Once a field of self-taught hackers, cybersecurity education shifts to universities
For years, the best way to learn about your computer was to take a screwdriver it.
That鈥檚 how Jon Miller learned cybersecurity: trial and error, advice from friends, and constant tinkering. In the 1980s and early 1990s, that鈥檚 how everyone else did it, too. Network security was self-taught in basements and bedrooms. And it worked pretty well. Without formal training, Mr. Miller worked his way into a role as vice president of strategy at the security firm Cylance. He鈥檚 lectured at colleges 鈥 without ever taking a class in one.
鈥淚 learned from getting new hardware and problem solving,鈥 says Miller. 鈥淏ut if colleges had offered courses in security at that high level, I would have taken them.鈥
There's a sea change occurring in how information security is taught. Millions of dollars are pouring into universities to launch cybersecurity programs. While cybersecurity is still an industry that celebrates self-taught outsiders听and hackers working for good, the future is sure to bring more engineers and specialists trained in the classroom.
It's been year of incredible growth for college departments in the field. A host of schools such as Utah Valley University, University of Texas at El Paso, Missouri State, and University of Tampa launched or started degree programs in the field. A multimillion-dollar multiuniversity National Science Foundation cryptography initiative broke ground at top universities across the country. A bevy of community colleges announced specialized training programs. And the Obama administration announced a $25 million grant for historically black universities to train students in cybersecurity.
It's a stark change from the days听Sushil Jajodia launched the country's听first academic center devoted to computer security, the听Center for Secure Information Systems at George Mason University, more than two decades ago.
鈥淲hen we started, there was no World Wide Web,鈥 says Dr. Jajodia, who opened the center in 1990 and still runs it today.听鈥淭here were no security products, and no security classes. The only people interested in our work were the Department of Defense and National Security Agency for the protection of their networks.鈥
In 2000, a decade after Jajodia started his George Mason center, he was the main interviewee in a Chronicle of Higher Education story on the 鈥渟truggle鈥 to establish cybersecurity education programs in colleges. 鈥淚 don鈥檛 see things getting better in the near term,鈥 he told them. At the time, there were only a handful of programs and the few professors in the field were regularly poached by higher paying industry jobs.
鈥淚f they have one course I鈥檓 happy,鈥 Jajodia said at the time, of computer science departments around the country.
Today he's happy (well, happier). This year鈥檚 undergraduate catalog at the University of Alabama lists six classes mentioning 鈥渟ecurity鈥 in the computer science department. In 2008 it listed zero.听
But for all the growth over the past few years, nothing nurtured听higher education鈥檚 interest in cybersecurity like the recent growth of threats.听鈥淔our or five months ago, I went to the dean and said, 'This is the time we鈥檝e been waiting for! Finally the awareness has hit everyone,鈥 Jajodia says.
Balancing academics with real-world training
There are real advantages to learning a subject such as cybersecurity in a school rather than in a basement workshop.
Throughout history, novices turning to online cliques of experts have been told 鈥 often in colorful ways 鈥 to听鈥渞ead the manual.鈥 For people who broke through, including Miller, being self-taught means occasional knowledge gaps.
Miller also听acknowledges that he got lucky by being able to afford equipment 鈥 there has always been a high financial barrier to learning cybersecurity. And without today鈥檚 gigantic code repositories (GitHub wouldn鈥檛 start until 2008), there was a need for a level of patience and an ability to pick things up quickly.听Some of those hurdles can be overcome with the help of teachers, standardized curricula, computer labs, and textbooks.听
While听Jajoda and other academics welcome the new attention to their field, they still worry about schools offering computer science and engineering degrees without integrating security training.听It baffles Jajodia that students can still take a software design class that doesn鈥檛 incorporate principles of security. That, he says, is a problem in the academic perception of cybersecurity 鈥 it鈥檚 still seen as a separate discipline from听mainstream computer science. 听
And while schools work to shoehorn cybersecurity into computer and software design, they also face an issue that听reports from the White House, the nonprofit RAND Corp., and the Association of Computing Machinery all describe as the tent-post problem: Classes often devote more time to academic theories about cybersecurity, rather than the rote training in real world scenarios professionals will need.
The state of Michigan along with tech nonprofit Merit got out ahead of this problem. In 2012, Michigan launched the 鈥淐yber Range,鈥 a "live fire" facility many of its colleges use to simulate real-world cyberattacks. But that is not a common feature in higher education. Even as the funding flows into cybersecurity education, Jajodia worries the money will be earmarked solely to research rather than to improving training.
鈥淧rofessors,鈥 he says,鈥 don鈥檛 have the modern tools students need to train on.鈥
New focus on cybersecurity policy
But with the influx of new funding, some schools are taking cybersecurity education into bold directions, including new degrees in law and policy.
