I suppose it sounds logical.
We're hearing that the best way to deal with the shortage of cybersecurity professionals is to funnel students into cybersecurity degree programs.
And while we're at it, let's address the problem of all those hackers who are thinking outside of the box by recruiting them for these degree programs.
Unfortunately, the logic of these statements is about a micron thick.
Let's look at those cybersecurity degree programs first. In no other computing discipline do you have a specialized degree program. You do not earn a bachelor's degree specifically in software engineering, computer graphics, artificial intelligence, database management, systems administration, Web applications programming or project management. Why should there be a bachelor's degree specific to cybersecurity? (And please note that I am talking about undergraduate cybersecurity programs, not graduate-level programs.)
There shouldn't be. Security professionals need to function in a variety of disciplines. They can be called upon to evaluate software for security vulnerabilities, to determine whether a user interface is suffering from information leakage, to design secure databases, to secure operating systems, to assess and shore up the security of websites, to incorporate security requirements into new developments and so on. The person you ask to do all of those things needs to be well rounded. But a cybersecurity degree program offers many security classes at the expense of classes that would normally be required to get a general degree in computer science or information systems.
With exceptions like architecture and nursing, bachelor's degree programs are not intended to be trade schools. The best college degrees strive to help people have a broad understanding of not just their field, but culture in general. Personally, the skills that have helped me most in the cybersecurity field did not come from computer courses, but from the mandatory writing and business classes I took, which taught me to be a better communicator and how to determine what was valuable to decision-makers.
To paraphrase Jim Rohn, the value of going to college is not in the degree you are awarded, but in what you had to become to earn that degree.
My feelings about cybersecurity degree programs isn't bias of the "that's not how it was done in my day" variety. I sincerely believe that cybersecurity degree programs are producing graduates inadequately prepared for the positions they believe they are training for, and quite possibly compromised in their ability to get any job at all.
Consider the National Security Agency, a promoter of the cybersecurity degree movement and a highly coveted employer in the field. The NSA designates some cybersecurity degree programs as Centers of Excellence in Information Assurance Education. So, the graduates of those programs should have no problem getting hired by the NSA in a cybersecurity capacity, right? Well, maybe not. Take a look at the NSA's cybersecurity professional development program. It wants people with strong programming skills. But many cybersecurity undergraduate programs do not offer any programming coursework. It's been cut out to make room for more classes in things like writing security policies.
Now, a general degree in computer science can pretty much qualify a person for any entry-level position in the computer profession, including a cybersecurity position. But a person with a highly specific degree may have a problem getting a broader position. And I don't think new graduates armed with a bachelor's degree in cybersecurity are going to want to limit themselves to that relatively small subset of available jobs.
Think of it from a hiring manager's perspective. She has an opening for a database manager and must choose between two candidates. One has a general CS degree, and his studies included classes in database management. The other has a cybersecurity degree, but though he says he can write a database management security policy, he never took a course in database management. Welcome aboard, CS graduate!
While you might contend that the cybersecurity graduate will look for the plethora of cybersecurity job openings, and not a database management position, this first assumes that the new graduate wants to limit themselves to a very specific, and small, subset of computer related job openings. Again, they will still be competing with general computer degree holders.
My Magic Wand
If I could wave a wand to fix the problem of a lack of information security knowledge in college graduates, I would have the NSA and other stakeholders invest their time and money not in developing Centers of Excellence, but in influencing computer science and information systems departments to incorporate security into all relevant courses and degree programs.
This is actually the direction recommended by the Association for Computing Machinery and the IEEE Computer Society in their most recent update to their recommended curriculums for computer science programs and for information systems programs.
Unfortunately, I recently reviewed introductory computer science courses from a wide variety of prestigious universities, and none of the courses that I looked at seemed to be implementing the guidance. Incidentally, in the course of doing some volunteer work, I spoke to some college officials about adding a security course to their curriculum. Next to impossible, they said, since curriculums go through lengthy approval processes. To get a course to include security, you have to find a textbook that covers the subject. Good luck. Few of the most popular textbooks used in computer science classes have even one chapter devoted to security, and many have no specific content. Some of the newer introductory IS textbooks cover security to some extent, but I have yet to see any detailed security content in textbooks for advanced courses.
So, magic wand, let the NSA and other organizations begin to write content for such textbooks, and then offer grants to colleges to enhance their curriculums.
The issue is to create not a handful of people who have a little extra specialized education, but to ensure that the future computer professional community, as a whole, at least has the fundamental knowledge to begin proactively securing their work products.
Thinking Inside the Box
And what about the idea that the graduates of cybersecurity programs should be drawn from students who somehow are better at thinking outside of the box? Quite simply, it is a notion that is grossly ignorant of what has actually been working for decades.
Until recently, the NSA had never hired anyone with a cybersecurity degree. And yet the NSA is widely considered to be the world's leader in information security and information warfare. How then did the NSA establish such pre-eminence in the field?
It searched among its employees for high-caliber people and then cross-trained them. It is that simple. The NSA continues to do so in many fields, including information assurance.
But will cybersecurity degree programs give the NSA and other employers people who think outside of the box? And will such new graduates have an edge over experienced professionals? No; that is frankly delusional. The proponents of such nonsense argue that hackers are able to get through the strongest security countermeasures by dint of some unique thought processes.
