One Leader at a Time FINAL

7/29/2019 One Leader at a Time FINAL

1/48

PELLCENTER

forINTERNAT

IONALREALTIONS

andPUBLICP

OLICY

REPO

RT

100 Ochre Point Avenue Newport, Rhode Island 02840 (401) 341-2927 www.salve.edu/pellcente

One Leader at a ime:Te Failure to Educate Future Leaders or anAge o Persistent Cyber Treat

Francesca Spidalieri

March 26, 2013

Internet-based technologies have prolierated to such an extent over the past ewdecades that they are now the predominant method through which we create, process,store, and share inormation. Nearly 80% o Americans are connected to the Internet

today and there were 2.4 billion users worldwide as o June 2012. 1 Te growth in thisarea has been such that, by 2015, the number o Internet hosts is expected to exceedthe planets human population.2 Te very openness that allowed the Internet to spreadinto almost every area o human activity, however, has also spawned vulnerabilities o

staggering proportionsvulnerabilities that are already exploited by non-state and stateactors alike, generating billions o dollars in criminal revenue. Stories about the U.S.critical inrastructure vulnerability to cyber attack, the threat it poses to its economy andthe increase o cybercrime and economic cyber espionage now dominate the news onan almost daily basis. Cyber threats have the potential to undo all the huge economic,social and military advances that cyberspace has enabled, i not properly understoodand mitigated. Ultimately, these threats can touchi not harmevery institution inAmerican society. Te public and private sectors increasing reliance on cyberspace andthe growing scope and sophistication o cybercrimes have resulted in what PresidentObama called one o the most serious economic and national security challenges weace, and what U.S. Cyber Command chie and director o the National Security Agency

(NSA), Gen. Keith B. Alexander, has labeled as the greatest transer o wealth in history. 3

Te threat is widely recognized by experts and acknowledged by non-experts as well. 4Te needs o government and the private sector have driven academic and technicalinstitutions to introduce new majors and courses in computer science, programming,and inormation assurance. Most o the cybersecurity related courses and certicationprograms oered, however, were created or proessionals in the inormation technology(I) eld who want to develop a cybersecurity expertise. Many o these programs arethereore not introductory, and an existing I skill set is usually required to be admitted.

Many o these courses, then, may not suit the needs o the modern world or severalreasons. One is the narrow ocus o these technical courses; I experts are principallyconcerned with the technical solutions to these problems, but lack the expertise todevelop policy to guide the direction that technical development should ollow, and howto implement it in an institutional, legal, and economic context. Cyber deense requiresnot only I experts with computer science, electric engineering, and soware securityskills, but also proessionals with an understanding o political theory, institutional

Francesca Spidalieri is a fellow at the Pell Center for International Relations and Public Policy at SalveRegina University. Te author would like to thank Dr. Chris Demchak of the Naval War College for herinsights and encouragement. Any faults in the report, however, remain the authors alone.


2/48

PELL CENTER for INTERNATIONAL REALTIONS and PUBLIC POLICY2

theory, behavioral psychology, military ethics, international law, international relations, andadditional social sciences.5 A second reason is the lack o this type o knowledge at the leadershiplevel, and the act that most institutions in our society are run by individuals who have virtuallyno background in cybersecurity. Most leaders in the public and private sectors earned degrees

in elds other than computer network security, and ew o them understand what cyberspaceis, how networks physically work, and what dangers lurk within each. 6 As a result, the pillars oour societyour universities, our hospitals, our local governments, our courts, and many o ourbusinessesare oen led by individuals with an extremely limited exposure to cyber issues and theexistential threats they pose to those institutions.

More troubling, the nature o cyber threats today is so pervasive, so strategic and so precise thatwe cannot expect new technologies alone to protect an organizations inormation and business,nor we can expect our I departments to be the only ones in charge o preventing and containingthese threats. Firewalls and encryptions alone are insucient to counter cyber threats today andthey will be insucient to counter the cyber threats o tomorrow. 7 No matter how good a particulartechnology is, i it is not eectively adopted and implemented by executives, and correctly usedby skilled employees who ollow well-dened processes, vulnerabilities will surace that can beleveraged by both internal and external threat actors.8 As Melissa Hathaway, ormer NationalSecurity Council Director or Cyberspace and primary author o Obamas 60-day Cyberspace PolicyReview, explains:

Every proession today has to have some basic understanding o the benetso inormation communications and technology (IC) adoption as well asthe security risks that may be attended with them. I you are the CEO o amajor corporation, you need to understand the contribution o IC to the

bottom line and how it aects your eciency and productivity, but you alsoneed to understand when the policies and programs in place are aectingyour risks i you have a security breach. From a policy makers perspective,it is basically the same thing. We are moving in adopting these technologieswithout regard to the security risks that may be attended with them.9

More than being a mere technical problem, achieving cybersecurity is a social, institutional,legal, and governance problem. In other words, it is an operational issue that requires the leaderso institutions to implement undamental, overarching policies and strategies that can begin tomitigate cyber threats. Cybersecurity problems oen start with ordinary digital technology userswho have not received the proper training, or who do not take security seriously and sidestep

basic security measures. Eective security has to synthesize organization-wide prevention andmitigation measures, and not rely on I proessionals working in a vacuum to x a breach aerthe act. Achieving cybersecurity thus requires managerial action and oversight throughout theentire organization, as much as rules and soware solutions. Institutional leaders do not need to betrained as programmers, but they must have a deep understanding o the cyber-context in whichthey operate to harness the right tools, strategies, people, and training to respond to this dynamicand rapidly-developing array o threats.


3/48

PELL CENTER for INTERNATIONAL REALTIONS and PUBLIC POLICY 3

Universities are key institutions in bridging rom concept to methodology, tools, andimplementation. Tey can play a key role in educating civilian and military workorces onthe unique tenets o cyber, and optimizing their campus-wide resources to use knowledge,intellectual capacity, and practical skills.10 Despite the pressing need to educate uture leaders

about inormation security, however, only a handul o American universities oer coursesor degree programs that combine both cybersecurity policy and technology, and even ewerencourage collaboration among departments to optimize their eorts. In addition, proessionalmilitary institutions studying national security and strategy have only recently begun to integratecybersecurity issues into their curricula, despite more than a decades worth o experiencesuggesting that networks and inormation technologies are both essential to operations andvulnerable to attack.11 o help encourage the study o cyber threats to our national inormationinrastructure, the National Security Agency (NSA) and the Department o Homeland Security(DHS) have established criteria or the designation o qualied non-military universities oracademic departments as Centers o Academic Excellence in Inormation Assurance Education(CAE/IAE), CAE IA Research (CAE/R), and lately as CAE Cyber Operations.12 However, evenmost o these designated institutions qualiying programs are deeply technical and center aroundinformation assurancelimited to the protection and management o inormation-relatedrisksand rarely pursue broader multi-disciplinary approaches that are commensurate with thecomplexity o cyberspace.13

Tis study surveys current eorts by graduate-level educational programs in the United States toprepare non-technical institutional leaders in government, academia, civil society and in the privatesector or an era o persistent cyber threat. It ocuses primarily on the top ten ranked graduateschools (a ew other niche programs are also evaluated) in each o the major degree programs thattraditionally develop leaders across societyMaster o Business Administration (MBA), Master o

Public Administration (MPA), Master o Public Policy (MPP), Master o International Relations(IR), Master o Laws (LLM), Criminal Justice, and Healthcare Managementto assess what level oexposure to cyber issues students already receive and to what extent they graduate with an adequateunderstanding o the cyber challenges acing their respective elds. Lastly, the report identieswhich leading programs still need to include a cybersecurity component into their curricula. Foreach institution, the study indicates CAE/IAE and CAE/R designationsi awardedand a Likertscore (0 to 4) obtained rom a set o variables and the use o a modied Likert approach to evaluatethe opportunities oered to students in relation to the broader systematic need to educate utureleaders about cyber threats in each discipline.14

Tis study is not a one-time only endeavor; it is simply the beginning o a larger eort to review and

update the state o cybersecurity leadership development in Americas higher education system. Asschools come to recognize the importance o cybersecurity to their curriculaa recognition o itsimportance to the uture o the human communityupdates to this report will monitor, track andevaluate those developments. It is also our hope that this work catalyzes additional research into thedevelopment o best practices, specic curriculum recommendations and heightened awareness othe need to develop non-technical cyber leaders across society.


4/48


Mhoology

Tis study summarizes our survey ndings o current eorts by graduate-level educationalprograms in the United States to include inormation technology and cybersecurity education

in their curricula. It seeks to identiy best practices, review program eectiveness in promotingcybersecurity knowledge in non-technical elds o study, as well as recognize existing curriculumgaps in this area o interest. Tis report does not provide an in-depth analysis o specic coursesor an extensive audit o particular programs; rather, it presents the critical need or each disciplineanalyzed to integrate an inormation technology and cybersecurity component into their corecurricula and outlines the progresses, or lack thereo, made by each university in this directions soar. Te survey is not conned to top ranked graduate programs alone. A number o schools thatare at the vanguard o creating new cybersecurity concentrations and certication programs withindierent elds o study are also evaluated. Tese other schools provide a context or exploring howother institutions are positioning themselves in the eld o non-technical cybersecurity educationand or getting a glimpse o what uture trends may look like.

