NSA-approved cybersecurity law and policy course now available online

Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by National Security Agency.

The course, which can be accessed through the Clark Center, touches on international and domestic cybersecurity law, cyber risk and technical details like how smartphones function, according to Anne McKenna, a Penn State professor who organized the course.

James Houck, director of Penn State’s Center for Security Research and Education, told CyberScoop that program will serve as a primer to the legal and technical details of offensive and defensive cyber-operations.

“What we’re trying to do … is create a framework for people who are trying to be introduced to cyber law, to offensive, defensive cyber operations, and for them to learn the fundamentals, the framework — and in our case legal authorities for how these work,” Houck said.

Houck clarified that although the NSA put out a Call for Proposal for the course’s creation, the course is unclassified and is not intended to cover internal NSA policy or business.

“The concept is: We create curriculum for the NSA, the NSA then, without centering it or trying to modify it, makes this curriculum available to professors around the country,” Houck said.

Although the course is not necessarily about NSA operations, taking the course could help future government employment applications stand out. The course description notes it may prepare students for “potential future employment with the U.S. Government in the cybersecurity field.”

The federal government has acknowledged it has particular challenges when it comes to hiring and retaining cybersecurity talent; the Departments of Commerce and Homeland Security noted just last year the government “needs immediate and sustained improvements in its cybersecurity workforce situation.”

“Employers increasingly are concerned about the relevance of cybersecurity-related education programs in meeting the needs of their organizations,” the 2018 report notes. “Globally, projections suggest a cybersecurity workforce shortage of 1.8 million by 2022.”

A coordinated effort

The course goes beyond those with a technical background: It’s available to undergraduates, law students, national security professionals, and anyone who is interested in brushing up on the technical, legal, and policy context.

“People are going to be looking at this who have no idea how an app functions or a phone functions down to people who know how to code,” McKenna said.

Aside from the NSA’s involvement, the course aligns with the National Institute of Standards and Technology’s National Initiatives in Cybersecurity Education (NICE) by meeting a 2018 recommendation that more educational resources address government employers’ cybersecurity needs.

“So often in education we see someone studies technology or somebody studies domestic law or somebody studies international law and national security and there’s policy folks,” McKenna said. “But we are really trapped in those buckets of education even though everybody talks about interdisciplinary education, you don’t see very many programs that really make it a concerted effort.”

While the professors that designed the course are not representatives of the NSA, the NSA did contribute to developing the course, according to McKenna.

“We did work pretty directly with the NSA on the content,” McKenna said. “The NSA reviewed the content and said, ‘hey we want a little more of this a little less of this.’”

The NSA did not immediately provide comment on the process.

The curriculum

McKenna, Houck, and Scott Sigmund Gartner, the director of Penn State’s School of International Affairs, each contributed different parts of the thirty modules, namely the legal, policy, and technical portions respectively.

“If you want someone to not be able to be manipulated through cyber influence through false posting on social media, if you want to make somebody understand why we need to use two-factor authentication … encryption … we really need to understand broadly how systems function,” McKenna said.

The course, for instance, includes a technical overview of internet of things technologies and encryption, but also provides case examples of online disinformation, how social media platforms work, and details on the European Union’s General Data Protection Regulation (GDPR), the  Clarifying Lawful Overseas Use of Data (CLOUD) Act, wiretapping laws, and international human rights laws.

International norms on cybersecurity are still developing and in flux, which creates a particular gap in the course, McKenna said. For instance, the State Department is still working with other nations at the United Nations to hammer out international norms of accepted behavior in cyberspace, such as not attacking civilian infrastructure in times of peace. The latest round of these conversations begin again this fall.

“There was no goal of, ‘this is what it should be and this is what it needs to be,’” McKenna said, noting the course does not advocate for any particular action or policy. “But it clearly identifies we need to be more educated and [have a more] integrated knowledge base.”