Issue No. 01 - January/February (2005 vol. 22)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MS.2005.11
Cybercorps Scholarships Fund New Generation of Security Gurus
The Cybercorps scholarship program aims US National Science Foundation funds at two important targets. The first is to educate more of the top computer science students in information assurance and security. The second is to convince them to bring those skills to government agencies after graduation. Since the scholarships began in 2001, students and college educators say the program has made a mark on the nation's next generation of security experts.
Sujeet Shenoi, who runs the Cybercorps program at the University of Tulsa and represents participating universities on an interagency coordinating committee, says that in his first 15 years as a professor, not one of his computer science students joined a government agency. "Now I'm sending my best students to the government."
Formally known as the Federal Cyber Service: Scholarship for Service (SFS) program ( www.ehr.nsf.gov/ehr/DUE/programs/sfs), but commonly called Cybercorps, the program awards two-year scholarships. These typically cover a student's junior and senior years of undergraduate study or a two-year graduate program. (A few students have used the scholarships toward a doctorate.) In return, students serve in a government agency for two years after graduation. Some students win a one-year scholarship when a slot opens unexpectedly; they serve for one year.
The program also bestows capacity-building awards to universities. These awards are designed to update and improve information assurance and security curricula and courses and to get professors out in the field with subject area experts. The awards also help the universities qualify as National Security Agency Centers for Academic Excellence; schools must meet this qualification in order to distribute Cybercorps scholarships.
Participating professors believe that the Cybercorps students will make the US digital infrastructure, both private and public, safer in coming years.
"The students' interest level has been high from the beginning," says Don McGillen, who runs the Cybercorps program at Carnegie Mellon University and is executive director of the school's CyLab research program ( www.cylab.cmu.edu). "The responses we're getting back from the hiring agencies are uniformly outstanding."
Results to date
As of fall 2004, Cybercorps has delivered funding to about 574 students, according to the NSF, and about 59 universities have won capacity-building awards.
To date, Cybercorps graduates have punched in for work at about 17 US federal agencies, including the Departments of Commerce, Homeland Security, Treasury, and Justice. Most of these graduates have joined the NSA, which is part of the Department of Defense.
The NSF committed about US$11.2 million per year to Cybercorps in 2001 and 2002, $19 million in 2003, and $16 million in 2004; 2005 funding is expected to be close to 2004's level. The NSF, an independent federal agency charged with supporting scientific and engineering research and education, has about a $5 billion annual budget.
"We expect the program to continue to grow," says Diana Gant, the lead program director of the SFS program. "This is a priority area for the nation. This is a program that directly prepares students and university curriculums to face the security issues we face in federal government." The need for information assurance and security experts continues to grow as well, she says.
Dot-com vs. Uncle Sam
Why was Cybercorps necessary? During the dot-com boom, private companies were luring top computer science students with rich stock and salary offers. At the same time, many government agencies realized they needed to attract more top students to the information assurance and security fields, according to Shenoi. In addition, not enough university programs were digging deeply into these topics. After the September 11, 2001, attacks, agency recruiting needs became even greater.
The program's formal genesis was in a 1997 presidential commission studying critical computer and information system infrastructure protection issues, and a subsequent 1998 presidential directive. Congress funded the scholarships in NSF's 2001 budget.
In May 2001, the NSF awarded the first scholarships through six institutions: Carnegie Mellon University, Iowa State University, Purdue University, the University of Idaho, the University of Tulsa, and the Naval Postgraduate School.
The program's focus remains specifically on information assurance and computer security. "We have not thought about expanding the program away from information assurance," Gant says. She adds that when you consider other fields of IT study such as database design and electronic government, the government agencies certainly need these types of specialists, but university programs and students are already in place to fill those needs.
Bang for the buck
Historically, almost 90 percent of Cybercorps graduates have won a government job and served, according to Gant. Some problems occur matching students to opportunities. But a bigger problem is that delays in security clearances for students have held up placements. The involved agencies are working to address this issue, Gant notes. "Certainly one of our goals is to reach the 100 percent placement mark."
"Every semester I graduate 12 to 15 students," Shenoi says. "About 60 percent go to work for the NSA. My students on the average get three offers each."