Te survey ndings are based on data collected between August 2012 and March 2013 rom eacheducational institution through a combination o interviews with academics and university sta,and inormation presented on the schools website. Te results derive rom the responses to ourmain curriculum questions and the use o a modied Likert approach to evaluate the level oexposure students receive to cybersecurity issues in each o these academic institutions and theopportunities oered to deepen their knowledge in this eld. Interview respondents were askedwhether their specic department oers: 1) a core course in inormation technology, with at leastpart o the course dedicated to cybersecurity; 2) elective courses in inormation technology andcybersecurity; 3) the possibility or their students to enroll in other elective courses in inormation

technology and cybersecurity at other departments o the university; 4) occasional seminars orconerences in cybersecurity issues. Te modied Likert scale used to derive a notional ranking othe academic institutions analyzed assigns a number (0 to 1) to each response as ollow: Yes = 1;Not specically, but = 0.5; No = 0. Te answers are then summed up and each school receives anoverall score on a 0 to 4 scale, 4 being the highest score a school can receive. Te specic responsesare also discussed in more details in this report.

Whenever the interviewees did not provide an answer to all our questions, we made our ownassessment based on the inormation available rom that graduate programs website. Teassumption behind this approach is that i a school oers a dedicated core course in I andcybersecurity, all students in the program will most likely receive the broader education and

practical knowledge needed to manage the inormation security needs o their sector. I the school,or the university at large, oers elective courses in I and cybersecurity, students interested inthe topic will have at least the opportunity to gain a basic understanding o the cyber-context andexplore cybersecurity related issues. I cyber issues are covered as part o broader courses, studentswill at least be aware o the cybersecurity challenges and opportunities in that specic area o study.I the school oers occasional seminars or conerences on I and cybersecurity, students will havesome opportunities to be exposed to understanding cybersecurity issues and how they relate totheir eld o study. I none o these opportunities are provided, we assume that graduates o these


5/48


programs do not gain a thorough understanding o the challenges, opportunities, and threats o thedigital age beyond their own personal experience. Recognizing that the inclusion o cybersecuritytechnology and policy components may still be a work in progress or many universities, wehope that our ndings will add value to other eorts to integrate cybersecurity education in non-

technical disciplines and serve as useul tools or academic and proessional institutions consideringvarious approaches towards cybersecurity leadership development.

Te graduate school rankings usedand thus the sequential order o the universities presentedin this report or the MBA, MPA, MPP, LLM, Criminal Justice and Health Care Administrationprograms are based on surveys rom U.S. News & World Report.15 U.S. News analyzed morethan 1,200 graduate programs throughout the United States, covering an array o disciplines andprograms. Teir rankings are based upon data which U.S. News collects rom each educationalinstitution either rom an annual survey or rom the schools website. Te results derive rom aweighted average o dierent indicators, including peer assessment score, recruiter assessmentscore, job placement success and student selectivity. Although U.S. News rankings o best graduateschools is not the only ranking system availablethis system has also sparked signicantcontroversy surrounding their annual surveyit is still regarded as the most inuential and widelyused o all college rankings in the United States.

Te IR program rankings are based on the Best International Relations Masters Programs listcompiled byForeign Policy.16 Te surveys authors are researchers with the eaching, Research, andInternational Policy (RIP) project at the College o William and Mary. International Relationsaculty members rom every our-year college and university in the United States participated in thesurvey.


6/48


MBA Gu Pogs

Tere are two types o companies in the United States,those that have been hacked and those that dont yet know theyve been hacked.17

U.S. NwsRkg Collg/Uvsy School o Busss Cy S

Lk SclAvg Sco

NSACco*

#1 Harvard University Harvard University BusinessSchool

Cambridge MA 2.5 N/A

#1 Stanord University Stanord Graduate School oBusiness

Stanord CA 2 N/A

#3 University o Pennsylvania Wharton School o Business Philadelphia PA 2 N/A

#4 Massachusetts Institute o echnology Sloan School o Management Cambridge MA 2.5 N/A

#4 University o Chicago Booth School o Business Chicago IL 1 N/A

#4 Northwestern University Kellogg School oManagement

Evanston IL 0.5 N/A

#7 University o Caliornia, Berkeley Walter A. Haas School oBusiness

Berkeley CA 1.5 N/A

#8 Columbia University Columbia Business School New York City NY 1.5 N/A

#9 Dartmouth CollegeAmos uck School oBusiness Administration

Hanover MA 2 N/A

#10 New York University Stern School o Business New York City NY 1.5 N/A

* Indicates university NSA designation as a Center of Academic Excellence in Information Assurance Education (E) and/or Research (R).

Businesses around the world today tender services and products through the Internet to morethan 2.5 billion people using secure protocols and electronic payments. From managing supplychains, to controlling the operations o banks, coordinating business transactions, and storing

intellectual property, the Internet has opened global markets and revolutionized modern businesspractices. Yet, while providing new opportunities, reliance on the Web has also exposed newvulnerabilities. Te cyber security rm Symantec estimated that U.S. businesses alone are losingupwards o $250 billion in intellectual property (IP) the every year. A recently released PonemanInstitute study reported that cybercrime now costs U.S. companies an average o $8.9 million a year,with an average o 24 days needed to spot and resolve a cyber attack. 18 Te Poneman study showedthat the highest cost o cybercrime estimated or one company was $46 million and that maliciousattacks can take more than 50 days on average to contain. Cleanup costs, including lawsuits,amounts to millions o dollars a year, and then companies have to deal with the damage that a hackdoes to the integrity o their brand. In 2011, another study o 583 U.S. companies conducted byPoneman Research on behal o Juniper Networks established that hackers had breached 90% o

those organizations at least once in the past 12 months.19

Tere are two types o companies: companies that have been breached and companies that dontknow theyve been breached, Shawn Henry, the F.B.I.s top ormer cyber agent who recentlyjoined the cybersecurity start-up CrowdStrike, said in an interview with Te New York imes.Ive seen behind the curtain. Ive been in all the briengs. I cant go into the particulars becauseits classied, but the vast majority o companies have been breached, although such breachesrarely make headlines because companies ear what disclosure will mean or their stock price. 20


7/48


Tese attacks are oen driven by nancially-motivated cyber criminals who use malware, rojans,phishing and other automated attack tools.21 Hackers have targeted companies o all sizes, andcyber attacks on small businesses as well as large nancial institutions are expected to grow in bothvolume and complexity in 2013.22 Nor does it matter what new technology a company may have

acquired to protect their inormation and business, or how prepared their I department may be.Experts at Booz Allen Hamilton indicate that the cyber attacks o 2013 will overwhelm a companyscapacity to protect its networks i not accompanied by appropriate education o top executives andemployees and ne-tuning processes to ensure, not only the proper use o technology, but thatprocesses that require interaces between organizations are well managed and executed awlessly.23

Many o the top executives and employees in these institutions have likely pursued MBAsbeore obtaining leading positions in their organizations (and more than hal o them got theirdegree beore cybersecurity was even an issue). MBA programs encompass a wide varietyo concentrations including but not limited to: accounting, consulting, nance, health careadministration, manuacturing, technology, marketing, non-prots, public policy, humanresources and real estate. None o the MBA programs analyzed in this survey oers courses thatare exclusively dedicated to the technical, policy or operational aspects o cybersecurity. Many othese programs, however, have added case studies and elective courses that address the businesschallenges o inormation security and introduce elements o eective cybersecurity practicesand policies. Further, many o these universities as a whole sponsor conerences and seminarson cybersecurity and, in some cases, they have also established centers or the advancement ocybersecurity research and development.

Hv Uvsy Hv Busss School (HBS) Cambridge, MA(U.S. News Rank #1) NSA Cert: N/A

Te Harvard Business Review has published case studies and articles on cyber espionage, cyberwar, cyber terrorism and cybersecurity since the early 2000s. Nonetheless, the MBA program atHBS oers only one core course in echnology and Operations Management which touches uponinormation technology and operation strategies, but does not address cybersecurity questionsand dilemmas in the business sector. At most, MBA students can choose rom a limited number oelective courses ocusing on the use o inormation communications technology (IC) to promotebusiness, navigate strategic interactions with competing platorms, and manage technology-intensive businesses. Tese courses, including Strategy and echnology, Understandingechnology Businesses, Te Online Economy and Competing with Social Networks, do notseem to provide a sucient understanding o the security challenges that may be attended romthe adoption o these technologies. Despite the lack o cybersecurity dedicated courses, or nearly

twenty years HBS has held an annual cyberposium, the largest MBA technology conerence in theworld. Te conerence acilitates an interactive network o current and uture business leaders toengage in discussion about technology and its impact on business and society. Finally, HBS oersthe opportunity or students to cross-register or up to two courses at other academic departmentsand other selected graduate programs (including MI and the Fletcher School) that may oer Iand cybersecurity courses. In brie, Harvard MBA students can gain a deep understanding o ICin the business sector, but have limited exposure to the specic cybersecurity issues necessary tomanage the inormation security needs o various business organizations.


