A Cybersecurity Education Conundrum

CYBER.ORG just commissioned a survey that found that less than half of elementary through high school students are getting any cybersecurity education at school, and compared to schools with higher-income students, schools with lower-income students are providing even less training.

The first step in securing our cyber future is education, and that means everything from educating individuals to companies to the next generation of IT professionals.”

― Dan Lipinski, U.S. Congressman

Earlier this year, Congress introduced legislation called the Providing Resources for Ongoing Training and Education in Cyber Technologies, or PROTECT Act, which would help support the Department of Homeland Security’s Cybersecurity Education and Training Assistance Program (CETAP) to promote career awareness, provide resources and help to develop the cybersecurity skills of students in elementary and secondary schools across the country.

Michigan’s Davenport University announced last year that it had received a five-year, $4 million grant from the National Science Foundation (NSF) to train and educate cybersecurity experts as part of its CyberCorps Scholarship for Service program.

That’s nice for Davenport and Michigan, but it does virtually nothing to address the cybersecurity skills gap that we have created over the last 30 years by ignoring the threat and relying instead upon some kind of organic enthusiasm at the corporate level to balance out the demand.

This lack of national focus has resulted in 508,000 unfilled cybersecurity positions in the U.S. and over 4 million globally as of January 2020 and what will soon translate to over 1.8 million vacant information security and cybersecurity positions in the U.S. by 2022.

In this day and age, when education, industry and government all rely heavily on the safety and reliability of the technology, it is the responsibility of K-12 and higher education to develop cybersecurity programs that will ensure students have the skills and experiences to fill the increasing demand for qualified cybersecurity experts.

Let’s face it: the future is now. We are already living in a cyber society, so we need to stop ignoring it or pretending that it’s not affecting us.”

― Marco Ciapelli

Highly-Skilled Adversaries

Our enemies, on the other hand, have trained and developed tens of thousands of highly-educated and skilled hackers who are, right now, creating new attack vectors, techniques and technologies that they continue to employ to go after their commercial, industrial and political targets mostly here in the U.S.

North Korea is ironically our most formidable adversary. While many in Washington have continued to burn calories around a virtually non-existent NoKo nuclear threat, North Korea has been steadily developing their cybersecurity education programs. As a result of a committed and highly-disciplined educational program, North Korean cyber operations are more diverse, aggressive and capable than any of our other enemies.

They are not just focused on espionage. Their warriors are perfectly skilled at sophisticated zero-day exploits and at stealing vast amounts of IP from our most secured computer networks even when they are air-gapped and isolated from the internet, e.g., military servers and power plant control systems.

These North Korean attackers have been trained in measuring electromagnetic radiation leakage from air-gapped computers and extracting critical data after only a few seconds of monitoring. This is not a course we teach at any cybersecurity graduate program in the U.S.

We’re in the stone age of cybersecurity. Real learning will only come after the 1st major incident.”

― Dr. Christopher Frei, Secretary General of World Energy Council

In the early 1990s, when computer networks were beginning to reach a level of maturity, a group of North Korean computer scientists proposed a massive educational program to teach advanced cyber espionage and cyber hacking with the goal of graduating 10,000 student hackers by the year 2015. To qualify for entry into these programs, applying students had to demonstrate not only outstanding academic ability, but also the ability to read, write and speak flawless English.

It was the North Korean equivalent of India’s IIT in terms of how difficult it was to gain entry.

The Education Gap

While they were doing that, we were offering cybersecurity degrees at 17 universities that same year. Today, we offer cybersecurity degrees at over 187 universities, but the curricula are all centered on or around standardized frameworks for cybersecurity defense or focused on basic criminal forensics.

They are not grounded in warfare.

Undergraduate course offerings on subjects like fundamentals of computer troubleshooting, network security, ethical hacking, Windows server: install and storage, Linux system administration, etc., indicate that the intention is to graduate a system admin or network admin with a BS degree in Computer Networks and Cybersecurity. This is the baseball equivalent of bringing in a minor league class A ballplayer to pitch to Aaron Judge.

Graduate course offerings like those offered by one of our leading universities include foundations of cybersecurity, applied cryptography, secure systems architecture, cybersecurity risk management, cybersecurity operational policy, management and cybersecurity, secure software design and development, network visualization and vulnerability detection, cyber intelligence, cyber incident response and computer network forensics, etc.  

Opening the syllabus for these courses reveals that all of the content can be found in industry certifications like CISSP, CISM, CEH and CRISC, which can be obtained quickly and easily at a fraction of the cost of that university’s Master’s Degree in Cyber Security Operations and Leadership. Now maybe there’s some magic in how the professor guides students through the material, but if the goal, as stated in one leading university’s curriculum description, is to “equip students to stay abreast of ongoing changes in threat and mitigation as lifelong learners in the field” the coursework falls far short.

Curriculum to Close the Gap

What we need instead is coursework centered on actual red-team tactics across a full range of cyber weaponization. We need well-trained cyber snipers and military-grade penetration rangers who can throttle through the most advanced and sophisticated defenses and commit the greatest possible damage in the least amount of time. Our flimsy educational offerings in cybersecurity seem intended to graduate future administrators and bureaucrats when our greatest deficiency is in the working warrior classes.

Pushing North Korea’s cyber educational units to dramatically level up in capability, Kim Jong-un proclaimed, “Cyber warfare is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.”

