CyberWire Daily - Exploring Cyber Security Education [Special Edition]

Episode Date: October 28, 2016

In this CyberWire Podcast Special Edition, we examine the current state of cyber security education, speak to experts in the field, and learn about what it’s going to take to prepare the next generation of cyber security professionals.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. I want to know what's behind the computer, not just like, you know, typing stuff and seeing what I see. I want to know what is behind in there. I want to see what I can do to protect it. It's no secret that cybersecurity is a hot field, with many more jobs available than qualified workers. So what's the best way to become one of those qualified workers?
Starting point is 00:01:01 In this CyberWire Special Edition, we look at some of the available options in cybersecurity education. We speak to the people who are teaching and designing the classes, and examine the creative ways people are trying to prepare the next generation of cybersecurity professionals. We saw this rising tide in the 80s, and then it just totally dropped off. That's Baker Franke. He's curriculum developer for Code.org. And there was this huge panic at the university level and in education in general. Students stopped majoring in computer science. Computer science enrollments were on the decline. Students were saying that computer science wasn't relevant or interesting
Starting point is 00:01:50 or boring. Code.org was launched in 2013. They describe themselves as being a non-profit dedicated to expanding access to computer science and increasing participation by women and underrepresented students of color. They're probably best known for their annual Hour of Code events, but a large part of their mission is advocating that school districts adopt computer science classes at every level. Our mission is to get high-quality computer science taught in every school in the United States, and we do mean like capital C, capital S, computer science, because the real key to unlocking the technology gap
Starting point is 00:02:27 is for students to learn something about computer science, stop being consumers of technology and start being producers. Part of the reason that computer science doesn't exist in schools is because it can be a turf war issue. It can be the sense that there is a sort of zero sum game afoot. When our outreach team goes into school districts, they'll say, OK, if we're going to add computer science, which sounds great, what are we going to lose? You have to be real about what those costs are. Schools have limited budgets for new programs, of course, but they also have limited amounts
Starting point is 00:02:55 of time in the day with their students. Even for schools that recognize the importance of teaching computer science, it's often a matter of figuring out where in an already packed schedule these classes can go. But Franke is convinced that exposing kids to these skills is critical for their development in the modern world. Thinking computationally is such a crucial way of understanding the world now that you are going to be thinking computationally in math class. You're going to be thinking computationally in history, in English, in science, in art, in music. Really, I think to get people to recognize that we live in the 21st century and our school system still largely exists on a model developed by John Dewey to deal with the effects of the industrial revolution. When I go back and read John Dewey's
Starting point is 00:03:44 writings at the time, you can almost take his writings, replace the word industrial with technological, and it's like the current state that we're in. The world has changed as a result of computing, the internet, and computation in such a lasting and profound way that it also needs to profoundly affect education. In the early days of home computing, you sat down to a command line and the machine patiently waited for you to tell it what to do. The trend with computing devices today, and specifically mobile devices, is to hide the inner workings of the machine and present the user with a set of tools
Starting point is 00:04:19 that don't require them to know about things like the file system and the underlying structure of the OS. In our curricula, in our high school curricula, I'm very interested in having people understand that a computer isn't magic. It's just a machine. In fact, it's a machine that was made by people. And those people made decisions historically for particular reasons. And there are good reasons, and there are logical reasons. But unless you can either intuit what those reasons were, or you can learn what they are, you're never going to be empowered as a programmer. So there's going to be no end to the amount of abstraction that operating systems put in front of us to make it more easy and convenient and hide the inner workings because that makes it ultimately more useful and more efficient to use. But I think in education, we're going to see more and better learning about computers and how they work underneath the hood so that you do have some foothold into what, you know, iOS is actually doing. As an educator, when I think about cybersecurity, I'm thinking about where is computer science's place in our educational canon?