8/48


So Uvsy - Gu School o Busss Stanord, CA(U.S. News Rank #1) NSA Cert: N/ATe Stanord MBA program oers several elective courses ocusing on the evolution o inormationtechnology, economics o the Internet, network analysis, advantages and risks o new technology

opportunities, and electronics, computing, networks and soware applications used in a variety obusiness settings. However, only a ew o these courses occasionally address inormation security,Internet policy, and intellectual property topics, dependent on student interests. Even though theMBA program does not include a thorough cybersecurity component, Stanord University hasestablished a Cybersecurity Center that oers a number o elective cybersecurity related coursesand seminars open to all Stanord students.24 Stanord University as a whole houses one o the top-ranked undergraduate and graduate computer security programs in the country, and is extremelywell-connected with the tech industry in Silicon Valley, where MBA students can be exposed to thelatest technologies, research and strategies in I and cybersecurity. However, it remains surprisingrom the inormation gathered that the Stanord MBA program has not integrated more aspects ocybersecurity in its curriculum, and that only those students already predisposed to cybersecurityissues will urther their education in this eld.

Uvsy o Psylv - Who School o Busss Philadelphia, PA(U.S. News Rank #3) NSA Cert: N/AAlthough they do not include cybersecurity per se, the Wharton MBA program oers core coursesin Inormation echnology and Business ransormation and Advance topics in InormationStrategy or students concentrating in Inormation Strategy and Economics. All MBA studentshave the option to choose among the many elective courses in inormation technologies andsystems, innovation management, and inormation strategy oered through the Operation andInormation Management Department at the Wharton School. However, the only course that

touches upon security issues in I is Inormation Systems or Managers. In addition to WhartonMBA courses, students are also welcome to enroll in 4-6 classes oered at any o the 11 Graduateand Proessional Schools at the University o Pennsylvania that may address cybersecurity issues,as long as the respective department or school allows said MBA program coordinator CindyArmour.25 Te courses available in computer and inormation technology, however, are highlytechnical and specialized, and require a pre-existing competency in statistics, computer languageand inormation technology. Tus, MBA students at the Wharton School have the opportunity topursue a strong inormation technology curriculum i they choose, but one that does not include asignicant cybersecurity component.

Msschuss Isu o chology - Slo School o Mg Cambridge, MA

(U.S. News Rank #4) NSA Cert: N/AMBA students at the Sloan School can personalize their curriculum aer completing the rst-semester core subjects (none o them addressing I and cybersecurity), and choose rom variousMBA electives ocusing on inormation technology, digital business and network security. Othercourses in I, cybersecurity and cyberpolitics are oered through other departments at MI. Asish Miller, Director o Academic Programs or MI Proessional Education, explains: thesecourses are open to all MI students, including MI Sloan MBA graduates. Many o the classesare oered through the Computer Science Department, which includes several courses that cover


9/48


the topic o computer and network security. Finally, last year annual MI Sloan CIO Symposium,where CIOs and other senior business executives rom around the world gathered to explorehow leading-edge academic research and innovative technologies can help address the practicalchallenges aced in todays changing economy, ocused primarily on cybersecurity issues. Aside

rom the Sloan Schools initiatives, MI leads the eorts to advance and protect the capabilitieso the nations global deense networks, and is one o the biggest cybersecurity employers in thecountry. In principle, MI could be at the oreront o cybersecurity research, education and policyby tapping into a number o advantagesamong them its world-class research centers and strongbonds with businessesthat other programs in this survey do not have. Te Sloan School MBAcurriculum, however, has yet to incorporate a cybersecurity component sucient to teach studentshow to prevent and mitigate cyber threats in the business sector.

Uvsy o Chcgo - Booh School o Busss Chicago, IL(U.S. News Rank #4) NSA Cert: N/ATe Booth School o Business has yet to include an inormation technology and cybersecuritycomponent in its MBA core and elective courses. Nonetheless, Booth student-organizedconerences and occasional roundtables, such as the Booth School 2011 Business Forecast event,have addressed many o the cybersecurity threats acing the business sector. In 2012, the schoolhosted the Security Innovation Network (SINE) Summit, which ocused on the advancement ocybersecurity innovation through public-private collaboration. Finally, the Booth School used tooer a three-dayExecutive Program in Information echnology: Strategies and Solution or seniorexecutives and upper management, which provided them with the technical oundation, strategiesand solutions to eectively plan, implement and sponsor inormation technology initiatives withintheir organizations. According to Program Manager Catherine Cabrera, however, the program hasbeen currently discontinued due to conicting commitments o the aculty director, but should be

oered again in the uture.26

Nohws Uvsy - Kllogg School o Mg Evanston, IL(U.S. News Rank #4) NSA Cert: N/AAlthough the MBA program at the Kellogg School does not oer any core courses in inormationtechnology or cybersecurity, a limited number o electives address topics in technology andinnovation strategy, marketing in the networked economy, managing IC adoption, and protectingintellectual property. Te only course that includes particular I privacy and security aspects isHealth Inormation echnology, designed or students who are specializing in Health EnterpriseManagement. As Academic Advisor Kalpana Waikar explained: Students can also cross-register orclasses oered by other Northwestern University schools, but evidence suggests that MBA students

rarely do so because o the heavy caseload o their curriculum.27

Uvsy o Clo - Wl A. Hs School o Busss Berkeley, CA(U.S. News Rank #7) NSA Cert: N/ATe MBA program at the Haas School does not oer core courses in inormation technology andcybersecurity. Students, however, can choose rom a variety o evolving I electives and dual degreeoeringsrom within the Haas School and rom the wider universityas well as design courseso their own in conjunction with aculty members, or example rom the College o Engineering.28


10/48


Haas School I electives include Introduction to Management o echnology, echnologyStrategy, Te Future o I, and Innovation and Entrepreneurship in Inormation echnology,but these courses do not seem to address any specic cybersecurity related issues. Nonetheless,Berkeley-Haas takes advantage o its location in the Bay Area and Silicon Valley to invite local

executives and technology experts to be guest lectures and visiting ellows, and to partner withthem in research projects. witter Co-ounder Biz Stone, or example, is currently serving as a HaasExecutive Fellow. Other recent technology experts to speak at Haas have included Former AppleChie Evangelist Guy Kawasaki, Pixar President and Co-ounder Ed Catmull, and Cisco Chairmanand CEO John Chambers.29 In addition, student groups host special events, such as an annualDigital Media Conerence, and organize career-oriented activities with local tech rms. In principle,Haas students interested in pursuing careers in the inormation technology industry can receivea comprehensive education in technology management and strategy, and benet rom the manyhands-on opportunities oered by the local tech industry. However, it is not clear that studentsin this or any other MBA elds at UC Berkeley are exposed to specic cybersecurity issues in thebusiness sector.

Colub Uvsy - Colub Busss School New York, NY(U.S. News Rank #8) NSA Cert: N/AColumbia Business School does not currently oer any courses in inormation technology andcybersecurity, although it has in the past. Te Richman Center or Business, Law, and PublicPolicy at Columbia Universitya joint venture o Columbias Business and Law Schoolsoerslectures on emerging policy issues at the nexus o law and markets, including cyber threats andcybersecurity. Moreover, students interested in business aspects o inormation technology canparticipate in the events and activities organized by the MBA student-run echnology BusinessGroup (BG). Last years events included a trip to Silicon Valley, participation in the Harvard

Business School Cyberposium, and private dinners with tech executives and industry speakers.However, as BG co-president Eric Metelka points out: I is denitely a gap that needs to be lledat Columbia Business School.30 In principle, students inclined to learn more about I and networksecurity can take a limited number o courses at the Computer Science Department; in practice,though, these courses are dicult to access due to their high degree o technicality and pre-existingcompetency requirements, leaving ew opportunities or MBA students to explore cybersecurityrelated issues.

