Homeland Security Watch

News and analysis of critical issues in homeland security

April 24, 2012

Cybersecurity Awareness and Capacity Building: Some learning objectives

Filed under: Cybersecurity,Education — by Christopher Bellavita on April 24, 2012

Sunday and Monday’s Homeland Security Watch posts reminded me how little I know about cyber fill-in-the-blank issues.  I know more than I did a year ago. But every time I hear or read something from someone who actually understands cyber issues, what I believe I know becomes a much smaller fraction of what I think I could know.

This week’s posts also reminded me of a “cyber awareness” course syllabus a friend sent to me last June when I was trying to make sense of the cyber domain.  The best I can figure out, the 20-page syllabus came from someone named “Paul Herman” at Florida State University.  I have not been able to verify that.

I bring this up for two reasons.

First, this is cyber week on homeland security watch, and I agreed to write something about cyber, severely underestimating how much time it would take to write something coherent about Susan Brenner’s 2009 reminder that “Article I § 8 of the U.S. Constitution gives Congress the “Power To . . . grant Letters of Marque and Reprisal,” and how we might want to consider using that Constitutional authority to encourage “cyber-privateers to deal with cybercriminals.” (See also this related entry on the Morgan Doctrine blog; [and thanks for the idea, KS].)

Second, when I first saw “Paul Herman’s course syllabus” I remember being impressed with how much territory it covered, and how it actually included “learning objectives.”

The syllabus helped me map my own preliminary cyber learning agenda.  I pass a very small portion of it (topics and learning objectives) along today, with the hope it might help someone develop his or her own agenda for learning about (or maybe teaching) this still emerging homeland security issue.

Thank you, “Paul Herman,” whoever you are.

——————

Module 1: The Importance of Cyberspace

Much like globalization writ large, those states and societies that catch the cyberspace bus will tend to move forward, while those that miss it will tend to be left behind.

Learning Objectives:
When you complete this module you should be able to:
• Define Cyberspace and Cybersecurity
• Recognize the centrality of cyberspace to contemporary life
• Recognize the inherent vulnerabilities of utilizing cyberspace
• Differentiate the key sub-dimensions within the overall cybersecurity subject area

Module 2: Invasion of Personal Privacy

Increasingly, individuals’ confidential records and affiliations are stored or expressed on the Internet.

Learning Objectives:
• List the types of personal data that are increasingly connected to the Internet
• Comprehend the visibility of many personal behaviors on the Internet
• Conclude that this type of personal exposure entails risks to individuals

Module 3: Sexual Exploitation / Predation

The Internet lends itself to taking advantage of the physically and emotionally most vulnerable members of society.

Learning Objectives:
• Evaluate the impact on children of their forcible sexual depiction
• Evaluate the impact on women’s status in society
• Analyze the potential for predatory actors on the Internet to misrepresent themselves and lure other gullible participants into dangerous rendezvouses and relationships

Module 4: Disgruntled Insiders

Severe damage is arguably more likely to be done to your organization by persons who legitimately belong there than by external hackers.

Learning Objectives:
• Determine if unhappy employees in an organization are prone to stealing or destroying information assets as a type of revenge or justice seeking
• Determine if unhappy employees in a factory or supply chain are susceptible to being recruited to alter or degrade information and communication technology (ICT) products
• Assess the implications of the … WikiLeaks case

Module 5: Personal Financial Theft

The heist of digitized currency is probably the most prevalent cybercrime in the world.

Learning Objectives:
• Recognize the ease and frequency with which credit card numbers are stolen
• Recognize the susceptibility of financial data, including bank accounts, to being stolen
• Discover that stolen financial account data is sometimes sold to other criminals, or used to blackmail / extort victimized institutions.

Module 6: Corporate Espionage

Building competitive, innovative economies – aided by theft if need be – is probably more conducive to national security than is amassing armaments.

Learning Objectives:
• Estimate the magnitude of the value of stolen Intellectual Property (IP)
• Identify the different types of actors involved in stealing IP
• Explore the potential for commercial competitors to try to ruin one another’s reputation
• Assess the implications of a recent high-vis corporate penetration

Module 7: Violent Extremist Collaboration

Violent extremists bolster one another in cyberspace and exchange tricks of the trade.

Learning Objectives:
• Recognize how extremist groups and individuals can use cyberspace to incite violent impulses
• Recognize the availability of weapon and explosive device designs on the Internet
• Recognize group tactic sharing and operational attack planning on the Internet

Module 8: Critical Infrastructure Disruption

For ease of operation, many of the services citizens count on – utilities/energy, transportation, and financial markets – are increasingly accessible from the Internet.

Learning Objectives:
• List critical infrastructures
• Explain control systems, and illustrate their importance via the recent Stuxnet case
• Interrelate critical infrastructures and how failure in one might cascade

Module 9: National Security Espionage

In the U.S. case, Pentagon and State Department computer systems are probed thousands of times daily.

