Abstract
Examined are the three core themes: the role of education in cybersecurity, the role of technology in cybersecurity, and the role of policy in cybersecurity. These topics are essential for organizations seeking to establish environments that allow them to be successful irregardless of location while examining external and internal conditions. This study examined the research gaps within cybersecurity as it relates to core themes in an effort to develop stronger policies, education programs, and hardened technologies for cybersecurity use. This work illustrates how cybersecurity can be broken into these three core areas and used together to address issues such as developing training environments for teaching real cybersecurity events. It will further show the correlations between technologies and policies for system Certification and Accreditation. Finally, it will offer insights on how cybersecurity can be used to maintain wirelessly security for international and national security for global organizations.
Keywords
Introduction
To implement cybersecurity in national and international environments that address the hyperconnectivity, a framework is needed (Dawson, 2017a, 2017b). The Mission Framework provides a framework that brings three key elements in cybersecurity together which are education, policy, and technologies (Dawson, 2017a). The education review provides insight on innovative ways to teach cybersecurity coursework to include discussing the accrediting bodies for programs related to information technologies (IT) or computer science. An organization must review governing policies, tools, and techniques that can be brought forward in cybersecurity education. Concepts such as simulation, virtualization, and engineering standards must be further explored in order to establish part of the model. The policy theme of the framework incorporates multiple directives, standards, mandates, laws, and best practices. In the US, these can include policies from the Department of Defense (DoD), National Institute of Standards and Technology (NIST), US military, and more. These policies provide the baseline for further guidance and direction for organizations to set their own policies. The technologies portion of the framework brings in data about emerging technologies such as those that include Internet-enabled devices. These technologies include mobile phones, operating systems (OSs), software, and other devices that undergo a review of security posture to ensure compliance cybersecurity policies.
A detailed, thorough literature review was used to create a customized framework development that includes education, policy, and technology (Dawson, 2017a). The output of this activity can be seen in Figure 1 which displays the Mission Framework that was created by reviewing the education, policy, and technology of that specific entity. The particular entity can be a country, an organization, or a group of institutions. The Mission Framework is built to work to create a cybersecurity environment in any country taking into account of these core themes to shape needs and incorporate requirements to be met.
Mission framework.
Emerging computing environments
Secure computing is essential as environments continue to become intertwined and hyperconnected. As the Internet of Things (IoT), Web of Things, and the Internet of Everything dominate the landscape of technological platforms, protecting these complicated networks is important. Management needs to be aware of what it means to have more devices that allow the ability to be connected and what threats they could be potentially exposing themselves to.
IoT is a global infrastructure for information society enabling services by interconnecting physical and virtual things based on existing and evolving interoperable information communication technologies (International Telecommunication Union, 2012a, 2012b, 2012c). Gartner has developed a figure which displays the hype cycle of emerging technologies. This hype circle shows the expectations on the y-axis where on the x-axis time is displayed (see Figure 2). The time shown is the innovation trigger, the peak of inflated expectations, the trough of disillusionment, slope of enlightenment, and plateau of productivity (Gartner, 2014). What the figure fails to provide is anything associated with security about the technologies identified. The figure simply shows the cycle of emerging technologies with time corresponding to expectations.
Hype cycle of emerging technologies (Gartner, 2014).
Hyperconnectivity is a growing trend that is driving cybersecurity experts to develop new security architectures for multiple platforms such as mobile devices, laptops, and even wearable displays (Dawson et al., 2014). The future of both national and international security relies on complex countermeasures to ensure that a proper security posture is maintained during this state of hyperconnectivity. To protect these systems from the exploitation of vulnerabilities, it is essential to understand current and future threats to include the instructions, laws, policies, mandates, and directives that drive their need to be secured. It is imperative to understand the potential security-related threats with the use of social media, mobile devices, virtual worlds, augmented reality, and mixed reality. Managers and those in the executive suite need to consider what does this additional Internet connectivity mean to their organizational IT policies and how the security posture is changed with this additional capability.
