The NSF’s ‘Scholarship for Service’ program helps Iowa State prepare the next generation of leaders in information assurance
To call Susan Wade “unique” is an understatement.
A master’s student in information assurance, Wade is obviously the rare woman in a field dominated by men. And just south of 40, she is an older student among her largely twenty-something peers.
But most unusually, until a few years ago Wade wasn’t remotely what you’d call a “computer geek”—in fact, she graduated in 1992 from Western Washington University with a bachelor’s degree in speech pathology and audiology. Yet barely ten years later, Wade found herself tackling a grueling academic regimen in computer science, learning calculus, programming, systems, and other formerly arcane subjects from the ground up.
As with music and foreign languages, the road to computational proficiency is best begun at an early age. To decide to become a classical pianist or learn Mandarin Chinese as an adult requires tremendous motivation and discipline, and a positive outcome is far from assured. Surely, a woman in her thirties with little previous exposure to computation would face similarly long odds.
But motivation was not a problem for Susan Wade: “I wanted to go back to school,” she recalls, “but I didn’t know what to study. And then 9/11 happened.”
A directive to excel
While many decided to enlist in the military after the 9/11 terror attacks, Wade chose another path. Her sister knew she had a casual interest in information security so sent Wade a brochure describing the National Science Foundation’s Scholarship for Service (SFS) program. With no guarantee of either admission or a career in the field, Wade would spend the next five years at the University of Texas–Arlington earning the credentials that would qualify her for SFS.
While the 2001 terror attacks might have inspired Wade to serve her country on the front lines of information assurance, the genesis of SFS actually precedes September 11, says Doug Jacobson, University Professor in the Department of Electrical and Computer Engineering and director of Iowa State’s Information Assurance Center. According to Jacobson, the program traces its origins to a Clinton-era presidential directive to recruit more IT professionals in order to better secure critical infrastructure and the sensitive information handled by federal agencies.
As a result, the National Security Agency designated seven “Centers of Excellence” in information assurance (IA)—including Iowa State—to take the lead in recruiting and educating the next generation of IA professionals. Next, in a pre-9/11 meeting with federal experts and directors from the six other centers, Jacobson and his colleagues devised a plan for the National Science Foundation to fund a targeted program to train IA specialists for federal agencies. Ironically, the program enrolled its first students in the fall of 2001, on the eve of the attacks that would fundamentally alter the United States’ defense posture with regard to both military preparedness and information assurance.
A higher obligation
While SFS funds undergraduates as well, the program’s primary focus is the education of graduate students. In return for full tuition and a stipend—typical benefits for graduate students doing research assistantships—SFS provides additional support for room and board, making the program one of the more lucrative for grad students at Iowa State.
Besides coursework, program participants are required to serve an internship with a federal agency or research lab, typically in the summer between the first and second years of the student’s program. In exchange for this support, students are required to accept one year’s employment in a federal government post for each year of support they receive through the program.
Admission requirements for SFS are demanding. Of course, participants must be highly qualified academically for the work. In addition, because the program is taxpayer-supported and many of the jobs for which participants train involve handling classified or other sensitive information, the program is limited to American citizens only. Further, all students admitted must undergo rigorous and costly background checks and security clearances—including polygraph examinations—in order to qualify for internships and federal employment.
Equally important, says Jacobson, program candidates must demonstrate commitment through a pre-admission essay and interview, during which they are asked to outline the basis of their desire to work for the federal government. “When we talk to the students in the interview process,” he observes, “we make sure that they feel the government isn’t just an ‘obligation,’ but something they really want to do.”
A mission to fulfill
At first glance, Adam Jackson seems to be everything Susan Wade is not: younger, male, and effortlessly computer savvy in a way only someone who grew up wired to mouse and monitor could be.
“Computers hit the mainstream as I was growing up—we got a computer when I was five or six,” Jackson recalls. “At each new stage of life, it seemed computers changed, so I just grew with them. They made sense; I liked working with them.”
Yet scratch the surface and you’ll find Jackson has a lot in common with Wade—not least that sense of service to others that meets Doug Jacobson’s higher standards for program members. Indeed, in Jackson’s case, that calling is literally missionary, as the Cedar Falls native has traveled recently to work on education projects in Thailand as well as aiding a Christian mission in Haiti.
Besides, if he’s going to be in security, says Jackson, he’d rather work for the benefit of the nation than for corporations. “I don’t have any problems with corporations,” he adds. “It’s just that the end goal doesn’t seem as interesting to me as the government side or the public sector.”
Still, Jackson’s motivation isn’t entirely altruistic: even if he does sacrifice future earnings working in the public rather than private sphere, computer geeks are predisposed to seek out the greatest challenges and latest technologies. These, he feels, are more often found on the government side, particularly in the defense and intelligence sectors.
“I didn’t have a problem with the commitment thing,” Jackson says, “because the government is doing a lot of the cutting-edge research. So even if I had a two-year commitment, it was two years on the cutting edge of technology, for the most part.”
No lack of challenges
What Wade and Jackson will find when they get out of school and into service depends, of course, on their initial postings. But given the ubiquity and scale of threats against both corporate and governmental networks, they won’t lack for challenges to their knowledge and skills regardless of assignment. The rise of stateless international terror networks, together with the integration of networked information systems into virtually every facet of modern life, poses security challenges previously unknown in human history, and opportunities for hackers to wreak havoc on a global scale. (See, for instance, The New York Times review of a new book on this subject by former national security advisor Richard A. Clarke.)