Learning Objectives:
• Recognize that the Internet provides nation-states and their intelligence agencies with vastly expanded capabilities to furtively acquire information.
• State some of the military and diplomatic advantages that would come from effective espionage.

Module 10: Information Operations / Cyber War

Cyber war is a force multiplier that developing nations will increasingly want to take account of.

Learning Objectives:
• Recognize that information operations can interfere with critical infrastructure, which is the logistical mechanism for mobilizing in a crisis
• Recognize that degraded targeting data make smart bombs dumb
• Observe that small nation-states are often the target of information operations during a confrontation (as illustrated by Estonia and Georgia opposite Russia in 2007 and 2008, respectively)

Module 11: Summary Patterns

This is a bigger problem than most people realize. Critical infrastructure is increasingly regulated in cyberspace, and such infrastructure is essential for an effective response to any emergency – natural or manmade.

Learning Objectives:
• Deduce or recall examples of how the aforementioned subdivisions of cyber security are nested or interrelated.
• Explain how cyber insecurity can have systemic – economic and/or political – effects
• Recognize that even developing states are not insulated from high-tech cyber concerns

Module 12: Technical Digression

…[It] must be realized that at bottom line, cyber security is heavily a function of computer science / network administration.

Learning Objectives:
• Describe how the leading types of malicious software (malware) work
• Describe the leading techniques exploiters use to trick Internet users.
• Identify several information technology (IT) best practices that aim to blunt computer exploitation

Module 13: A Policy Framework for Cyber Security

While governments alone cannot ensure cybersecurity, they can put in place a policy framework that facilitates it.

Learning Objectives:
• Articulate a case for states to formulate a national cyber strategy
• Explain the connection between legislated authorities and regulatory activities
• List key national cybersecurity institutions
• Identify sources of international / multilateral support

Module 14: A Culture of Cybersecurity

Societal features external to government IT programs contribute to a broad milieu of cyber safety.

Learning Objectives:
• Assess the adequacy of national science and technology (S&T) education
• Examine the adequacy of national business culture for fully incorporating cyber vulnerability into risk management formula
• Comprehend the need for civil society bodies to credential properly trained information security professionals


5 Comments »

Comment by William R. Cumming

April 24, 2012 @ 7:53 am

Depending on how exactly SCOTUS rules on health care, huge implications of their decision could exist for cyber security. Why? Congress continues to refuse, even if incorrectly what sections of the Constitution they have used as the premise for their authority to create and enact legislation. The Administration, erroneously IMO originally argued that the Commerce Clause was the premise of the Obamacare law and now argues Article I Section 8, the so-called Tax and Spend clause, except that the Administration argues even though parts of Obamacare are tax levies and in the IRC it is not a TAX. Thus, the importance of the case. In the world of cyber security the issue of who pays for security is all important. For example if you argue that the internet is the commons and you want to protect the commons you could argue that anyone damaging or sabotaging the commons either negligently, gross negligently, or criminally should pay fines or even subject to imprisonment.

So that is in part why I think Congress should postpone legislation since it has not even considered the first principles of cyber security in this decade and not much of real import has occurred since issuance of the President’s Commission On Critical Infrastructure Protection report in September 1997 that concluded that cyber security and physical security were in fact two different realms. The Clinton response in PD-63 has been modified but not really replaced although IMO again it did contribute some to the analytic framework for CIP.

But hey legislating and administering in complete ignorance [voting also] seems to be the hallmark of 21st Century American life so perhaps no harm no foul. Or perhaps completely and expensively erroneous efforts that will cause major hardships.

I do find it very significant that so many regimes from Egypt to China are able to shut down the internet or censor it in various ways. So thanks for this post Chris helpful to discussion of the issue.

One might have a course discussing how much Microsoft costs its customers in time lost and computer damages due to their failure to have developed secure systems. Systems security again is a cost and despite the past the real game in Washington by the lobbyists is to shift or prevent costs so that anyone including the taxpayer pays as opposed to the corporate socialists.

Comment by William R. Cumming

April 24, 2012 @ 7:54 am

Did I mention that some estimate 80% of all Internet traffic is pornography with major corporations often the beneficiary particularly the MSM and hotel chains?

Comment by Stephanie @ HSDL

April 24, 2012 @ 11:25 am

Chris, no librarian worth her degree could resist the “Paul Herman” challenge. Florida State College at Jacksonville has a Paul F. Herman, Jr. as Dean of Academic Programs and Student Success. I haven’t seen the syllabus, but his bio makes me think he might have written it: http://mpss.fscj.edu/staff.php Have a great day!

Comment by Arnold Bogis

April 24, 2012 @ 12:24 pm

I love the idea of “cyber-privateers to deal with cybercriminals.” All I can think of are guys with parrots on their shoulders, wearing pirate hats, furiously typing away on their computers…

Comment by Kirk Skinner

April 27, 2012 @ 8:30 pm

Chris,

Nicely done. You are definitely at the front of the pack when it comes to framing the discussion.

Regards…
