Dear WP9 members,
Here are some notes about an ECSO (European Cyber Security
Organisation) meeting I attended last week (Wednesday June 19th) in
Brussels. The meeting was about WG5 which deals with awareness,
skills, education and training in cybersecurity (the exact scope of
SPARTA WP9).
I am sorry to have written rather long minutes for the day, but I
believe some pointers might be useful for SPARTA WP9. I added comments
using brackets, beyond what was discussed on Wednesday.
I am at your disposal for any comments and I plan to share the
documents I will be allowed to with you as soon as I get them.
Best regards,
olivier
= CyberRange =
The first item discussed was about cyber ranges, which, as you know,
are being developed in many institutions and training centers.
== CR14 : NATO Cyber Range (A. Rebane - Estonia Ministry of Defence) ==
A. Rebane presented the CR14, facilities located in the centre of
Tallinn, consisting of 10 classrooms.
Estonia has been organizing Locked Shields, a massive annual exercise (24
teams across different countries, of 15 people each) for several years.
With their infrastructure, they mainly target governments, but also
industry and academia. In particular, they opened a new program this
year called Open Cyber Range for SMEs and startups.
Later this year, they will organize an exercise to show how to
federate cyber ranges across countries.
One of the four pilots, ECHO, has a package on federation of
cyberranges. ECSO WG5 has been invited by ECHO on July 12th (in
Brussels) to a meeting on the topic. [At this time, I don't plan to
attend].
== Draft paper on definition of cyber ranges ==
ECSO plans to produce a paper on cyber ranges. The table of contents
is a WIP, but it should be available for comments soon (in July).
The goal is a 10 to 20-page document with definitions, guidelines on
how to mount a cyber range, business models and legal/ethical aspects.
== Cyber range workshops and collaboration with EC Pilots ==
There is work in progress with the EDA (European Defence Agency) about
cyberrange federation.
As a side note, ECSO representatives told us they will act as a
coordinator between the 4 pilots and the commission, especially when
it comes to trainings/cyberranges.
There was an argument about the word defence, since the ECSO Board of
Directors firmly said that they should not work on military/offensive
aspects of cyberranges. This may change in the future and we might be
able to work with industrial partners in the defence industry in a more
open fashion.
To make this easier, a glossary will be included in the draft paper.
= Education and training activities (Parish Rathod) =
A recent study says that 142,000 professionals are missing in Europe
(350,000 in 2022), 63% of the businesses questioned need more staff,
and 59% of the companies are currently considered at risk.
We are thus facing a challenge to get the competent workforce. A lot
of effort has already been put in, but it is scattered.
In France, we have trainings, but we need them to be more attractive (a
recent initiative was discussed at the ECSO general assembly concerning
10-18-year-old students).
In Italy, they have a 1-year training but it might be too long, since
we need people now.
CSI (Cyber Security Initiative) in Ireland aims at teaching hygiene
for small businesses (since it is difficult to have them in
trainings). They are looking at webinars. Moreover, leadership people
are not always technical people and they are lost in the
lingo. Academia has been asked to deliver trainings with industry
content (part-time trainings) and they mostly use online resources.
Italy also has cyberchallenge.it for students (16-23 years old).
The goal of the presentation is to push for an initiative, Towards
European Cybersecurity Professional Education and Training Framework.
Among the questions asked, we wondered how we could homogenize ECTS,
skills frameworks, etc. between countries. For skills, there is the
European Competence Framework... One big question is how we can
compare different trainings (e.g. master's degrees) in different
countries.
[Of interest for WP9 is a white paper on Gaps in Education &
Professional training
(https://www.ecs-org.eu/documents/publications/5bf7e01bf3ed0.pdf)]
There are currently existing certifications:
- CISSP (see below)
- Certified Ethical Hacker
- Pentest and Security Analysis certificates
- Some Finnish certifications?
- CompTIA
[I need to get the slides to be more precise about these certifications,
but at the time of writing, I did not receive them yet.]
The presentation also presented a paper on online cybersecurity
education and professional training [There again, I did not have time
to take the reference, but I will amend the minutes as soon as
possible].
