What’s Missing in Cybersecurity Education

Education is the great domino game in the sky that when played with maximum intention, can catapult its heroes beyond the limits of the board and into new dimensions of thinking and practice. When played poorly, the board actors may just as well have squandered their afternoons playing pool, drinking beer and dreaming of what could have been.

We are relaunching our cyber education platform very soon. It’s called CyberEd.io, and it will be chock full of educational content with guest lecture series by some of our biggest names, certification preparation for any and all possible certifications you can imagine, custom, leading edge training on topics ranging from Zero Trust to Critical and Design Thinking, innovative security awareness training and cyber warrior training, mapped to the NIST/NICE working frameworks and all available under one trusted roof.

All taught by leading experts. All curated by leading CISOs.

Which is great, because our reach will guarantee that everyone in the cybersecurity space or adjacent functional roles, or even those just interested in cybersecurity will be able to have access.

Our goal is to close the gap between supply and demand for skilled, trained resources in cybersecurity.

And that gap represents one of the key challenges in our war.

Government Help

In 2019, Michigan’s Davenport University announced it had received a five-year, $4 million grant from the National Science Foundation (NSF) to train and educate cybersecurity experts as part of its CyberCorps Scholarship for Service program.

That’s nice for Davenport and Michigan, but it does virtually nothing to address the cybersecurity skills gap that we have created over the last 30 years by ignoring the threat and relying instead upon some kind of organic enthusiasm at the corporate level to balance out the demand.

This lack of national focus has resulted in 3 million unfilled cybersecurity positions as of 2021 and the U.S. Bureau of Labor Statistics predicts cybersecurity jobs will grow 31% through 2029, over seven times faster than the national average job growth of 4%.

Our enemies, on the other hand, have trained and developed tens of thousands of highly educated and skilled hackers who are, right now, creating new attack vectors, techniques and technologies that they continue to employ to go after their commercial, industrial and political targets mostly here in the U.S.

Our Adversaries’ View on Cybersecurity Education

North Korea is, ironically, our most formidable adversary in education.

While many in Washington have continued to burn calories around a virtually non-deliverable NoKo nuclear threat, North Korea has been steadily developing their cybersecurity education programs. As a result of a committed and highly disciplined educational program, the North Korean cyber operations are more diverse, aggressive and capable than any of our other enemies.

They are not just focused on espionage. Their warriors are perfectly skilled at sophisticated zero-day exploits, and at stealing vast amounts of IP from our most secured computer networks even when they are air-gapped and isolated from the internet, e.g., military servers and power plant control systems.

These North Korean attackers have been trained in measuring electromagnetic radiation leakage from air-gapped computers and extracting critical data after only a few seconds of monitoring.

This is not a course we teach at any cybersecurity graduate program in the U.S.

In the early 1990s, when computer networks were beginning to reach a level of maturity, a group of North Korean computer scientists proposed a massive educational program to teach advanced cyber espionage and cyber hacking with the goal of graduating 10,000 student hackers by the year 2015. To qualify for entry into these programs, applying students had to demonstrate not only outstanding academic ability, but also the ability to read, write and speak flawless English.

It was the North Korean equivalent of India’s IIT in terms of how difficult it was to gain entry.

While they were doing that, we were offering cybersecurity degrees at 17 Universities that same year. Today, we offer rated cybersecurity degrees at over 65 Universities, but the curricula are all centered on or around standardized frameworks for cybersecurity defense or focused on basic criminal forensics.

They are not grounded in warfare.

Pointed at the Wrong Targets

Undergraduate course offerings on subjects like fundamentals of computer troubleshooting, network security, ethical hacking, Windows server: install and storage, Linux system administration, etc., indicate that the intention is to graduate a system admin or network admin with a BS degree in Computer Networks and Cybersecurity.

This is the baseball equivalent of bringing in a minor league class A ball player to pitch to Aaron Judge.

With the bases loaded.

Graduate course offerings like those offered by one of our leading Universities include foundations of cybersecurity, applied cryptography, secure systems architecture, cybersecurity risk management, cybersecurity operational policy, management and cybersecurity, secure software design and development, network visualization and vulnerability detection, cyber intelligence, cyber incident response and computer network forensics, etc.

Opening the syllabus for these courses reveals that all of the content can be found in industry certifications like CISSP, CISM, CEH and CRISC, which can be obtained quickly and easily at a fraction of the cost of that University’s Master’s Degree in Cyber Security Operations and Leadership. Now maybe there’s some magic in how the professor guides students through the material, but if the goal as stated is to “equip students to stay abreast of ongoing changes in threat and mitigation as lifelong learners in the field” the coursework falls far short.