Starting point is 00:05:24 And is it important enough that we kind of change everything? Every single person deserves computer science education. It is not a subject for a certain elite. It is not a subject that you get to after you've learned some sort of high level mathematics or anything else. Everybody needs it and to understand it from an early age on through school. So what about higher education? For someone interested in a career in cybersecurity, what's the best path for proper training and preparation? We spoke with a number of experts, instructors, and college professors and visited a few learning institutions in our own backyard to get a sense for what's available. When you look at bachelor's
Starting point is 00:06:10 and master's degrees, they're usually positioned to help introduce you into academia and pursue something like a PhD, writing, researching, answering questions. Robert M. Lee is CEO of Dragos Incorporated, and he teaches cyber threat intelligence and ICS SCADA active defense courses for the SANS Institute, as well as being an adjunct professor at Utica College in their Masters of Cybersecurity program. Even in terms of hard skills that you're developing, it's more about the research component more so than becoming a tradesman. And right now there's the need by some to get a master's degree just to check that box, whether it be for their career or really just getting hired for jobs. And at the same time, they want to get skills. So I'm starting to see a lot
Starting point is 00:06:59 of cybersecurity programs spin up at colleges that don't have the expertise to go down that path. And so they're teaching things that are fundamentally wrong. And at the same time, they've still got to bridge that gap between academia and trade skills. And it's sort of doing a poor job at both. Now, the optimistic side of this is on the training side, when we start seeing training classes pop up, it's less and less now about a specific tool. Where I would say, historically, we saw training classes of just a single tool. And now we're starting to see mindsets and tradecraft and defensive patterns. And there tends to be a forming community where we're getting better and better people in the community and better trained. And I think it's great to learn those tools and certainly that will make you very much in demand
Starting point is 00:07:50 when you graduate. That's Jonathan Katz. He's a professor of computer science at the University of Maryland and director of the Maryland Cyber Security Center. He's also a regular contributor to the Cyber Wire. But those tools are constantly changing and if you learn a tool now it may be out of date a year from now. And so what we really try to do from an educational point of view is to teach students the fundamentals that will basically last them for their entire careers. Matthew Green is a well-known security researcher, and he teaches cryptography at Johns Hopkins University. You know, I focus a lot, obviously, on information security. So one of the things that kills me is that we don't teach more information security in undergraduate colleges. We have kids, you know, and I say kids because they really are kids now that I look back, now that I'm old, coming out of school and going
Starting point is 00:08:34 right into jobs at, you know, big companies, Silicon Valley, and learning on the job security and making mistakes along the way. And I wish that wasn't happening. So, you know, while I think we're doing a fairly good job at teaching them how to build things, we're not teaching them enough how to break things. And as a result, they're not paranoid enough. And I think that lack of paranoia is hurting us in this field. So I think, first of all, it's important for everybody majoring in computer science to have a basic understanding of cybersecurity, because when they get out there, they're going to need to know how to write secure software. That's one of the fundamental problems we have right now is that very much we're in a state
Starting point is 00:09:07 where we're reacting to cybersecurity threats rather than building things securely to begin with. So one of the things we try to do is to prepare all of our computer science students to at least have a minimal knowledge of cybersecurity so that they can build things in a proper way. Then you have the students who actually want to focus in their careers on cybersecurity in particular. And for those, they might take more advanced classes in cryptography or in computer security or even specific domains within computer security. You know, good universities do gravitate to being able to pull in the industry leaders. The problem is sort of the business of universities has spawned up a ton of other degrees.
Starting point is 00:09:45 And there is that velocity problem that if, and I don't want to throw any university under the bus, but let's say a mid-sized university or college in Arizona that hasn't been able to attract the cybersecurity talent. It's not in any of the sort of hubs that we see cybersecurity talent like Silicon Valley or Maryland or around Lackland Air Force Base in San Antonio. We don't see that maybe in that location in Arizona. They're having a hard time pulling the talent that can teach the right things, and they want to be able to scale up that program very quickly and aren't able to do so. Now, this has been complemented a little bit in academia by adjuncts. So what some universities are doing, like Utica College does very well at this as an example, is they hire adjunct professors to come in and teach. It's basically part-time instructors that are by day working in the field that they're instructing, and then by night being able to teach the next generation. I think that is a more practical approach. The problem is,
Starting point is 00:10:42 of course, with adjuncts that it's not as well respected, it doesn't pay the same, and there's always problems around sort of culture shifts in academia to having basically part-time workers when academia itself is meant to be a profession. But I do think there's a balance. I think there needs to be university programs that have bachelor's and master's degrees for thought processes and methodologies where tools are just used as samples. And that's one of the reasons I still teach at Utica, because they do that. Then I think that there's an expectation of cyber journeyman trade school programs, which could absolutely take kids that are in high school that don't want to stick around to do physics and algebra. And even though I'm biased and say that
Starting point is 00:11:32 that's really important, maybe they would have a lot more fun and be much more productive if they were just allowed to focus on what they wanted to and develop those skills under the guidance of somebody who is a master level. And the same way, there's still a big need for five-day training classes, one, two, five-day training classes, whether it be Black Hat style of training or SANS Institute, and looking at taking people who have skills or at one stage in their career and propelling them forward, where for five days they sort of get a kickstart or they sharpen some skills they've been using for quite some time. They do network design, implementation, and administration of network, cloud computing, virtualization, firewall, access controls,
Starting point is 00:12:20 intrusion detection systems, DMZs, vulnerability assessment, and penetration tests. They do all of this. That's Mengisto Ayane. He's one of the heads of the cybersecurity department at Howard Community College and one of their course designers. The students who are coming, the majority of which constitute our cybersecurity students, are people who are basically coming from no background.
