Training tomorrow’s defenders: higher education’s impact on cyber security
By Molly Gluck
In Part Three of Boston University’s National Cyber Security Awareness Month Medium series, security experts highlight higher-education’s critical role in closing the skills gap and strengthening cyber security defenses
Research indicates that in the United States the cybersecurity workforce gap will widen to 1.5 million job openings by 2019, up from 1 million last year. Globally, it’s projected that by 2021 cybercrime will cost the world $6 trillion annually with an expected 3.5 million unfilled cybersecurity positions. With the talent gap continuing to grow, attackers have the advantage. In an effort to address this escalating problem, the Department of Homeland Security (DHS) outlined “increasing and strengthening the cybersecurity workforce across all sectors” as a key focus of this year’s National Cyber Security Awareness Month (NCSAM).
In part three of Boston University’s NCSAM Series, professors David Starobinski, Manuel Egele and Ari Trachtenberg from the Department of Electrical and Computer Engineering, and Ran Canetti, professor of Computer Science and director of the center for Reliable Information System and Cyber Security, discuss why the academic community is in a unique and influential position to close the cyber security skills gap.
Q1: In today’s cyber landscape, what is the major skill, talent or knowledge gap that needs the most attention from higher education?
Professors David Starobinski and Manuel Egele both consider the ‘adversial mindset’ to be the number one skill required to strengthen cyber security:
“The most important skill, in my opinion, is the ‘adversarial mindset.’ When deploying any new technology at home or at work, one should always consider how an adversary may exploit that technology for nefarious purposes. Hence, any new technology must have security protections built-in from the beginning, including authentication of connections and encryption of data.” — David Starobinski
“While we train our workforce (reasonably) well to build or engineer products and services to specification, what I see missing is the adversarial mindset that is necessary to anticipate what attackers might do and pro-actively design systems in a more security-focused way. For example, instead of merely making sure a system or software fulfills the stated requirements, an adversarial mindset will prompt questions such as ‘how could I attack this program?’, ‘how could I use the service without authorization?’, etc. Such a mindset will then show potential security vulnerabilities before deployment where they can be fixed before any harm is caused. While this will not solve all security problems, it would be a significant step forward.” — Manuel Egele
Professors Ari Trachtenberg and Ran Canetti both highlight the importance of equipping future cyber defenders with broad, holistic skillsets:
“Cyber security is a holistic art — it requires a deep technical understanding of a wide variety of theoretical and applied fields, ranging from psychology, law and anthropology through machine learning, mathematics, operating systems, and software design. It is also an ever-changing and dynamic field — as threats are understood and mitigated, they become less significant and new threats bubble to the surface.” — Ari Trachtenberg
“The main challenge we are facing in cybersecurity is the need for professionals with a very broad expertise. To understand cybersecurity and be an effective defender, one has to:
· have deep knowledge in how computers are built and how they operate, from the hardware to all layers of operating systems, applications, and networking;
· understand the mathematics of cryptography and the logic of program analysis and verification;
· comprehend human-machine interfaces and their fallibility;
· evaluate the social and emotional constraints of both legitimate users and attackers;
· weigh the economics of cyberattacks and cybercrime through a deep understanding of the law — both national and international.
Finally, and perhaps most importantly, one has to understand the foundations of human dignity, fulfillment, freedom and security — in order to make sure that cyberspace does not harm these precious foundations.” — Ran Canetti
Q2: What role does higher education play in helping to bridge this skills gap?
“Higher education is the only place where such a broad set of skills can be possibly acquired. This is not to say that today’s universities all give these foundations: there is a lot to be done and improved. But certainly, the academic framework is the most conducive to (a) educating professionals that can effectively protect society from cyber threats and (b) educating the general public to be more aware and vigilant about cyber threats.” — Ran Canetti
Q3: What aspects of cybersecurity must be incorporated into higher education curriculums? Why?
“Many of the nascent cybersecurity education programs try to focus on elements that are directly relevant to today’s trendy security threats — but this is not what will be useful for (quite literally) tomorrow’s threats. The best preparation for the upcoming cyber landscape is a holistic technical education in a wide variety of fields. A well-trained generalist would be able to produce solutions to the specific threats that we cannot predict today.” — Ari Trachtenberg
“A lot of, even current, software contains bugs and vulnerabilities whose underlying root causes have been known for decades. As such, an immediate educational goal should be to educate the entire workforce (but at least current engineering and computer science students) to make them aware about these well-known problems in the hopes these students will not repeat these mistakes once they join the workforce.
Furthermore, merely explaining security problems to students will likely fail in realizing this goal. Students need to experience what it means for such vulnerabilities to be present in software. This experience can be created by having students attack such software and vulnerabilities in a secured environment.” — Manuel Egele
Q4: As the threat landscape gets more dynamic, what areas of research should the academic community be prioritizing to strengthen policy and defense initiatives?
“In my opinion, the priority of academic research should be on understanding and reducing the threats of crippling attacks on critical infrastructure. For instance, in my lab, we are concerned with preventing attacks on Wi-Fi and 5G networks that could paralyze communication over a large geographic area, such as a city. We are also concerned with attacks on connected and autonomous vehicles, and are developing novel security solutions ahead of the deployment of this transformative technology.” — David Starobinski
Although NCSAM will come to a close next week, the top security concerns outlined in Part One, Two, and Three of Boston University’s NCSAM series will remain a high-priority for consumers, businesses, and governments well beyond October 31. Remember to consider the security risks and best-practices for protection brought to light by Boston University’s experts in order to make yourself, and our nation, safer and more secure.
You can follow Boston University College of Engineering at @BUCollegeofENG, Boston University Department of Computer Science at @BUCompSci and Boston University Hariri Institute for Computing at @BU_Computing on Twitter.
