Guest Post by Professor Jason Healey
Admissions note: Jason Healey is a Senior Research Scholar at SIPA specializing in cyber conflict, competition, and cooperation. He directs the Initiative on the Future of Cyber Risk and teaches two courses: Dynamics of Cyber Power and Conflict and Cybersecurity: Technology, Policy, and Law.
In my five years here, it’s been clear that SIPA’s Dean Merit Janow is committed to bringing all things cyber and digital to the school. We’ve developed a robust program of research, events, and coursework that have made SIPA a hub for the study of cybersecurity and technology policy and our students are not only the main recipients but our best partners.
I’m often asked how students can prepare to study cybersecurity policy at SIPA. In this post, I’ll provide some recommendations on resources students can use for self-study whether you want to get a head start before SIPA or help prepare yourself for one of the five main cyber career tracks for SIPA alumni.
There are different learning styles. For me, I prefer reading. Whenever I’ve re-directed my career (into cyber in 1998, working for the finance sector in 2001 and the White House in 2003, expanding into risk and business continuity in 2005, and so on) I’ve read as much as I can get my hands on starting with general topics then diving more deeply.
If you want to switch into a cyber career, or wondering if it’s for you, start your reading early. First, there’s the general cyber reading. Here, look at The Cuckoo’s Egg (Cliff Stoll), a very readable classic, and The Hacked World Order (Adam Segal) or The Darkening Web (Alexander Klimberg) on general cyber international relations. Both are good, but Adam Segal is adjunct faculty at SIPA and directs the Digital and Cyberspace Policy Program at the Council on Foreign Relations. David Sanger’s The Perfect Weapon is amazing, as is Kim Zetter’s Countdown to Zero Day and, more recently, Andy Greenberg’s Sandworm. Andy and Kim are some of the most-trusted journalists in the field, along with David Sanger and Ellen Nakashima.
Singer and Friedman’s Cybersecurity and Cyberwar is a bit out of date but very readable — as is my cyber military history, A Fierce Domain. There’s also a lot of academic works like Ben Buchanan’s The Cybersecurity Dilemma, which is excellent, but probably a better third or fourth book.
Second are reports from think tanks like the Atlantic Council, Center for a New American Security, Council on Foreign Relations, Center for Strategic and International Studies, New America, Carnegie Endowment for International Peace, and the East-West Institute. These organizations are also holding a lot of virtual events during the quarantine that are open to the general public.
Third, the Internet threat reports from major cybersecurity companies will give you a unique and up-to-date perspective. FireEye’s APT1 report made history, a private sector company calling out espionage – with in-depth analysis backed by evidence – by another country. CrowdStrike’s Global Threat Report is quite readable and there are now dozens of such reports focusing on adversary groups, that is, criminal hacking groups or state-backed espionage teams. The Verizon Data Breach Investigations Report and reports from Ponemon are on cybersecurity more generally and the costs of cyber crime.
Last, there is the more technical literature, especially tied to hacking skills and certifications. I started with Hacking Exposed, now on its seventh edition, but study guides for Security+ and Certified Ethical Hacker are also useful. Only dive into these if you care about such things and can deal with sometimes daunting technical material right out of the gate. They’re important but you might start with the other material first.
Many of the most influential and interesting practitioners and scholars in the field are on Twitter, and this is a great way to follow the most recent developments. Start with the authors I’ve mentioned here. Follow me then follow those I retweet. As you read Sandworm (especially, as it is new) be sure to follow those mentioned as well as all the authors and journalists I’ve mentioned above.
Getting a Basic Technical Background
If you want a job in cybersecurity, then you must have some understand of what happens on the other side of your screen. If it still seems like magic, then your analyses won’t have enough foundation. Fortunately, even a modicum of basic computer science or programming can be enough for you dispel the fog of magic and learn key concepts and terms. The deeper you can go, the more job options open up for you.
Any of the basic computer science classes available on the various MOOC platforms (EdX, Coursera, Udemy, etc.) will be a great start. CS50x is a particularly popular option. And get as much Python as you can, not just for cyber but to help you at SIPA and any job afterwards. If you can handle the quant, consider pairing cyber classes with the concentration in Data Analytics and Quantitative Analysis.
Within the cybersecurity fields, a certificate is a routine credential to demonstrate you have special knowledge or skills. The Security+ certificate by CompTIA is one of the most achievable for most SIPA students. Usually, you can study as much as you want for free and only have to pay to take the certification test, usually a few hundred dollars. The higher-end certifications, such as those from SANS, are often highly specialized and more expensive (often paid for by companies to train their staff).
This brief list of recommendations will get you off to a great start in studying cybersecurity policy, and you’ll be well prepared for cyber-related classes at SIPA. More importantly, you’ll be on your way to an exciting career in a field which has difficult and interesting challenges and is well paid and chronically understaffed. I look forward to your joining cybersecurity as a colleague!