In terms of the program's cost-benefit ratio, the NSF doesn't have formal metrics yet, but they're doing a study with the federal Office of Personnel Management to examine cost issues, Gant says.
The program is clearly meeting the goal of raising awareness among students, Gant believes. "I don't think the students were very aware of the opportunities that existed in the government in this field before. The program has gotten students interested and excited."
"I think the agencies are getting a huge bang for the buck," Shenoi says. "The students work hard, then go work for the government. This is a very nice Homeland Security program, a very cheap one."
Carnegie Mellon's McGillen says the math adds up. "These are extremely bright, extremely motivated students, and the government agencies are enthusiastic and pleased with the students they hire," he says. "The government's getting an extremely valuable resource for the money."
Carnegie Mellon offers Cybercorps scholarships to students pursuing master's in two areas: information security technology and management, and information security policy and management. Neither degree was offered at Carnegie Mellon until the advent of Cybercorps.
Under Carnegie Mellon's current funding, it will award Cybercorps scholarships to 18 students per year (nine in each program) for the next three years. In all, 46 Cybercorps scholars currently attend the school.
McGillen notes that another indicator of the program's long-term value is that students are choosing to stay with government agencies even after their commitments end. All eight original Carnegie Mellon Cybercorps students have finished their commitments, and none have left government service yet.
"At the height of the Internet bubble, we weren't sure what to expect," McGillen says, in terms of students being willing to pass up lucrative private offers. "The students' sense of service and willingness to contribute have been quite impressive."
Chuck Fox, a May 2004 Cybercorps graduate from Carnegie Mellon, recently began development and engineering work at the US Army Research Laboratory, where he develops technologies for information infrastructure for the US Army and Department of Defense.
Fox earned a masters of science in information networking, but he says the people he met through the Cybercorps program, as well as his Cybercorps internship at the US Federal Aviation Administration, were just as valuable as the coursework. At the FAA, he worked in the agency's computer incident security response center, which ensures the integrity of FAA systems handling everything from traffic control to weather.
"The internship wouldn't have happened without the program," Fox says. "You're able to get a foothold, get some real-world experience."
Fox also appreciated meeting Cybercorps students and professors from other universities; he expects these fellow information assurance experts will remain a valuable network in his government service.
Competition to win a Cybercorps scholarship is keen. For example, the University of Tulsa receives an average of 1,000 applications per year and accepts 30 to 40 people, Shenoi says. Passion for the subject matter and personal integrity top the list of qualities that he seeks in applicants.
Shenoi also strives to include a mix of people, including some nontraditional students. Past students include former Marines and Air Force veterans, a father and son in the program at the same time, and a 65-year-old student who had worked on the Apollo space program. Shenoi's youngest student to date was a 17-year-old college junior. Cybercorps is about 20 percent female at the University of Tulsa; the scholarships have increased the number of female computer science students at the school, Shenoi says.
Lindsay Smith, one of Shenoi's undergraduate Cybercorps students, says the program opened her eyes to new courses of study. A junior double-majoring in Russian and computer science, she had been thinking of a career in translation or political analysis. But she's now considering computational linguistics and digital forensics—a topic she got to explore in a US Secret Service internship this past summer. If not for the Cybercorps program, "I probably never would have thought of taking the forensics class," she says.
The knowledge and the professional network gained through Cybercorps have been just as important as the scholarship, claims Kecia Gubbels, a University of Tulsa graduate student who completed her master's in computer science in December 2004. "I've met so many people who'll be working in my field."
Gubbels had earned an undergraduate MIS degree at the University of Nebraska, Omaha, but hadn't really considered government agencies before a professor introduced her to the idea of applying for Cybercorps. Now she's juggling five government agency employment offers, including one from the NASA Office of the Inspector General, where she recently completed an internship.
Gubbels gained a unique benefit at the University of Tulsa: students work on digital-forensics projects in cooperation with Tulsa law enforcement agencies. For example, they helped solve a homicide case using digital evidence. "We've worked side by side with the police," she says. "That's a great opportunity I wouldn't have had anywhere else. And working with them really improved our forensics class."
Improved courses of study
Cybercorps not only benefits students through financial aid but also improves the university curriculum, bettering courses and lab work, according to Carnegie Mellon and University of Tulsa professors.
