The “why”: the importance of cybersecurity education.

By Kyla Guru, Stanford University and Bits N' Bytes Cybersecurity Education

Dec 7, 2020

An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.

The “why”: the importance of cybersecurity education.

My curiosity first blossomed at NSA GenCyber Camp. A cybersecurity graduate student chronicled his research on Wireshark一network packet analysis tool一as we listened to his tales of running vulnerability scans for information. By the end of the week, I understood how deeply cyberattacks pervaded our daily lives. Searching for a common underline for attacks, I discovered one fact I couldn’t ignore: nearly 95% of all cyber-issues were caused by human error. As I explored more, this knowledge gap became exceedingly clear. 65% of attacker groups use spear phishing as the primary infection vector for malware, and a lack of cybersecurity hygiene almost always allows attacker groups to enter, move, and persist in a network long enough to cause damage.

Cybersecurity has always been a human issue: it is humans that build the products that are abused, it is humans that are either the protectors and the attackers, and always, it is humans who are the victims. To me, it made sense that a human-centered approach, through education, would mitigate future risk too.

Approaching my community mayor, I discovered that though STEM was instructed in schools, end-user cybersecurity & digital citizenship were barely discussed. This isn’t uncommon across American school districts either: in fact, less than half of educators (45%) in K-12 say that their students learn about cybersecurity in school. Determined to meet an unmet need, I founded Bits N’ Bytes Cybersecurity Education (BNBCE) in October 2016. BNBCE officially began as I spent my Thanksgiving break voluntarily creating animation videos for my former elementary school, which was a bike ride away from my house. Seeing the curiosity in students’ eyes when given the space to ask questions like, “How does Snapchat store my data?,” I was galvanized to action. I began informally building a business model, Googling words like “tax exemption” and “distributing curriculum” to educator symposiums. I didn’t need a million dollars to launch a project, and I certainly didn’t need a million dollars to spread the message that was in my heart farther than my bike could take me.

Soon after I released animation videos to local elementary schools, parents began voicing questions to me, corporations became interested in our vision, and一perhaps most profoundly一after 4 months of partnership with my local community, teachers noted a significant increase in student ownership of online safety, as well as teacher understanding of cybersecurity/privacy issues.

Through research with industry professionals, I built downloadable curriculum packages that teach vulnerable populations (under-resourced schools, senior homes, etc.) about pressing online-safety topics (safe Internet surfing, password strength, protecting sensitive “PII,” and more). Leading 53+ free training workshops for vulnerable populations in partnership with corporations including IBM and Facebook, and dispersing curriculum to 600+ schools internationally, BNBCE has educated nearly 27,000+ students internationally.

Now, BNBCE is a 501(c)(3) dedicated to educating and equipping vulnerable populations (youth, teenagers, and seniors) with the cybersecurity and online safety skills needed to prepare for our future of cyberthreats. Through creating engaging, multimedia curriculum, animated videos, research-based blogs, and delivering hands-on training workshops, BNBCE simplifies complex global issues including password discipline, maintaining digital privacy, digital citizenship, and social engineering. With national and international partnerships, we aim to create a worldwide synergy around online safety and security, envisioning a world of aware and confident digital users.

Lessons learned about teaching cybersecurity.

1. We must teach cybersecurity in classrooms whether or not a student is considering it as a career.

As reported by The New York Times, Cybersecurity Ventures estimates a staggering 3.5 million unfilled cybersecurity jobs globally by 2021, increasing from one million unfilled jobs in 2014. While we must focus adequate efforts on training and preparing students to enter the cybersecurity workforce, we must also realize that regardless of their future career, they must begin caring about their personal cybersecurity the moment they begin using devices. We must develop programs that support students in understanding their personal cybersecurity and privacy throughout K-12, and curriculum should be updated annually to fit the most common cybersecurity trends and threat actor tactics, techniques, and procedures. That way, the risks of traversing the Internet are ingrained in every fiber of their digital being as they progress through higher education and into their professional lives.

2. To maximize impact, we must tie cybersecurity to the bigger picture.

According to a 2019 study by Girls With Impact, 75 percent of Generation Z wants their work to carry meaning for the world. Their top motivators at work are money/pay (70 percent), the ability to pursue their passion (46 percent) and the challenges/excitement of the job (39 percent). What are we missing? Utilizing education as a vehicle to contextualize cybersecurity as a high-impact, meaningful, challenging, and exciting passion.

