Cybersecurity Education Receives a Makeover

New methods of teaching cybersecurity might be the best hope for providing the necessary security experts to turn the tide against malicious cybercriminals who have launched constant battles against vital networks. In purely quantitative terms, the number of available information technology security experts falls critically short of what is necessary, while the number of hackers and cyber adversaries grows larger.

The demand for well-educated and trained cybersecurity professionals outpaces the supply, both in the government and private industry. The market for information technology careers is expected to have a 40 percent vacancy rate by year’s end, with the tally higher for positions at the supervisory level. Businesses and government agencies struggle to train—and retain—qualified workers in an environment punctuated by dwindling dollars earmarked for research and development, a lack of enthusiasm from students and young adults and an ever-changing threat environment posed by nimble cybercriminals.

In part, experts say, it is society’s fault as people’s increasing desire and dependence on technology make it easier for criminals to hack their way toward profitable endeavors. “We certainly are in an area right now that has seen explosive growth with the Internet, but more importantly, we have, quite frankly, put our lives and our economy and our ways of interacting with business and friends and colleagues and everything into this digital world,” says Rob Roy, federal chief technology officer with HP Enterprise Security Products. “Sensitive information, intellectual property, financial information—that’s all in this brave new world that we’re living in, and it becomes extremely attractive to the three primary groups or individuals who want to use it for bad purposes.” The three primary groups are hacktivists, cybercriminals and nation states for purposes of sabotage and espionage.

The shortage of cybersecurity experts has created a national security situation in the United States akin to the expansion of radical Islamic militants in the Middle East, Russia’s assault on part of Ukraine, rising tensions between the United States and North Korea, and the mushrooming of China’s navy, according to some experts.

“It’s a tremendous problem, the lack of the numbers of people we need for the cybersecurity work force,” Roy offers. “It’s estimated we’re behind by about 2.5 million people—just in the U.S. federal government—to properly protect the nation’s infrastructure.”

Cybercriminals have moved far ahead in their ability to hack into networks versus the abilities of security experts in industry and government to protect them. “Cybersecurity, for many years, was viewed as insurance,” Roy notes. “You wanted to create the next great cellphone that has a visual interface and a touch interface and boy, it’s great. You don’t necessarily build in the best security into that device as your first priority. Your first priority is to make it usable and make it attractive to your customers. As we saw around the world, you have the negative forces.”

These negative forces easily can download, often for free, all of the tools necessary, he adds. “The education is built into the tools. It gives them all of the help they need. They can do this without any formal instruction whatsoever.”

The primary challenge facing the cyber work force today is the lack of personnel coupled with the lack of experience of those who are employed to fight the fight. “Sending somebody to school for four years to get a cybersecurity degree to me is useless,” Roy contends. “By the time they get out in four years, the field of cyber has already changed 50 times. ... To attack this problem right here and now and to start turning the tide, we need to find people who have the ability to learn cyber and who have a passion about it. We need to get them educated on it. Once they are educated on it, we need to give them a way of sitting in on a real-life environment, whether a government agency or in the private sector, they need to get some of this on-the-job training for at least six months, preferably a year.”

Many programs and curricula exist in an effort to rapidly train and field a new generation of cyberwarriors, such as one offered by the Federal IT Security Institute (FITSI), which administers the Wounded Warrior Cyber Combat Academy (W2CCA) by cross-training combat-wounded veterans who are medically discharged from active duty service. The program, started in March 2013, trains warriors wounded in Iraq or Afghanistan in cybersecurity, with the goal of closing the skill gap of technically proficient professionals and setting the former troops on a path toward employment, says program lead instructor Jim Wiggins. “So the idea is to take some of these guys who are very patriotic, very capable—they have a number of unique attributes—and retrain them in a career field.” The W2CCA offers a blended program of in-class instruction at Walter Reed National Military Medical Center and online. There is no charge to the warriors; the program is funded by donations to the nonprofit FITSI Foundation.    

The students, who can apply on their own or be referred by a military occupational therapist, are presented with 14 different courses taught over a one-year period to make the students marketable in the sector. “This is a huge growth industry and the reason has to do with the fact that the cybersecurity market is directly tied to the use of IT [information technology] within our society,” Wiggins says. “So as society continues to consume more and more IT, the need for properly protecting that IT infrastructure and that information becomes more and more important.”

Industry experts say a shift in training methods is afoot. For example, what does not seem to work well any longer is the old-school method of long lectures in conventional settings, says Peter Tran, senior director of the Advanced Cyber Defense Practice at RSA, the security division of EMC. “The traditional classroom, student-teacher, long lectures, long days doesn’t work. It fails to prepare students to work under duress and in high-tension environments following a breach,” Tran offers. “A traditional warfighter in the field, for example, you’re going to want to train ... to surge and behave in the environment that they’re going to be fighting in. Education and training traditionally doesn’t do that. It was more ‘OK, we’re going to give you the theories. We’re going to give you the practicums … the textbooks.’ It is a very academic environment.”

The first time an incident becomes serious, rookie analysts are caught with the “deer in the headlights stare when presented with a true stressful condition,” Tran opines.

“What is trending now, and what we’ve implemented in the advanced cyber training and education curriculum, is a bridge from what was not working to what we call surge training or burst exercises,” Tran maintains.

The approach places students in situations in which they must respond to a crisis in “bursts” of 10 to 20 minutes in duration. “We’re working on getting the students who are accustomed to traditional classroom environments, or even virtualized environments … and have them get used to these 10- to 20-minute surges where we present real threat cases in lab environments and then they surge. Then they go and recover, and we present them with another stressful environment and they surge for 10 to 20 minutes, and when they go back to their environment, they go, ‘Ah, I’m used to it. I haven’t forgotten.’”

Experts expect cybersecurity threats to worsen, particularly as more and more users will access networks via less secure mobile devices. “The security operation environments are beginning to change now,” Tran continues. “They are very distributed and very federated, meaning as we take advantage of more mobile platforms … the virtual security work force is no longer going to be sitting in one single room or command center. They’re going to be distributed globally.”