Douh Collg - Aos uck School o Busss Aso Hanover, NH(U.S. News Rank #9) NSA Cert: CAE/RTere is no current course in the MBA curriculum at the uck School o Business that address

cybersecurity specically.31 Te uck School, however, houses the Center or Digital Strategies(CDS), which ocuses on the challenges o businesses dependence on the Internet and ways inwhich the private sector can address these challenges.32 CDS brings together groups o CIOsin the Americas and Europe that meet throughout the year to discuss issues acing I leaders[and management in the digital, networked economy], explained CDS Program Manager imParadis. Security is a recurring theme at meetings o the Roundtable on Digital Strategies, andCDS conducts periodic seminars, conerences and workshops on cybersecurity issuessuchas the Inormation Security Workshop, he continued. Moreover, CDS conducts research into


11/48


inormation security through its aliated aculty as well as post-doctoral researchers [] andserves as a sounding board and resource or issue around I and inormation security or uckstudents and interested parties. A number o Center-aliated MBA electives cover various aspectso digital business strategies, cyber risks o rms reliance on the inormation inrastructure,

inormation security risks and privacy in healthcare, and elements o eective cybersecuritypractices and policies. Finally, CDS organizes various events in collaboration with the Instituteor Inormation Inrastructure Protection (I3P), a national consortium o leading academicinstitutions, national laboratories, and non-prot research organizations working to addresscybersecurity challenges aecting the nations critical inrastructures.33 In principle, DartmouthMBA students involved in CDS and I3P activities have the opportunity to be exposed to a greatdeal o cybersecurity issues and explore the many ways in which they aect business strategies ingeneral. From the inormation collected, however, it is not clear i uck MBA students who are notaliated with CDS receive any signicant exposure to the challenges, opportunities, and threats ocyberspace in the business sector.

Nw Yok Uvsy - Lo N. S School o Busss New York, NY(U.S. News Rank #10) NSA Cert: N/ATe NYU Stern prides itsel or being a leader in addressing the ways inormation technologyaects business development. MBA students can graduate with an Inormation Systems (IS)specialization and choose rom a variety o electives addressing Internet technologies, inormationsystems, digital strategies, cyber laws, computer orensics, and network security, explains SaraGorecki, Administrative Assistant or the Inormation, Operations, and Management SystemsDepartment.34 Proessor Norman White conrms that: a number o the MBA elective courses ininormation technology will cover a part o cybersecurity.35 However, none o the core coursesin the MBA curriculum ocuses on I or cybersecurity, and MBA students do not have the

opportunity to cross-register or other I courses at other NYU departments unless they takea non-credit course. An exception to this, are those NYU Stern MBA candidates who choose toenter the eld o cybersecurity and who receive the ASPIRE scholarship rom the National ScienceFoundation. ASPIRE ellows are required to take a set o ASPIRE interdisciplinary gateway coursesencompassing the technological (NYU-Poly)36, business (NYU-Stern), cultural (NYU-Steinhardt),public policy and management (NYU-Wagner) and scientic (NYU Courant Institute) aspectso real world security and privacy problems. Upon graduation, recipients must work or twoyears at a ederal agency. In sum, NYU Stern oers a broad cyber-related curriculum or MBAstudents who want to specialize in Inormation Systems, and provides them with ew incentivesto pursue cybersecurity careers upon graduation. It is unclear rom the inormation provided,though, whether MBA students who do not specialize in IS receive any exposure to understanding

cybersecurity issues in the business sector.

Oh Pogs o No

A recent article in U.S. News & World Reports makes clear that other MBA programs are carvingout their own niche business degrees in inormation security in response to industry demand. 37Js Mso Uvsy, or example, launched its Inormation Security MBA program in 2000and its graduates receive NSA certication upon completion o their MBA. Te program combinestraditional business coursessuch as accounting, nance, and marketingwith specialty courses


12/48


such as inormation security, ethics and computer orensics to show students how protecting datats into a business model. Other schools oering business degrees with a ocus on cybersecurityinclude the Uvsy o Dlls, which oers a MBA Concentration in Cybersecurity, and theColoo Chs Uvsy, which pairs in-person business courses with online inormation

security classes rom the University o Fairax in Virginia. Students enrolled in the MBA programat Fs S Uvsyin Michigan can opt to specialize in inormation security and networkingmanagement. Gog Wshgo Uvsyoers a World Executive MBA in cybersecurity,aimed at both public and private sector proessionals who work in areas ranging rom policyand contracting, to privacy and data security. Te School o Business Administration at theUvsy o Dyo has recently announced a new MBA concentration and certicate programin cybersecurity, which plans to prepare students or careers in cybersecurity management ingovernment organizations and the private sector.

MPA MPP Gu Pogs

We use Facebook to schedule the protests, witter to coordinate, and Youube to tell the world.38

U.S. NwsRkg Collg/Uvsy School Cy S

Lk SclAvg Sco

NSACco*

#1 Syracuse University Maxwell School o Citizenship andPublic Aairs

Syracuse NY 3 E, R

#2 Indiana University School o Public and EnvironmentalAairs

Bloomington IN 1.5 E, R

#3 Harvard University John F. Kennedy School oGovernment

Cambridge MA 3 N/A

#4 University o Georgia

School o Public and International

Aairs Athens GA 0.5 N/A

#5 Princeton University Woodrow Wilson School Princeton NJ 1.5 R

#6 New York University Robert F. Wagner Graduate Schoolo Public Service

New York NY 2 N/A

#6 University o Southern Caliornia Sol Price School o Public Policy Los Angeles CA 2 R

#9 Carnegie Mellon University Heinz School o Public Policy andManagement

Pittsburgh PA 3.5 E, R

#9 University o KansasSchool o Public Aairs andAdministration

Lawrence KS 1 E

#9 University o WashingtonDaniel J. Evans School o PublicAairs

Seattle WA 2 E, R


Te Internet, together with the inormation communications technology (IC) that underpinsit, has become a critical national resource or governments and has allowed the public, private,and non-prot sectors to improve their eciency and better serve constituents. It has also givena voice to the weak and disenranchised against their authoritarian leaders, resulting in what NewYork imes columnist Nicholas Kristo labeled the quintessential 21st-century conict, in whichon one side are government thugs ring bullets...[and] on the other side are young protestersring tweets.39 Indeed, cyber activism has become a catalyst or protestssuch as Occupy Wall


13/48


Street and the Arab Springand a tool or change. But with a rapidly growing user base globally,an increasing reliance on the Internet, and a great potential or disruption, digital tools are alsoexposing the public sector to a new set o cyber threats. Most recently, Internet activist groupAnonymous extracted rom U.S. Federal Reserve computersand publisheddatabases containing

the credentials o 4,000 American bank executives. It also deaced various U.S. government websitesas part o its Operation Last Resort, launched in January in response to the suicide o Internetactivist Aaron Swartz. Internet hacking o government networks is nothing new, though. Terehave been 618 publicly disclosed cases o breaches o government and military networks since 2005,in which at least 147 million records were stolen, according to the Privacy Rights ClearinghouseChronology o Data Breaches.40 Cybersecurity and law enorcement experts say the publiclydisclosed cases represent only a raction o the actual number o successul hacks o corporate andgovernment networks.41

As governments and public organizations grow increasingly dependent on inormation technology,cyber threats have the potential to touchi not harmevery institution in American society.Richard Clarke, in his bookCyber War, warns us that a potential broad-based cyber attack on anations inrastructure could keep the power grid o-line or weeks, pipelines unable to move oiland gas, trains sidelined, airline grounded, banks unable to dispense cash, distribution systemscrippled, and hospital working at severely limited capacity.42

odays cyber threats require government leaders to be equipped with, at minimum, a basicknowledge o the web, the physical structure o networks, its players, major risks, and emergingtrends. No captain o a ship would say: I dont know anything about the ocean, but I hired somebodyto drive the ship.Likewise, public leaders whose physical institutions exist and operate in, through,and with the digital realm need to be able to make good policy and sound security decisions based

on knowledge o cybersecurity risks and potential impacts. Tus, cybersecurity policy, law andtechnology ought to become an integral part o all those graduate programssuch as MPA andMPPintended or public leaders.

At present, only ew o the MPA and MPP programs analyzed have added a cybersecuritytechnology and policy component to their curricula. Many universities, however, have sometype o cybersecurity research or education program at one o their research centers or otherdepartments, indicating at least an interest in preparing their masters programs candidates to leadin a undamentally dierent cyber age. Tese programs are still in their incipient stages and it maybe too soon to assess i their graduates emerge with the necessary understanding o the technical,legal, policy and operational aspects o cybersecurity.

MPA Graduate Programs

Sycus Uvsy - Mxwll School o Czshp Publc As Syracuse, NY(U.S. News Rank #1) NSA Cert: CAE/IE, CAE/RAlthough the MPA program at the Maxwell School does not require students to take any corecourses in inormation technology or security, it does oer a number o electives that explorerelevant topics in I and cybersecurity, including: cyber threats to U.S. inrastructure, cyberattacks waged by nation states, cybersecurity policy implications or governments, management


14/48


in the inormation age, privacy concerns and policies, encryption, I and national security, andthe impact o inormation technology upon oreign aairs. Aside rom a dedicated course inCybersecurity and Policy, however, the other courses only explore these issues peripherally. MPAstudents pursuing the Certicate o Advanced Study in Security Studies or in I Management and

Policy are encouraged to enroll in these courses and take advantage o the many other researchopportunities, educational programs and events oered by the Maxwell School Institute orNational Security and Counterterrorism (INSC). INSC eatures cybersecurity as one o its mainresearch areas and organizes conerences, workshops and speaker series on various aspects o thistopic. Teir project seeks to analyze and inuence specic policies, create an interdisciplinarydialogue among scholars and practitioners, and educate uture leaders on emerging topics incybersecurity. Finally, as MPA graduate Eric Noggle explains: MPA students have a great dealo exibility to enroll in other departments. For example, the iSchool oers a Certicate inInormation Security Management [with coursework in inormation security technology, policy,risk management, and evaluation] and MPA students can take any o these courses i they wish,as long as they meet the prerequisites.43 Importantly, Syracuse University as a whole is one o theew schools assessed that has been designated as a National Center o Academic Excellence in bothInormation Assurance Education and Research. In sum, Maxwell MPA students interested ininormation technology and security issues have many opportunities to be exposed to these topics,especially in relation to policy, law enorcement, and international aairs.

