EURIM – IPPR E-Crime Study
Partnership Policing for the Information Society |
Draft Document For Discussion:
|
Working Paper 5: V0.4
Growing the Necessary Skills
|
|
The Issues |
|
|
|
If the opportunities for e-crime are to be reduced, and instances of e-crime prosecuted effectively, large numbers of people will have to become more knowledgeable in a variety of skills. These will range from in-depth capabilities in the investigation of e-crime to an understanding of how to secure information systems against perceived threats. The need for people to have a greater knowledge of specific information security skills appropriate to their responsibilities and jobs is addressed in the paper on Reducing Opportunities for E-crime. This paper focuses on the need to grow the skills necessary across law enforcement and industry to tackle e-crime. However, many of the recommendations made in this paper on how to achieve this will help meet the wider training needs outlined in the other paper.

Industry and law enforcement both need similar skills to tackle effectively crimes involving computers and the Internet. Currently significant investment is being made in creating and running courses in particular skills for law enforcement agencies. In parallel there are commercial training operations and academic institutions running courses in similar skills for industry. It is not clear what remit the new Skills Councils will have in this area.

There is currently little contact between the various skills providers in this area, nor is there any common agreement on the sets of skills (particularly those at the higher levels) for which training would be most beneficial or on the mutual recognition of credible accreditation and certification processes. Common understanding of the required sets of skills, sharing of the costs of creating and providing appropriate training and recognition of commonly accepted accreditation and certification processes could cut costs and also encourage further sharing of resources and information between the different constituencies. Questions might include:
|
|
|
1. Who needs what skills? Security personnel through investigation to forensics? Users through law enforcement to expert witnesses? What are the priority skills that need to be developed first?
2. What are the current/planned frameworks (UK/EU or International) for defining the skills needed by whom?
3. How can training in the necessary skills best be given by whom to which groups? What evidence of the competence and/or probity of those providing the training is needed? How can this be provided and by whom?
4. What qualifications should be acquired by those with particular skills – and who should set the criteria for experience, training, etc. required for qualifications recognised by whom?
5. Who is expected to pay, via which channels, for the development, delivery and certification of the courses, materials and assessment of competence/experience needed to ensure that the skills can indeed be available when and where needed?
6. Who needs what motivation to ensure that the necessary skills are indeed provided to those who need them?
|
|
|
Given that the definition and certification of skillsets, let alone the development and delivery of courses to develop skills, are expensive processes that take a long time to establish, with responsibility split across many organizational boundaries even when the new sector skills councils come into being, the likely answers lead to three further questions: |
|
|
|
7. How do we create practical co-operation in bringing together the skill-set components and assessment methods which already exist to meet needs which might be addressed through any of the existing or planned frameworks, or a mix, national or international?
8. How should the process be funded?
9. How do we decide the priorities for this work across all parties?
|
|
|
|
|
|
Approach |
|
|
|
There is currently little contact between the various skills providers, nor is there any common agreement on the sets of skills (particularly those at the higher levels) for which training would be most beneficial. Common understanding of the required sets of skills and sharing of the costs of creating and providing appropriate training could cut costs and also encourage further sharing of resources and information between the different constituencies. |
|
|
|
Potential Quick Win |
|
|
|
That a co-ordinating group be set up with representation from the key public (e.g. Centrex) and private (e.g. Cranfield University (RMCS), Skills Councils, training providers) sector agencies to agree priorities and to agree where there is advantage in sharing resources and materials.
|
|
|
There are currently no widely recognised qualifications for investigators, computer forensic experts and the like. If there is to be trust and sharing between people with these skills across the public and private sectors, and possibly internationally, there would be real benefit in having qualifications that are universally acknowledged. There may be advantage in developing a baseline set of criteria for specific disciplines, possibly at different levels of competence within each, against which knowledge and experience can be measured. A balance needs to be struck between the introduction of formal qualifications, which will take time both to define and to introduce and may be a long-term goal, and the need for measures of practitioner competence to meet the needs for mutual trust and/or admissibility of evidence. It may well be that at least some of the latter can be organised rather more rapidly. The list below gives some idea of the complexity of this issue, with specific organisations identified as examples in particular areas where appropriate. Note that there are bodies, particularly in the private sector, that cover more than one area. |
|
|
|
Skills Sets |
|
|
|
Lead Investigator, Prosecutor, Expert Witness, Security staff and consultants: from protection to investigation, Product Designer, Service Designer, Network Designer, System/Network Administrators, Support/Maintenance, End-users, etc. |
|
|
|
|
|
|
|
Criminal Justice, Law Enforcement, Security, E-Skills, SEMTA, Skillset, etc.
|
|
|
EU/International Skills Frameworks |
|
|
|
Legal, Security, ICT, Comms etc |
|
|
|
Certification Bodies |
|
|
|
Accrediting the course material, trainers, qualifications, etc provided by academic, professional, technical, proprietary or public bodies that purport to support particular skills or competencies, etc. Examples include: BCS, IEE, IMIS, IRCA, Skills Councils, ICAF, etc. |
|
|
|
Qualifications |
|
|
|
Awarding qualifications that may be statutory, voluntary, exam-based, course-based, competence or experience based, etc. Examples include: BCS, IEE, IMIS, COMPTIA, City & Guilds, product suppliers (Microsoft, CISCO, Oracle, etc.), universities & colleges, ISACA, (ISC)², etc.
|
|
|
Developers |
|
|
|
Development of certification and qualification frameworks, of courses, materials and assessment routines (inc. for experience). Examples include: BCS, IEE, IMIS, COMPTIA, City & Guilds, product suppliers (Microsoft, CISCO, Oracle, etc.), universities & colleges, (ISC)², ISACA, LINX, etc.
|
|
|
Delivery Providers |
|
|
|
Delivery including course and certification fees and materials, time and access (whether travel and subsistence or network and local support). Examples include: Pearson, Learning Tree, Parity, Knowledgepool, universities & colleges, Insight Consulting, etc. |
|
|
|
Funding Agencies & Budget Holders |
|
|
|
Public Sector:
· Central Government Departments: Justice, Legal and other investigatory agencies: CPS, HSE, FSA, IR, Police, DWP, TSOs, etc.
· Security Services
· Local Government and Agencies

