EdFix Episode 6: Educating the Cybersecurity Workforce

Should every student graduate from high school or college with a basic level of cybersecurity proficiency? And how do we best prepare - and encourage - the next generation to join the cybersecurity workforce? Host Michael Feuer speaks with Dr. Diana Burley, an internationally-recognized cybersecurity expert who led the taskforce to produce the first set of global cybersecurity curricular guidelines, about the field's global workforce shortage and diversity gap, the power of the human-cyber interaction, and the many opportunities and risks we all face as users of technology in today's world.
 

 

TRANSCRIPT

DIANA BURLEY:
In this time, all students need to have some level of proficiency in cybersecurity concepts.

MICHAEL J. FEUER:
Welcome to EdFix. This is Michael Feuer and I'm your host for EdFix, your source for insights about the practice and promise of education. We're with Professor Diana Burley today. Professor Burley is the chair of the Institute for Information Infrastructure Protection, also known as I3P. She's a professor here in the Department of Human and Organizational Learning at the George Washington University where she has been on the faculty since 2007. Professor Burley is a globally recognized cybersecurity expert and she's going to tell us what cybersecurity actually means, and how that relates to the world of education in a moment. Let me just add one more bit of intro, and that is that in 2017, SC Magazine, Professor Burley was named one of eight women in IT security to watch. I'll say, welcome Diana Burley-

DIANA BURLEY:
Thank you.

MICHAEL J. FEUER:
... to EdFix. Tell us about cybersecurity workforce, tell us about I3P, and tell us how that relates to what's happening in your faculty role at GW?

DIANA BURLEY:
Sure. Well, thank you for having me. The way that I would describe cybersecurity in general is very simply that it's about ensuring the confidentiality, integrity, and availability of the systems that we use to do everything from our banking to electronic medical records, to anything on an electronic system. So confidentiality is about privacy and maintaining privacy that only people who are supposed to see your data and have access to your data, do. Integrity is about the accuracy of that data and making sure that it is in fact factual, that no one has gone in and changed data in the system. And availability is about access so that when we need to have access to that data, when your doctor needs to see your medical records for example, they're able to do so. So in essence, that's what cybersecurity is all about. My focus specifically on cybersecurity workforce development is about getting people ready to take on the roles within the workforce who can ensure the confidentiality, availability, and integrity of that data.

DIANA BURLEY:
We have a global workforce shortage in cybersecurity across the spectrum of the very technical jobs to jobs related to law and policy, developing cybersecurity awareness programs. But we have a global workforce gap, we certainly have a gap here in the US. And so a large part of my role in cybersecurity education and workforce development is helping the country and the world to develop educational programs that are robust enough to get people prepared to move into everything from the very technical fields to the less technical aspects and work roles within that cybersecurity space.

MICHAEL J. FEUER:
Is it fair to say the technology has advanced more rapidly than our capacity even to ... I was going to say to understand it, but that may be unfair. But certainly to control it?

DIANA BURLEY:
Absolutely. Absolutely. The technology is advancing and it's allowing us to do things that we didn't think were possible. And so when we think about securing the technology and securing the systems, traditionally we have taken ... The community has taken an approach that is very focused on the technology and how to build robust pieces of technology. There has been less attention paid to the human element and the behavioral element, and how to change people's behavior and thinking and addressing those issues. But I'd say over the last 10 years there has been much more of an awareness that it can't just be about building robust pieces of technology, but that there also needs to be a significant amount of attention paid to individuals, how they relate and work with the technology, and how that technology shapes and influences their behavior both individually and in a collective. And so the other part of my work, when I'm not doing work related to developing the workforce, I'm working on those social and behavioral aspects of the technology and of securing our systems.

MICHAEL J. FEUER:
So you're suggesting that with the technology comes a very important imperative to understand and then prepare people for the human and behavioral interaction side of all this?

DIANA BURLEY:
It is becoming increasingly apparent, but the solutions are not as easily available. And so while people recognize that we really have to pay attention to the human and social aspects, the question is how do people behave? How do we adjust and assist them in that behavior? And how do we relate that to other forces? Both the forces of the development of technology, we want everything to be on the market faster and in people's hands to enable us to be more efficient with our operations. But we also have market pressures where we want to get things out into the community. That's what we see with the huge rise in so-called Internet of Things devices, where we have computers in everything from our watches to our cars, to our televisions and our refrigerators, and our thermostats. And so while that's very convenient for consumers, it also introduces vulnerabilities into their lives that they don't necessarily think about.

DIANA BURLEY:
So of the education of the society in terms of cybersecurity is not just about getting people ready to go into the field as specific practitioners, but it's also about educating society at large about the risks that they take when they introduce these different devices into their lives so that they can make good assessments and good decisions about what to do, what not to do, when to use different devices, and how to keep their personal data secure.

