Better Cybersecurity Education
In an article over at IT Pro Magazine, Steve Ranger asks "Does a cyber security degree help in the real world?" and makes the case that "Industry professionals have mixed feelings on whether they're useful."
Quality and availability
The article claims that "according to a worldwide survey of over 1,000 cyber security professionals, half said the availability of cyber security or information security courses in formal higher education was either poor, or very poor".
It is some small comfort to see industry catching up with what I have been writing about for years in the Times Higher and elsewhere. Let's unpack some points from the article to address.
Firstly, there is something of a non sequitur in the above claim. Re-reading it carefully, it says the survey identified a lack of availability. The quality of courses is not mentioned. We'll come back to that in a moment, but the issue of availability is clear and borne out by hundreds of comments I have received.
Our problem is that there's too much money in tech. Or rather, the salaries of university professors are appalling. Pick either, because the upshot is that it's almost impossible to attract good cybersecurity experts to academia. Salaries in the private sector are three to five times those in higher education for the same skill-set.
But I'd like to qualify that further. Presently, the streets outside the university that I recently quit on ethical grounds are filled with striking professors. If the mainstream media are to be believed, the issue for teaching unions is pay. I disagree. The real issue for universities, indeed for all education, is working conditions. Universities have become utterly toxic learning environments and nasty places to work.
They are plagued by clueless 'professional managers' with no domain knowledge, broken systems, micro-managing administrators, callous and brutal treatment of students, very poor pay, low job security and a complete lack of vision. After 30 years as a professor of computer science in universities across Europe, I had finally had my fill last year. I quit all university work. After my experiences at a minor university in Southampton, UK, I no longer believe they are fit places for teaching, learning or research. British universities have been ground into the dirt, and it is a profound tragedy and scandal.
Theory or practice?
The article goes on to claim that "cyber security courses focus heavily on the theoretical, not the practical" and that research respondents were "negative about the theoretical knowledge they gained on their courses".
Here we see a classic false dichotomy, as if theory and practice were at odds. The fact is, you need both. Indeed, you need a very careful balance of theory and practice.
Too far toward the theory side and we get graduates who know all the abstract mathematics of encryption and key-exchange protocols, but who cannot connect via an ssh shell and perform the simplest action, like reviewing a log file.
Too far toward the practical side and we get students who are masters of products instead of principles. They can drag a mouse cursor around the latest Big-Tech cloud security monolith, clicking boxes whose function they do not really understand, and which will change tomorrow.
The former kind know exactly how everything should be, but are hopeless when faced with even a minor incident. The latter are simply operators who will need retraining year after year, as the winds of Big-Tech managed services change.
From the linked article:
"Part of the problem is that the tech industry moves fast, but cyber security moves even faster. It’s driven not by the rhythm of product releases, but by the discovery of new hacking techniques and zero-day flaws."
However, as noted in the article by Dr. Daniel Prince of Lancaster University, this is precisely where theory is vital. Except in the specific case we call "fuzzing", zero-day exploits do not appear out of thin air as a result of random or exhaustive search.
The adjacent fields of Software Engineering, and indeed Security Engineering as pioneered by Ross Anderson, are concerned with creating software that comes without security bugs in the first place. Here lie the roots of problems like the currently topical Fujitsu Horizon software at the Post Office.
Yet both Anderson and software engineering stalwart Prof. Ian Sommerville have thrown up their hands in despair at the poverty of investment into these subjects, and the unwillingness of industry to take them seriously. Commercial expediency and "convenience" always trump security thinking, which relegates the entire field of cybersecurity to the reactive and responsive.
Careers spent firefighting preventable crises are unsustainable and lead to burnout and cynicism. So it is necessary to incorporate proactive cybersecurity practices much earlier on. This requires full-stack knowledge.
It also requires companies to give their new cybersecurity hires more early-career support and responsibility. New hires need to integrate fresh theoretical skills with real-world problems in a managed way and find their career path. Few companies have the time, money or understanding to create that bridge, and they leave new hires to do little more than check boxes on the web admin interfaces of managed products.
Lies at the heart of the problem
According to Prof. Prince:
"The focus is on developing individuals who can critically think about the complex problems that cyber security throws up and grounding that thinking on evidence."
When we peel back the layers of many seemingly insurmountable problems, we find at the heart of each a contradiction, a conflict or a lie.