Particularly in a remote learning world like the one we now find ourselves.

What we need instead is coursework centered on actual red-team tactics across a full range of cyber weaponization. We need well-trained cyber snipers and military-grade penetration rangers who can throttle through the most advanced and sophisticated defenses and commit the greatest possible damage in the least amount of time. Our flimsy educational offerings in cybersecurity seem intended to graduate future administrators and bureaucrats when our greatest deficiency is in the working warrior classes.

Pushing North Korea’s cyber educational units to dramatically level up in capability, Kim Jong-un proclaimed, “Cyber warfare is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.”

In stark contrast, it seems the actual goal of our own university programs can be found in one of the program descriptions where their stated purpose is “to collaborate with important stakeholders in the cyber security community to explore ways to keep the curriculum immediately relevant and to assist in the placement of our graduates.”

This assessment is in no way intended to denigrate the competent and well-intentioned professionals who conceive and guide these programs at these really good schools. The problem is the coursework contains nowhere near the information or education necessary to either create an advanced attack vector or defend against today’s sophisticated cyberattacks.

The curriculum is way too generalized. The syllabus is too lightly challenging. The objectives are too easily achieved, and the graduating students are no more prepared to join the battle than if they had simply been working as a network administrator for a few years in any IT department in America.

We will not win this war with this level of training and education. We need a moon-shot and the impetus for a program of that magnitude must come from Washington. Unfortunately, there are no signs of anything of that nature appearing on anyone in Washington’s to-do list.

And that is a problem.

It’s a problem because a little country like North Korea has emerged as a significant and serious cyber threat to the U.S., with an army of over 10,000 highly trained warriors honing their skills with hundreds of practice attacks on a variety of targets around the world. The probes we see on our own critical infrastructure targets are warnings of future attacks against which we are incapable of defense at our current levels of preparedness.

Our response?

Nowhere Near Enough

In an attempt to ignite some movement on the cybersecurity education front, we created an organization in 2008 that was designed to make the Federal cybersecurity workforce better prepared to handle cybersecurity challenges. The National Initiative for Cybersecurity Education (NICE) is a partnership between government, academia and the private sector focused on supporting the country’s ability to address current and future cybersecurity education and workforce challenges through standards and best practices. NICE is led by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce.

Our Department of Homeland Security (DHS) has partnered with not-for-profits, middle and high schools, universities, and state school boards across the country to help incorporate cybersecurity concepts into our nation’s classrooms. DHS is also partnered with the National Integrated Cyber Education Research Center (NICERC) to provide K-12 cybersecurity curricula and hands-on professional development for teachers at no cost. DHS claims the grant has helped get their cybersecurity curricula into the hands of over 15,000 teachers impacting 820,000 students in 42 States. The curricula are focused on subjects like Cyber Fundamentals, Algebra I and Computational Thinking.

But the important idea here is that it is offered to public school teachers along with grant money that might encourage engagement yet completely without regard to qualifying student interest. It falls right into the civics or history buckets, where the natural question for an 8-year-old is why do I need to know this, and how will it affect my life?

STEM is great if you are interested in STEM. If you’re not, then not so much.

DHS and The National Security Agency (NSA) jointly sponsor the National Centers of Academic Excellence (CAE) program, designating specific 2- and 4-year colleges and universities as top schools in Cyber Defense (CD). Schools are designated based on their robust degree programs and close alignment to specific cybersecurity-related knowledge units (KUs), validated by top subject matter experts in the field. CAE graduates help protect national security information systems, commercial networks, and critical information infrastructure in the private and public sectors.

To encourage students to enter cybersecurity degree programs, DHS co-sponsors the CyberCorps: Scholarship for Service (SFS), providing scholarships for bachelor’s, master’s, and graduate degree programs focusing on cybersecurity in return for service in federal, state, local, or tribal governments upon graduation. The scholarship assists in funding the typical costs incurred by full-time students while attending a participating institution, including tuition and education and related fees. The scholarships are funded through grants awarded by the National Science Foundation (NSF) in partnership with DHS and the Office of Personnel Management (OPM).

