Special Editions 10.28.16
Ep 9 | 10.28.16

Exploring Cyber Security Education


Ayesha Raza: [00:00:03] I want to know what's behind the computer not just, like, you know, typing stuff and seeing what I see. I want to know what is behind in there. I want to see how - what I can do to protect it.

Dave Bittner: [00:00:12] It's no secret that cybersecurity is a hot field with many more jobs available than qualified workers. So what's the best way to become one of those qualified workers? In this CyberWire Special Edition, we look at some of the available options in cybersecurity education. We speak to the people who are teaching and designing the classes and examine the creative ways people are trying to prepare the next generation of cybersecurity professionals.

Dave Bittner: [00:00:42] Time to take a moment to thank our sponsor Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily. And it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance - artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Baker Franke: [00:01:36] We saw this rising tide in the '80s. And then it just totally, like, dropped off.

Dave Bittner: [00:01:40] That's Baker Franke. He's curriculum developer for code.org.

Baker Franke: [00:01:44] And there was this huge panic. At the university level and in education in general, students stopped majoring in computer science. You know, computer science enrolments were on the decline. Students were saying that computer science wasn't relevant or interesting or boring.

Dave Bittner: [00:02:00] Code.org was launched in 2013. They describe themselves as being a nonprofit dedicated to expanding access to computer science and increasing participation by women and underrepresented students of color. They're probably best known for their annual Hour of Code events. But a large part of their mission is advocating that school districts adopt computer science classes at every level.

Baker Franke: [00:02:22] You know, our mission is to get computer - high-quality computer science taught in every school in the United States. And we do mean, like, capital C, capital S Computer Science because the real key to unlocking the technology gap is for students to learn something about computer science. Stop being consumers of technology, and start being producers. Part of the reason that computer science doesn't exist in schools is because it can be a turf war issue. It can be the sense that there is a sort of zero-sum game afoot. When our outreach team goes into school districts, they'll say, OK, if we're going to add computer science, which sounds great, what are we going to lose? You have to be real about what those costs are.

Dave Bittner: [00:03:00] Schools have limited budgets for new programs, of course. But they also have limited amounts of time in the day with their students. Even for schools that recognize the importance of teaching computer science, it's often a matter of figuring out where in an already packed schedule these classes can go. But Franke is convinced that exposing kids to these skills is critical for their development in the modern world.

Baker Franke: [00:03:21] Thinking computationally is such a crucial way of understanding the world now that you are going to be thinking computationally in math class. You're going to be thinking computationally in history, in English, in science, in art, in music, really, I think to get people to recognize that we live in the 21st century. And our school system still largely exists on a model developed by John Dewey to deal with the effects of the Industrial Revolution. When I go back and read John Dewey's writings at the time - you can almost take his writings, replace the word industrial with technological. And it's, like, the current state that we're in. The world has changed as a result of computing, the Internet and computation in such a lasting and profound way that it also needs to profoundly affect education.

Dave Bittner: [00:04:14] In the early days of home computing, you sat down to a command line. And the machine patiently waited for you to tell it what to do. The trend with computing devices today, and specifically mobile devices, is to hide the inner workings of the machine and present the user with a set of tools that don't require them to know about things like the file system and the underlying structure of the OS.

Baker Franke: [00:04:33] In our curricula - in our high school curricula, I'm very interested in having people understand that a computer isn't magic. It's just a machine. In fact, it's a machine that was made by people. And those people made decisions historically for particular reasons. And they're good reasons. And they're logical reasons. But unless you - you can either intuit what those reasons were or you can learn what they are - you're never going to be empowered as a programmer. So there's going to be no end to the amount of abstraction that operating systems put in front of us. You like to make it more easy and convenient and hide, you know, the inner workings because that makes it, ultimately, more useful and more efficient to use.

Baker Franke: [00:05:10] But I think in education, we're going to see more and better learning about computers and how they work underneath the hood so that you do have some foothold into what, you know, iOS is actually doing. As an educator, what I think about - when I think about cybersecurity, I'm thinking about, where is computer science's place in our educational canon? And is it important enough that we kind of change everything? Every single person deserves computer science education. It is not a subject for a certain elite. It is not a subject that you get to after you've learned some sort of high-level mathematics or anything else. Everybody needs it and to understand it from an early age on through school.