“The potential is there for devastating terrorist attacks against the infrastructure—water supplies, air traffic control, dams,” notes Wade. “You can get into SCADA systems online. So it’s not something we can overlook or assume they’re not going to try anything that sophisticated if they get the chance.”
Indeed, the potential for a handful of savvy attackers—or even a lone individual—to level crippling attacks against critical infrastructure has redefined the meaning of national defense for the 21st century: as Jacobson often stresses, attackers have to “win” only once to take down a network; defenders must win every time, a challenge compounded even further by the pace of technological change.
“The bad side changes a lot quicker than the defense side,” Jackson offers. “So we have to get past reacting and start anticipating. You have to think like somebody trying to attack a system in order to anticipate and defend it.
“That’s why Dr. Jacobson’s information warfare classes are so important,” Jackson adds. “They don’t necessarily teach how to hack into systems, but how it’s done. We actually have a lab where we can practice breaking into a test network.”
The fog of cyberwar
That the skills used to defend networks must, of necessity, include a deep understanding of the means and methods for finding and attacking those same networks’ vulnerabilities is a paradox not lost on Wade and Jackson. Talk to either, and you’ll soon appreciate their ambivalence on the issue—and their willingness to defer to the military on questions of cyberwarfare in general and retaliatory strikes in particular.
“In my opinion, the only legitimate right to strike lies on the military side of it,” Jackson says. “You can’t really attack whoever it is—in some ways that’s an act of war, but it’s a war against something completely unknown. Even if it’s a government-sponsored attack from some other country, you can’t prove that.”
During the Cold War, nuclear weapons were firmly under the control of nation-states, and even after launch there remained sufficient time and resources to determine their origin and stage a counter-strike against an aggressor. But cyberattacks are virtually instantaneous, says Wade, and retaliation may not be desirable—or even possible—without raising so-called “collateral” damage to innocents to unacceptable levels.
“That’s the problem,” Wade notes. “You have this incoming probing—in some cases more than that—but can you really verify where it’s coming from? And how much can you do before [your response] becomes an international event?
“So,” she adds, “if you can’t respond—or if you don’t have enough information to respond in an appropriate or proportionate manner—then you’re left with defense.”
A unique focus on leadership
The necessary complement to such restraint in the face of potentially devastating attacks is the information needed to anticipate them in the first place. But, as the failure to predict and preempt the 9/11 attacks demonstrated, that requires communication both within and between various governmental and private sector agencies that is often fitful at best—when it isn’t absent altogether.
“From what I understand at the NSA—and it’s probably the same at other government agencies—they have a lot of skilled people who know a lot about one thing,” Wade observes. “But they lack people to pull the pieces together, to say, ‘OK, let’s get together and talk, because nobody is communicating.’”
Adds Jackson, “A lot of problems are related to interactions with people. To get systems secure, you have to communicate across many different levels of government. And even between the private sector and the public sector.”
At least as much as technical knowledge, then, the leadership skills needed to foster and facilitate such communications are central to Jacobson’s vision of the cyberdefender. “Our program has a required leadership component,” he notes. “Students take four classes in leadership—that’s part of their experience. We think it makes them better employees and helps them in their jobs.”
Iowa State’s leadership component is unique among U.S. institutions participating in the SFS program. It is not simply a lecture, Jacobson emphasizes, but an intensive, interactive small group format that meets for several hours each week. Students interview security experts across a variety of specialties and work on projects and presentations with a view to developing their communication and collaboration skills.
And those skills matter, Jacobson observes, because security can be a hard sell.
“Most organizations treat security as the horrible-insurance-policy-we-have-to-buy,” he says. “So that’s part of the leadership piece—to be able to present yourself, to bring forth the idea that security is relevant. It’s being a leader and being able to interact with people who consider security a nuisance and a necessary evil as opposed to something that is really a core benefit to the organization.”
From complacency to action
Given our security posture in a post-9/11 world, it is difficult to imagine that anyone would consider information assurance a “nuisance.” As a continental power bordered by vast oceans and historically friendly neighbors, we Americans have a capacity for complacency that sometimes catches us flatfooted in the face of existential challenges.
Countering that sense of complacency on a daily basis, then, will be the acid test for leadership in the digital age. For we live in a world transformed: oceans don’t protect the data that drives our economy. And once friendly borders can today be crossed with the mere click of a mouse, leaving our vital infrastructure exposed to ruinous attack.
A sober woman not given to exaggeration, Susan Wade nonetheless bears a capacity for wonder at the transformation of her world—indeed, herself—in a way, perhaps, that a young man like Adam Jackson might not fully understand. “It’s hard to believe I’m in Iowa,” she reflects. “I still have those moments where, ‘Wow! How did I get from Texas to here?’”
Still, despite that sense of wonder, nine years after 9/11 Wade is anything but complacent and still feels that same sense of urgency she felt on September 12, 2001. She has absorbed the new reality to the core of her being and doesn’t need to be told that “9/11 changed everything”: it’s enough that it has changed her.
“I would describe myself,” she says softly, “as a believer.”