Cybersecurity, Rising

Illustration by Martín Elfman for The Chronicle

Once head of the Transportation Security Administration and deputy director of the FBI, John S. Pistole doesn’t have to struggle to explain the value of teaching cybersecurity.

Now president of Anderson University, in Indiana, Mr. Pistole notes that the computer systems of American companies both big and small are routinely getting hacked, costing them hundreds of billions of dollars annually. Hacking has also meant breaches of financial and personal privacy for millions of Americans. It is widely suspected of having played a key role in deciding the most recent U.S. presidential election. And right in Anderson, Ind., county-government leaders recently paid thousands of dollars in ransom to a foreign hacker who had shut down their computer systems.

“There’s a critical shortage” of the workers and skills necessary to confront such problems, Mr. Pistole says.

That realization is spreading among colleges. But they aren’t yet producing enough graduates or offering the broad training that many experts regard as essential to meet the growing threat. Cybersecurity job postings grew 114 percent from 2011 to 2015, with 86 percent of the jobs requiring at least a bachelor’s degree, according to Burning Glass Technologies, a job-market-analytics company. Colleges are meeting only about 24 percent of the entry-level demand for those with four-year degrees.

Institutions like Anderson are adding undergraduate and graduate programs, seeing opportunity in a field long dominated by technical schools. Just this academic year, the university has added majors in cybersecurity and computer engineering.

Cybersecurity graduates can anticipate “negative unemployment as far as the eye can see in this realm,” says Joseph F. Sawasky, a former chief information officer at Wayne State University who now leads a cybersecurity training effort in Michigan.

Encouraged by federal incentives, many colleges are teaching computer code. But hacking is a crime that involves creativity, an understanding of human behavior, and expertise in the full range of endeavors that involve computers. A bachelor’s degree seems crucial to such training, and colleges are only beginning to identify what courses it should include.

“This is a serious shortcoming,” says Jeremy Epstein, deputy director of the Computer and Network Systems Division at the National Science Foundation. “Many people are saying we need to turn out more cybersecurity people. But we don’t agree on what ‘cybersecurity people’ means.”

The confusion stems from the history of the discipline. One of the organizational structures for teaching cybersecurity at the college level is the National Centers of Academic Excellence in Cyber Defense, run jointly by the National Security Agency and the Department of Homeland Security.

More than 200 American colleges have earned the Centers of Academic Excellence designation, which affirms to students and employers that their cybersecurity curriculum meets a set of detailed standards.

The program was founded by the NSA in 1998 with an eye toward producing graduates for the agency’s specific needs — focused mostly on coding ability.

Its certification is enough for a university like Anderson to build a pipeline to government agencies, and to attract faculty members and students, Mr. Pistole says. It’s about “building a brand, frankly, which is an important thing for schools to do.”

In recent years, the national program has started to adapt, shifting toward a more comprehensive idea of what cybersecurity training could mean, says Daniel R. Stein, who directs cybersecurity education and training at the Department of Homeland Security. The federal certification process now requires colleges to show that a wide range of students, not just those in computer science, receive some cybersecurity training, Mr. Stein says.

Among the institutions that are shifting to a more comprehensive notion of cybersecurity is Clemson University. Its Humans and Technology Lab conducts research aimed at making automated systems better reflect the ways people actually behave, with protections designed accordingly. Recent projects include studying how patients use electronic health records and exploring the risks to privacy posed by wearable devices.

Nationwide, colleges have a long way to go to incorporate that kind of broad approach into their educational and research agendas, says Kelly Caine, an associate professor of human-centered computing at Clemson, who heads the lab.

But even for institutions still focused mainly on teaching code, extensive worker shortages mean that cybersecurity graduates will find jobs, especially if they come with a solid liberal-arts education. Companies are accustomed to taking entry-level workers with raw ability and teaching them additional skills specific to their jobs.

Lisa Cannon, director of the IT department in Madison County, Ind., takes that approach. After paying foreign attackers who held the county’s computer systems hostage — blocking access to official records for courts, tax collection, property deeds, and other services affecting 130,000 residents — she found a graduate of Ball State University to manage the county’s newly tightened computer systems.

With his education, the technician was “a jack of all trades and a master of none,” she says. A week of “boot camp” run by Cisco made him proficient in the specific skills the county needed, Ms. Cannon says.

The hackers’ attack happened less than two months after she was named director of technology, on the Friday evening before a scheduled Monday meeting to sign a contract establishing an off-site backup system. With more training, her predecessor might have recognized the need for the backup system, along with stricter rules that would have limited the access afforded to outside vendors — one of which accidentally allowed the attack.

Colleges can’t fight cybercrime alone. Incorporating holistic strategies requires incentives such as regulations and legal codes that put more responsibility on product designers for preventing computer-security problems, says Carl E. Landwehr, a cybersecurity research scientist at George Washington University.

Researchers and product designers also need to look anew at computer languages, says Mr. Landwehr, who previously worked at the Naval Research Laboratory. Many products and systems rely on programming languages that are prone to mistakes and were not designed with security as a primary objective, he says.

“Right now,” Mr. Landwehr says, “we’re not building with very good lumber.”

Paul Basken covers university research and its intersection with government policy. He can be found on Twitter @pbasken, or reached by email at paul.basken@chronicle.com.