Dave Bittner: [00:06:00] So what about higher education? For someone interested in a career in cybersecurity, what's the best path for proper training and preparation? We spoke with a number of experts, instructors and college professors, and visited a few learning institutions in our own backyard to get a sense for what's available.

Robert M. Lee: [00:06:18] When you look at bachelor's and master's degrees, they're usually positioned to help introduce you into academia and pursue something like a Ph.D. - writing, researching, answering questions.

Dave Bittner: [00:06:30] Robert M. Lee is CEO of Dragos, Inc. And he teaches cyberthreat intelligence and ICS/SCADA active defense courses for the SANS Institute, as well as being an adjunct professor at Utica College in their master's of cybersecurity program.

Robert M. Lee: [00:06:44] Even in terms of hard skills that you're developing, it's more about the research component more so than becoming a tradesman. And right now there's the need by some to get a master's degree just to check that box, whether it be for their career or, really, just getting hired for jobs. And at the same time, they want to get skills. So I'm starting to see a lot of cybersecurity programs spin up at colleges that don't have the expertise to go down that path. And so they're teaching things that are fundamentally wrong. And at the same time, they've still got to bridge that gap between academia and trade skills. And it's sort of doing a poor job in both. Now, the optimistic side of this is on the training side. When we start seeing training classes pop up, it's less and less now about a specific tool, where I would say historically, we saw training classes of just a single tool. And now we're starting to see mindsets and tradecraft and defensive patterns. And there tends to be a forming community where we're getting better and better people in the community and better trained.

Jonathan Katz: [00:07:55] And I think it's great to learn those tools. And certainly, that will make you very much in demand when you graduate.

Dave Bittner: [00:08:00] That's Jonathan Katz. He's a professor of computer science at the University of Maryland and director of the Maryland Cybersecurity Center. He's also a regular contributor to the CyberWire.

Jonathan Katz: [00:08:09] But those tools are constantly changing. And if you learn a tool now, it may be out of date a year from now. And so what we really try to do from an educational point of view is to teach students the fundamentals that will basically last them for their entire careers.

Dave Bittner: [00:08:22] Matthew Green is a well-known security researcher. And he teaches cryptography at Johns Hopkins University.

Matthew Green: [00:08:28] You know, I focus a lot, obviously, on information security. And so one of the things that kills me is that we don't teach more information security in undergraduate colleges. We have kids, you know - and I say kids because they really are kids now that I look back, now that I'm old - coming out of school and going right into jobs at, you know, big companies in Silicon Valley and learning on the job, security and making mistakes along the way. And I wish that wasn't happening. So, you know, while I think we're doing a fairly good job at teaching them how to build things, we're not teaching them enough how to break things. And as a result, they're not paranoid enough. And I think that lack of paranoia is hurting us in this field.

Jonathan Katz: [00:09:03] So I think first of all, it's important for everybody majoring in computer science to have a basic understanding of cybersecurity because when they get out there, they're going to need to know how to write secure software. That's one of the fundamental problems we have right now is that very much, we're in a state where we're reacting to cybersecurity threats rather than building things security to begin with. So one of the things we try to do is to prepare all of our computer science students to at least have a minimal knowledge of cybersecurity, so that they can build things in a proper way. Then you have the students who actually want to focus in their careers on cybersecurity in particular. And for those, they might take more advanced classes in cryptography or in computer security or even specific domains within computer security.

Robert M. Lee: [00:09:44] You know, good universities do gravitate to being able to pull in the industry leaders. The problem is sort of the business of universities has spawned up a ton of other degrees. And there is that velocity problem that if - and I don't want to throw any university under the bus - but let's say a mid-sized university or college in Arizona that hasn't been able to attract the cybersecurity talent, it's not in any of the sort of hubs that we see cybersecurity talent like Silicon Valley or Maryland or around, you know, Lackland Air Force Base in San Antonio. We don't see that maybe in that location in Arizona. And they're having a hard time pulling the talent that can teach the right things. And they want to be able to scale up that program very quickly and aren't able to do so.