In an article published by Forbes, a contributor describes the concept of hyperconnectivity in six different scenarios (Ranadivé, 2013). These events range from energy to hospitality. In health care, for example, there would be real-time monitoring through wrist monitors that the medical staff could monitor to get instantaneous, real-time feeds on patients. Imagine a pregnant woman with early complications who could be monitored first through a wristband that delivers real-time patient information wirelessly. An attacker could start building an intelligence profile on the best way to craft an attack and where it gets the most response. For example, the machines that are being used on the woman to extract the child could undergo a cyber attack and fail midway in use. Or her medical information could be purposely altered, so she is provided the incorrect treatment which places her life in imminent danger. It could be as involved as changing the dosage amounts on the automated pill dispensaries that end up being given to the patient.
When discussing hyperconnectivity, it is necessary to examine systems of systems concepts. Systems of systems is a collection of systems tied together to create a more complex system (Popper et al., 2004). When thinking about the possibilities of hyperconnectivity, the personal area network is an excellent example as it allows multiple technologies to be interconnected with soil ware applications. The Google Glass has the potential to all Global Positioning System, social media, digital terrain overlays, and synchronization with other devices. This increases the complexity of the system as it becomes part of larger systems which multiplies the number of potential vulnerabilities.
Establishing cybersecurity education programs
Understanding how cybersecurity is effective in education is essential when building a rigorous program to meet the demands to be secure and also participate in an offensive manner if that is the organization’s mission. These can range from university education to professional certification to meet the workforce requirement of a government organization. Understanding the requirements for the core technology program such as regional, national, or program-specific accreditation is a method to ensure there are identified benchmarks that are being met. Institutions need to develop, train, update, and retire curriculum to meet the needs of the workforce. Figure 3 displays the section of the framework that addresses how education should be examined for addressing the needs of cyber security education.
Mission framework: Education.
The use of technology in cybersecurity programs is vital in bridging partnerships. Technology costs can be an issue because developing countries may have extremely small budgets due to lack of investment or low exchange rate of national currency. A method of performing this internationally at a low cost to all institutions can occur with open-source software and cloud computing. For working with developing institutions that do not have access to major research databases, then Open Access is a research model to be implemented for sharing research information.
It is important to develop training environments that mimic the real world so that students have the ability to practice learned skills. Simulation allows for the imitation of a real-world scenario or systems. This can be accomplished using software technology such as virtual worlds. Simulation can come in the form of training, education, video games, modeling, low fidelity prototypes, and usability. Simulation can use learning objects and incorporate other modern-day technologies such as Google Glass for increasing teaching effectiveness.
This portion of the framework looks at K-12, university, professional certification, executive education, and training. Each of these methods of education relies upon independent accrediting bodies. These accrediting bodies provide standards, education, and training. For example, the American National Standards Institute and the ISO 17024:2012 are to be used as the standard for professional certifications. This allows an entity to set minimum standards for the selection or the development of education and training for cybersecurity.
Cybersecurity policies, laws, directives, and mandates
The events of 9/11 not only changed policies within the US but also changed the policies of other countries regarding how they treat and combat terrorism. The United Nations (UN) altered Article 51 of the UN charter. This article allows members of the UN to take necessary measures to protect themselves against an armed attack to ensure international peace and security. The UK enacted the Prevention of Terrorism Act 2005 and the Counter-Terrorism Act 2008 which were issued by the Parliament. The first act was created to detain individuals who were suspected in acts of terrorism. This act was intended to replace the Anti-terrorism, Crime and Security Act 2001 as it was deemed unlawful. These acts seem to mirror those created in the US to monitor potential terrorists. The UK also shared their information with the US for coordinating individuals that may be of risk.
In the US, the methods for national security were enhanced to ensure no threats occur on US soil. These changes include enhanced security in all ports of entry. The signing of the Homeland Security Act of 2002 (HS Act) (Public Law 07-296) created an organization that received funding and lots of resources for monitoring the security posture of this country. Additional changes include enhanced monitoring of citizens and residents within the country to prevent terrorist activities by the mention of keywords such as bomb, terrorism, explosive, or Al-Qaeda.