At the Massachusetts Institute of Technology, for instance, the school is using a $15 million grant from the听Hewlett Foundation to launch a听Cybersecurity Policy Initiative. The grant is one of three that Hewlett announced last year for cybersecurity efforts at MIT, Stanford University, and the University of California at Berkeley.听
Daniel Weitzner is heading up the MIT center. As a former听deputy chief technology officer at the White House and the founder听of the advocacy group the Center for Democracy and Technology,听he's familiar with the policy issues and process surrounding cybersecurity. That experience has given him deep insight into the听current need for educated government advisers and for the policy research听necessary听to inform them.听
鈥淚magine if the chairman of Federal Reserve听had absolutely no guidance in what the outcome of their policies would be. We鈥檇 never let them say, 'Oh, let鈥檚 just raise the interest rate half a percent and see what happens.' That's where we are today," says Dr. Weitzner. Programs like his, then, could have a tangible effect on national policy.听
The MIT program will focus on metrics, ways to calculate the effects of different actions.
Beyond helping society make more informed choices, he says programs such as his will position students for a growing number of unaddressed positions in a听rapidly expanding field.
鈥淵ou see it in big companies 鈥 the Googles 鈥 looking to hire student鈥檚 with a computer science background and a public policy background,鈥 he says. And the Center for Democracy and Technology, he says, "is now hiring as many lawyers as computer scientists."
The law school and Center for Health and Homeland Security at the University of Maryland are partnering to offer new masters in cybersecurity to fill the same need, which they also see as massive. As Michael Greenberger, director of the CHHS puts it: 鈥淚n our consulting work, we see continued interest in cybersecurity law. We are doing this because there is a demand for knowledgeable people. We aren鈥檛 just doing this for tuition.鈥
Will classrooms replace self-taught hacking?听
Mr. Greenberger's comments about tuition represent a serious concern among some security experts. Jajodia, the George Mason professor, worries that the thirst for cybersecurity programs will encourage schools looking to add prestige or cash flow to offer inferior programs. It's not so much the traditional universities he worries about. It's for profit schools.
But whatever the school,听there's no real听consensus on how graduates who wait until college to start their learning fit in to an industry largely staffed with those who learned on their own, whether there will be a culture clash or differences in the quality of education. With a growing job market, new modes of education aren't just inevitable 鈥 they're necessary. But there may never be a full shift to the academy, and it's doubtful the industry would want it.
鈥淪ome of our best people have no security background,鈥 says听Jay Kaplan, chief executive officer of the penetration-testing firm Synack.听鈥淭hey鈥檙e motivated software or hardware engineers with an interest in security. Some of the best experts didn鈥檛 train for this, or practicing it full time.鈥
Synack operates as a curated network of freelancers, so Mr. Kaplan has recruited a lot of cybersecurity professionals over the years. And he has no interest in where their knowledge base came from. He tests applicants with simulated security projects. University of Phoenix students face the same quiz as ones from Harvard University 鈥 the same quiz self-taught hackers take.听
Mr. Kaplan says that having learned cybersecurity both at a university and on his feet. He went to George Washington University during the last influx of money into cybersecurity education, one of the first few students to receive the Clinton-era听鈥淐yberCorps鈥 scholarship intended to create a well-trained army of computer savvy public servants. The scholarship, which still around today, permits students to go to National Security Agency-certified 鈥淣ational Centers of Academic Excellence鈥 in information assurance or equivalent programs. When Kaplan applied to college in 2003, there were only a handful of qualifying schools. Now there are more than 100.
He earned a bachelor鈥檚 degree in computer science before working as an internal network analyst at the NSA, but the NSA required different skills than the conceptual academic training he received in school. So Kaplan had to pick up practical skills in the workplace.听鈥淥bviously it required a very technical understanding very specific to the job,鈥 says Kaplan. 鈥淚t鈥檚 a common problem for people coming from a theoretical background.鈥
There is, he says, one advantage of learning pen testing from schools rather than a lifetime of hacking 鈥 it鈥檚 tougher to trust someone to guard your network whose last job was breaking into it. 鈥淎t conferences, I ask them where they live and what they do for a living. If they don鈥檛 have a good answer to how they live in a nice area but have no job, I can鈥檛 hire them.鈥
But will universities exceed, or even meet the self-trained educations of years past. From his office at Cylance, Jon Miller is optimistic but not entirely sold.听
鈥淚 don鈥檛 think a four year program alone will by any means be enough. I鈥檓 a strong believer in putting in the time and students need to put in a lot more time outside of class,鈥 he says. Self-trained security professionals spend lifetimes learning a field colleges claim to teach in four. 听鈥淏ut kids now have had next generation Internet all of their lives. It鈥檚 possible they could be prepared to learn cybersecurity in four years.鈥
听