MICHAEL J. FEUER:
Give us an example of a human cyber interaction where there are risks that we might not be conscious of?

DIANA BURLEY:
There was an example a couple of months ago where there were army members, soldiers who were on a base in Germany and they were wearing smartwatches, like the Apple watches. And they had fitness trackers and they were using those fitness trackers to do what they do, stay in shape, jog the perimeter of the base, do all of the activities to make sure that they were maintaining their physical health and tracking that. Well, the challenge is that because those watches were connected to a network, that adversaries were able to also track their movements, also track the perimeter of the base. Also know where they went, when they went there, and gather that information about them. And so that introduced risk and vulnerability into the environment that didn't previously exist. In cyberspace, we have the added element of adversaries. And so when you have an adversarial environment, you have to recognize that there are people who are out there for a variety of different reasons, trying to gather information and data about you.

DIANA BURLEY:
Maybe it's not you specifically that they care about, but maybe it's getting into the system through you or gaining information about the entirety or the collective through the vulnerability that you have introduced from your device. So that's, I think part of the challenge is getting people to understand that cyberspace is not a typical technology environment where you're only worried about yourself and what you do or don't do. But it's an adversarial environment where there are bad actors who are out there and for a variety of different reasons, they are trying to do harm to you, to your network, to the system that you participate in. And so it's a very different risk profile.

MICHAEL J. FEUER:
On balance, with all the risks, with all of the potential dangers, do you think we are or are not better off with having these devices?

DIANA BURLEY:
Well, I'm a proponent of technological advancement, so you're never going to hear me say that we are not better off. I do think that we have to be smart about the way that we use the technology. That we have to recognize that there are new vulnerabilities that are introduced, but there are also new possibilities that are introduced. When we talk about putting electronic chips on devices in our bodies that allow us to be able to move when we're previously paralyzed or allow us to send information to our doctors about our hearts and our heart functioning, I don't think that there's anybody that would argue that that advancement in technology, the ability to reduce the size of the computer and increase the computing power isn't a marvelous thing. But it also introduces risk. And so we have to be cognizant of that risk. We have to develop our technologies in a way that ... and implement them in a way that incorporates all of these different discussions.

DIANA BURLEY:
That's why it's so important that we have interdisciplinary types of teams where we have technologists, and ethicists, and sociologists, and anthropologists and all of these different people coming together to ask and answer the types of questions that are inevitably raised when we move forward. But that doesn't mean don't move forward, it just means move forward in a very smart way.

MICHAEL J. FEUER:
Do you think we are ready for something like a federal cyber protection agency along the lines of the EPA, for example?

DIANA BURLEY:
I don't think that we're quite there yet, but we do have federal agencies that are working to structure cybersecurity policy. The National Institutes for Science and Technology, NIST has played a significant and leading role in developing cybersecurity policies for government, for industry specifically to help them shape what the expectations ought to be in terms of how they secure their systems, what responsibilities they have for securing the data of individuals, the data of people within their systems. We have the Department of Homeland Security and their cybersecurity unit that is doing the same thing for the government. So we have agencies that are really looking at these questions. I think eventually we may get to perhaps a separate agency. I know that there is a call for DHS's unit to be rolled out into a separate cybersecurity agency.

MICHAEL J. FEUER:
DHS is Department of Homeland Security?

DIANA BURLEY:
Excuse me. Yes.

MICHAEL J. FEUER:
Right.

DIANA BURLEY:
There is a call for that agency to spin off. And as they continue to move down that path, I'm sure that they will keep looking at the mission and trying to make decisions about what to do and what not to do. So we're not quite at an EPA type of place, but we're definitely moving toward additional government assistance in terms of thinking through these issues.

MICHAEL J. FEUER:
Say a little bit more about the way in which curricula are developed to prepare future cybersecurity workers, employees at various levels?

DIANA BURLEY:
So over the last couple of years I have led a task force on behalf of the ACM, which is the Association for Computing Machinery. The ACM is the largest computing society in the world with over 100,000 members, and they have been developing curricular guidelines in the computing disciplines since 1968. In 2015, they asked me to co-chair a task force to develop the first set of global cybersecurity curricular guidelines. So in February of this year my task force released those curricular guidelines, and the idea was that this document would provide advice and guidance to post secondary institutions around the world on how to develop their cybersecurity programs. Whether those programs are technically oriented, or more focused on some of the social or policy related aspects, we have developed the guidelines in such a way that they can support all different types of institutions developing programs for a variety of different students.

