Cybersecurity Education: A Gross Imbalance

blog post

While many in Washington have continued to burn calories around a virtually non-deliverable NoKo nuclear threat, North Korea has been steadily developing their cybersecurity education programs. As a result of a committed and highly disciplined educational program, the North Korean cyber operations are more diverse, aggressive and capable than any of our other enemies.

They are not just focused on espionage. Their warriors are perfectly skilled at sophisticated zero-day exploits and at stealing vast amounts of IP from our most secured computer networks even when they are air-gapped and isolated from the internet, e.g., military servers and power plant control systems.

These North Korean attackers have been trained in measuring electromagnetic radiation leakage from air-gapped computers and extracting critical data after only a few seconds of monitoring.

This is not a course we teach at any cybersecurity graduate program in the U.S.

Ambitious Goal: Met and Exceeded

In the early 1990s, when computer networks were beginning to reach a level of maturity, a group of North Korean computer scientists proposed a massive educational program to teach advanced cyber-espionage and cyber-hacking with the goal of graduating 10,000 student hackers by the year 2015. To qualify for entry into these programs, applying students had to demonstrate not only the outstanding academic ability but also the ability to read, write and speak flawless English.

It was the North Korean equivalent of India’s IIT in terms of how difficult it was to gain entry.

While they were doing that, we were offering cybersecurity degrees at 17 Universities that same year. Today, we offer rated cybersecurity degrees at over 65 Universities, but the curricula are all centered on or around standardized frameworks for cybersecurity defense or focused on basic criminal forensics.

They are not grounded in warfare.

Missing the Mark

Undergraduate course offerings on subjects like fundamentals of computer troubleshooting, network security, ethical hacking, Windows server: install and storage, Linux system administration, etc., indicate that the intention is to graduate a system admin or network admin with a BS degree in Computer Networks and Cybersecurity.

This is the baseball equivalent of bringing in a minor league class A ball player to pitch to Aaron Judge, with the bases loaded.

Graduate course offerings like those offered by one of our leading Universities include foundations of cyber security, applied cryptography, secure systems architecture, cyber security risk management, cyber security operational policy, management and cyber security, secure software design and development, network visualization and vulnerability detection, cyber intelligence, cyber incident response and computer network forensics, etc.

Opening the syllabus for these courses reveals that all of the content can be found in industry certifications like CISSP, CISM, CEH and CRISC, which can be obtained quickly and easily at a fraction of the cost of that University’s Master’s Degree in Cyber Security Operations and Leadership. Now maybe there’s some magic in how the professor guides students through the material, but if the goal as stated is to “equip students to stay abreast of ongoing changes in threat and mitigation as lifelong learners in the field” the coursework falls far short.

Particularly in a remote learning world like the one we now find ourselves.

Academicians, Not Warriors

What we need instead is coursework centered on actual red-team tactics across a full range of cyber-weaponization. We need well-trained cyber-snipers and military-grade penetration rangers who can throttle through the most advanced and sophisticated defenses and commit the greatest possible damage in the least amount of time. Our flimsy educational offerings in cybersecurity seem intended to graduate future administrators and bureaucrats when our greatest deficiency is in the working warrior classes.

Pushing North Korea’s cyber educational units to dramatically level up in capability, Kim Jong-un proclaimed, “Cyber warfare is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.”

In stark contrast, it seems the actual goal of our own University programs can be found in one of that University’s program descriptions where their stated purpose is “to collaborate with important stakeholders in the cyber security community to explore ways to keep the curriculum immediately relevant and to assist in the placement of our graduates.”

We Need To Re-Think Cybersecurity

This assessment is in no way intended to denigrate the competent and well-intentioned professionals who conceive and guide these programs at these really good schools. The problem is the coursework contains nowhere near the information or education necessary to either create an advanced attack vector or defend against today’s sophisticated cyberattacks.

The curriculum is way too generalized. The syllabus is too lightly challenging. The objectives are too easily achieved, and the graduating students are no more prepared to join the battle than if they had simply been working as a network administrator for a few years in any IT department in America.

We will not win this war with this level of training and education. We need a moon shot and the impetus for a program of that magnitude must come from Washington. Unfortunately, there are no signs of anything of that nature appearing on anyone in Washington’s to-do list for next year.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.