I Uvsy - School o Publc Evol As Bloomington, IN(U.S. News Rank #2) NSA Cert: CAE/IAE, CAE/RIndiana University was one o the countrys rst schools o public administration to oer anInormation Systems (IS) concentration in its MPA program. Although the school does notemphasize the security aspects o IC, it does address the growing gap between the number o

graduates with I skills and the number o places where such individuals can make an impact.Te school also ocuses on the application o I to complex problems in organizational andenvironmental aairs. Only students concentrating in IS are required to take the courses inPublic Management Inormation Systems and Database Management Systems. Elective coursesaddressing other inormation technology and security issues, including: programming, digitaleconomy, security or networked systems, and economics o security technologies, are oered orall MPA students through other departments at Indiana Universitysuch as the Department oComputer Science, the School o Inormatics, the Kelley School o Business, and the School oLibrary and Inormation Science. Moreover, MPA students interested in inormation security cantake advantage o urther learning opportunities in applied cybersecurity technology and policyat the Indiana University Center or Applied Cybersecurity Research.44 Indiana University has

also been designated as a National Center o Academic Excellence in both Inormation AssuranceEducation and Research. Aside rom the students ocusing on IS, it is not obvious rom the MPAprogram website whether or not their graduates receive even a basic education in cybersecurityissues and how they relate to public aairs.


15/48


Hv Uvsy - Ky School o Gov Cambridge, MA(U.S. News Rank #3) NSA Cert: N/AMPA students at the Harvard Kennedy School (HKS) can design their individual plan o study andinclude electives rom the broad array o courses available at HKS or through cross-registration

with other graduate schools at Harvard University, MI or Te Fletcher School. Although none othe MPA core courses ocuses on I or cybersecurity, HKS does oer electives in InternationalCybersecurity: Public and Private Sector Challenges, echnology, Security, and Conict inthe Cyber Age and Te Future o Cybersecurity. Students may also participate in the manycybersecurity events sponsored by the HKS Beler Center or Science and International Aairs.In conjunction with MI, the HKS Beler Center launched an interdisciplinary research programcalled Exploration in Cyber International Relations.45 Te program ocuses on ways in whichcybersecurity aects the scope and complexity o international relations, and is designed togenerate theory, policy, and strategy or how to address these challenges. Among the centers mostprominent experts working on this project are: Joseph Nye (ormer chairman o the NationalIntelligence Council), Richard Clark (author oCyber War: Te Next Treat to National Security),and Melissa Hathaway (ormer director or cyberspace at the National Security Council). As Ms.Hathaway pointed out: although the project includes research assistants and seminars open toall HKS students, unortunately there is still no core cybersecurity requirement or any o theprograms at Harvard University.46 Tus, rom the inormation provided, it appears that while HKSMPA students are not exposed to cybersecurity issues in their core curriculum, those who areinterested in this eld have the opportunity to work alongside some o the most prominent thinkersand practitioners in cybersecurity and deepen their understanding o the issues.

Uvsy o Gog - School o Publc Iol As Athens, GA(U.S. News Rank #4) NSA Cert: N/A

Te University o Georgias MPA program oers very little with regard to cybersecurity issues andhow they impact decision-making in the public sector. Students interested in I and cybersecurityrelated topics can seek courses in other departments o the universitysuch as the ComputerScience Department, explains MPA Program Director Andrew Whitord.47 Te school mainlyocuses on cybersecurity issues during the National Cyber Security Awareness Month o October,oering educational programs and services to enhance aculty, sta, and student understanding othe challenges posed in the digital age. Beyond this, however, the school does not oer much relatedto I and cybersecurity.

Pco Uvsy - Wooow Wlso School Princeton, NJ(U.S. News Rank #5) NSA Cert: CAE/R

At present, the Woodrow Wilson School (WWS) MPA curriculum does not include any corecourses dedicated to inormation technology or cybersecurity. Some o its elective coursessuch as Making Networks Work, Deense Policy Analysis and Negotiating with Iran over itsNuclear Programtouch upon I and cybersecurity issues peripherally. As explained by WWSsta members, students interested in cybersecurity related topics may cross-register or up to twocourses at other academic departments o Princeton University, although this is usually discouragedbecause o the heavy load o the MPA curriculum. Te Woodrow Wilson Schools Center orInormation echnology Policy oers lecture series and other special events that investigate


16/48


cybersecurity policy topics and other aspects o how digital technologies in general interact withpolicy, markets, and society.48 Finally, Princeton University as a whole has been designated asa National Center o Academic Excellence in Inormation Assurance Research, paving the wayor urther inclusion o cybersecurity research and courses in its various programs. In addition

to ellowships and grants opportunities through the DoD Inormation Assurance ScholarshipProgram and the Federal Cyber Service Scholarship or Service Program, the Scholars in theNations Service Initiative (SINSI) program at Princeton oers scholarships to encourage MPA orMPP students to pursue careers in governmentocusing on various areas including cyber-warare.Aside rom these opportunities, however, MPA students do not receive a signicant exposure tocybersecurity issues. In principle, the many programs and scholarships delineated above couldoer the MPA and MPP curricula many ways in which to integrate a more robust cybersecuritycomponent in the uture.

Nw Yok Uvsy - Rob F. Wg Gu School o Publc Svc New York, NY(U.S. News Rank #6) NSA Cert: N/ATe Wagner Schools MPA program does not include any core requirements in I or cybersecurity.It does oer, though, an elective course in Inormation Systems in Public and NonprotOrganizations, which covers I organizational, technical and managerial aspects in the publicsector. MPA students that choose to pursue cybersecurity related careers in the U.S. government areeligible to apply or the NYU ASPIRE award rom the National Science Foundation and can take aset o interdisciplinary gateway courses oered through various NYU departments.49 Further, theWagner School participates in the NYU Center or Interdisciplinary Studies in Security and Privacy(CRISSP), which explores multidisciplinary approaches to privacy and cybersecurity challenges.50Te CRISSP center oers seminars, lectures and interdisciplinary courses taught by aculty romthe various NYU schools, including NYU-Poly, NYU Wagner, NYU Stern, NYU Steinhardt, and

the NYU Courant Institute. Te CRISSP course listing includes: Economics o Networks, rust,Risk and Deception in Cyberspace, Inormation Privacy Law and Psychology and InternetSecurity. MPA Students interested in I and cybersecurity can always discuss the possibility toenroll in other courses [at other NYU schools] with their academic advisor, especially i in relationsto the ASPIRE ellowship, explained Admission Ocer Marissa Jones.51 Overall, MPA students atWagner generally do not receive an education in the core tenets o cybersecurity, but can pursueextracurricular courses and events in this eld throughout other NYU schools i they wish.

Uvsy o Souh Clo - Sol Pc School o Publc Polcy Los Angeles, CA(U.S. News Rank #6) NSA Cert: CAE/RTe MPA program at the Price School does not include inormation technology and cybersecurity

courses in its curriculum. In 2004, however, USC-Price and the USC Viterbi School o Engineeringestablished a National Center or Risk and Economic Analysis o errorism Events (CREAE),which is unded by the U.S. Department o Homeland Security.52 In addition to serving as anacademic program or the study o the risks, costs and consequences o terrorism, the Centerhas recently started hosting a series o cyber seminars and sponsoring studies on cyber threatsand cybersecurity technologies. USC as a whole has also been designated as a National Centero Academic Excellence in Inormation Assurance Research. As Sarah Esquivel, MPA AssistantDirector o Admission, explains: Te relationship with CREAE is becoming stronger and


17/48


students are well aware o the opportunities oered by the Center in this eld. Students are alsoable to cross-register at other departments o the University o Southern Caliornia or courses incomputer security.53 Although it is hard to assess the actual inuence o CREAEs cyber relatedinitiatives in exposing all MPA students to cybersecurity issues in the public sector, the Center

oers ways in which to integrate a more robust cybersecurity component into the MPA curriculum.