MICHAEL J. FEUER:
Now, it seems to me as though your work in cybersecurity from the standpoint of preparing future cybersecurity workers must at some level touch on these problems of big data and education research. Is that a part of the way we're visualizing this?

DIANA BURLEY:
So I would respond in two ways. First, absolutely. When we are preparing future cybersecurity professionals, we want to make sure that they have some content in their education about privacy, understanding both the benefits and the challenges of securing systems, large data systems. And so it's certainly within the content that we would use in a cybersecurity program. But more broadly, I believe that students who are going through programs, whether they're in big data or education or sociology or education research or whatever it is, they also need to understand both the benefits and the challenges. And so the way that we have designed this curricular, certainly our primary audience are students who are in cybersecurity programs, but we have designed it in a way that it is modular so that students in other programs can have pieces. And faculty members who are developing programs can take pieces or chunks of the content and incorporate that into their programs, so that those students have modules where they can understand about data, data privacy, data integrity.

DIANA BURLEY:
Because we really believe that many of the concepts that go in a cybersecurity program are concepts that all of our students need to know and understand at some level. I think that cybersecurity across the curricula is akin to when we say all students should take an English class or all students should have some level of proficiency in mathematics in order to leave high school, in order to leave their post secondary experience. In this time, all students need to have some level of proficiency in cybersecurity concepts. The level of proficiency very much depends on where they are heading career wise, but there ought to be a baseline. And so the way that we have designed the curricular guidelines is we have put that baseline in for students across the board in cybersecurity programs, but we also believe that that can be taken and used as guidance to developing that baseline for students across the entirety of the curriculum.

MICHAEL J. FEUER:
Is there some good news in this whole thing? Are we getting better at this?

DIANA BURLEY:
Look around, the grid has not gone down. The cars are not driving into walls and people. And our IoT devices while vulnerable, we're not hearing stories of people who have had their medical devices hacked in and caused heart attacks. So the good news is that there are a tremendous number of very, very talented cybersecurity professionals who are working diligently day and night to secure our systems, our society, and our way of life. And they are doing a very good job because we go about our daily lives often oblivious to all the work that is being done. That being said, there is a significant role that individual citizens can and should play in helping to maintain the safety and security of themselves and of their communities. So they do need to be smart about the way that they manage risks, smart about paying attention to advice to change your passwords and to use robust strong passwords, and not to click on links from emails that you don't know who they're from, and all the advice that you get in cybersecurity awareness training and those types of things.

DIANA BURLEY:
And we also need the community support in terms of pushing for more security in our IoT devices. If the community ... and by the community, we're talking about the consumers. If the consumers demand protection, protections will be put in place. If the consumers are more interested in having devices come to market that make their life convenient and easy and happy, and don't really care or demand the security, then manufacturers won't put it in. And so we really need people to be aware. We need people to push and say, "Hey, we do need cybersecurity across the curriculum. We do need it in the K-12 classrooms." Because if people push on that, then those changes will be made and it will help to keep us all safe.

MICHAEL J. FEUER:
This business of the car beeping when you don't have your seat belt on, we as consumers of modern automobiles are accepting that kind of slightly coercive intrusion into our otherwise free individual behavior. And we do that because we know that for society at large, we will all be better off if we accept some of that kind of coercion. And I bet that there are lessons from the world of cyber that would relate to many other areas where we have this kind of push and pull between coercion that we accept, and going too far and trying to figure out where we end up on that. So I hadn't actually thought about that, but I hope that's actually part of the cybersecurity workforce curricular development program because I think it's important for people to understand the broader policy implications of all of this.

DIANA BURLEY:
And we do. We certainly incorporate social and behavioral issues related to how to think about humans and human behavior. And part of our goal was to make sure that we had that type of content included even when the programs were highly technical. The expectation is not that someone in a cybersecurity program that's learning how to reverse engineer malware, which is basically taking apart some bad piece of code to understand how the hacker, the bad actor infiltrated the system. Very, very technical. But we want them to at least be aware of the social and behavioral aspects that drive or not policy and policy decisions. And so we have developed the curricular in such a way that says, "Even for you very technical people, you need to have some basic understanding of what this is. Not deep understanding, but at least know what the words mean. At least know who to go to and how to interact with those individuals."

DIANA BURLEY:
And by the same token, the individuals who are developing cybersecurity policies cannot operate in an environment where they do not understand the basic technical issues, because you cannot develop effective policy if you don't understand the subject matter about which you are developing policy. So we have to get to a place where there is a level of understanding across the entire spectrum for individuals who join the workforce, regardless of what part of the cybersecurity workforce they enter into.

MICHAEL J. FEUER:
Tell us about your development and how you got into this line of specialization?