In stark contrast, it seems the actual goal of our own university programs can be found in one of that abovementioned university’s program descriptions where their stated purpose is to collaborate with important stakeholders in the cybersecurity community to explore ways to keep the curriculum immediately relevant and to assist in the placement of our graduates.”

Education has always been a profit-enabler for individuals and the corporation. Education, both conception and delivery, must evolve quickly and radically to keep pace with digital transition.”

― Stephane Nappo

This assessment is in no way intended to denigrate the competent and well-intentioned professionals who conceive of and guide the programs at these really good schools. The problem is the coursework contains nowhere near the information necessary to either create an advanced attack vector or defend against today’s sophisticated cyberattacks.

The curriculum is way too generalized. The syllabus is too lightly challenging. The objectives are too easily achieved, and the graduating students are no more prepared to join the battle than if they had simply been working as a network administrator for a few years in any IT department in America. Which, by the way, is the essential skill required to be an effective cybersecurity professional regardless of specialty. If you don’t understand networking, you will never have the building blocks necessary to complete a useful education in cybersecurity.

It is like a student completing a chemical engineering degree without an understanding of the periodic table.

A Simple Solution

In fact, when I was a working CISO, I addressed our own skills shortage by simply offering our most competent network engineer a course in cybersecurity fundamentals, and in 90 days, I had a new and very competent Cyber Security Analyst. That approach has always been my recommended solution to the skill shortage and I am continually amazed by its failure of adoption.

We will not win this war with this level of training and education. We need a moon-shot and the impetus for a program of that magnitude must come from Washington. Unfortunately, there are no signs of anything of that nature appearing on anyone in Washington’s to-do list. And that is a problem.

It’s a problem because a little country like North Korea has emerged as a significant and serious cyberthreat to the U.S., with an army of over 10,000 highly trained warriors honing their skills with hundreds of practice attacks on a variety of targets around the world. The probes we see on our own critical infrastructure targets are warnings of future attacks against which we are incapable of defense at our current levels of preparedness.

Our response?

NICE. In an attempt to ignite some movement of the cybersecurity education front, we created an organization in 2008 that was designed to make the federal cybersecurity workforce better prepared to handle cybersecurity challenges. The National Initiative for Cybersecurity Education (NICE) is a partnership between government, academia and the private sector focused on supporting the country’s ability to address current and future cybersecurity education and workforce challenges through standards and best practices. NICE is led by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce.

Our Department of Homeland Security (DHS) has partnered with not-for-profits, middle and high schools, universities and state school boards across the country to help incorporate cybersecurity concepts into our nation’s classrooms. DHS has also partnered with the National Integrated Cyber Education Research Center (NICERC) to provide K-12 cybersecurity curricula and hands-on professional development for teachers at no cost. DHS claims the grant has helped get their cybersecurity curricula into the hands of over 15,000 teachers impacting 820,000 students in 42 States. The curricula is focused on subjects like Cyber Fundamentals, Algebra I and Computational Thinking.

But one important pitfall of this idea is that it is offered to public school teachers along with grant money that might encourage engagement yet completely disregards qualifying student interest. It falls right into the civics or history buckets, where the natural question for an 8-year-old is, “Why do I need to know this, and how will it affect my life?” STEM is great if you are interested in STEM. If you’re not, then not so much.

But wait. There’s more.

DHS and The National Security Agency (NSA) jointly sponsor the National Centers of Academic Excellence (CAE) program, designating specific 2- and 4-year colleges and universities as top schools in Cyber Defense (CD). Schools are designated based on their robust degree programs and close alignment to specific cybersecurity-related knowledge units (KUs), validated by top subject matter experts in the field. CAE graduates help protect national security information systems, commercial networks, and critical information infrastructure in the private and public sectors.

To encourage students to enter cybersecurity degree programs, DHS co-sponsors the CyberCorps: Scholarship for Service (SFS), providing scholarships for bachelors, masters and graduate degree programs focusing on cybersecurity in return for service in federal, state, local or tribal governments upon graduation. The scholarship assists in funding the typical costs incurred by full-time students while attending a participating institution, including tuition and education and related fees. The scholarships are funded through grants awarded by the National Science Foundation (NSF) in partnership with DHS and the Office of Personnel Management (OPM).

It turns out you have to be physically on-campus for this program however, so there are no online degrees available (here in 2020). You have an obligation to repay the scholarship in service to a state, local or tribal government organization or congressional agency upon graduation and you must commit to a 3-4-year service term depending on your scholarship funding. A graduate will be hired as a G9 at a pay rate of $21/hr. and if you don’t like that wage so much, you can refund the entire scholarship amount.

The entire program was funded with $25 million in 2018, which is about the same amount we spend on food stamps for dead people in New York and Massachusetts each year (not a joke).

Worldwide, the prospects of the fast-advancing quantum computing (r)evolution, will challenge the pre-quantum way of conducting scientific and industrial development by making digital transformation of societies, organizations and financial markets fundamentally different.

Beyond the commercial research and development made possible by global corporations, universities, scientific communities, research laboratories… the nation-states, we could presume, are interested the most in practical applications of quantum technologies.”

― Ludmila Morozova-Buss
*Note: This is the first in a two part series of posts on the state of cybersecurity education today. Read Part 2 Here.


Previous Post
Artificial Intelligence meets Cybersecurity
Next Post
A Cybersecurity Education Proposal