Cg Mllo Uvsy - Hz School o Publc Polcy Mg Pittsburgh, PA(U.S. News Rank #9) NSA Cert: CAE/IAE, CAE/RTe Heinz School oers a wide range o innovative degree programs in public interest elds, andprides itsel or its particular strengths in inormation and technology management and publicpolicy analysis. Unlike many graduate schools, the Heinz College is not organized along academicdepartments, and oers a broader M.S. in Public Policy and Management (MSPPM), instead oa regular MPA. Faculty rom its two schoolsthe School o Public Policy and Management andthe School o Inormation Systems and Managementcollaborate on instruction and research toprovide graduates with a better understanding o current trends in inormation technology inorganizations, markets and societies, no matter what their concentration will be. As AssociateDean Brenda Peyser explains: MSPPM students are required to take a core course in databasemanagement and then choose rom at least one or more courses in inormation technology.54Students specically interested in cybersecurity have the opportunity to choose among a widevariety o electives in the echnology Policy eld, and gain valuable exposure to inormationsecurity, inormation warare, inormation assurance policy, U.S. and European inormationsecurity policy, management o technological innovation, and privacy policy law. Graduates canalso choose among other cybersecurity related courses oered at the Carnegie Mellon epperSchool o Business, the University o Pittsburgh Graduate School o Public and InternationalAairs, and any o the Pittsburg Council on Higher Education (PCHE) institutions. Moreover, the

Heinz School oers regular lectures on technology and policy issues, and has instituted a dedicatedM.S. in Inormation Security Policy and Management (MSISPM), which is at the vanguard o thecybersecurity sector with recognized leadership in risk management, data privacy, threat controland inormation policy.55 Finally, CMU as a whole has also been designated as a National Center oAcademic Excellence in Inormation Assurance Education, paving the way or urther inclusion ocybersecurity research and courses in its various programs.

Uvsy o Kss - School o Publc As Aso Lawrence, KS(U.S. News Rank #9) NSA Cert: CAE/IAETe University o Kansas MPA program does not oer any core courses in inormation technologyor cybersecurity. It does, however, oer one elective course in Management and Inormation

echnology that includes aspects o inormation policy, implementation and management o ICin governmental organizations. Moreover, the school organizes occasional cybersecurity relatedseminars typically one to two hours in length conducted by practitioners, as AdministrativeDirector Ray Hummert explained.56 Finally, the school participates in the annual Cyber SecurityAwareness Month by organizing events on campus during that month to increase cybersecurityawareness and promote sae computing. Aside rom these activities, however, the school oers verylimited opportunities or MPA students to explore cybersecurity issues urther.


18/48


Uvsy o Wshgo - Dl J. Evs School o Publc As Seattle, WA(U.S. News Rank #9) NSA Cert: CAE/IAE, CAE/RTe Evans School MPA program does not include any core or elective courses specically dedicatedto inormation technology or cybersecurity. MPA students that specialize in Science & echnology

Policy, however, can take a handul o electives that address cybersecurity issues peripherallyand more courses may be added in the uture, explained Director o Academic ServicesEllen Weinstein. Moreover, students interested in this area can take courses through the UWInormation School and even earn a UW certicate with this specialization. Te UW EducationalOutreach also oers an online certicate in Inormation Assurance and Cybersecurity. [TeEvan School] oers also seminars and special events related to cybersecurity.57 In addition, theWashington University Center or Inormation Assurance and Cybersecurity (CIAC), a Center orAcademic Excellence in both Inormation Assurance Education and Research, actively collaborateswith the Evans School, among other departments, to integrate IA education and research intheir curriculum.58 Tis center oers elective courses, online classes and training programs ininormation assurance, network security, incident orensics and cryptology. Most o their currentactivities and research projects are highly technical, but the Center aspires to become a leader in thePacic Northwest or research and education in inormation inrastructure protection and cyber-security issues. From the inormation collected, the MPA curriculum does not currently include asignicant cybersecurity component, but could very much benet rom a urther collaboration withCIAC to include more cybersecurity aspects in its program.

MPP Gu Pogs


Lk SclAvg Sco

NSACco*

#1 University o Caliornia, BerkeleyRichard and Rhonda GoldmanSchool o Public Policy

Berkeley CA 2 N/A


Cambridge MA 3 N/A

#3 University o MichiganGerald R. Ford School o PublicPolicy

Ann Arbor MI 2 N/A

#4 University o ChicagoHarris School o Public PolicyStudies

Chicago IL 1 N/A

#5 Princeton University Woodrow Wilson School Princeton NJ 1.5 N/A

#6 Duke University Sanord School o Public Policy Durham NC 1.5 N/A

#7 Carnegie Mellon University Heinz School o Public Policy andManagement

Pittsburgh PA 3.5 E, R

#8 Syracuse University Maxwell School o Citizenship andPublic Aairs

Syracuse NY 3 E, R

#9 Indiana University School o Public andEnvironmental Aairs

Bloomington IN 1.5 E, R

#10 University o WisconsinRobert M. La Follette School oPublic Aairs

Madison WI 1 N/A



19/48


In recent years, there has been a gradual convergence between MPA and MPP programs. oday, thecourse oerings o most MPA and MPP programs overlap to some degree, even i MPP programsstill tend to place more emphasis on policy analysis, research and evaluation, while MPA programsusually provide more ocused coursework in program implementation and public management.59

Uvsy o Clo - Gol School o Publc Polcy Berkeley, CA(U.S. News Rank #1) NSA Cert: N/AAlthough not specically dedicated to I and cybersecurity, core courses in the MPP curriculumat the Goldman School provide students with a strong oundation in quantitative and analyticalmethods so that they can analyze any type o policy area, including inormation technology andcybersecurity issues, explained Assistant Dean or Academic Aairs Martha Chavez.60 Moreover,the MPP program oers elective courses in inormation technology and cybersecurity, includingProessor Jason Christophers course in Inormation echnology and Public Policy [and]Proessor Michael Nachts course in US National Security Policy, which includes discussion osome cybersecurity issues. In addition, MPP students have the opportunity to take classes allthroughout the UC Berkeley campus, including at the School o Inormation, Haas School oBusiness and Berkeley Law. Finally, the Goldman School and UC Berkeley Computer Scienceare currently collaborating with the University o Caliornia Institute on Global Conict andCooperation (IGCC) to develop an interdisciplinary graduate training program to prepare the nextgeneration o university researchers to address critical challenges in cybersecurity or industry andgovernment.61 Te program plans to bring together aculty in computer science, political science,international relations, economics, public policy, and law, together with industry and governmentexperts, to train students to examine gaps in cyber deense and develop new approaches to thwartand deeat cybercrime and attacks. From the inormation provided, MPP students interested incyber issues have the opportunity to receive at least a basic education on the policy aspects o

inormation technology and security, and the Goldman School will likely expand such oerings.

Hv Uvsy - Ky School o Gov Cambridge, MA(U.S. News Rank #2) NSA Cert: N/AMPP students at HKS are encouraged to explore dierent policy areas that interest them and cantake advantage o all the courses and opportunities oered by the our graduate degree programsand thirteen research centers at HKS, says MPP Director Deborah Isaacson.62 Although noneo the MPP core courses ocuses on cybersecurity, the International and Global Aairs (IGA)concentration, geared toward students seeking to join the ranks o international policy wonk,has incorporated readings and case studies on cybersecurity in many o its elective courses. Inaddition, MPP students interested in cybersecurity can include other electives rom the broad

array o courses available at Harvard University or through cross-registration with other graduateschools (MI and Te Fletcher School). Finally, the all-star aculty and senior advisors workingon the Exploration in Cyber International Relations project at the HKS Beler Center or Scienceand International Aairs oer an additional incentive or MPP students to delve into cybersecuritymatters and participate in cyber-related events and research opportunities.

*See MBA and MPA sections o this report or more inormation on Harvard University cyber-security courses, and the Beler Center activities and research opportunities.


20/48


Uvsy o Mchg - Gl R. Fo School o Publc Polcy Ann Arbor, MI(U.S. News Rank #3) NSA Cert: N/ATe Ford School MPP program does not include any core or elective courses ocused oninormation technology or cybersecurity. Proessor Robert Axelrod, however, dedicates a week o

his International Security Aairs course to this subject. Moreover, the University o Michiganis known or its low administrative barriers to cross registration among departmentssuch as theSchool o Inormation and the Computer Science Departmentand all students can also pursuea Science, echnology and Public Policy Certicate while enrolled in their degree program at theuniversity, explained Director o Communication Laura Lee.63 Tis certicate is dedicated tolearning how science and technology are inuenced by politics and policy, and includes variouselectives in computer networks, I, technology policy analysis, and inormation law. Finally, theFord School has oered some public lectures on cyber issues more broadly. Tus, although nospecic courses or seminars on cybersecurity have been added to the MPP curriculum, MPPstudents can take advantage o the many other opportunities oered through the University oMichigan to learn more about cyber issues in the public policy eld.