Starting point is 00:12:42 They don't have networking background, no fundamentals. And so that's one of the things I obviously tried to cater for when I was redeveloping the course at first, how to kind of bring them up to speed with what we expect as a starting point. Howard Community College, or HCC, is a community college in Columbia, Maryland. It serves about 10,000 undergrads and degree programs. Being close to Fort Meade and the federal government, HCC sees a growing
Starting point is 00:13:11 demand for cybersecurity education. Most of the students, I think, attending school are still finding themselves. That's Sung Lee. He's director of student computer support at Howard Community College. You know, what do I major in? What do I like? And, you know, you're still kind of evaluating what you have to do. And so the first year and a half, you're like going from class to different class, changing majors. And in a community college, you can do that. But at the same time, you can find yourself very easily because it's very small. And that's the great thing about it. I think once you have that community and you have the students working together, once you have that friendship and network, community college is a bargain because you can transfer that credit. You can actually take
Starting point is 00:13:54 whatever you've learned here, the credits that you get, and then transfer over to a four-year and then finish your school. Being a community college, HCC serves a variety of students coming from all walks of life. Right now, the students that are taking my course, most of them are just traditional students. I know one student that I've spoken to, he's only taking two classes at our community college because he has a job. So he found a job that allowed him to do nothing cyber-wise but to get paid. And then I have two students that's getting into the program, and then one student that is under the VA bill, basically. So he was in the military, and he's actually taking this course.
Starting point is 00:14:37 I think as they progress on, hopefully, as they finish the program, because it's a 100-level course, that they'll have more interest. In the second year, I think they'll be on, they'll have more of, more concise what they want to do within the cyber. Do they want to be just a system administrator or a network administrator or a cyber analyst? Like from here, I'm also applying for the NSA cyber summer program. Aha Raza is a student studying cybersecurity at HCC. And I feel like I am eligible to do that because the information that they provided, the job description, I know that stuff. So of course, they are not only focusing on, as I told you, not only focusing on theory, we have like the labs and hands-on knowledge as well. So they see what is the demand
Starting point is 00:15:22 in the market. So based on that, they decide their actually courses and everything. So when they basically leave, they are equipped with a lot of this concept. It doesn't mean that they are, you know, kind of senior in terms of the position they are seeking, but for entry level jobs such as t1, you know, system administrator, network administrator with security in place, they could, you know, actually do jobs such as network traffic analysts, network monitoring analysts, and, you know, all these areas. Most of the students that we have currently actually are working in higher positions. We have students who are working in system administration, designing a system
Starting point is 00:16:06 based on Linux, based on Windows servers. We have students who are managing a whole network who have graduated from Howard Community College. What we are actually giving them the fundamentals as a very good springboard for them to even understand higher level and more complex system administration tasks. So it's not just help desk. They also could do a lot more. I think that is what we have to be proud of. UMBC is very much a technology-focused university. They always have been very innovative. UMBC stands for University of Maryland-Baltimore County. It's a public research university, about 14,000 students, located about 10 minutes south of Baltimore.
Starting point is 00:16:54 UMBC Training Centers was formed in 2000, and it was formed for the purpose of being able to provide workforce-focused training and certifications for incumbent workers. That's Homer Minnick III. He's the director of the Cybersecurity Academy at UMBC Training Centers. So what we really provide are a combination of either vendor certification courses or custom-developed content. A client, again, I'm focused heavily on Department of Defense, so I'll name no specific clients,
Starting point is 00:17:30 but an Army element that has had a critical need for people who can do software development in the cyberspace. The nation as a whole is not producing enough people that have the computer science background, and the numbers of those that DOD can get their hands on is an even smaller percentage of that. So it's just none of those things have worked out. We were able to partner with this Army organization to say, tell us exactly what types of skills you need, work with their subject matter experts.