Through my work with BNBCE, I have learned that our mission is much larger than what I originally envisioned. In fact, a peaceful society is one with security, where citizens know how to protect their data and mitigate cybercrime. Without online security and safety, and aware students of all ages and demographics, peace is simply not possible. Educating and caring about cybersecurity education means strengthening our democracy. It means more educated and aware cyber-warriors who can actively leverage technology for innovation without interference. It means cultivating a culture of safety first, and understanding that by being safe, we can not only protect ourselves, but our neighbors, our communities, and our country. By educating with this core message, we can connect personal cybersecurity to national security and collective safety.

Additionally, cultivating the conversation around the challenging and meaningful nature of the work can be rooted in the multitude of real-world examples: single cyber-attacks shutting down entire school-districts for over a week’s time, ransomware attacks stopping hospitals from serving patients, and malware cripping our national energy, oil, and gas infrastructure. Additionally, teaching about cybersecurity in the context of civics will help convey the ‘impact’ piece. For instance, we can contextualize global cybersecurity through topics like disinformation, election security, and by contextualizing our positioning in the international cyber-arms race at large.

One way of conveying this is by fundamentally teaching that democracy is not something handed down by the previous generation. The fight for democracy never stops with a single generation. Our democracy is always becoming. When the time comes, when any enemy, foreign or domestic, arises, we must fight for our democracy to keep moving closer to our founding ideals and values. I used to think that when a war was won, democracy was secured. While this is true to some extent, service takes an incredible amount of forms, whether we are in war or not. These actions can be seen through being cyber-secure and safe, understanding the ethical issues surrounding technology use, or teaching someone else to value their personal privacy miles away from our nation’s capital.

3. We cannot underestimate the power of peer-to-peer connection in learning cybersecurity.

I’ll never forget a defining moment I experienced while speaking at a conference in the border town of Laredo, Texas, after stepping off stage at Laredo’s Technology Summit. As I reached for a local student’s hand to greet her, she questioned, “How can we believe we are a part of the future when we don’t have access to it?” This single encounter pushed me to confront my ignorance. I hadn’t realized that Laredo, unlike other schools I had spoken to about engaging in cybersecurity, did not have the same technological opportunities to do so. Her stories sparked further questions. How could we increase accessibility for Laredo’s students? What vehicles of community building could we use to mobilize classrooms? Are there cultural differences we should account for?

Immediately, the students and I began bridging vision and action. Throughout their lecture halls we filled whiteboards with programming for classrooms. We drafted emails, illustrated potential marketing materials, and penciled a potential timeline for a cybersecurity women’s fellowship program that would come to fruition four months later.

Additionally, over this past year, BNBCE partnered with ISACA’s One in Tech (OIT) to create a for-youth, by-youth 6-part video series curriculum package in cybersecurity. Bits N’ Bytes and OIT’s junior board led through the ideation, research, and execution stages, and helped create content designed to help students stay safe online, build skill sets to help e-learning, and begin cyber careers explorations. By understanding the peers we are building for, we were able to brainstorm ways to make the learning more effective: adding in fun, talking Animoji characters to add a personal twist, giving short, attention-grabbing podcast/movie recommendations at the end of each video, and discussing the importance of mental health online and offline in the age of the pandemic.

With 65% of Generation Z wanting to create something world-changing, we stand as a generation that carries an inventive spirit. Additionally, growing up in the age of social media, more than ever before, we are using those platforms to understand and empathize with communities halfway across the world from us. These are the same characteristics we can emphasize in building out cybersecurity education programs: community, innovation, and the interdisciplinary nature of cybersecurity.

4. Protecting our K-12 schools from cyber-attacks is a first step.

In the 2018 Education Cybersecurity Report by Security Scorecard, the education industry itself was ranked as the bottom performer out of 17 industries. In fact, the report also outlined that only 15% of K-12 schools have implemented a cybersecurity plan, just 29% have purchased cybersecurity products and services, and 31% had not provided end-user training.

Just this week, the Huntsville City School (HCS) district closed all K-12 schools and campuses this week due to a ransomware attack that was detected on the morning of Monday, November 30th. The district, which is home to 40 schools, advised 2,000 educators and nearly 23,000 students to shut down their district-issued devices and avoid logging into any HCS platforms at both school and home. The Huntsville Police and the FBI have partnered to investigate the source and scope of the attack, but have not yet shared details about whether any personal information was compromised.

The Huntsville City School shutdown comes only days after Baltimore County Public Schools announced a school closure due to a “catastrophic” ransomware attack just days before Thanksgiving. Over the last few months, there has been an uptick in the number of ransomware attacks against school districts across the United States, with large spikes occurring around times when schools are most vulnerable: during school opening and on holiday breaks. Educational institutions, particularly those with limited IT staff, funding, and resources to manage cybersecurity, are highly susceptible to ransomware attacks when data is not backed up and not secured by the latest cybersecurity protections.

