The Duck of Minerva

Leveling Cybersecurity Challenges with Graduate U.S. Public Policy Programs

21 March 2022

In December of 2020, the U.S. government announced that hackers – most likely from Russia’s military intelligence agency, the GRU – had compromised over two hundred companies and federal agencies.

What sets the SolarWinds attack apart from previous incidents is its sheer scale. The company has over 300,000 customers worldwide, according to filings made to the U.S. Securities and Exchange Commission… Targeted institutions include the U.S. departments of Defense, Homeland Security, State, Energy, and the Treasury; all five branches of the U.S. military; the National Nuclear Security Administration, and 425 of the Fortune 500 companies, including Cisco, Equifax, MasterCard, and Microsoft. There have been other major cyberattacks in the past, but none has achieved this kind of penetration. By compromising powerful governments and businesses, including some of the most successful technology companies, the SolarWinds exploit shatters the illusion of information security.

Hackers, whether working for private interests or foreign governments, have long targeted U.S. government agencies. In 2018, for example, the number of attempted hacks of Department of Defense networks reportedly topped 36 million. Cybersecurity in the private sector also implicates many different public policy concerns, including energy, finance, health, technology, and trade.

One might therefore expect that public-policy degree programs would make sure to offer concentrations in cybersecurity issues.

This is not the case. I looked at the U.S. News and World Reports’ top 10 MPP and MPA schools  to see which of them offer cybersecurity programs. As you can see in Figures 1 and 2, the answer is “not very many.”

Figure 1: MPP Programs

1The schools are ranked in sequential order by U.S. News.
These schools have separate policy degree programs housed in the school’s public policy department that specifically concentrate on computational analysis or analytics. The University of Chicago has a degree in Computational Analysis and Public Policy and Carnegie Mellon University has a degree in Public Policy and Management: Data Analytics. * 

Figure 2: MPA Progams

1The schools are ranked in sequential order by U.S. News.
9 These schools are tied in the U.S. News ranking.
This school has a separate degree program for science, technology, and environmental policy (MS-STEP)*

As best I can determine, most cybersecurity “white papers” and policy reports ignore the failure of many policy schools to adequately prepare their students to understand the subject. This is a real problem, since these schools provide an important pipeline into government service and professional policy analysis; they also provide important mid-career training for civil servants.

There are initiatives that seek to better integrate cybersecurity into policy schools. For example, Johns Hopkins University’s School of Advanced International Studies recently announced the creations of the Alperovitch Institute for Cybersecurity Studies, named after its major patron, Dmitri Alperovitch, the co-founder of the cybersecurity firm Crowdstrike. Indeed, Alperovitch recently argued that leaders need to think about cybersecurity issues within the context of geopolitics, rather than treating the two arenas as separate silos.

Still, it’s telling that none of the essays in the recent Foreign Affairs issue on cybersecurity – including Apleprovitch’s – specifically address the need for cybersecurity programs in the field of public policy.

Better integrating cyber, including as areas of concentrations, into MPP and MPA programs would be an important step toward enhancing public and private sector cybersecurity.