Wrong. Teenagers have been able to break into systems not because of superior skills, but because the people running the systems in question have inadequate professional security training. The hackers aren't thinking outside of the box; they are just thinking about the task at hand.
Skilled professionals are not usually asked to break into computer systems. As a rule, violating laws is not their task at hand. But look at what happens when you make it their job. When I recruit a new trainee for penetration testing, I look for the smartest, most experienced computer professional available -- not a teenager. When I tell them what I want them to do, they're generally shocked. They have never applied their skills to such a purpose. But after they get over the surprise, they do things that make my head spin. What they tend to do is to perfect the attacks that they have had experience repelling on a regular basis, and incorporate their detailed knowledge of operating systems gained from years of administering systems.
(Some IT professionals do indeed pursue such activities as part of their job, but we only catch glimpses of the successes of these U.S. government "hackers," who break into highly secure foreign government systems, such as Iraqi air defense systems. They were also prepared to cripple the Iraqi financial system. There are also claims that U.S. cyberwarriors designed the Stuxnet virus to damage Iran's nuclear capability. These hackers accomplish tasks that teenagers think are science fiction. Their exploits are just rarely publicized.)
But we give young hackers more than their due. Some people say we should harness their supposedly superior knowledge of security and recruit them to protect the systems they break into. Need I point out the absurdity of this idea? It is akin to thinking that just because some idiot is capable of stealing a car and crashing it into a wall, he should have the skills to fix the damage. I'm sorry, but anyone claiming that the idiot could fix the car should likewise be thought an idiot. It is exponentially easier to break something than it is to fix it, especially when computers are concerned.
The System Ain't Broke
I find the idea that what the U.S. government really needs is a crop of new cybersecurity graduates to be insulting to the hundreds of thousands of current government computer professionals. The government needs to stop this nonsense and focus on expanding programs to cross-train highly skilled and immediately available workers.
Similarly, private organizations need to properly invest in their staffs. Just as they expect to train new employees in their job functions, they need to expect to have to invest in the training of their cybersecurity professionals.
What we need are not a bunch of cybersecurity degree holders, but a willingness to invest in current employees. Employees who earned a broad-based CS degree and then gained years of experience on the job are quite simply a better resource than a green graduate.
Don't get me wrong. I have nothing but admiration for the young people who are pursuing cybersecurity degrees. Most of these degree programs are tailored to part-time students, who usually have to juggle full-time jobs, coursework and a family life during a program that can take more than seven years to complete. That demonstrates true character and perseverance, which is more important than skills. However, a breadth of knowledge is still more important than the topic of the degree.
Unfortunately, the colleges are often selling these people hype, not reality. For example, one college is telling people that they are training them to be cyberwarriors, while the actual coursework teaches them to write security policies, not to be hands-on practitioners. This is like telling someone that you are training him to be a Navy SEAL, while you are only training him in logistics, qualifying him at best to be a quartermaster for the SEALs.
When you come right down to it, though, there is little in the world of information security that is more valuable than experience. And new graduates nearly always lack it to any significant degree. Just think about someone who takes a class in security policy. Say there are 15 class sessions that average three hours each. Then let's generously assume that the student does 115 hours of work outside of class. By putting in 160 hours, the student can rightly be said to have worked hard for his grade. But all that time is still the equivalent of just four workweeks. Would you trust someone with that level of experience to develop a policy document for a large office or to meet some regulatory compliance standard? Clearly not. It is nice that they have this experience, but it just makes them better than a person with no experience at all.
Undergraduates don't have expertise in their major; they have a slightly enhanced background. As for being qualified to combat the most elite hackers in the world, well, what exactly in a degree program that focuses on policies is preparing you to take on the hackers?
If the NSA and other parties want to reward promising students with scholarships for studying cybersecurity, then they need to think long and hard about what they expect to gain from such programs.
Scholarships are great. I believe in giving a hand to young people who show aptitude. But highly targeted scholarships can go wrong when the grantors expect to get certain results in return. And just consider some of the ways they could be disappointed in the results of their cybersecurity scholarship programs.
First of all, up to 80% of college students change their majors in college at least once. This means that as many as 80% of the people who receive cybersecurity scholarships are likely to not want to be in the cybersecurity profession by the time that they earn their undergraduate degrees.
Worse, in a way, are the incompatible goals of an organization such as the NSA. It wants to give cybersecurity scholarships in particular to young people who have a tendency to think outside of the box. The funny thing about young people who think outside of the box: They often do things that will disqualify them for the security clearance they will need to get a job at the NSA.
Let's say that they are encouraged to develop their hacking skills. Will they resist the urge to use those skills, or will they do something like join up with Anonymous? If they do, the NSA is not going to get the benefit of their education in cybersecurity. Even more common, though, are young people who download music and other intellectual property illegally. I have heard that this has become a reason for denying clearances. What I hear is that there is a floor in the value of what was downloaded for a clearance to be denied. OK, but students who were selected because they are on the edge are probably more likely than other students to breach that floor.
When you come right down to it, there is more than a little bit of wishful thinking in this entire drive toward granting cybersecurity degrees. This is actually a case where the thing that we have been doing for years, specifically taking high-caliber people and cross-training them for cybersecurity roles, is a better approach than what has been proposed to replace it. It puts highly skilled people to immediate use, solving immediate problems. We simply have to fully commit ourselves to expanding a proven model, instead of grasping on to what is literally a science fiction plot and hoping we will get results many years from now.
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.