articulation and standards. NSF ATE Centers continue \nto focus on these initiatives.\n\nQ1c.  Is there a federal role in establishing national accreditation of \ncyber security education and training programs, and if so, how would \nyou characterize it?\n\nA1c. The Federal Government can play a role in the national \naccreditation of cyber security education programs. Most recently, \ninviting community and two-year technical colleges to submit requests \nunder the National Security Agency (NSA) Information Assurance \nCourseware Evaluation (IACE) Program is a move in a positive direction. \nWe must, however, recognize that the acceptance of other standards such \nas (ISC) <SUP>2</SUP>, SANS, CompTIA, and (NIST) SP 800-16 are becoming \nprevalent in their relationship to business and industry workplace \nskills and therefore will remain a vital component of the curriculum \ndevelopment process.\n\nQ2.  
What is the supply and demand situation for individuals with cyber \nsecurity expertise? What evidence do you have that such individuals are \nin demand, and what skill sets are most in demand?\n\nA2. As stated in previous testimony, the NSF ATE Regional Center for \nSystems Security and Information Assurance (CSSIA) and its partners \nconducted a survey of companies in five mid-western states to determine \nthe job demand for IT security-related positions, desired skills, and \npreferred educational levels. The study was completed in the spring of \n2004 at a regional level and shows evidence that the demand for cyber \nsecurity related skills is growing. At the completion of this survey, a \ntotal of 340 responses from companies throughout the Midwest were \nreceived. Respondents were divided into small (less than 100 \nemployees), medium (100-499) and large (500 or more) companies. An \noverwhelming 99 percent of respondents were concerned about Internet \nand computer security. Almost three-fourths of respondents said their \ncompany currently employed people in IT security positions and IT \nsecurity positions were more likely to be part-time or shared positions \n(part-time security along with other IT duties) than dedicated (full-\ntime IT security). Table 1 below shows employment projections based on \nthese 340 responses.\n    Additional summarized responses are as follows:\n\n        <bullet>  A total of 340 responses were received. 
Respondents \n        were divided into small (less than 100 employees), medium (100-\n        499) and large (500 or more) companies.\n\n        <bullet>  Almost all respondents were concerned about Internet \n        and computer security.\n\n        <bullet>  Almost three-fourths of respondents said their \n        company currently employed people in IT security positions.\n\n        <bullet>  IT security positions were more likely to be part-\n        time or shared positions (part-time security along with other \n        IT duties) than dedicated (full-time IT security).\n\n        <bullet>  Part-time security responsibilities can be or are \n        being added to most IT areas, including network administrator, \n        help desk, network engineer, applications developer and systems \n        analyst.\n\n        <bullet>  Associate\'s degree graduates will be able to find IT \n        security positions, both at the entry-level and experienced \n        level, but Bachelor\'s degree graduates are preferred.\n\n        <bullet>  The most popular types of security training provided \n        for IT staff were self-study and commercial vendor training \n        site. Somewhat more than two out of ten used community college \n        classes.\n\n        <bullet>  Respondents indicated a total of 166 current openings \n        for IT security positions, and projected more openings in one \n        year (N = 237) and still more in three years (N = 422).\n\n        <bullet>  One-fourth of respondents said their company would be \n        hiring new IT security staff within the next year. Slightly \n        more than half said there was shortage in the current supply of \n        qualified applicants for entry-level IT security positions. 
\n        Large companies were more likely to be concerned about Internet \n        and computer security, to have security positions, to have \n        dedicated (that is, full-time) security positions, and to \n        require a Bachelor\'s degree than medium and small companies. \n        More than half of respondents indicated some interest in \n        participating in IT security activities such as serving on an \n        advisory committee, acting as an internship site, providing \n        work-site tours, or other partnering activities.\n                   Answers to Post-Hearing Questions\nResponses by Sydney Rogers, Principal Investigator, Advanced Technology \n        Education Regional Center for Information Technology, Nashville \n        State Community College\n\nQuestions submitted by Representative Bart Gordon\n\nQ1.  In general, what is the state of credentialing for cyber security \nprofessionals?\n\nQ1a.  Are there certification standards in place or under development \nfor cyber security education and training programs?\n\nA1a. Certification standards for information security professionals \nhave been developed by the National Security Agency (NSA) and the \nCommittee on National Security Systems (CNSS). These standards have \nbeen incorporated into the Information Systems Security Professional \ncertification offered by CISCO Systems. Many other organizations offer \ncertification programs in information security. Although I do not know \nfor sure, I assume they also incorporate the NSA and CNSS standards.\n\nQ1b.  Do formal mechanisms exist to develop such standards, and if so, \nplease describe how they work?\n\nA1b. I am not qualified to answer this question; however, I assume the \ninformation is available from the NSA and the CNSS. I have included a \nURL that provides information about those who are working on this \nproblem.\n    http://www.nsa.gov/ia/academia/\n\nQ1c.  
To what extent are academic credits for cyber security studies \nearned through programs at one institution transferable to another in \nfurtherance of meeting degree requirements?\n\nA1c. In Tennessee, credits for cyber security studies will transfer \nfrom one higher education institution to another to the same degree \nthat all other technical and courses in a specific discipline transfer. \nAt Nashville State Community College, students may be awarded college \ncredit toward a degree in computer networking for non-credit \ncertification courses in cyber security and those credits will transfer \nto university programs that are of like disciplines. At this time in \nTennessee, these credits are primarily for individual courses that are \na part of degree programs in networking and telecommunications rather \nthan for an entire degree in cyber security.\n\nQ1d.  Is there a federal role in establishing national accreditation of \ncyber security education and training programs, and if so, how would \nyou characterize it?\n\nA1d. From my perspective at the community college, it seems that \naccreditation standards for cyber security programs are being \nestablished by the commercial community and training programs and is \nwidely available. If there is a federal role, I think it would be to \nprovide a coordination or leadership function to actually get these \nprograms implemented and get students enrolled. For instance, \ninformation coming to the college must be sought out by the college and \nalthough my college does this to some degree, many colleges do not. \nToo, most experts agree that for the country to achieve the best \noutcome, all programs must include some elements of cyber security \ntraining. If this is to happen, a proactive national effort to \ndisseminate information and materials about the subject to community \ncolleges, universities, and State and local school systems will be \nnecessary. 
A suggested approach might be to have an office within the \nDepartment of Homeland Security with a function to coordinate all the \ninformation being developed about cyber security through NSF, NSA, and \nother departments and proactively organize distribution of those \nresources and the need to implement the programs all across the country \nto colleges and local school systems.\n\nQ2.  What is the supply and demand situation for individuals with cyber \nsecurity expertise? What evidence do you have that such individuals are \nin demand, and what skill sets are most in demand?\n\nA2. At my college, we have seen little demand for workers with specific \nexpertise in cyber security. Instead, we have seen increased demand for \nnetwork technicians and the job listings specify security knowledge as \na part of the overall job description. Listings include knowledge and \nskills in firewall protection, knowledge of virus software, etc. In one \ncase, an advisory committee for the health industry asked for all \nemployees to have some understanding of cyber security and we have \nheard from other employers that they would like to see the curricula of \nall programs include elements of cyber security education to varying \ndegrees. We have seen an increase in the number of requests for network \ntechnicians during the last quarter. From March to May of this year we \nhad 16 requests for such technicians and from June through August, we \nhad 24 requests for the same job title. Most of these employers assume \nthat the network technicians have specific knowledge of cyber security.\n</pre></body></html>\n'