Private Sector:
· Suppliers: Telcos, ISPs, S/ware, h/ware, support, etc.
· Users: inc. Banks, E-tailers, Schools, etc.
· Law firms and consultants, etc.
· Individuals, including teachers, parents, SMEs, etc.
|
|
Defining Skill Sets |
||
|
There is no commonly agreed definition of the sets of skills that are required, or of the level of knowledge required by each. In truth, there is not likely to be one universal set of agreed definitions, but a list of specific competencies that together enable individuals to perform particular types of task. NSLEC has established a set of competencies that could be used as a basis for ongoing discussion. There are also commercial trainers who provide appropriate courses and who could contribute to the discussion. Agreement to definitions of competencies may be a by-product of work on accreditation and certification since that process requires criteria that can be used in the certification process for individuals, and the accreditation process for providers. |
||
|
||
|
Vocational Education and Training within the

The process of consultation over the skills needed to address E-Crime should be used to expedite the creation of effective operational routines with regard to the relevant cross-sector skill sets, building on the work already being done in preparation for the new Councils. It should also be used to clarify thinking with regard to the funding needed and, importantly, the channels through which it should flow, to reduce the risk of waste and duplication.

The products, services and networks which need to be understood by those involved in the fight against e-crime were commonly developed for international use and action often requires international co-operation. There is therefore also a need to progress debate on how the relevant