Robert M. Lee: [00:10:26] Now, this has been complemented a little bit in academia by adjuncts. So what some universities are doing - like Utica College does very well at this as an example - is they hire adjunct professors to come in and teach. It's basically part-time instructors that are, by day, working in the field that they're instructing and then, by night, being able to teach the next generation. I think that is a more practical approach. The problem is, of course, with adjuncts that it's not as well-respected, not pays - it doesn't pay the same. And there's always problems around sort of culture shifts in academia to having, basically, part-time workers when academia itself is meant to be a profession. But I do think there's a balance. I think there needs to be university programs that have bachelor's and master's degrees for thought processes and methodologies where tools are just used as samples. And that's one of the reasons I still teach at Utica because they do that.

Robert M. Lee: [00:11:27] Then I think that there's an expectation of cyber, you know, sort of journeyman trade schools programs, which could absolutely take kids that are in high school that don't want to stick around to do physics and algebra. And even though I'm biased and say that's really important, maybe they would have a lot more fun and be much more productive if they were just allowed to focus on what they wanted to and develop those skills under the guidance of somebody who is a master level. And in the same way, there's still a big need for five-day training classes, one to five day training classes, whether it be, you know, black hat style of training or SANS Institute and looking at taking people who have skills or are at one stage in their career and propelling them forward, where for five days, they sort of get a kick start or they sharpen some skills they've been using for quite some time.

Mengistu Ayane: [00:12:21] They do network design, implementation and administration of network, cloud computing, virtualization, firewall access controls, intrusion detection systems, DMZs, vulnerability assessment and penetration tests. They do all of this.

Dave Bittner: [00:12:36] That's Mengistu Ayane. He's one of the heads of the cybersecurity department at Howard Community College and one of their course designers.

Mengistu Ayane: [00:12:43] The students who are coming, you know, the majority of which we consider our cybersecurity students, are people who are, basically, coming from no background. They don't have networking background, no fundamentals. And so that's one of the things I obviously tried to cater for when I was redeveloping the course at first - how to kind of bring them up to speed with what we expect as a starting point.

Dave Bittner: [00:13:07] Howard Community College or HCC is a community college in Columbia, Md. It serves about 10,000 undergrads in degree programs. Being close to Fort Meade and the federal government, HCC sees a growing demand for cybersecurity education.

Sung Lee: [00:13:22] Most of the students, I think, attending school are still finding themselves.

Dave Bittner: [00:13:26] That's Sung Lee. He's director of Student Computer Support at Howard Community College.

Sung Lee: [00:13:31] You know, what do I major in? What do I like? And, you know, you're still kind of evaluating what you have to do. And so the first year and a half, you're like going from class to different class, changing majors. And in a community college, you can do that. But at the same time, you can find yourself very easily because it's very small. And that's the great thing about it. I think once you have that community and you have the students working together, once you have that friendship and network, community college is, you know, a bargain because you can transfer that credit. You know, you can actually take whatever you've learned here, the credits that you get, and then transfer over to a four-year and then finish your school.

Dave Bittner: [00:14:09] Being a community college, HCC serves a variety of students coming from all walks of life.

Sung Lee: [00:14:15] Right now, the student - the students that are taking my course, most of them are just traditional students. I know one student that I've spoken to, he's only taking two classes at Howard Community College because he has a job. So he found a job that allowed him to do - nothing cyber-wise - but to get paid. And then I have two students that's getting into the program. And then one student that is under the VA Bill basically. So he's, you know, he was in the military. And he's actually taking this course. I think as they progress on, hopefully as they finish the program - because it's a 100-level course - that they'll have more interest. And the second year, I think they'll be - they'll have more of - more concise what they want to do within the cyber. Do they want to be just a system administrator or a network administrator or a cyber analyst?

Ayesha Raza: [00:15:06] Like, from here, I'm also applying for the NSA cyber summer program.