== ENISA / education mapping ==
ENISA is starting a new task on training and education database. ECSO
agreed to collaborate on this with ENISA. It would certainly be useful
that the four EC pilots also participate. There is some information
available at
https://www.enisa.europa.eu/topics/cybersecurity-education/nis-in-education…
[This might be useful for SPARTA T9.2 and perhaps for T9.3. We should
try and be consistent with the ENISA templates if possible?]
= EHR4CYBER =
The afternoon was dedicated to the EHR4CYBER Workshop. The EHR4CYBER
task force aims at producing a body of knowledge and skills to enable
setting up education and training programs, and to verify skills in
programs.
The related initiatives are:
- US NICE Framework
- Australian approach
- Cybok
- CEN e-CF (http://ecompetences.eu/wp-content/uploads/2014/02/European-e-Competence-Fra…)
- ENISA work on education mapping
[These documents might be of interest for T9.1, but also T9.2 and T9.3]
To define a minimum skill set for cybersecurity: the European Digital
Competence Framework (developed by GRC).
The goal could be to define EU-wide minimum curricula for
cybersecurity with 3 different levels:
- secondary vocational
- bachelor
- master
=> but we should still leave room for the different specialisations
of universities and training centers
== Word from the pilots ==
ECHO, Sparta and Concordia were represented at the meeting. We were
asked to present our position.
For Sparta, I presented the different work packages and a high-level
description of our goals in WP9. One immediate feedback was an
invitation not to neglect existing documents (from ECSO, ENISA and
other reports).
Concerning education and training, Concordia is working on CyberRanges
and aims at building a European ecosystem for cybersecurity. Here are
some points: their target is not only technical people. Currently, they
have a map with the courses handled by Concordians. They are also trying
to gather what is needed on the market, to then develop micro masters
aimed at professionals. One of Concordia's partners is TUV, a
certification body. Finally, they plan to teach the teachers.
Regarding ECHO, they only focus on 4 sectors. Their planned
methodology is the following:
- Work from what we want to have, and then build
- Focus on hands-on training (cyberranges)
- Work on the methodology of training
- Mix F2F training and online courses
A recurring question during the workshop was to know how ECSO can work
with the pilots to avoid doing the same tasks four times. ECSO would
like to assume the role of coordinator layer between the pilots and
the commission. We should especially focus on what ECSO can
disseminate.
[This is why I proposed we ask the coordination level of SPARTA how we
will work with the other pilots on education and training.]
The four pilots were also asked to produce a short document
describing the tasks and the deliverables to share with ECSO and the
other pilots. [This was discussed at the WP9 Steering Committee on
Friday June 24th]
[For T9.1], we were invited to try and not reinvent the wheel. That is
why it might be useful to consider existing frameworks such as e-CF.
== Word from (ISC)2 ==
(ISC)2 was represented by Yves Le Roux, who presented their
certifications [which should be an input for T9.3 of SPARTA I guess]:
- SSCP is the basis
- CISSP is the well known certification
- 3 specializations (Engineering, Architecture and Management) on
top of CISSP
- a Healthcare-specific certification
- CCSP: a cloud certification with a lot of legal stuff (it was
done with the Cloud Security Alliance, CSA)
For CISSP, 5 years of experience are required, but it is possible to
obtain the qualification first and then work to gain the required
experience.
(ISC)2 also presented their charitable arm, the Center for Cyber Safety
and Education, aimed at teaching the teachers (the material is based on
the comic strip Garfield).
Finally, there exists a mapping between (ISC)2 certifications and the
NICE framework. We should be able to get it when (ISC)2 shares it with
ECSO.
== Miscellaneous and wrap-up ==
On a related note, the UK has launched its National Cyber Security
Centre, which delivers the CCP, to certify people on 4 different job
titles.
Finally, there seems to be an interesting document to read: ENISA
Stock Taking, which describes the gap between trainings and needs from
the industry. It is available here:
https://www.enisa.europa.eu/publications/stock-taking-of-information-securi…
The next deliverable for ECSO WG5 is a standard EU-wide minimum
curriculum for information/cyber security on different EQF
levels. This curriculum will however allow universities and training
centers to keep their specializations.