Certification of Master s Degrees Providing a General Broad Foundation in Cyber Security

Transcription

1 OFFICIAL Certified Master s Briefing Meeting 14 April 2014 Certification of Master s Degrees Providing a General Broad Foundation in Cyber Security Chris Ensor Michael Kirton Ellie England Graeme Dykes GCHQ This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on x30306, infoleg@gchq.gsi.gov.uk

2 Welcome and Introductions Michael Kirton

3 Describe academic engagement programme motivation for setting up Master s certification application process and criteria Outline certification terms and conditions Answer questions and receive feedback Aims of Meeting

4 : Cyber security education and skills programmes, C. Ensor Agenda : Q&A session : Master s applications and criteria, M. Kirton : Q&A Session : Break : Outline of certification terms and conditions, E. England : Q&A Session : Next steps, G. Dykes : Q&A session 4

5 Housekeeping Meeting is not classified Fire alarm, toilets Slides

6 Cyber Security Skills Chris Ensor, Deputy Director National Technical Authority for Information Assurance WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

7 03/06/ Government Code and Cipher School established within FCO 1939 GCCS moves to Bletchley Park 1946 GCCS moves to Eastcote as GCHQ Intelligence arm moves to Cheltenham Security arm merges with GPO research and becomes CESD 1973 CESD becomes CESG and merges back with GCHQ 1978 CESG moves to Cheltenham 1994 GCHQ recognised under the Intelligence Services Act

8 GCHQ & Academia UK GCHQ needs Academia to support its security mission Enhancing UK NTA knowledge base through original research Providing NTA with top quality people UK Providing effective education and training. make the UK a safe place to do business in Cyber Space

9 NCSS and Our Objectives

10

11 Developing the Workforce of the Future Develop a Cyber Security Profession Outcome 1: There is an increased pipeline of a cyber capable workforce Cyber Security GCSE Cyber Security A Level Cyber & Cipher Challenges Apprenticeships (e-skills UK) Internships (e-skills UK) Certified Masters Bursaries (CSSA) Head of Profession Heads of Specialism Skills Framework CESG Certified Professional Learning Pathways (e-skill UK) Certified Training Outcome 2: There is a sustained supply of competent cyber security professionals available, adequate to meet growing demand levels ACE - CSE Increase Cyber Security Research Influence Associated Professions Outcome 4: UK is recognised as having a leading edge cyber security research capability that can be exploited where appropriate ACE-CSRs Research Institutes Funded PhDs Centres for Doctoral Training Project management Software engineering Procurement Legal Audit Outcome 3: Appropriate cyber security knowledge is part of the day job for relevant noncyber security professionals across the public and private sectors

12 Areas of Excellence Cryptography, Key Management and Security Protocols Information Risk Management Hardware Engineering Information Assurance Methodologies Operational Assurance Techniques Strategic Technologies and Products Electromagnetic Physics and Security Engineering processes and assurance

13 ACE Cyber Security Research

14 PhDs 1 st Tranche Bristol - Authentication, Ciphers, and Encryption Cryptographically Secure and Relevant - Information leakage aware verification Imperial - Joint Modelling of Edge Evolution in Dynamic Graphs Lancaster - Social and Technical Objects for Resilience and Cyber Security (STORC) Oxford - Combining Binary and Source Analysis for Scalable Exploit Generation Queen s - Novel Application of Advanced Machine Learning Techniques for use in Side Channel Attacks RHUL - Randomness in Complexity - Theory Meets Practice - Computational Algebra Approach to Learning with Errors UCL - Measuring and Influencing Cyber Security Risk Perceptions

15 PhDs 2 nd Tranche Birmingham - BaDSeED: Backdoor Detection Systems for Embedded Devices Bristol - Secure Application Programming Interfaces for Key Management - Game Theory of Cryptographic Threat Mitigation Cambridge - Model-Based Assessment of Compromising Emanations Lancaster - Weak Signals as Predictors of Sophisticated Social Engineering Attacks Newcastle - Scalability of Attacks in Identity Federation Leading to Cyber Threats Oxford - Graceful Security Degradation - Realistic, Strong and Provable Key Exchange Security RHUL - Cryptobugs Detecting Incorrect Use of Cryptographic Routines UCL - Towards a Discipline of Traffic Analysis - Access Control: Models and Compliance

16 Centres for Doctoral Training

17 Research Institutes Filling the excellence gaps RI1 - The Science of Cyber Security 2M GCHQ & 1.8M EPSRC How secure is my organisation? How do we make better security decisions? RI2 - Automated Program Analysis and Verification 2M GCHQ & 2.5M EPSRC Program analysis and verification for Binaries, source code, JavaScript and other mobile code RI3 Trustworthy Industrial Control Systems CPNI & EPSRC

18 The Science of Cyber Security

19 Automated Program Analysis and Verification

20 Trustworthy Industrial Control Systems

21 e-skills UK Cyber Apprenticeships Cyber Module A-level Trustworthy Software Initiative Schools cipher challenge Cyber Industry Internships Cyber Module GCSE Cyber in IT Management for Business Academic Centres of Excellence for Education MSc Certification Research Institutes CDTs 4/15/2014 GCHQ Funded PhDs

22 03/06/2013 ACE Cyber Security Education Identify universities taking a holistic approach to education in cyber security subjects. Based on offering at least one suitably recognised Undergraduate or Postgraduate qualification First step will need to establish a scheme for recognising relevant qualifications, starting with Master s.