It turns out, however, that you have an obligation to repay the scholarship in service to a state, local, tribal government organization or Congressional agency upon graduation, and you must commit to a 3-4-year service term depending on your scholarship funding. A graduate will be hired as a G9 at a pay rate of $23/hr., and if you don’t like that wage so much, you can refund the entire scholarship amount. The entire program was funded with $25 million in 2018, which is about the same amount we spend on food stamps for dead people in New York and Massachusetts each year (not a joke).

Workforce shortages exist for almost every position within cybersecurity, but the most acute needs are for highly skilled technical staff.

Nine years ago, a Center for Strategic and International Studies (CSIS) report entitled “A Human Capital Crisis in Cybersecurity” found that the U.S. not only has “a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.” At the time, we only had about 1,000 security specialists with skills and abilities to take on these roles, compared to a need for 10,000 to 30,000 professionals.

In 2016, CSIS found that IT professionals still considered technical skills like intrusion detection, secure software development, and attack mitigation to be the most difficult-to-find skills among cybersecurity professionals.

A 2018 survey revealed that a lack of required technology skills was one of the greatest challenges facing organizations when hiring cybersecurity candidates. These challenges were particularly acute for mission critical job roles, with over a third of organizations reporting a lack of technology skills for vulnerability assessment analyst positions and half of employers reporting deficiencies for cyber defense infrastructure support candidates.

Closing the Skills Gap?

What follows is the brief yet remarkable history of the Federal government’s attempt at closing the skills gap:

In May 1998, a presidential directive was signed by Bill Clinton requiring that the Executive Branch assess the cyber vulnerabilities of the nation’s critical infrastructures: information and communications, energy, banking and finance, transportation, water supply, emergency services, and public health, as well as those authorities responsible for the continuity of federal, state, and local governments. The directive also called for the federal government to produce a detailed plan to protect and defend America against cyber disruptions.

This National Plan for Information Systems Protection was the first major draft of a more comprehensive effort to protect our nation’s critical infrastructure.

In 2000, the CyberCorps® Scholarship for Service Program (SFS) was created under the Federal Cyber Service Training and Education Initiative, a component of the National Plan for Information Systems Protection, co-sponsored by the National Science Foundation and the Department of Homeland Security, to enhance the security of critical information infrastructure, increase the national capacity of educating IT specialists in Information Assurance (IA) disciplines, produce new entrants into the Government IA workforce, increase national Research & Development (R&D) capabilities in IA, and strengthen partnerships between institutions of higher learning and relevant employment sectors.

In 2001, the first grants were awarded to 4 schools and the first graduating class made up of 9 students entered the Federal IA workforce in 2002.

In 2014, more than 16 years after the Clinton directive, the Cybersecurity Enhancement Act of 2014 was signed into law (Public Law No: 113-274). Its stated intent is to provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.

It also reflects the critical need for Information Technology (IT) professionals, industrial control system security professionals, and security managers in federal, state, local and tribal governments. The SFS program is managed by the National Science Foundation (NSF), in collaboration with the U.S. Office of Personnel Management (OPM) and the Department of Homeland Security (DHS), in accordance with the Cybersecurity Enhancement Act of 2014 (Public Law No: 113-274). Section 302 of the act addresses the SFS program specifically.

In 2018, the National Defense Authorization Act of Fiscal Year 2018 mandated SFS program updates and enhancements, among them the requirement that students identified by their institutions for SFS Scholarships must meet selection criteria based on prior academic performance, likelihood of success in obtaining the degree, and suitability for government employment.

Since the inception of the program in 2001, approximately 3,600 SFS graduates have found placement in more than 140 government entities, or roughly 1% of the projected US InfoSec job openings by the end of this year.

What organizations are truly desperate for are graduates who can design secure systems, create new tools for defense, and hunt down hidden vulnerabilities in software and networks. None of these skills are being taught in any of the coursework that we find in the Davenport University Cybersecurity program.

Modern Day National Threats

Russia and China have been running rigorous cybersecurity educational programs for years and have trained upwards of 100,000 cyber warriors. As a result, both countries possess the highest levels of technical sophistication, far more advanced than the U.S.

China has moved into the lead position in Quantum Computing, having even installed their own Quantum-based communication system between Beijing and Shanghai.

Both China and Russia have demonstrated competency in full-spectrum operations, including the ability to coordinate the capabilities in cyber-operations with the other elements of state power, including conventional military force and foreign intelligence services that have global reach. Their exhibition of cyberattack prowess demonstrates the potential to cause complete paralysis and/or destruction of an adversary’s critical systems and infrastructure, resulting in significant destruction of property and/or loss of life.

