Centers of Academic .... Adequacy

Page Content

Share:

History

Back in 1997, the year before CERIAS was formally established, I testified before Congress on the state of cyber security in academia. In my testimony, I pointed out that there were only four established research groups, and their combined, yearly PhD production was around 3 per year, not counting cryptography.

Also in that testimony, I outlined that support was needed for new centers of expertise, and better support of existing centers.

As a result of that testimony, I was asked to participate in some discussions with staff from OSTP, from some Congressional committees (notably, the House Science Committee), and Richard Clarke's staff in the Executive Office of the President. I was also invited to some conversations with leadership at the NSA, including the deputy director for information security systems (IAD) (Mike Jacobs). Those discussions were about how to increase the profile of the area, and get more people educated in information security.

Among the ideas I discussed were ones expanded from my testimony. They eventually morphed into the Scholarship for Service program, the NSF CyberTrust program, and the NSA Centers of Academic Excellence (CAE). [NB. I am not going to claim sole or primary credit for these programs. I know I came up with the ideas, briefed people about them, discussed pros & cons, and then those groups took them and turned them into what we got. None of them are quite what I proposed, but that is how things happen in DC.]

The CAE program was established by the NSA in late 1998. The CAE certification was built around courses meeting CNSS requirements. Purdue was one of the first seven universities certified as CAEs, in May of 1999. We remained in the CAE program until earlier this year (2008). In 2003, DHS became a co-sponsor of the program.

Why Purdue is No Longer a CAE

In 2007, we were informed that unless we renewed our CNSS certifications by the end of August, we would not be eligible for CAE renewal in 2008. This prompted discussion and reflection by faculty and staff at CERIAS. As noted above, the mapping of CNSS requirements to our classes is non-trivial. The CAE application was also non-trivial. None of our personnel were willing to devote the hours of effort required to do the processing. Admittedly, we could have "faked" some of the mapping (as we know some schools have done in the past), but that was never an option for us. We had other objections, too (see what follows).As a result, we did not renew the certifications, and we dropped out of the CAE program when our certification expired earlier this year.

Our decision was not made lightly -- we nearly dropped out in 2004 when we last renewed (and were not grandfathered into the new 5 year renewal cycle, much to our annoyance), and there was continuing thought given to this over intervening years. We identified a number of issues with the program, and the overhead of the mapping and application process was not the only (or principal) issue.

First, and foremost, we do not believe it is possible to have 94 (most recent count) Centers of Excellence in this field. After the coming year, we would not be surprised if the number grew to over 100, and that is beyond silly. There may be at most a dozen centers of real excellence, and pretending that the ability to offer some courses and stock a small library collection means "excellence" isn't candid.

The program at this size is actually a Centers of Adequacy program. That isn't intended to be pejorative -- it is simply a statement about the size of the program and the nature of the requirements.

Some observers and colleagues outside the field have looked at the list of schools and made the observation that there is a huge disparity among the capabilities, student quality, resources and faculties of some of those schools. Thus, they have concluded, if those schools are all equivalent as "excellent" in cyber security, then that means that the good ones can't be very good ("excellent" means defining the best, after all). So, we have actually had pundits conclude that cyber security & privacy studies can't be much of a discipline. That is a disservice to the field as a whole.

Instead of actually designating excellence, the CAE program has become an ersatz certification program. The qualifications to be met are for minimums, not for excellence. In a field with so few real experts and so little money for advanced efforts, this is understandable given one of the primary goals of the CAE program -- to encourage schools to offer IA/IS programs. Thus, the program sets a relatively low bar and many schools have put in efforts and resources to meet those requirements. This is a good thing, because it has helped raise the awareness of the field. However, it currently doesn't set a high enough bar to improve the field, nor does it offer the resources to do so.

Setting a low bar also means that academic program requirements are being heavily influenced by a government agency rather than the academic community itself. This is not good for the field because it means the requirements are being set based on particular application need (of the government) rather than the academic community's understanding of foundations, history, guiding principles, and interaction with other fields. (E.g., Would your mathematics department base its courses on what is required to produce IRS auditors? We think not!) In practice, the CAE program has probably helped suppress what otherwise would be a trend by our community to discuss a formal, common curriculum standard. In this sense, participation in the CAE program may now be holding us back.

