An Anniversary of Continuing Excellence


In February of 1997, I provided testimony to a Congressional committee about the state of cyber security education. I noted that there were only four major academic programs, with limited resources, in information security at that time. I outlined some steps that could be taken to improve our national posture in the field. Subsequently, I was involved in discussions with staffers of some Congressional committees, with staff at NSF, with National Security Council staff (notably, Richard Clarke), and people at the Department of Defense. These discussions eventually helped produce[1] the Scholarship for Service program at NSF, the NSF CyberTrust program (now known as Secure and Trustworthy Cyberspace, SaTC), and the Centers of Academic Excellence program.

On 11 May 1999, 20 years ago, Purdue University[2] was recognized by the NSA as one of the initial Centers of Academic Excellence (CAE).[3] There were some notable advocates of enhanced cyber security at each institution, and they had taken steps to institute courses and research to improve the field—notably including Corey Schou (recently inducted into the Cybersecurity Hall of Fame), Matt Bishop, Deborah Frincke, and Doug Jacobson, to name a few.[4] As I recall, Dick Clarke was one of the prime movers to get the CAE program established under PDD-63; Dr. Vic Maconachy (then) at NSA became the director of the CAE program.

Over the years, the CAE program has continued to expand, to now encompass several hundred institutions around the US. DHS has become involved as a co-sponsor with the NSA. The main certification has bifurcated into a designation for cyber defense research (CAE-R) and a designation for cyber defense education (CAE-CDE). There is also a designation for Centers of Academic Excellence in Cyber Operations. The NSA, as a member of the US intelligence community (IC), also helps support a program for IC Centers of Academic Excellence. In addition to the formal external evaluation process to be designated as a CAE, the program has resulted in the creation of curricular guidelines and recommended best practices for educational programs. A number of leaders in education in the field have also grown out of this process, creating various resources for the community (some of which are hosted at the CLARK website for public use).

I have been critical of the overall CAE program in the past (cf. here and here). I believe most of the criticisms I made are still valid, particularly the ones concerning the designation of "excellence" and the burden of the application process. Nonetheless, there is no denying that the listed institutions have made strides to improve and standardize their programs towards much-needed common goals. There is also continuing (and growing) synergy with efforts such as the NIST National Initiative for Cybersecurity Education (NICE) program and the National Colloquium on Information Systems Security Education (NISSE). Additionally, there has been real progress towards establishing standardized undergraduate curricula in the field, which now includes the potential for ABET accreditation.

Those of us at Purdue recently received notice that Purdue has been recertified as a CAE-R through 2024. This is a result—in large part—of efforts by Dr. James Lerums, one of our recent Ph.D. grads. He volunteered his time to sift through all the documentation, gathered the necessary information, and completed the application process. It was a significant effort and kudos to Jim for taking it on soon after completing a Ph.D. dissertation!

Despite some of my "grumpy old dude" criticisms, I am glad to see Purdue continue to be recognized for the continued excellence of its programs. CERIAS continues to be a focal point for the "R" aspect of the CAE-R as Purdue's designated research institute in the field: that's the "R" in CERIAS. However, it has also been Purdue's center for education for most of its existence: the "E" in CERIAS is for Education. That history includes the establishment of the first designated degree in information security in 2000, still offered as an interdisciplinary MS and PhD (which is the program Jim Lerums completed, btw).

As for the CAE program itself, and for the 5 (out of 6) other programs receiving that initial CAE designation that are still listed as CAEs, congratulations: we've come a long way, but there is still a long way to go!


  1. I always note that I cannot claim sole or primary credit for these initiatives; nonetheless, I was the first to publicly advocate for programs such as these, and was involved in many of the discussions. Dick Clarke deserves a good deal of credit for his active advocacy for the area at the time, as does Lt. General (ret.) Ken Minihan (also a recent CSHOF inductee) for his support.
  2. Via CERIAS, one year old at the time.
  3. Also in that group were James Madison University, George Mason University, Idaho State University, Iowa State University, the University of California at Davis, and the University of Idaho.
  4. My apologies to others whose names I omitted.