Uvsy o Chcgo - Hs School o Publc Polcy Sus Chicago, IL(U.S. News Rank #4) NSA Cert: N/AAlthough there are no core requirements in inormation technology or cybersecurity, the MPPprogram at the Harris School includes one elective course in Science, echnology, and Policy,which provides students with an introduction to science policy and some cybersecurity issues.Moreover, the school has organized ew mini-courses in this subject taught by practitioners,explained Director o Admission Maggie De Carlo.64 Other than these initiatives, however,cybersecurity issues are not mentioned in other schools course syllabi or lecture topics.

Pco Uvsy - Wlso School o Publc Iol As Princeton, NJ(U.S. News Rank #5) NSA Cert: N/A

* See MPA section o this report.

Duk Uvsy - So School o Publc Polcy Durham, NC(U.S. News Rank #6) NSA Cert: N/ATe Sanord School does not oer a core course or an elective course exclusively dedicatedto cybersecurity at the graduate (or undergraduate) level, explained Director o ProgramDevelopment Helene McAdams.65 Proessor om aylor, however, teaches a survey course oncontemporary issues in national security, during which [he] devotes part o one class to cyberattacks.66 Similarly, other national security courses may touch on the topic, but they do not ocus

on it exclusively, continued Ms. McAdams. Moreover, MPP students can cross-register or othercybersecurity related courses at other departments o Duke Universitysuch as the School oEngineering. Although, there is no regular conerence ocused exclusively on cyber security [atthe Sanord School], there is, or example, an annual national security law conerence at the DukeLaw School and in recent years there have been panels on cyber security, explained ProessorDavid Schanzer.67 From the inormation gathered, it is still surprising that the courses in theMPP National Security specializationspecically designed to prepare uture policymakers andpractitioners to address U.S. national security challengesdo not address more o the cybersecurityconcerns in the national security policy agenda and debate.


21/48


Cg Mllo Uvsy - Hz School o Publc Polcy Mg Pittsburgh, PA(U.S. News Rank #7) NSA Cert: CAE/IAE, CAE/R


Sycus Uvsy - Mxwll School o Czshp Publc As Syracuse, NY(U.S. News Rank #8) NSA Cert: CAE/IAE, CAE/R


I Uvsy - School o Publc Evol As Bloomington, IN(U.S. News Rank #9) NSA Cert: CAE/IAE, CAE/R


Uvsy o Wscos - Rob M. L Foll School o Publc As Madison, WI(U.S. News Rank #10) NSA Cert: N/AAlthough, La Follette public aairs programs do not include any core or elective courses in

inormation technology or cybersecurity, they allow students to cross-register among departmentsat the University o Wisconsin with the permission o their advisor. Te only courses that addressspecic aspects o cybersecurity are oered through the School o Library and Inormation Studiesand ocus on international cyber law and policy. Aside rom these electives and a series o activitiessponsored during the Cyber Security Awareness Month o October, however, MPP students do notseem to have other opportunities to be exposed to cybersecurity issues in the public sector.

IR Gu Pogs

Stuxnet [] achieved, with computer code, what until then could be accomplished onlyby bombing a country or sending in agents to plant explosives.68

Fog PolcyMgz Rkg Collg/Uvsy School Cy S

Lk SclAvg Sco

NSACco*

#1 Georgetown University Edmund A. Walsh Schoolo Foreign Service

Washington DC 3.5 E

#2 Johns Hopkins University Nitze School o AdvancedInternational Studies

Washington DC 2 E, R


Cambridge MA 3 N/A

#4 Princeton University Woodrow Wilson School Princeton NJ 1.5 R

#5 us University Te Fletcher School o Lawand Diplomacy

Medord MA 2.5 N/A

#6 Columbia University School o Internationaland Public Aairs

New York NY 2 N/A

#7 George Washington University Elliott School oInternational Aairs

Washington DC 2.5 E, R

#8 American University School o InternationalService

Washington DC 2.5 N/A

#10 University o ChicagoCommittee onInternational Relations

Chicago IL 0.5 N/A



22/48


In 2010, top soware-security experts and top government ocials were shocked by the discoveryo a drone-like computer virus, radically dierent rom and ar more sophisticated than any seenuntil then. Te sel-replicating virus was making its way through thousands o computers aroundthe world, searching or a specic target. Te New York imes reported that the Stuxnet worm

was probably developed by the United States and Israel to disrupt Irans nuclear program.69 Whileits exact source has not been conrmed, Stuxnet was a blueprint or a new way o attacking largescale societal inrastructure without direct personal involvement and represented the new aceo 21st century warare: invisible, anonymous, and devastating.70 As the Stuxnet case illustrates,cyberspace is changing the character o national power, the structure o the international systemand the more traditional aspects o power and security in international relations theory. Cyberinstruments are being used as oensive weapons and tools o national power. Moreover, whilecybercriminals goals are pretty straightorwardseek prot and (or most part) stealstate-sponsored attackers objectives are widely dierent and concern sabotage and espionage, and evenchaos and destruction.71 Te lessons rom these broad, and dierent but interconnected cyberthreats need to be learned and a common cybersecurity vocabulary and theory need to emergein order to properly understand and prepare or the inevitable cyber component o 21 st centuryinternational relations.

It is undamental or International Relations (IR) Masters programs, then, to start integrating acybersecurity component into their curricula. Aer all, these are programs designed to producegraduates who have the skills needed to take on leadership roles in the international arena, romheads o state and ambassadors to leaders in politics, non-prot research institutes, public interestand policy advocacy organizations, intelligence agencies, business and global institutions. Tereexists no group with a greater need or understanding cybersecurity issues, as these issues are bydenition global in scope and encompass all the ambiguities and challenges o an arena already

concerned with state and non-state actors, international organizations, and global governance.

Most o the IR programs below have included case studies and elective courses that address someo the technical, military, commercial, legal, or policy aspects o cybersecurity. In addition, many othese universities sponsor conerences and seminars on cybersecurity and, in some cases, have evenestablished specic cyber projects or the advancement o cybersecurity policy, laws, and strategies.

Gogow Uvsy - Eu A. Wlsh School o Fog Svc Washington DC(Foreign PolicyRank #1) NSA Cert: CAE/IAEGeorgetown University oers a variety o masters programs within the IR eld, including aMaster o Science in Foreign Service and a Master o Arts in Security Studies. Te Security

Studies Program (SSP), which is the academic pillar o the Center or Security Studies at theSchool o Foreign Service, includes core and elective courses in undamentals o cybersecurity,emerging technology and security issues, inormation warare and cyber law. Tese courses arecomprehensive, covering everything rom what cyberspace is, and what role it plays in civilian lieand military operations, to how inormation systems upon which cyberspace is built work, whatsecurity means in that realm, and what characteristics o such systems (e.g. vulnerabilities) permitothers to violate security in this domain. Other elective courses at the School o Foreign Serviceanalyze countermeasures, including authentication, encryption, auditing, monitoring, intrusion


23/48


detection and rewalls, and other aspects o cyberspace law, law enorcement, inormation warareand the military, and intelligence in the inormation age. In addition, SFS hosts a Yahoo! Felloweach year. Te current one, Francesca Musiani, will teach a course in Inormation echnologies Innovations & Society, which includes elements o science and technology studies, sociology

o socio-technical controversies and contentious politics, sociology o media, internationalcommunication, and international law, explained Associate Dean Jennier Windsor.72 Moreover,the School o Foreign Service is involved in a cyber project sponsored by Georgetown UniversitysInstitute or Law, Science, and Global Security.73 Tis project was created in 2009 in response tothe demand or policy development in conjunction with legal analysis o cybersecurity measures.General Michael Hayden, ormer director o the National Security Agency, has joined the projectas a senior advisor and will help the institute better integrate law, policy and technology to tacklethe issue o cybersecurity. Te institute organizes workshops, seminars and conerences that bringtogether policymakers, academics and key industry stakeholders rom across the globe to exploreways to integrate cybersecurity in dierent disciplines. Georgetown University has also beendesignated as a National Center o Academic Excellence in Inormation Assurance Education. Insum, Georgetown IR students interested in inormation technology and cybersecurity issues havemany opportunities to be exposed to these topics, especially in relation to national security, policy,law enorcement and international aairs.

Johs Hopks Uvsy - Nz School o Avc Iol Sus Washington DC(Foreign PolicyRank #2) NSA Cert: CAE/IAE, CAE/RAlthough the SAIS curriculum does not have any core requirements in inormation technologyor cybersecurity, it oers one elective course in National and International Dimensions oCybersecurity, which explores intra- and international aspects o cybersecurity rom a theoreticaland policy perspective. Other electives in the strategic studies concentration may also address these

topics peripherally. Johns Hopkins as a whole houses one o the top-ranked graduate programs ininormation security and inormation assurance in the country, and allows IR students to cross-register or specic courses that may interest them. Despite the overall strength o its academicprograms, however, SAIS has not yet ully-integrated cybersecurity issues into its curriculum, and ithas not placed as much emphasis on the security aspects o cyber-threats as some other institutions.