Dave Bittner: [00:15:11] Ayesha Raza is a student studying cybersecurity at HCC.

Ayesha Raza: [00:15:15] And I feel like I am eligible to do that because the information that they provided at the job description, I know - I know that stuff. So of course, they are not only focusing on - as I told you - not only focusing on theory. We have, like, the labs and hands-on knowledge as well. So they see what is the demand in the market. So based on that, they decide their actual courses and everything.

Mengistu Ayane: [00:15:36] So when they basically leave, they are equipped with lots of this concept. It doesn't mean that they are, you know, kind of senior in terms of the position they're seeking. But for entry-level jobs, such as T1, you know, system administrator, network administrator, with security in place, they could do - you know, actually do jobs such as network traffic analysts, network monitoring analysts, and, you know, all these areas. Most of the students that we have currently, actually, are working in higher positions. We have students who are working in system administration, designing a system based on Linux, based on Windows servers. We have students who are managing, you know, a whole network who have graduated from Howard Community College. What we are actually giving them, the fundamentals, as a very good springboard for them to even understand higher level and more complex systems administration tasks - so it is not just help desk. They also could do a lot more. I think that is, you know, what we have to be proud of.

Homer Minnick: [00:16:47] UMBC is very much a technology-focused university. They always have been very innovative.

Dave Bittner: [00:16:53] UMBC stands for University of Maryland Baltimore County. It's a public research university, about 14,000 students, located about 10 minutes south of Baltimore.

Homer Minnick: [00:17:03] UMBC Training Centers was formed in 2000. And it was formed for the purpose of being able to provide workforce-focused training and certifications for incumbent workers.

Dave Bittner: [00:17:16] That's Homer Minnick III. He's the director of the Cybersecurity Academy at UMBC Training Centers.

Homer Minnick: [00:17:22] So what we really provide are a combination of either vendor certification courses or custom developed content. A client - again, you know, I'm focused heavily on Department of Defense, so I'll name no specific clients - but an Army element that has had a critical need for people who can do software development in the cyberspace. The nation as a whole is not producing enough people that have a computer science background. And the numbers of those that DoD can get their hands on is an even smaller percentage of that. So it's just - none of those things have worked out.

Homer Minnick: [00:18:01] We were able to partner with this Army organization to say, tell us exactly what types of skills you need, work with their subject matter experts. And effectively, what we have done is looked at, what is the meat of a computer science degree? Strip away all of the electives. Strip away all of the humanities, all of the, you know, everything else that's not solely focused on computer science. Take that and develop curriculum that can provide that in an accelerated format. And the way that we are achieving success with this, given that it's an accelerated program, is the program is built to have a huge amount of hands-on practical exercise.

Homer Minnick: [00:18:43] So a typical course could be a semester-long course. In our case, it's a two-week-long course. And it is - you know, the mornings from 8 to noon are lecture and instructor-led demo and getting shown how to do it. Every afternoon from noon to 4 is lab. So it's practical exercise - four hours - or, really, 3 1/2 hours' worth with a lunch break in there of what they've earned just that morning. Each course has graded exercises - one per week. Everything that a software engineer or software developer in an organization is going to be expected to do these guys are expected to do. We're just doing it in a more rapid fashion.

Homer Minnick: [00:19:27] If you look at - across the whole program, they're getting more than 50% of the time spent on just writing code. They build a portfolio throughout. So those projects that they create build a portfolio that is then used because these soldiers have to go and interview for their jobs. So the same as a contractor would, the same as a civilian would, they have to go interview and prove that they can do what they say they can do. These - they have the portfolio to show their actual work, their actual code, to that manager of that section.

Dave Bittner: [00:20:00] With so many unfilled job positions in cybersecurity, there's a huge demand for getting people trained quickly. That, according to Minnick, is leading to some creative thinking and the exploration of educational paths that aren't typically associated with high-tech careers.