23 03/06/2013 The right Master s qualification in a relevant area of Cyber Security provides: Mid career bridge STEM bridge Top-up Research bridge Why Start with Master s?

24 Thank You.

25 Q&A Session 1

26 Master s Applications and Criteria Michael Kirton

27 Background pan-government strategy BIS, OCSIA start with general Master s map indicative topics to IISP Framework not define syllabus started drafting call document in October 2013 extensive consultation with stakeholders 6 drafts for internal and external review

28 Call document main section + 4 appendices key sections scope: section 3 appendix B: topic coverage appendix D: application structure for full certification appendix E: application structure for provisional certification

29 Scope one-year postgraduate Master s degrees or part-time equivalent cyber security: sole or main focus at least 80% of taught modules can be mapped to Security Disciplines A to H breadth of coverage at least 10 of the Skills Groups (i to xiii) covered substantial original research component

30 Full certification student cohort completed in running in external examiner s report available for Provisional certification running in ; no cohort completed in start by October 2015

31 Full application letter of support (scored) sections C.2 to C.6 description of the applicant description of the Master s degree in cyber security assessment materials and external examiner s report original research dissertations student numbers and grades achieved

32 Provisional application letter of support (scored) sections D.2 to D.5 description of the applicant description of the Master s degree in cyber security assessment materials original research dissertations

33 Scoring 0: no evidence 1: very little evidence 2: some evidence 3: good evidence 4: excellent evidence each scored section must achieve a threshold score of 3

34 General suggestions address the points in the call document e.g., section 2: 2a, 2b,. 2f observe the page limits CVs off the shelf may not be suitable some customisation to the call may be necessary

35 Criteria - 1. HEI s letter of support for the application not scored use it wisely

36 Criteria 2. Description of the applicant coherent team team members with the appropriate knowledge and skills supported by the HEI Master s course regularly reviewed and kept up to date students have access to well-equipped computer laboratories

37 Criteria 3. Description of the Master s degree in cyber security quite a lot of detailed information required scope 80% of taught modules can be mapped to Security Disciplines taught modules cover at least 10 of the Skills Groups indicative topic coverage in Skills Group appendix B, point d, page 12 not required to cover all [indicative topics] explicitly sufficient weight of coverage..

38 Criteria 3. Description of the Master s degree in cyber security permitted combinations that do/do not satisfy scope identified research component > 45% of credits need to show remainder of degree adequately covers the Skills Groups

39 Criteria 4. Assessment materials and external examiner s report rigorous assessment of students knowledge external examiner full certification appropriate technical background positive report

40 Criteria 5. Original research dissertations well-defined process for allocation and monitoring well-defined and rigorous process for assessment dissertation topics must be in one or more Security Disciplines full certification representative dissertations full certification grade awarded should be appropriate research component < 25% need to show students gain sufficient understanding and experience of undertaking original research

41 Criteria 6. Student numbers and grades achieved full certification application expect majority of students to have 2-i STEM degree and/or relevant experience expect grade distribution to some extent reflect experience and entry qualifications consult with external examiner s report positive student survey results

42 Assessment process assessment panel meeting membership: academia, GCHQ, industry, wider government each proposal read by at least 3 panel members at least one academic agree consensus score for each scored section successful application HEI s letter of support threshold score or above for each scored section no prioritisation all who meet criteria achieve certification

43 Q&A Session 2 This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on x30306, infoleg@gchq.gsi.gov.uk

44 Break This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on x30306,

45 Outline of Certification Terms and Conditions Ellie England Senior Commercial Manager

46 T&Cs characteristics Successful applicants will need to agree to T&Cs based on ACE-CSR T&Cs which 11 universities have signed Branding licence HEI can use the Marks to indicate certification non-exclusive, royalty free, revocable, worldwide, non-transferable Continuing obligations maintain standards inform GCHQ of any significant change provide information on student numbers etc.

47 T&Cs characteristics Term full certification: 5 years unless ended earlier if HEI seriously breaches T&Cs and breach can t be remedied provisional certification: from award until receipt of the full certification application time limit from first cohort finishing to submission of full application General no ability to assign confidentiality dispute resolution

48 Full Certification Mark

49 Provisional Certification Mark

50 Q&A Session 3

51 Next Steps Graeme Dykes

52 Next Steps Submitting Applications submission deadline 20 th June 2014, the relevant application documents to: Content beyond the prescribed limits will not be reviewed Application questions to be ed in, there will be FAQs in the CESG web site: Retrospective student awards

53 Next Steps Assessment Panel Will meet in July All qualifying applications will be reviewed Universities will be informed of the result Subject to agreeing the T&Cs National press announcement Individual press announcements

54 Next Steps Future Calls Plan to issue 2 nd call in autumn 2014 To include Master s with narrower focus 3 rd call early 2015 Considering Integrated Master s

55 Next Steps Future Plans Recognition of ACE-CSEs call late 2014 Criteria Consultation on-going Holistic view of the university To work with partners to manage the certification process IET & BCS

56 Q&A Session 4

57 Close This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemptions under other UK information legislation. Refer disclosure requests to GCHQ on x30306,