We've all read those job descriptions extolling "passion". Candidates must "show a passion for…". Only we find, in reality, passion is the last thing bosses want. Passion is a damned nuisance when what they really want is quiet, compliant workers who will get on with the job as asked.
Likewise, everywhere we read that cybersecurity requires "critical thinking". That is absolutely true. Tepid and ineffectual computer security engineers lack that gnawing curiosity, scepticism, relentless questioning, experimental drive, over-active imagination and borderline paranoia.
The truth is, in most organisations critical thinking is as welcome as a fart in a spacesuit.
Many organisations are captured by Big-Tech products and values. They have little if any in-house autonomy. They dare not stray far from the folds of Microsoft, Google or Cisco, even when those products are proven to be full of holes. Somewhat unsurprisingly we find the research in the article was commissioned by Kaspersky, another vendor of 'after the fact' security products.
In such environments the brightest and best are not able to exercise their powers. The insights and creativity that stem from deep knowledge and proper theory are wasted. And I think this is where a dishonest objection to "theory" comes from. Such organisations want "productised graduates", and they want publicly funded education to serve as outsourced training camps that deliver ready-to-go operators.
In a competitive, innovative economy the real purpose of universities is not simply to supply trained labour to industry. It is not to "meet the demands of industry", as we so often hear. The purpose of higher education is to shape the future of industry by supplying the next generation who will redefine it.
Cybersecurity is not a done deal. It is not a fixed problem. Very little is cast in stone outside broad compliance legislation, and even that is subject to constant review and interpretation. Cybersecurity is always in motion. There is always more to do and more creative insight welcome.
Indeed, the article recognises that:
"Workers later in their careers seemed to have more appreciation of the theoretical grounding."
The mismatch, then, is that for those hiring, theory seems "useless" for entry-level cybersecurity engineers, yet it is essential if those people are ever to develop and provide lasting value.
Beyond University
There is one thing the article gets absolutely correct: that "change is coming".
I no longer believe that universities are places where we can teach subjects like cybersecurity. It is too dynamic and challenging a subject for what are now quite stuck and regressive institutions.
They are grindingly slow. I found myself screaming in frustration dealing with parochial universities in the South of England, where the lead time to change even the most basic curriculum, to get a port opened, a website unblocked or any other permission from over-compliant, over-cautious ICT was measured in years! These are completely dysfunctional teaching environments.
I also found these universities to be unethical. I raised many objections to us training overseas students in only black-hat skills, which I likened to the flight instructors before 9/11 taking on trainee pilots who were "not interested in how to land the plane". Despite my concerns that we were training the next generation of cybercriminals and scammers, and that national security was at stake, I was dismissed. The cynical profit motives of universities are utterly suspect.
More odious was the sexism and the phobia of neurodiversity and of diversity in general, including the exclusion of disabled and trans students, which I witnessed. Universities seemed unable to accommodate the very qualities that make the best hackers.
Clar Rosso of ISC2 is quoted in Ranger's article opining on the superiority of smaller colleges, saying:
"Community colleges and historically Black colleges and universities in the US excel at this."
Conclusion (and plug)
I think Steve Ranger's article contains a lot of truth, and the comments tally with my own experience of poor value from university courses. However, I disagree with some of the quite short-sighted ideas from industry. More understanding is needed from business on how academic, theoretical and practical skills must be synthesised and structured throughout the career of cybersecurity engineers, from tier-1 help-desk to CISO, and beyond…
It is also clear that the delivery of difficult knowledge and theories must move outside universities, and that alternative educational paths must be trodden.
That's why we set up the British cybersecurity company Boudica to address exactly this gap. Boudica offers an extraordinary synthesis of academic level-7 (MSc) theory tightly integrated with very hands-on practical defensive hacking work. From the get-go the material is extremely challenging, both in its sceptical dimension and in its combination of infosec, opsec, humsec, psychology, computer science and basic daily system administration.
Our courses are based on BCS and NCSC values, plus 30 years of experience in computer science and systems design. We deliberately avoid commercial products and go straight to timeless command-line skills and principles, like how to parse logs, monitor traffic, harden systems, analyse and quarantine files, manage identities, utilise practical encryption and so on.
While it is not possible to squeeze a computer science or software engineering degree into a single-day, one-week or six-week course, we try to send students away feeling that they are on a path to deeper knowledge, continued self-development and original thinking around cybersecurity… and with the critical thinking to bring big improvements to their companies.