Homer Minnick: [00:20:16] It's interesting that there is a lot of discussion right now around apprenticeship within the field of cybersecurity, not only in a little-A apprenticeship, internship, fellowship - I mean, call it what you will. But, actually, the development of a big-A registered apprenticeship that produces a cybersecurity person with a credential that is able to perform certain functions much along the lines of a plumber, an electrician, a welder, HVAC, in something like that, but you - that their skills - the skills that they're able to perform and have demonstrated are codified.

Michel Cukier: [00:21:03] Our vision is that cybersecurity should be seen as not just technical but interdisciplinary.

Dave Bittner: [00:21:09] Michel Cukier is director of the ACES program at the University of Maryland. He's also associate director for education for the Maryland Cybersecurity Center.

Michel Cukier: [00:21:18] I'm director of ACES, which is one of the honors program. And it's a first and, for now, only honors program in cybersecurity in the country. We have seven different honors program. And ACES, which stands for Advanced Cybersecurity Experience for Students, is seventh. It was established in 2012.

Dave Bittner: [00:21:40] The University of Maryland is a big, state school with about 38,000 students. And they offer traditional computer science degrees, including a specialization in cybersecurity. This ACES honors program is brand-new and takes an innovative approach.

Michel Cukier: [00:21:55] So honors program - its philosophy is not to be part of the college - of a specific college. It's part of the undergraduate studies college, and - so that the students who are part of ACES are students with different backgrounds from all different majors. So we do have computer scientists, but we have computer engineers, other type of engineering majors. We have students in criminology, in psychology, in business, in math, even a student in music. And the idea and the originality of the program is that we don't award a degree in cybersecurity. But we award a citation from the honors college in cybersecurity after two years for these students. So it's a two-year program, where students work together and live together. And then after two years, they can decide whether they want to continue. And at that point, they join the minor in cybersecurity also offered by the Honors College. And they continue for another two years so that they get a minor in cybersecurity through ACES.

Dave Bittner: [00:23:00] One of the innovations here - one of the things that they're trying is that many of the students in the cybersecurity honors program aren't computer science majors. And that's intentional. It's by design.

Michel Cukier: [00:23:11] We don't want the students to change majors. What we want to do is to attract students into the field and see how they can contribute to the field. So let me give you two examples. One is a woman who had, really, no knowledge - prior knowledge on cybersecurity - was surprised that she was invited to join ACES, stayed for two years - so she only did the living and learning program - got her citation and got interested in cybersecurity, got us interested in the policy aspect. So she's a major in mathematics. And so now she is involved with the FBI working on cybersecurity issues. So that's an example of someone who would not have really engaged or been in the field, who keeps a major in mathematics but is still contributing to national security because she has been through ACES.

Michel Cukier: [00:24:12] Another student right now is a major in music, so that's probably a very surprising major, if you want, for someone who might touch cybersecurity. So it's a similar story - no prior background and was interested and has a way of very carefully analyzing things and being able to really sensitize things at a very precise level and has done an internship at NSA. And NSA, of course, would not have considered, usually, a student as a - if you come as a music major. That's another success story. And that student stays involved with NSA on the research part.

Dave Bittner: [00:24:53] The ACES program is a collaboration with industry partners too.

Michel Cukier: [00:24:57] It started with a major gift from Northrop Grumman - $1.1 million. What the companies have found is that because these are the best students on campus and they are interested in cybersecurity, de facto, you have - they are the best students in cybersecurity in the region. And so companies are really supporting the program because they'd like to reach out to the students. On our side, it's something that provides a huge plus to the program because by engaging these field experts, students have access to experts much earlier than they usually would have had.

Michel Cukier: [00:25:38] So these students are really taking a leading role in cybersecurity and will get involved in many different activities. And they work together and live together and take several classes through ACES. Our goal is for the students to become leaders in cybersecurity. So we're not looking at students of being able just to implement a firewall or improve a firewall or just do some coding. We really want them to have a broad horizon of cybersecurity so that they become the leaders of tomorrow.

Joyce Brocaglia: [00:26:15] We spend a lot of time kind of professionally counseling executives.

Dave Bittner: [00:26:19] Of course, career education doesn't end when you get your first job or even when you reach the C-suite. Joyce Brocaglia is CEO of Alta Associates, an executive search firm specializing in cybersecurity.