The USA Patriot Act was signed into law by President George W. Bush in 2001 after September 11, 2001 (Bullock et al., 2009). This act was created in response to the event of 9/11 and provided government agencies increased abilities. These increased abilities provided the government rights to search various communications such as e-mail, telephone records, medical records, and more of those who were thought to be perpetrators of terrorist acts (Bullock et al., 2009). This allowed law enforcement to have the upper hand in being proactive to stopping potential acts against US soil. In the year 2011, President Obama signed an extension on the USA Patriot Act. This act has received criticism from the public due to the potential to be misused or abused by those in power. This act has allowed government agencies to intrude on constitutional rights. The Protecting Cyberspace as a National Asset Act of 2010 was an act that also amends Title 11 of the Homeland Security Act of 2002. This act enhanced security and resiliency of the cyber and communication infrastructure within the US. This act is important as the President declared that any cyber aggression would be considered an act of war. This is also important as Estonia’s entire digital infrastructure was taken down by hackers who supported the former Soviet rule. This type of attack could be damaging to the infrastructure in the US, causing loss of power for days or more which could result in death.
Israel is a country with some of the most stringent policies toward national and international security. This nation requires all citizens to serve in the military and includes multiple checkpoints throughout the country to ensure security. Israel has utilized stringent checks in airports long before 9/11; however, now they have implemented additional measures to ensure the nation’s security as they are surrounded by countries that have tried to invade before. Israel has also deployed more unmanned air vehicles and unmanned ground vehicles to patrol the border in the event a threat to the border occurs.
In an area, such as the Huntsville Metro, there could be multiple nuclear facility meltdowns, loss of ISR capabilities, and loss of communication to the war fighter that the US is supporting.
Additional changes from this act include the ability to carry out a research and development program to improve cybersecurity infrastructure. At the moment, all government organizations must comply with the Federal Information Security Management Act (FlSMA) of 2002. This act has shown many holes within the US cybersecurity infrastructure, including in those organizations that are leads. This act provides Department of Homeland Security (DHS) the ability to carry out the duties described in the Protecting Cyberspace as a National Asset Act of 2010.
During the fall of 2010, many headlines declared that Stuxnet was the game changer in terms of cyber warfare (Denning, 2012). This malicious worm was complex and designed to target only a specific system. This worm had the ability to detect location, system type, and more. And this worm only attacked the system if it met specific parameters that were designed in the code. Stuxnet tampered directly with software in a programmable logic controller that controlled the centrifuges at Natanz. This tampering ultimately caused a disruption in the Iranian nuclear program.
The DHS is concerned with cyberattacks on infrastructure such as supervisory control and data acquisition (SCADA) systems. SCADA systems are the systems that autonomously monitor and adjust switching among other processes within critical infrastructures such as nuclear plants and power grids. The DHS is worried about these systems as they are unmanned frequently and remotely accessed. As they are remotely accessed, this could allow anyone to take control of assets to critical infrastructure remotely. There have been increasing mandates and directives to ensure any system deployed meets stringent requirements. As the Stuxnet worm has become a reality, future attacks could be malicious code directly targeting specific locations of critical infrastructure.
Figure 4 displays how connected devices need to follow policy and technology in order to ensure a hardened environment. This combines both technology and policy for the life cycle of a product, use of a product, and creation of policies regarding technology usage.
Mission framework: Connected devices.
For a laptop, a script would be ran on the device that installs preapproved applications, removes applications deemed a risk by the organization, and configures firewalls and antivirus settings. This would include writing the results of the program to a .txt or .html file that can be read by the administrator later during an audit of the system. If it is a .txt or .csv file, then it can be analyzed using the R language for anomalies or patterns.