Under those circumstances, regular business operations and/or government functions cease, and data confidentiality, integrity, and availability are completely compromised for extended periods, including forever.

For an example of how good the Russians are at this stuff, consider the average amount of time it takes for a Russian cyber-attacker to conduct a “breakout,” which is the act of leaving the entry beachhead and moving laterally within the network to prepare for an attack. The gold standard for detection, investigation and remediation in the cybersecurity industry is what is known as the 1-10-60 rule, and only the best and most prepared businesses can manage it.

It translates to detection within 1 minute, investigation within 10 minutes, and remediation within 1 hour (60 minutes). The Russian average breakout is 17 minutes with the fastest recorded as low as 7 minutes. Today’s best prepared businesses in cybersecurity defense terms will never catch a Russian intrusion in time to prevent damage.

This threat is very real and very present, yet we continue to ignore it both at the state level and within all public and private businesses.

In response to this incredible imbalance in capabilities, we make a childlike political gesture of outlawing the best cybersecurity research on the planet from use by federal agencies because it is headquartered in Russia (Kaspersky).

Then to apparently be sure we are fully cooperating with our adversary’s advancement in cybersecurity capabilities, we encourage their participation in U.S. investments and welcome Chinese venture capitalists and their LPs into our startup eco-system and allow them to take a large enough position in AI/ML cybersecurity ventures where they become entitled to unfettered access to the venture’s IP.

That access goes right to the Chinese Ministry of National Defense because nothing happens in commercial markets without the Chinese government’s approval and control. There is no such thing as an independent business in China. As the former CTO and CISO of a Cybersecurity Systems Integrator doing business in China for 7 years, I can assure you that all Chinese businesses, including venture capital firms in the US, are, by default, acting as Chinese government agencies.

The Worldwide Threat Assessment of the U.S. Intelligence Community is a document published each year, which itemizes the significant threats to the U.S. and its allies. This year’s report claims that China and Russia pose the greatest espionage and cyberattack threats to the US but also warned that other adversaries and strategic competitors like Iran and North Korea will increasingly build and integrate cyber espionage, attack, and influence capabilities into their efforts to influence U.S. policies. It warned that rivals to the U.S. are successfully developing capabilities to “shape and alter the information and systems” that the U.S. relies on.

And on a daily basis, as we connect and integrate tens of billions of new digital devices into our lives and business processes, adversaries and strategic competitors will be able to gain even greater insight into and access to our protected information. In particular, the report warned that China and Russia present a “persistent cyber espionage threat and a growing attack threat” to U.S. core military and critical infrastructure systems, businesses and social media, as well as attacks designed to aggravate social and racial tensions, undermine trust in authorities, and criticize perceived anti-Russia and anti-Chinese politicians.

In summary, we don’t have enough educational programs, the ones we do have are focused on the wrong skills and the degrees are too easily obtained. A degree in Cybersecurity isn’t like a degree in Political Science where the assumption is that the student will learn how to apply the training once engaged with real-world dynamics, through mentors and the process itself. Or a degree in Statistics, where the application of the training will be relevant immediately because the rules that govern the domain haven’t changed in a hundred years.

Cybersecurity changes every minute and the real-world realities have little to do with our current curricula.

Additionally, we have insufficient national emphasis on cybersecurity education and at the highest levels of government we fail to recognize or acknowledge the severity of the threat. Instead of making progress over the last decade we have regressed dramatically.

The attacker/defender dynamic in education has become even more asymmetric and the gap between what is necessary, and the state of our current skill base has expanded even further.

Look. I get it.

Our four principal adversaries operate within totalitarian government structures and can dictate whatever form of education their leaders deem necessary for national defense. And I certainly am not arguing for America to adopt any of those characteristics. On the other hand, I see nothing wrong with the declaration of a national emergency and the organization of a Manhattan-like project that could transform a volunteer army into a competent cyber-defense military unit who could operate within a new set of rules for the engagement of a clear and present enemy.

Try This Proposal

Let’s spend $60,000,000 in new tax-payer dollars on a National Cybersecurity Masters Education program where we invite 500,000 college graduates with undergraduate degrees in engineering, math and science to participate in a fully funded, 2-year graduate program focused on building cyber-warrior skills. When I say fully funded, I mean $40,000 in tuition and $20,000 in living expenses each year. The entrance requirements would be similar to any graduate degree program in Engineering, Law or Science at any leading University. Upon graduation, these students would be free to do what they want. Most would pursue a job in private industry. Some would become civil servants. Others may abandon the profession altogether.