Joyce Brocaglia: [00:26:32] So many times, people come to me and say, hey, you know, I want a seat on the board. And I say, well, that's great. But you really don't have any table manners yet, and this is what you need to do, you know? So a lot of information security people all of a sudden feel, hey, you know, I think I could have a seat at the board. But they really have never had, you know, responsibility. They've never had governance responsibility. They don't understand, you know, the broader aspects of what it takes to actually, you know, not be considered by the board as a one-trick pony and what kinds of things they may have to do in their own career to broaden their perspective and to make themselves more attractive to those kinds of roles.

Joyce Brocaglia: [00:27:08] So you know, I think that - look. We've been in security for 20 years - for as long as security has existed. And I have seen the evolution of the role of the CISO. And I continue to see how it is, you know, growing and expanding. And I think there's a lot more to come. I think reporting structures are going to change. And to your point, I think a different kind of education is going to be valued because more and more, these folks are, you know, either presenting to the board or working with the regulators or, you know, some type of outside third-party regulatory establishment. And, you know, they really have to understand a much, much broader and more comprehensive area than the old days of just being, you know, deep in technical.

Robert M. Lee: [00:27:57] You will find that this career field has a very, very low unemployment rate.

Dave Bittner: [00:28:03] That's Robert M. Lee.

Robert M. Lee: [00:28:05] I've heard people say zero unemployment rate. That's not true. There's a lot of people that do look for jobs. My common advice to folks that are just starting out is, number one, try to figure out what interests them most. And this may change a dozen times, and that's OK. But what aspect of the field do you care most about? - 'cause cybersecurity itself is a wide-ranging topic. Do you really like digital forensics? And if it's digital forensics, do you like network forensics, host forensics, Mac forensics? - you know, whatever it might be. Are you penetration testing-inclined? OK, well, do you want to pen test web applications, or you want to pen test the enterprise?

Robert M. Lee: [00:28:39] So figuring out right from the beginning what sounds most exciting to you, focusing one thing at a time and then taking advantage of all the free and online resources - I generally don't recommend people who aren't already employed to look for academic classes or training classes to teach them skills. There are so many free resources to get started. And the reason I push that is when you use the free resources and sort of test out your own skills, first of all, you'll make sure that you're in the right approach. Maybe you're a pen test, and you find out that, man, forensics is really cool. And so - that you can pivot before you make financial investments.

Robert M. Lee: [00:29:22] And the other aspect is when you finally do make the financial investment or have a job send you somewhere, you're going to be able to take much more out of the class. When I get new people in class, they leave knowing something more than they came in with. When I get experienced people, though, they know how to ask the right questions to really push them farther. So the more you know coming in, the more you're going to get out of structured learning.

Homer Minnick: [00:29:46] Me - if you look at my office, you know - my Master's degree, a bachelor's degree - education is hugely important to me.

Dave Bittner: [00:29:53] That's Homer Minnick III.

Homer Minnick: [00:29:54] For anyone and all of my soldiers when I was in and all of the soldiers that we see coming through here, yes. You're here. You're getting some great skills, some certification experience. And you're going to be able to, you know, kick ass on your job. And we need that, and we need that now. Get the education. Get the degrees, too. Don't let what you have - you can apply this to the degree. Like, you're already down the road a little further than you were. Don't waste that. Go get your degree. Yes, you can get qualified to do a job, and you can get a good job. You can get best qualified to get the best potential opportunities for the highest levels of income by combining things. If you've got training and certification and experience and degrees, you are the best qualified type of candidate for a position. So the education is certainly important, too.

Dave Bittner: [00:30:51] And that's our CyberWire Special Edition on cybersecurity education. Our thanks to all of our experts for taking the time to be interviewed and to share their expertise. Not to put too fine a point on it, but I learned a lot doing this show, and that is time well spent for me, too. If you enjoyed our show, we hope you'll share it with your friends, co-workers and on social media. Check out our daily news brief and podcast at our website, thecyberwire.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.