Starting point is 00:18:01 And effectively what we have done is looked at what is the meat of a computer science degree, strip away all the electives, strip away all the humanities, all of the, you know, everything else that's not solely focused on computer science, take that and develop curriculum that can provide that in an accelerated format, and the way that we are achieving success with this, given that it's an accelerated program, is the program is built to have a huge amount of hands-on practical exercise. So a typical course could be a semester-long course. In our case, it's a two-week-long course. And it is, you know, the mornings from eight to noon are lecture and instructor-led demo and getting shown how to do it. Every afternoon from noon to four is lab, so it's
Starting point is 00:18:55 practical exercise, four hours, or really three and a half hours' worth with a lunch break in there, of what they learned just that morning. Each course has graded exercises, one per week. Everything that a software engineer or software developer in an organization is going to be expected to do, these guys are expected to do. We're just doing it in a more rapid fashion. If you look at across the whole program, they're getting more than 50% of the time spent on just writing code. They build a portfolio throughout. So those projects that they create build a portfolio that is then used because these soldiers have to go and interview for their jobs.
Starting point is 00:19:36 So the same as a contractor would, the same as a civilian would. They have to go interview and prove that they can do what they say they can do. They have the portfolio to show their actual work, their actual code to that manager of that section. With so many unfilled job positions in cybersecurity, there's a huge demand for getting people trained quickly. That, according to Minnick, is leading to some creative thinking and the exploration of educational
Starting point is 00:20:03 paths that aren't typically associated with high-tech careers. It's interesting that there's a lot of discussion right now around apprenticeship within the field of cybersecurity. Not only in a little a apprenticeship, internship, fellowship, call it what you will, but actually the development of a big A registered apprenticeship that produces a cybersecurity person with a credential that is able to perform certain functions, much along the lines of a plumber, an electrician, a welder, HVAC, something like that. The skills that they're able to perform and have demonstrated are codified. Our vision is that cybersecurity should be seen as not just technical, but interdisciplinary.
Starting point is 00:21:01 Misha Kukie is director of the ACES program at the University of Maryland. He's also associate director for education for the Maryland Cybersecurity Center. I'm director of ACES, which is one of the honors program and is the first and for now only honors program in cybersecurity in the country. We have seven different honors program and ACES, which stands for Advanced Cybersecurity Experience for Students, is the seventh, which was established in 2012. The University of Maryland is a big state school with about 38,000 students, and they offer traditional computer science degrees, including a specialization in cybersecurity.
Starting point is 00:21:42 This ACES honors program is brand new and takes an innovative approach. The Honors Program, its philosophy is not to be part of the college, of a specific college. It's part of the undergraduate studies college. And so that the students who are part of ACES are students with different backgrounds from all different majors. So we do have computer scientists, but we have computer engineers, other type of engineering majors. We have students in criminology, in psychology, in business, in math, even a student in music. And the idea and the originality of the program is that we don't award a degree in cybersecurity, but we award a citation from the Honors College in cybersecurity after two years for the students.
Starting point is 00:22:32 So it's a two-year program where students work together and live together. And then after two years, they can decide whether they want to continue. And at that point, they join the minor in cybersecurity also offered by the Honors College. And they continue for another two years so that they get a minor in cybersecurity through ACES.
Starting point is 00:22:51 One of the innovations here, one of the things that they're trying, is that many of the students in the cybersecurity honors program aren't computer science majors. And that's intentional. It's by design. We don't want the students to change majors. What we want to do is to attract students into the field and see how they can contribute to the field. So let me give you two examples. One is the woman who had really no knowledge, prior knowledge on cybersecurity, was surprised that she was invited to join ACES. Stayed for two years, so she only did the living and learning program, got her citation,
Starting point is 00:23:31 got interested in cybersecurity, got us interested in the policy aspect. So she's a major in mathematics. And so now she is involved with the FBI working on cybersecurity issues. So that's an example of someone who would not have really engaged or been in the field who keeps a major in mathematics, but is still contributing to national security because she has been through ACES. Another student right now is a major in music. So that's probably a very surprising major if you want for someone who might touch cybersecurity.