Hv Uvsy - Joh F. Ky School o Gov Cambridge, MA(Foreign PolicyRank #3) NSA Cert: N/A

*See MPA and MPP sections o this report.

Pco Uvsy - Wlso School o Publc Iol As Princeton, NJ

(Foreign PolicyRank #4) NSA Cert: CAE/R* See MPA section o this report.

ufs Uvsy - T Flch School o Lw Dplocy Medord, MA(Foreign PolicyRank #5) NSA Cert: N/ATe M.A. in Law and Diplomacy (MALD) at Te Fletcher School is known or the exibility o itscurriculum that allows students to explore their particular area o interest and take advantage omultiple research opportunities. Although none o the Fletcher courses is exclusively dedicatedto I and cybersecurity, some o the aculty have started to integrate readings and case studies on


24/48


cyber issues to part o the coursework in each o the three major international aairs divisionsInternational Law and Organizations; Diplomacy, History, and Politics; and Economics andInternational Business. For example, Proessor William Martel dedicates one to several weeks tocyber issues, including cyber attacks, cybercrime, cyber deense, and cyber strategy, in each o

his policy, technology and international security courses.74 Every year, at least one o the publicpolicy courses nal projects consists o an NSA simulation o a cyber crisis or cyber attackagainst the United States. Other Fletcher courses, including Prolieration-Counterprolierationand Homeland Security Issues, Crisis Management and Complex Emergencies, InternationalIntellectual Property Law and Policy and even Te International Legal Order, now includeaspects o cyber conict, cyber crisis prevention and management, international laws in cyberspace,IP and technology law. Troughout these courses, students are encouraged to think analyticallyand critically about these issues and some o them are exploring cyber issues urther in their nalcapstone projects. Moreover, a Cyber Policy Working Group o 10-15 MALD students, guidedby Proessor Martel, is currently working to create a Code of Conduct for Cyberspace for States,Firms, and Individuals in conjunction with MI Lincoln Laboratory. Tis group is analyzingand researching prior and current activity in cyberspace so as to inorm and direct behavior. Inaddition, Te Fletcher School sponsors a series o roundtables and conerences on contemporaryglobal issues, including cybersecurity, and organizes an annual crisis management exercise(SIMULEX), which allows participants to play roles as decision-makers on the internationalscene and experience the problems and processes o managing a crisis or resolving a conict. PastSIMULEX scenarios have included staged cyber attacks and cyber crisis.75 Finally, the Fletcherprograms can be supplemented through joint partnerships with Harvard University and MI,among others, which oer other courses and events on cybersecurity issues. Fletcher students,especially those ocusing on International Security Studies, have various opportunities to beexposed to cybersecurity challenges in the international arena, and gain a broader perspective on

cyber-related issues.

Colub Uvsy - School o Iol Publc As New York, NY(Foreign PolicyRank #6) NSA Cert: N/ATe M.A. in International Aairs (MIA) at Columbias School o International and Public Aairs(SIPA) encourages students to tailor their specic course o study to t their academic andcareer interests. Although the school does not oer any core courses in inormation technologyand cybersecurity, the International Security Policy (ISP) concentration includes a course inCybersecurity that explores the evolution o cyberspace and its impact on national security, thecommercial environment and individuals, and one in echnology and National Security, whichocuses on how military and intelligence related technological innovations are applied in the

context o national security. SIPA is actually launching a cybersecurity specialization or ISP whichwill likely launch next all, explained ISP Coordinator Jessica Baen.76 In addition, ISP studentscan take any elective oered within the MIA/MPA program (and with some restrictions within therest o the universityPoliSci, Law, etc.), so long as it doesnt conict with their required courses.International and Public Aairs Proessor Abraham Wagner added that Columbia students cancross-register or the Cybersecurity course and that mostly law students do this.77 Moreover, TeSaltzman Institute or War and Peace Studies (SIWPS) oers regular events on topics related tosecurity that are open to students and, as Ms. Baenis added, it is currently working on a conerence


25/48


in cybersecurity with the Deense Advanced Research Projects Agency (DARPA) or thissummer. SIPAs Deense and Security Student Organization (DSSO) has also hosted events aboutcybersecurity in the past. SIPA students, especially those ocusing in ISP, have the opportunity toreceive at least a basic education in cybersecurity and other technology aspects o national security.

Gog Wshgo Uvsy - Ello School o Iol As Washington DC(Foreign PolicyRank #7) NSA Cert: CAE/IAE, CAE/RTe Elliott School o International Aairs oers a variety o MA degrees, but none o its IR eldso study have a strong I or cybersecurity component at this time. Te Center or InternationalScience and echnology Policy at the Elliott School oers an elective course in Cybersecuritywhich provides students with an introduction to major debates over this issue, concentrating onthe policy rather than the technical aspects. Proessor Scott Pace has also pointed out how othercourses in International Science and echnology (S&) Policy and S& in National Securitytouch on inormation technology security and policy.78 IR students interested in this eld have

also the opportunity to participate in other GW-aliated events and choose additional classesrom other schools within the university, which in some cases have already carved their own nichedegrees in cybersecurity in response to industry demand.79 George Washington University is nowsponsoring a Cybersecurity Initiative to bring together all o their cybersecurity graduate educationprograms with the work o the GWs Cyber Center or National and Economic Security and theCyber Security Policy and Research Institute in an integrated and interdisciplinary approach. 80Further, GW has been designated as a National Center o Excellence in both Inormation AssuranceEducation and Research. GW seems to have a number o advantages that most o other programsin this survey do not. GW hosts prolic research centers and graduate programs that alreadypromote technical research, national and economic examination, and policy analysis o problemsthat have a signicant computer security and inormation assurance component; takes advantage

o the relevant work and research opportunities in cybersecurity technology and policy oeredby its central location in Washington, DC; and orges strong bonds with government and privateorganizations. All these aspects together could position GW at the oreront o cybersecurityresearch, education, and policy, but the Elliott School is not leading these eorts.

Ac Uvsy - School o Iol Svc Washington DC(Foreign PolicyRank #8) NSA Cert: N/ATe School o International Service (SIS) at American University oers a variety o degree programsand certicates within the IR eld, some o which have started to integrate cybersecurity topics intheir electives. For example, the International Communication program oers a course in Cyber-Conict in Global Perspective, and both the Strategic Communication, Intelligence & NationalSecurity and the Teater o error: Modern errorism & Mass Media courses address dierentaspects o cybersecurity. Students in other programs can choose rom a ew other special topicscourses that, even i not exclusively dedicated to cybersecurity, touch upon inormation technology,cybercrime, cyber espionage and cyber warare and examine the role o these issues in nationaland transnational security. Qualied graduates also have the opportunity to enroll in courses atany o the institutions in the Consortium o Universities o the Washington Metropolitan Areato complement their programs, particularly in specialized interest areas like cybersecurity. Lastly,like many o the universities analyzed, AU as a whole sponsors a series o activities during the


26/48


Cyber Security Awareness Month o October. In short, IR students, especially those ocusing onInternational Communication, have the opportunity to explore cybersecurity issues in internationalaairs and national security, i personally interested in doing so.

Uvsy o Chcgo - Co o Iol Rlos Chicago, IL(Foreign PolicyRank #10) NSA Cert: N/ATe IR graduate program at the University o Chicago ocuses on the more intellectual side ointernational aairs. Te Committee on International Relations (CIR) at the University o Chicagois a predominantly interdisciplinary program that takes advantage o coursework oered acrossthe universitys ten academic departments and proessional schools, explained Student AairsAdministrator E.G. Enbar.81 For example, students interested in cyber issues can take a coupleo courses that touch upon cyber intrusion and cyber warare [and attend a ew conerences onprivacy issues in cyberspace] at the Law School. Because the structure o the international relationsprogram at Chicago is driven by the priorities and oerings o other disparate departments,however, its ability to oer comprehensive education in cybersecurity issues is limited. At present,none o the core coursework available to CIR students covers explicit cyber issues, but i acultyocus and student interest in cybersecurity issues motivates the oering o new courses, they wouldbe included in the CIR course list, added CIR alumnus Steven Stashwick. 82

LLM Gu Pogs

I a cyber attack produces death, damage, destruction or high-level disruption that a traditionalmilitary attack would cause, then it would be a candidate or use o orce consideration.83


Lk SclAvg Sco

NSACco*

#1 Yale University Yale Law School New Haven C 0.5 N/A

#2 Stanord University Stanord Law School Berkeley CA 3 N/A

#3 Harvard University Harvard Law School Cambridge MA 3 N/A

#4 Columbia University Columbia Law School New York NY 2 N/A

#5 University o ChicagoTe University o Chicago LawSchool

Chicago IL 1.5 N/A

#6 New York University New York University Schoolo Law

New York NY 1.5 N/A

#7 University o Caliornia, Berkeley Berkeley Law Berkeley CA 2 N/A

#7 University

One Leader at a Time FINAL

Documents

Transcript of One Leader at a Time FINAL