But we will have created a fast program that highly incentivizes participants, removes all reciprocal restrictions on post-graduation service and has a high probability of success.

The best part is that it will cost each U.S. taxpayer exactly $11.18. That is less than we spend on a standard Netflix subscription for one month. Let’s get even crazier and throw in a $20,000 recruiting fee to help the graduates find a great job upon graduation. That will cost another $1.40 each.

That math is powered by 143 million taxpayers in 2020.

A simple program like this, with origins in Zero Trust thinking, run by our public and even private University systems, and not under the auspices of any government agencies, could quickly close the skills gap and flood hundreds of thousands of future CISOs and skilled Cyber-warriors onto a thirsty market. Instead of bureaucrats and administrators, this brand of CISO would be trained in hand-to-hand cyber-enemy combat and equipped with the appropriate tools necessary to take the fight to the enemy, shifting the attacker-defender dynamic to offense and away from detect, respond and remediate.

We should supplement that with a purpose-driven cybersecurity education and training program that is offered on a just-in-time basis on-line, and delivered through a modern platform designed with the user experience as the top priority.

A program that has been vetted by CISOs and not a bunch of cybersecurity practitioners who drive curriculum creation through a necessarily narrow view of the landscape owing to their limited prior experience.

A program that delivers all levels of training, for cybersecurity practitioners, engineers, analysts, CISOs, non-CISO executive suite and board members, along with everyone else in an organization in a curated context that will ensure everyone is getting exactly what they need, when they need it and in a consumable, consistent and repeatable set of programs overseen by an assigned success manager who assures that value is continuously extracted and applied.

An online learning program designed to be an extension of an organization’s expanding purview over cybersecurity education, delivery, absorption and execution.

A program unlike any other on today’s commercial markets, and one in harmony with NIST guidelines and the NICE framework that, in addition to preparing students for certification exams in over 150 specialties, can also bring outer dimensional thinking to the creation and building of new cybersecurity architectures and programs like Zero Trust, designed to move away from traditional, heritage programs and toward those best suited for modern cyberwarfare.

Because we all now live in a digital world and cannot continue to ignore our individual responsibilities to manage our digital environments with dutiful care, it has been recommended that, in addition to the above-described solutions, a model for a National Cybersecurity Service (NCS) program be mandated as a two-year public service requirement for every college graduate in the country – a war-time peace corps – less than half the service requirement for graduates of Annapolis – and/or 18-year-olds who want to pursue a career path in cybersecurity without attending college.

The Israelis didn’t manage to survive all these years by pretending their enemies were their trading partners. In much the same way as the IDF (Israeli Defense Forces) accommodates varying interests, our own NCS would offer different specialty educational opportunities, but the program concentration would be on a warrior-level and offensive cyber training.

Framed as a Manhattan project, such a program can be both authorized and funded by Presidential order (à la FDR) and Congressional mandate (though many would question whether any recent Congress would have either the political appetite or courage to do so). Regardless of cost, it would likely be dwarfed by legislation that we push through our law-making process on a daily basis and would be the only initiative aimed directly at a true existential threat, and one acting as a clear and present danger, and not just a measurable, abstract probability ten years into the future.

What if We Don’t?

But if we don’t do something really soon, it won’t matter how many new technologies we invent, how much new cyber-threat awareness we create in our corporate boardrooms or how many new initiatives we create around the traditional approaches to managing cybersecurity. If we don’t shift our approach to a risk management model, re-build our cyber-defense infrastructure on the basis of a Zero Trust architecture, and staff it with an abundance of trained warriors, we will continue to retreat from this cyber warfront in the business of business, out-resourced, out-smarted and out-intimidated by opposing forces unencumbered by layers of social justice and political correctness, just as we have been doing for the last 20 years.

And at a national security level, it won’t matter how many submarines, aircraft carriers, jet fighters or other military hardware and human resources we can muster against our enemies in some conventional theater of war either.

The next international war will be fought in cyber-space and right now, things don’t look too good for the U.S. team.

“Cybersecurity’s response to bitter failure, in any area of endeavor, is to try the same thing that didn’t work … only harder.”

~ Marcus Ranum, an early developer of the first commercial bastion host firewall and the first Internet email server for the whitehouse.gov domain, who also is the author of the eponymous Ranum’s Law, “You can’t solve social problems with software.”