Starting point is 00:24:14 So it's a similar story, no prior background, and was interested and has a way of very carefully analyzing things and being able to really synthesize things at a very precise level, and has done an internship at NSA. NSA, of course, would not have considered usually a student if you come as a music major. But that's another success story, that a student stays involved with NSA on the research part. The ACES program is a collaboration with industry partners too. It started with a major gift from Northrop Grumman, $1.1 million. What the companies have
Starting point is 00:24:55 found is that because these are the best students on campus and they're interested in cyber security, de facto you have there the best students in cybersecurity in the region. And so companies are really supporting the program because they'd like to reach out to the students. On our side, it's something that provides a huge plus to the program because by engaging these field experts, students have access to experts much earlier than they usually would have had. So these students are really taking a leading role in cybersecurity and will get involved in many different activities. And they work together and live together and take several classes through ACES. Our goal is for the students to become leaders in cybersecurity.
Starting point is 00:25:49 So we're not looking at students of being able just to implement a firewall or improve a firewall or just do some coding. We really want them to have a broad horizon of cybersecurity so that they become the leaders of tomorrow. We spend a lot of time kind of professionally counseling executives. Of course, career education doesn't end when you get your first job or even when you reach the C-suite. Joyce Bataglia is CEO of Alta Associates, an executive search firm specializing in cybersecurity. So many times people come to me and say, hey, you know, I want a seat on the board.
Starting point is 00:26:26 And I say, well, that's great, but you really don't have any table manners yet. And this is what you need to do. You know, so a lot of information security people all of a sudden feel, hey, you know, I think I could have a seat on the board. But they really have never had P&L responsibility. They've never had governance responsibility. They don't understand, you know, the broader aspects of what it takes to actually, you know, not be considered by the board as a one-trick pony and what kinds of things they may have to do in their own career
Starting point is 00:26:54 to broaden their perspective and to make themselves more attractive to those kinds of roles. So, you know, I think that, look, we've been in security for 20 years, as long as security has existed, and I have seen the evolution of the role of the CISO, and I continue to see these folks are, you know, either presenting to the board or working with the regulators or, you know, some type of outside third-party regulatory establishment. And, you know, they really have to understand a much, much broader and more comprehensive area than the old days of just being deep and technical. You will find that this career field has a very, very low unemployment rate. That's Robert M. Lee.
Starting point is 00:27:56 I've heard people say zero unemployment rate. That's not true. There's a lot of people that do look for jobs. My common advice to folks that are just starting out is, number one, try to figure out what interests them most. And this may change a dozen times, and that's okay. But what aspect of the field do you care most about? Because cybersecurity itself is a wide-ranging topic. Do you really like digital forensics? And if it's digital forensics, do you like network forensics, host forensics, Mac forensics? Whatever it might be.
Starting point is 00:28:24 Are you penetration testing inclined? Okay, well, do you want to pen test web applications? Do you want to pen test the enterprise? So figuring out right from the beginning what sounds most exciting to you, focusing one thing at a time, and then taking advantage of all the free and online resources. I generally don't recommend people who aren't already employed to look for academic classes or training classes to teach them skills. There are so many free resources to get started. And the reason I push that is when you use the free resources and sort of test out your own skills, first of all, you'll make sure that you're in the right approach. Maybe you're a pen test and you find out that man, forensics is really cool.
Starting point is 00:29:10 And so that you can pivot before you make financial investments. And the other aspect is when you finally do make the financial investment or have a job send you somewhere, you're going to be able to take much more out of the class. When I get new people in class, they leave knowing something more than they came in with. When I get experienced people, though, they know how to ask the right questions to really push them farther. So the more you know coming in, the more you're going to get out of structured learning. Me, if you look at my office, you know, my master's degree, bachelor's degree, education is hugely important to me. That's Homer Minnick III.
Starting point is 00:29:46 For anyone and all of my soldiers when I was in, and all the soldiers that we see coming through here, yes, you're here, you're getting some great skills and certification and experience, and you're going to be able to kick ass on your job. And we need that, and we need that now. Get the education. Get the degrees too. Don't let what you have, you can apply this to the degree. Like, you're already down the road a little further than you were. Don't waste that.
Starting point is 00:30:12 Go get your degree. Yes, you can get qualified to do a job and you can get a good job. You can get best qualified to get the best potential opportunities for the highest levels of income by combining things. If you've got training and certification and experience and degrees, you are the best qualified type of candidate for a position. So the education is certainly important too. And that's our CyberWire special edition on cybersecurity education. Our thanks to all of our experts for taking the time to be interviewed and to share their expertise. Not to put too fine a point on it, but I learned a lot doing this show. And that is time well spent for me too.
Starting point is 00:30:57 If you enjoyed our show, we hope you'll share it with your friends, co-workers and on social media. Check out our daily news brief and podcast at our website, thecyberwire.com. Thanks for listening.
