Teaching the next generation of cybersecurity professionals
Each morning seems to bring new reports of hacks, privacy breaches, threats to national defense or our critical infrastructure and even shutdowns of hospitals. As the attacks become more sophisticated and more frequently perpetrated by nation-states and criminal syndicates, the shortage of defenders only grows more serious: By 2020, the cybersecurity industry will need 1.5 million more workers than will be qualified for jobs.
In 2003, I founded Cyber Security Awareness Week (CSAW) with a group of students, with the simple goal of attracting more engineering students to our cybersecurity lab. We designed competitions allowing students to participate in real-world situations that tested both their knowledge and their ability to improvise and design new solutions for security problems. In the past decade-plus, our effort has enjoyed growing interest from educators, students, companies and governments, and shows a way to closing the coming cybersecurity workforce shortage.
Today, with as many as 20,000 students from around the globe participating, CSAW is the largest student-run cybersecurity event in the world. Recruiters from the U.S. Department of Homeland Security and many large corporations observe and judge each competition. (Registration for this year’s competition is still open for a little while.)
But the pipeline for cybersecurity talent cannot begin in universities. High school students and teachers also participate in CSAW events to teach young people the computer science and mathematics skills that will allow them to succeed at the university level.
Teaching students to be adversarial
The main draw of CSAW is our Capture the Flag event, a contest in which the team members must pool their skills to learn new hacking methods in a series of real-world scenarios. Named after the outdoor game where two teams play to find and steal the enemy’s hidden flag, it includes multiple games that cover a broad range of information security skills, such as cryptography (code-making and breaking), steganography (hiding messages in innocent-looking images or videos) and mobile security.
Teams start by being assigned systems that have security flaws, and are given a certain amount of time to identify and fix them. Then each team is set against an opponent, and must protect its own system while attacking the other team’s. The hidden “flags” are data files stored on the opposing system. In the real world, these would contain critical information – such as credit card numbers or codes for controlling weapons. In the game, they contain information that proves a team “captured” that “flag,” with which the team is awarded a certain number of points, based on how difficult that particular challenge was.
There are many Capture the Flag competitions held throughout the country, which helps make our event the most popular of the week’s six competitions. It is also the most grueling: Teams must work for 36 hours straight, testing each participant’s ability to stay focused enough to create new solutions to emerging problems.
This type of challenge-based learning is vital in a field in which new threats emerge regularly. It also instills in students an adversarial mindset, which is an essential quality for successful security professionals. Learning the different ways to break a system firsthand is a vital first step to learning how to secure it.
Adapting on the fly
In one CSAW competition, the Embedded Security Challenge, students break into teams that must be able to work quickly at both attacking and defending each other from various threats. This is an attack/defense game like Capture the Flag, but focuses on vulnerabilities in hardware, rather than software. Last year, competitors were tasked with altering the digital results of a mock election – exposing potentially real threats to everyday elections.
This ability to quickly adapt as new threats are perceived is a top priority for security personnel. That’s a key element of all CSAW competitions – the idea that successful cybersecurity is not limited to mastering what’s known. Rather, students and professionals alike must constantly push their abilities to intercept future threats in an ever-evolving field. The cybersecurity industry – and all operations that rely on it, from small businesses to major military installations – depend on its practitioners’ ability to innovate. Every year, we change the types of challenges to reflect new threats, such as the recent rise of ransomware, for example.
Cybersecurity efforts must extend well beyond national borders; this year CSAW will dramatically increase its international activities. A collaboration with NYU Abu Dhabi and the Indian Institute of Technology Kanpur will allow teams in the Middle East, India, North Africa and the United States to compete simultaneously. The competitors in these games in an educational setting, in the U.S. and around the world, will – not long from now – be the protectors of our most sensitive personal and national data. We need them to be prepared.