Second, and related, the CNSS standards are really training standards, and not educational standards. Some of them might be met by a multi-day class taught by a commercial service such as SANS or CSI -- what does that say about university-level classes we map to them? The original CNSS intent was to provide guidance for the production of trained system operators -- rather than the designers, researchers, thinkers, managers, investigators and more that some of our programs (and Purdue's, in particular) are producing.

We have found the CNSS standards to be time-consuming to map to courses, and in many cases inappropriate, and therefore inappropriate for our students. Tellingly, in 9 years we have never had a single one of our grads ask us for proof that they met the CNSS standards because an employer cared! We don't currently intend to offer courses structured around any of the CNSS standards, and it is past the point where we are interested in supporting the fiction that they are central to a real curriculum.

Third, we have been told repeatedly over the years that there might be resources made available for CAE schools if only we participated. It has never happened. The Scholarship for Service program is open to non-CAE schools (read the NSF program solicitation carefully), so don't think of that as an example. With 100 schools, what resources could reasonably be expected? If the NSA or DHS got an extra $5 million, and they spread it evenly, each would get $50,000. Take out institutional overhead charges, and that might be enough for 1 student scholarship...if that. If there were 10 schools, then $500,000 each is an amount that might begin to make a difference. But over a span of nearly 10 years the amount provided has been zero, and any way you divide that, it doesn't really help any of us. Thus, we have been investing time and energy in a program that has not brought us resources to improve. Some investment of our energy & time to bolster community was warranted, but that time is past.

Fourth, the renewal process is a burden because of the nature of university staffing and the time required. With no return on getting the designation, we could not find anyone willing to invest the time for the renewal effort.

Closing Comments

In conclusion, we see the CAE effort as valuable for smaller schools, or those starting programs. By having the accreditation (which is what this is, although it doesn't meet ISO standards for such), those programs can show some minimal capabilities, and perhaps obtain local resources to enhance them. However, for major programs with broader thrusts and a higher profile, the CAE has no real value, and may even have negative connotations. (And no, the new CAE-R program does not solve this as it is currently structured.)

The CAE program is based on training standards (CNSS) that do not have strong pedagogical foundations, and this is also not appropriate for a leading educational program. As the field continues to evolve over the next few years, faculty at CERIAS at Purdue expect to continue to play a leading role in shaping a real academic curriculum. That cannot be done by embracing the CAE.

We are confident that people who understand the field are not going to ignore the good schools simply because they don't have the designation, any more than people have ignored major CS programs because they do not have CSAB accreditation. We've been recognized for our excellence in research, we continue to attract and graduate excellent students, and we continue to serve the community. We are certain that people will recognize that and respond accordingly.

More importantly, this goes to the heart of what it means to be "trustworthy." Security and privacy issues are based on a concept of trust and that also implies honesty. It simply is not honest to continue to participate in (and thereby support) a designation that is misleading. There are not 94 centers of excellence in information and cyber security in the US. You might ask the personnel at some of the schools that are so designated as to why they feel the need to participate and shore up that unfortunate canard.


The above was originally written in 2008. A few years later, the CAE requirements were changed to add a CAE-R designation (R for research), and several of our students did the mapping so we were redesignated. Most of the criticisms remain accurate even in 2012.

Comments

Regarding a formal and common curriculum standard, I couldn’t agree more.  While we do have some decent job and task analysis this is more suited for the training environment.  Today most schools simply center on the 10 domains of ISC2 but that’s not complete or sufficient.  My question to the community would be what will it take for us to establish such a standard?  There are pitfalls with every solution I have considered.

Posted by Dennis Dow on Friday, September 19, 2008 at 08:27 AM

Spaf couldn’t be more correct. Some rather shoddy programs at not-too-credible universities and colleges—certainly not at all characterized by any kind of excellence—have nevertheless achieved CAE status. Unfortunately, I do not expect things to change any time in the near future. The government bureaucrats who award CAE status are generally not sufficiently in touch with the academic community to understand what excellence in academics really means. My hope is that CERIAS’ unparalleled reputation coupled with the fact that CERIAS has dropped out from the ranks of so-called CAEs will motivate these bureaucrats to re-evaluate the purpose and meaning of CAE and, ultimately, to make appropriate changes.

