“Real” cybersecurity today devotes enormous effort to non-code vulnerabilities and responses.
- Peter Swire, Professor of Law and Ethics, Georgia Tech
In a new article published this month in the Communications of the ACM, Georgia Tech professor Peter Swire calls attention to the great variety of skills and know-how required by cybersecurity professionals to combat cyber threats and vulnerabilities. Of the 33 specialty areas listed by the National Initiative for Cybersecurity Education, Professor Swire identifies that “ten of the specialty areas primarily involve coding, but more than half primarily involve non-code work.”
“A Pedagogic Cybersecurity Framework” proposes a system for “categorizing and teaching the jumble of non-code yet vital cybersecurity topics.”
Below are a few excerpts from “A Pedagogic Cybersecurity Framework.”
This column proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. From my experience teaching cybersecurity to computer science and other majors at Georgia Tech, the PCF clarifies how the varied pieces in a multidisciplinary cybersecurity course fit together. The framework organizes the subjects that have not been included in traditional cybersecurity courses, but instead address cybersecurity management, policy, law, and international affairs.
The PCF adds layers beyond the traditional seven layers in the Open Systems Interconnection model (“OSI model” or “OSI stack”). Previous writers have acknowledged the possibility of a layer or layers beyond seven, most commonly calling layer 8 the “user layer.” The framework proposed here adds three layers—layer 8 is organizations, layer 9 is governments, and layer 10 is international. This column explains how the new framework would benefit cybersecurity students, instructors, researchers, and practitioners. Layers 8–10 classify vulnerabilities and mitigations that are frequently studied by noncomputer scientists, but are also critical for a holistic understanding of the cybersecurity ecosystem by computing professionals.
As a way to introduce layers 8 through 10, each horizontal layer highlights important types of cybersecurity vulnerabilities. At layer 8, organizations face a wide range of cyber-risks, and take many actions to mitigate such risks. At layer 9, governments enact and enforce laws—good laws can reduce cybersecurity risks, while bad laws can make them worse. At layer 10, the international realm, no one nation can impose its laws, but treaties or discussions with Russia and China, for instance, may improve cybersecurity. As shown in Table 1, the vulnerabilities in these new layers are further organized by institutional form—whether the vulnerability arises within the organization (or nation), between organizations (or nations), or from other institutions at that layer.
Table 1:
Put another way, the traditional seven layers concern protocols expressed in machine language; layers 8 to 10 concern protocols (contracts, laws, diplomacy) expressed in natural language. The layers operate in a way familiar from the OSI stack: organizations at layer 8 select the applications at layer 7. Governments at layer 9 set laws to govern organizations. Actions at layer 10 affect the governments at layer 9, and apply when no single government can set the law.
For cybersecurity practitioners, I have often encountered practitioners (and researchers) who believe “real” cybersecurity involves writing code, perhaps with some vague acknowledgment of the need for “interdisciplinary” study. The sheer volume of issues identified in the 3x3 matrix emphasizes the growing significance of non-code issues—bad decisions in any part of the matrix can negatively affect cybersecurity. As with the existing seven layers of the stack, organizations can identify their vulnerabilities by systematically examining layers 8 to 10. Organizations can then better identify and mobilize expertise for these non-code cyber issues.
In sum, the PCF provides a parsimonious way to identify and develop a response to the growing number of non-code cybersecurity risks. The 3x3 matrix visually categorizes and communicates the range of non-code cybersecurity issues. No longer can “real” cybersecurity refer only to technical measures. Instead, a large and growing amount of cyber-risk arises from problems at layers 8, 9, and 10. Extending the stack to these 10 layers results in an effective mental model for identifying and mitigating the full range of these risks.
Read the full article: “A Pedagogic Cybersecurity Framework.”
Peter Swire is Professor of Law and Ethics and the Elizabeth and Thomas Holder Chair at the Scheller College of Business at the Georgia Institute of Technology. Professor Swire has been a leading privacy and cyberlaw scholar, government leader, and practitioner since the rise of the Internet in the 1990’s.