"We've added about five new courses," Shenoi says. The course topics include digital forensics, enterprise security management, security auditing and penetration testing, and secure-systems administration.
Close contact with the agencies keeps course work much more up to date, Shenoi adds. "We get continuous feedback from the agencies, who say 'we'd like you to teach this, do a lab in this,' and it improves the program and what students know."
Carnegie Mellon has also added classes, including secure software engineering, as well as frequent seminars where US government agency representatives speak to students about specialized topics, McGillen says.
According to Gant, two key future goals for Cybercorps are to increase awareness of the program among government agencies and increase the amount of real-world material that students use in classes.
For example, through a program with the NSA that began in fall 2004, students at some universities now work on chunks of real problems from the Department of Defense and send back their results. "We want to do more things like that," says Gant. "We're hoping over the course of the next semesters this becomes a larger part of the university curriculums."
Also, information assurance needs to be addressed from a variety of disciplines, Gant believes, bringing courses together not only in computer science but also in fields such as anthropology, sociology, political science, and engineering.
Keeping up to date with the speed of change will be essential. "Especially in information assurance, the knowledge is only as good as its application to the real world," she says.
LET FREEDOM RING? DEVELOPER DECLARATION PROMOTES OPEN STANDARDS
On 4 July 1776, the Declaration of Independence was signed, and US history was made. Fast-forward to 2004, and a new document—the Developer Declaration of Independence—is trying to make a different kind of history.
The Declaration (also known as the IT Declaration of Independence) was announced in late July by the Open Group, a San Francisco-based vendor and technology-neutral consortium that offers certification services and conformance testing.
The Declaration furthers the Open Group's vision of achieving "boundaryless information flow" and global interoperability through the universal adoption of open technology standards.
"For me, the Declaration is a means to express the importance of open standards and to state that I and hopefully my organization are working to achieve that goal," says Graham Bird, the Open Group's vice president.
Liberty! Equality! Open standards!
Specifically, the Declaration seeks liberation from dependence on proprietary architectures or legacy software controlled by a single organization. It ultimately seeks to achieve a more competitive marketplace by offering IT users freedom of choice and providing interoperability among all providers.
"I believe it will bring about awareness of the importance of open standards and the role they play in achieving interoperability," Bird says.
Although the Declaration's primary purpose seems to be raising awareness about the importance of open standards, as well as calling attention to increasing support in the IT industry for open source software development, the document isn't devoid of substantive value.
"It will direct the way individuals and companies interact using open source code," says Edmond Cooley, assistant professor of engineering and IT director at Dartmouth College. "The Declaration contains very clear directives or requirements on the part of the people who choose to participate."
Joining the mainstream
Yet, despite what he calls its "counterculture roots," Cooley acknowledges that the open source movement is quickly mainstreaming and is, at least partly, economically driven. "There is a strong movement afoot to going totally open source, and it's strengthening every day," he says. "People are saying, 'We're tired of paying licensing fees.'"
It would seem that their voices are being heard. Although initially written off by some in the industry as a not-so-thinly-veiled dig at Microsoft, in a short time the Declaration has become a full-fledged movement. Although a spokesperson for Microsoft (not a signatory to the Declaration) declined comment, more than 2,700 other high-tech signatories from around the world, including IBM, have signed the Open Group's online Declaration at www.opengroup.org/declaration.
"IBM has had an ongoing commitment to encouraging the promotion of open standards," says Robert Sutor, director of IBM's WebSphere software group. "Our rule is standardize as much as possible. It allows you to focus on the higher-level things your clients are doing in their respective industries—be that insurance or finance, or what have you—instead of having to 'fix the plumbing' all the time."
A flip side?
Yet despite its seeming popularity, the Declaration itself—not to mention the principles it espouses—is not without possible drawbacks.
Cooley acknowledges that in the interest of freedom, quality could be compromised. "And there's the issue of cost of ownership," he says. "It may be free up front, but what will it cost to maintain and support it? To secure it?
"The IT Declaration of Independence, and the whole open source movement, is an interesting idea, but it may not be for everybody," he says. "For instance, some software developers might feel threatened, especially if there is no apparent financial benefit to them. It begs the question, how's anybody going to make money if it's all out in the open?"
Sutor isn't concerned. "Even with the growth of the open source software movement, there will still be plenty of money to be made," he says.