Posted by Gene Schultz on Friday, September 19, 2008 at 10:06 AM

Gene - great and very blunt writing.  I agree with almost everything you say, and am glad you came out to say it.  I was, until about a year ago, the director of a CAE-designated center, and I stepped down after our renewal partially to pursue a new opportunity and partially out of frustration.

I had two main goals in originally pursuing the CAE designation: publicity to attract students and resources that it might bring.  Unlike at Purdue, attracting the best students is quite a challenge for many universities, and something to distinguish us, particularly with the mysterious letters “NSA” associated with it, seemed just the ticket.  On this point we succeeded - with the NSA designation, a commendation from the governor, and other publicity, we did attract students.  Almost all of the students that contacted us were interested in training and certification and not participating in our research, however, so I’m not sure our success there was quite as we had hoped.

The cost we paid was to take a well thought-out structure for some courses, and rework them to more closely match the CNSS topics (with assistance from one of the original 7 CAEs, which I will always be grateful for).  In the process we moved further from organizing around ideas to organizing around tasks, and while the result still has educational value, I think it was less valuable than what we could have created without trying to bend to CNSS criteria.

Our second goal (resources) never did materialize in any significant way - a small SFS capacity building grant which was only a fraction of what we generated in research grants.  I suppose I should be grateful for that, and I am, except that the effort-to-payoff ratio seemed awfully high.

So now I’m at a new university, thinking about things in a new way.  We’ve got some security talent here, but I’m not planning to go the CAE route this time.  We won’t be a Purdue or a Santa Barbara or a Davis, but I think building something of quality on our own terms will make me happier at the end of the day.

Posted by Steve on Friday, September 19, 2008 at 12:57 PM

Congratulations for taking a principled stand.

Too many people confuse the label with the real thing.

Jim H.

Posted by Jim Horning on Friday, September 19, 2008 at 12:58 PM

Dr. Spafford:

I appreciate your input and the reputation you bring to the issues is outstanding.  I agree that allowing so many NAE centers degrades the award, kind of like everyone getting a statue at the end of Little League season. 

I don’t agree with an above poster, though, in that the input of those who helped get the ball rolling for the federal government will have much of an impact on changing its course—the ship, to mix metaphors, has sailed, and it’s not coming back.

Posted by Josh Morrison on Sunday, September 21, 2008 at 11:29 AM

I concur with the actions by Spaf and Purdue and join the rest of the posters in applauding his taking this stand on principle. As the government person who championed the original funding for both Purdue and UC Davis’ security research programs, I’m profoundly disappointed by the direction taken in the CAE program. The need for academic quality and rigor in advancing the discipline of information security is even more acute on most every front than when I first took up the cause of university funding back in the early 90s. It’s high time to rethink the quality and quantity of attention and resource applied to this critical area.

Posted by Rebecca Bace on Tuesday, September 23, 2008 at 11:38 PM

Dr. Spafford,
Excellent comments.  I believe the CAE program has served its intended purpose: to raise the amount of security content in academic curriculum.  The issues you raised in this blog are spot on correct and highlight the diminishing value in participating.
Michael

Posted by Michael Grimaila on Thursday, September 25, 2008 at 08:12 AM

I sure feel for ya Spaf, must be hard to sit here 10 years later trying to figure out how to repeat what you said 10 years ago, but in a more influential way…

I kinda felt that way a couple of years into CVE, but alas I guess we must accept that research doesn’t always translate into reality as well as we might hope…;-]

Cheers,
Russ

Posted by Russ Cooper on Friday, October 31, 2008 at 09:22 PM

I have to agree with Rebecca.  I just came across this article while looking for other Purdue information. I’ve followed the CAE for several years. Like any other program, the government seems to have a way of screwing it up. One size doesn’t fit all, and academics in the field would be better suited to plan and write rules for execution of CAE, than centralized government desk jockies.

Posted by Steve Benedict on Tuesday, December 15, 2009 at 01:43 PM

Leave a comment

Commenting is not available in this section entry.