To protect from malware, schools can ensure that basic security hygiene controls are in place, such as vulnerability patching and frequent backups of data. Additionally, to fortify defenses against attackers, schools can leverage free security services offered by the Multi-State Information Sharing and Analysis Center. Currently, only 2,000 of the 13,000 U.S. K-12 school districts have signed up for free membership in the Multi-State Information Sharing & Analysis Center (MS-ISAC), which offers school systems network vulnerability assessment, cyberthreat alerts, and other related services. Additionally, only about 120 schools are using the MS-ISAC’s no-cost federal service called "malicious domain blocking and reporting," which helps prevent IT systems from connecting to harmful web domains.

5. Apart from our education industry, corporations must bake creative utilities into their products to reinforce cybersecurity education.

Instead of blaming the user for not taking enough cybersecurity precautions, consumer-facing products must bake cybersecurity education/awareness training into their platforms. Whether this be social networks, apps that connect individuals to other individuals/groups/communities, or data sharing apps, safety and cybersecurity should be emphasized.

This starts with fighting policy attestation and urging users to be aware of their privacy, their rights, and their controls of their accounts. A Deloitte survey of 2,000 consumers in the U.S found that 91% of people consent to legal terms and services conditions without reading them. For younger people, ages 18-34 the rate is even higher with 97% agreeing to conditions before reading. In fact, the average attention span of Generation Z on social media is only about 8 seconds: solutions to present this information must be dynamic, attention-grabbing, and visually-attractive. Given the diversity of Generation Z and our digital divide, solutions must be crafted for specific user-groups, taking into groups that are more vulnerable, and also focus efforts on the “emerging market” populations that are joining social media now or will be in the near future.

Other cybersecurity controls that products could bake in exciting and engaging visual explanations include: the significance of including two-factor authentication, blocking and reporting potential bot accounts (in addition to simply ignoring them), the meaning of a hack versus a data breach, good privacy reminders to keep in mind when sharing personal pictures, and conducting regular checks on the other devices where a user is logged in on. When a user first signs up for any account, other good reminders could simply be to reinforce lessons of digital citizenship.

The fact of the matter is that students are eager to learn about cybersecurity, but may simply lack the resources, channels, or means to do so. This gap is even larger in areas of low socioeconomic status, rural areas, and areas that are called “Cybersecurity Deserts” that lack local cybersecurity companies or universities that study or offer coursework on the subject. In fact, 80 percent of educators who report no cybersecurity resources live in rural areas. By conveying/reinforcing this education through “nontraditional,” non-classroom environments, and getting their questions answered when they ask them (even those about Snapchat’s server storage), students will be encouraged to pursue their curiosities further and feel empowered to prioritize personal security.

Moving forward in cybersecurity education: what you can do. (Your homework!)

Now that I have shared my learnings with you, I urge you to do the same in your communities. The most impactful step you can take as a practitioner is to spread your cybersecurity knowledge outward to the groups you are connected to. Whether that takes form through conversations with your children, training educators on feeling more comfortable teaching cybersecurity to their K-12 classrooms, or even speaking on a career day panel at your local school, your insights can strengthen our human firewall. Additionally, if you would like to lead a workshop in your local community using curriculum that has already been created, check out the BNBCE website that includes:

Cybersecurity Workshop Package (K-5th, 6th - 8th grade)
Cybersleuths Cybersecurity Package (6th - 10th grade)
Includes courses in cybersafety, pathways in cyber (career exploration), e-learning tips for managing online learning, and our video series!
Disinformation Curriculum Package (Launching in Early 2021 for 9th - 12th grade)

Another way to support the pursuit of cybersecurity standards is to support the initiatives of both BNBCE and CYBER.org. Currently, only three out of fifty states have standards for teaching cybersecurity in classrooms. CYBER.org is working on fixing that: bringing together educators, practitioners, and organizations like BNBCE to develop standards that can be deployed across the industry. These cybersecurity education standards will help improve the retention of diverse talent in cybersecurity, strengthen our “human firewall,” and empower educators to integrate cybersecurity education across class subjects.

By understanding the needs and unique qualities of this generation of digital users (and the rising Alpha Generation), we can truly work together to ensure that our nation’s critical data security needs will be met for years to come. Without a cross-generational effort to do so, we may be opening the floodgates for the next iteration of cyber-adversaries.