Testing is integral to the software and systems life cycle for development; however, there is guidance from NIST in the SP 800-15, but there is not truly something that addresses developing tests on commercial devices that provide an analysis that looks at risks. So, there is a need for the development of testing applications like built-in test that allow users to set their level of acceptable risk. In Figure 5, a testing process for multiple devices is shown. In steps 1a and 1b, devices that decide to pair connect in step 2. During step 3 is where a handshake is done. During this step, the information gathered goes through yet another step to look at specific items regarding the environment. Thus in steps 4a and 4b, the appropriate security measures are selected to allow the secure connection. In step 4a, an appropriate risk management framework is chosen with security controls being applied to the device. Step 4b looks at the CWE database and uses the appropriate tests for the devices depending upon applications discovered. Location can be pulled from the devices to look at the governing laws, regulations, and policies for that location. Once tests have been satisfied, step 3 performs a handshake that allows devices to connect. Devices have the ability to perform checks as much as possible to remain securely attached. For this process to occur, a software application will be on the devices that allows connectivity to the Internet. For an organization to implement this process requires that the risk management framework and CWE database get updated daily to ensure that the device owner understands the appropriate risk before deciding to connect or pair device ultimately.
Mission framework: Cyber risk management for device pairing.
Implementing certification and accreditation
Implementing a Certification and Accreditation (C&A) process geared towards IT products and systems according to regulating policies is essential. Deploying systems that use baseline regulation and security controls alleviates the need for an organization to develop controls from scratch. Organizations need to have a solid foundation and a system used to measure effectiveness of the C&A process. Below addressed are two processes that organizations should consider as adjustments can be made that serve a globalized IT organization.
The Common Criteria (CC), an internationally approved set of security standards, provides a clear and reliable evaluation of the security capabilities of IT products (CCEVS, 2008). By providing an independent assessment of a product’s ability to meet security standards, the CC gives customers more confidence in the security of products and leads to more informed decisions (CCEVS, 2008). Security-conscious customers, such as the US Federal Government, are increasingly requiring CC certification as a determining factor in purchasing decisions (CCEVS, 2008). Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings. The international scope of the CC, currently adopted by 14 nations, allows users from other countries to purchase IT products with the same level of confidence, since certification is recognized across all complying nations. Evaluating a product with respect to security requires identification of the customer’s security needs and an assessment of the capabilities of the product. The CC aids customers in both these processes through two key components: protection profiles and evaluation assurance levels (CCEVS, 2008).
The Risk Management Framework (RMF) is a systems framework created by the NIST to address risk management (NIST, 2012). The RMF uses the risk-based approach to security control selection and specification considering effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, standards, or regulations. There are six RMF categorization steps that serve as the basis for this NIST guidance (NIST, 2012). Step 1: Categorize. The system is assessed and categorized based on an impact analysis. Step 2: Select. During the period the organization must identify, select, customize, and document the security and privacy controls required to protect the system and the organization commensurate with the risk to organizational operations and assets, individuals. These controls are to be addressed in the design and are a result of high-level requirements that are decomposed into lower level requirements. Step 3: Implement. During this step the controls selected in step 2 are deployed within the system to include the associated environment of operation. Step 4: Assess. The controls implemented are assessed to see if they are working as intended, and that the desired outcome meets the security requirements for the system. Step 5: Authorize. Get authority for the system to operate based upon an acceptable decision upon the acceptable risk for the system. Step 6: Monitor. Continually assess the security control of the system on an ongoing basis. This can include annual security checks to review compliance.
Conclusion
In this submission, an innovative way of looking at cybersecurity through a framework that ties education, policy, and technologies together is introduced. The education review provided insight on innovative ways to teach cybersecurity coursework to include discussing the accrediting bodies for programs related to IT, computing technologies, or computer science. Further reviewed were the policies, tools, and techniques that can be brought forward in cybersecurity education. Concepts such as simulation, U-Learning, virtualization, and engineering standards were explored. The policy section needs to include the review and use multiple directives, standards, mandates, laws, and best practices. These included policies form the DoD, NIST, US military, and more. These provide the baseline for further guidance and direction for organizations setting policies. The technologies portion is to bring in data about emerging technologies such as those that include Internet-enabled devices. Mobile phones, OSs, software packages, and other devices must be evaluated separately and how the security posture changes once integrated within a systems environment.
The application of these three elements can be used to drive federal or state policies, and for the commercial sector that creates a long-lasting effect in the battle against cybercrime. This collective research argues that education, policies, and technologies are essential in the holistic view of cybersecurity. Previous viewpoints have researched these items in silos rather than capturing them as a whole; however, this research can be used to bring these themes together targeting specifically the deployment of IT systems to specific locations globally.
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.