There appear to be at least five current or planned sector skills councils with remits related to parts of the E-Crime Agenda:
||
|
· Criminal Justice - taking over from the Police National Training Organisation and the various bodies concerned with all parts of the public sector side of the Criminal Justice systems, including CPS, Prison Service et al.
· Security - which covers the private sector side of prevention, investigation and detection.
· E-Skills - which covers information systems development, service and user skills with regard to computing and communications.
· SEMTA - which covers science and engineering, including the manufacture of computing and communications equipment.
· Skillset - which covers multi-media skills, including the image processing and manipulation which is forming an increasing part of modern digital evidence.
||
|
The next question is not “which skill sets or employers should belong to which Skills Councils?” but “how should they work together to bring together the skill-set components and assessment methods which they already have in order to meet needs which might be addressed through any one of them, or any mix?”. There is unlikely to be one universally valid answer and the best way forward is probably to see what works in practice, beginning with areas which clearly cut across boundaries and where proprietary positions have not yet been taken up, e.g. “Lead Investigator” (where the needs of law enforcement, of those working for the defence and of the commercial sector overlap but are not identical) and Mobile Phone Forensics (where law enforcement and the mobile phone operators have, so far, taken different approaches). |
||
Certification, Accreditation and Qualifications |
||
|
There is a need to distinguish those bodies that accredit courses, training providers and qualifications against publicly accepted criteria from those that award individuals with accredited certificates or other forms of qualification that demonstrate a level of competence and/or knowledge. Accreditation is essential if there is to be universal acceptance of the quality of training and qualifications – although there are qualifications that are universally accepted on the basis of the reputation of the controlling body (such as ISACA). Only with formal accreditation are qualifications likely to be seen as having worth. It can also ensure that standards, once achieved, are maintained. Equally, some qualifications will require robust CPD programmes to ensure those with the qualification maintain their competence over time. One of the tasks of the Skills Councils could be to rationalise the jungle of qualifications currently confusing employers, observers and students. There is a similar tangle of “clubs” cited by witnesses to bolster their claims to expertise. The process of consultation over E-Crime skills issues should identify those relevant and what they bring to the party. As an immediate action we should seek to build and populate a sample grid to illustrate the potential, cross-referencing those expected to develop and pay for relevant courses, materials and assessment routines. The types of entry might therefore include: |
||
|
· Government Agencies and Certification “Authorities” with roles in this area: e.g. skills councils, curriculum and qualification bodies, professional institutions.
· Course and Qualifications developers (sectorial, professional, not-for-profit or commercial) with relevant exams, certifications, CPD programmes or registration programmes (and their relevant qualifications, programmes and areas of expertise) e.g. BCS/ISEB, C&G, CISCO, CENTREX, CMA/ICAF, COMPTIA, Council for the Registration of Forensic Practitioners, ICSS/CISSP, IEE, ISACA, LINX, Microsoft, Mobile Telephone Examination Board, OCR.
· Current delivery providers (and their relevant roles, qualifications, programmes and areas of expertise) e.g. Academy, Cranfield, DataSec, Greenwich, Learning Tree, Open University, Royal Holloway, Shrivenham, Westminster, Whirlpool, NSLEC - particularly those concerned with basic forensics or evidence preservation for tens of thousands of policemen or network administrators to higher level skills for the low hundreds of experts.
||
Who pays? |
||
|
The production of skills frameworks, let alone the development and accreditation of courses and qualifications, is delayed and complicated by a common assumption that the definition of skills needs will be done by employer representatives, for free. Few employers have the skills required. Those with the skills rarely understand the needs. Meanwhile it is rare that anyone has a budget for the professional market research that is needed. But without such research most exercises fail, producing reports with little relation to that for which employers or students will pay and thus the training that is actually delivered. There is a need for clarity as to who is responsible for funding the organisational frameworks and the research needed to produce definitions and forecasts, using the experience to date of what does and does not work. Related to this is the need to discuss the means of aggregating and allocating the necessary budgets to develop qualifications, courses and materials to meet common needs - given that the law enforcement side is almost entirely publicly funded.
||
|
Finally come the issues of paying for the delivery of the training and the incentive (return on investment, job change, promotion etc.) to those paying, in time as well as money. Currently training providers invest only in markets where there is measurable demand for specific skills training or where such training is funded by sectorial interests – such as with NSLEC for law enforcement or within financial services. Debate on funding structures, let alone levels, must involve those who control decisions and budgets and are tied in to their timescales, needs and priorities. Recommendations are needed on:
||
|
· which public sector decision takers and budget holders in which central government departments (including Treasury) need to be involved and addressed, on which priority issues and with which arguments (names, titles, responsibilities and e-mails where possible),
· which private decision takers and budget holders in which private sector organisations that are respected as thought-leaders need to be involved and addressed, on which priority issues and with which arguments (names, titles, responsibilities and e-mails where possible),
||
Conclusion |
||
|
There is a danger that the sheer scope and complexity of the task facing both government and industry in growing the necessary skills to combat e-crime will overwhelm those involved. It is imperative that the key players get together to decide on the priority areas and how they will be tackled. The Internet Crime Forum has already started on this task with an emphasis on the needs of law enforcement – this work being supported by the NHTCU. However, there has, to date, been little active participation by industry – either those providing training or those requiring appropriate skills. It is, therefore, recommended that an informal co-ordinating group, possibly based on the ICF Training Subgroup, be established to provide a focus in this area. |
||
|
© Copyright EURIM 2003 |