After hearing the insights of government and industry experts at the White House Summit on Cybersecurity and Consumer Protection, in February, I am more convinced than ever that to keep our nation safe we must make a serious and sustained investment in cybersecurity education. Our goal should be to prepare a work force with the knowledge and skills to deal with the countless and increasingly sophisticated digital attacks that invade our privacy, cost us money, and threaten our economy and national security.
As dean of a college of computing and information technology, I have a vested interest in this issue. But it is in my role as dean that I have regular contact with representatives from a wide variety of industries — and these interactions continue to shape my perspective on what constitutes effective cybersecurity education. Such expertise is, and will continue to be, in high demand. The cybersecurity work force is projected to increase at a rate of 12 percent annually, and programs like CyberCorps, a federal initiative that provides scholarships and stipends in exchange for future government service, are a piece of the solution.
Our best defense against cybercrime is a knowledgeable, intellectually curious work force.
Our best defense is a knowledgeable, intellectually curious work force. We need inventors of technologies that reduce the vulnerabilities that criminals exploit, software developers who can devise systems that minimize those vulnerabilities, and individuals prepared to defend the systems and protect the data that criminals are after. All of these individuals must understand the evolving techniques used to commit cybercrimes as well as the sociotechnical nature of the problem.
Creating an educational program that achieves all of those goals poses many challenges. The number of platforms and devices we use to communicate is growing, and cybersecurity is essential for everything from our personal computers, cellphones, and automobiles to our nation’s digital infrastructure, including utilities, air traffic control, and traffic signals. Computers and Internet-connected devices are central to daily life, helping us conduct business and share information. These technologies enable creativity and innovation, but they also provide opportunities for cybercrimes. Cybersecurity experts need to be ahead of the curve, always staying current with emerging technologies.
But understanding the technical issues is insufficient. Effective preparation of our cybersecurity work force requires an interdisciplinary approach. Cybersecurity professionals must understand legal and policy-related issues as well as the crucial role of human behavior. Understanding how people inadvertently enable cybercrimes — for example, by sharing confidential information and using passwords that are not secure — helps experts create safe and usable systems. Additionally, a grounding in ethics is vital to the curriculum; we must ensure that students understand individual privacy concerns.
Learning in the classroom is useful, and lab-based experiences are important, but hands-on experience is essential. We should encourage students to participate in activities like the National Collegiate Cyber Defense Competition, in which teams assume administrative and protective duties for a computing infrastructure and compete by demonstrating their ability to detect and respond to outside threats. The mission is to provide institutions with “a controlled, competitive environment to assess their students’ depth of understanding and operational competency,” which is in line with our educational goals.
Classroom learning is useful, and lab-based experiences are important, but hands-on experience is essential.
While that is a good start, we also need to develop more competitions that allow students to exercise additional skills. An industry or internship experience integrated into the educational experience, such as a cooperative work program, can provide both income and hands-on experience that complements classroom and lab-based learning.
Those seeking to steal cyberinformation and exploit computer systems are constantly adapting and developing new strategies. The people defending those systems and securing that information must also adapt, studying the evolving techniques being used by cybercriminals, and developing new solutions. As a result, we must prepare students with a solid foundation as well as an appreciation for lifelong learning.
In addition to focused computing-security programs, we need to more effectively integrate security into all computing-focused programs. Computer scientists, software engineers, and game, app, and web developers must understand the importance of developing more-secure systems. Currently, computing security is not a component of all computing-focused degree programs, and when it is, it is rarely integrated throughout the curriculum. This is an area where we must make progress.
I would also argue that focusing on college-level education isn’t enough. Cybersecurity should be part of everyone’s education, starting long before students are thinking about which college they want to attend. This serves several goals. First, we need a more informed citizenry, which reduces the risk of cybercrimes. All of us need to understand how to protect ourselves so we can be part of the solution.
Second, we know that introducing students to new ideas during middle and high school can inspire them to pursue career paths they might not otherwise have considered.
And third, a coordinated effort, engaging four-year and community colleges as well as middle and high schools, will allow us to attract more students, from diverse backgrounds, who are excited by the challenges of protecting information and defending our computing infrastructure.
Higher education, backed by preparation in the earlier grades, will play an increasingly important role in preparing the workers who will be responsible for the day-to-day tasks of protecting our information and securing our systems. It is an opportunity, and a duty, that we cannot afford to ignore.