DIANA BURLEY:
Sure. So I have always been interested in the interface between people and technology, we call it sociotechnical system.

MICHAEL J. FEUER:
Now, when you say always, don't tell me that that's what you were doing in elementary school?

DIANA BURLEY:
Perhaps not in elementary school, but certainly-

MICHAEL J. FEUER:
So where did you grow up, and all of that? Tell us about that.

DIANA BURLEY:
Well, I grew up in Pittsburgh and so the big elephant in Pittsburgh is Carnegie Mellon and I thought that I wanted to be an engineer. Turns out that I didn't really want to be an engineer, but I still was very interested in technology. I went to undergraduate in DC at Catholic University. I actually was an economics major, but I did a lot of computer science as an undergraduate and then returned to Pittsburgh and to Carnegie Mellon for all of my graduate work. And it was there that I really started to get entrenched in the study of sociotechnical systems, understanding that interface between people and technology. Did some of my graduate work at the Heinz School, so focusing on public policy and how we shape policies related to the use and management of technology. And continued to look at those types of questions throughout my graduate work. So I've always been interested in this notion of how does technology shape people and the interactions between people?

DIANA BURLEY:
And how do people shape the technology that is being developed and implemented? I found myself often being the lone voice in a room that had the particular perspective that I had. In part, I think because I'm an African-American woman, but also in part because I'm just an individual and my mind works differently just like everyone else's does. But in this space, in sociotechnical systems, in the study of technology and cybersecurity, that is an asset. We need all voices, all perspectives, because all people use the technology both in good ways and in adversarial ways. And the only way to truly understand that is to bring that diversity of perspectives into the space. And so I have found that this is my home, this is where I belong, and everything that I do has something to do with understanding how technology is influencing our society.

MICHAEL J. FEUER:
How are we doing in terms of the diversity of the cybersecurity workforce?

DIANA BURLEY:
We have a lot of work to do.

MICHAEL J. FEUER:
We have a lot of work to do?

DIANA BURLEY:
Yes. But there are a lot of smart people working on that. There are a number of initiatives designed to bring more women into the cybersecurity workforce. Right now, we're just over 20%, which is not good. But there are initiatives to bring more women in, to bring members from underrepresented minority groups into the workforce. So we're working on it, but it is definitely an uphill climb.

MICHAEL J. FEUER:
And it would probably require increased attention to communicating to prospective students, for example, career opportunities in this field.

DIANA BURLEY:
Absolutely.

MICHAEL J. FEUER:
And then figuring out, well, what kinds of prior educational qualifications, experiences are most likely to set a young person on a path to success?

DIANA BURLEY:
That's right.

MICHAEL J. FEUER:
And I'm sure we have some data about that.

DIANA BURLEY:
That's right. We definitely have pipeline issues in terms of making sure that people have basic backgrounds. STEM is a very important component of those backgrounds. And so we need students to take more challenging courses in high school, but we also have a marketing problem. When we talk about the different types of jobs and roles, we don't often explain them in terms that help students understand what that means you'll be doing every day. When I say reverse malware engineering, to me, I know exactly what that means. And that's a highly coveted position in the cybersecurity workforce, and it's only a very small number of people who can do it. But to anybody else, they would have no idea what that person would do on a daily basis. And if you don't know what the person would do and you can't see it, it's hard to imagine becoming it.

DIANA BURLEY:
So we have some work to do on helping our next generation understand exactly what it would mean to become a cybersecurity professional or all of the different, not one, because it's not one thing. But what all of the different possibilities are, and then to put people in front of them so that they can see. It's one thing to look out a window and imagine, but it's a whole other matter to look in a mirror and see yourself. And so we have to get more people out into the schools at whatever level to say, "Hey, this is what I do. And you can do that too." So we have some work to do.

MICHAEL J. FEUER:
We have some work to do. I'm going to spend the next half hour changing all my passwords, but I'm going to do that with a renewed sense of optimism that because of the kind of work that you're involved in and your colleagues are involved in, that we are increasingly able to manage the bounty of computing technology against some of the downside risks. And I just am delighted to have had this chance to talk to you for this edition of EdFix. My guest has been Diana Burley, professor of Human & Organizational Learning here at the George Washington University. Thank you very much, Diana.

DIANA BURLEY:
Thank you.

MICHAEL J. FEUER:
It's been wonderful. If you enjoyed this episode, then you will most likely want to subscribe to the EdFix podcast on iTunes, Spotify, iHeartRadio, Stitcher, or SoundCloud, all of which are password protected ... No, I don't even know. But we encourage you to look for us, and you can visit our website at go.gwu.edu/edfix.


 


EdFix: A Podcast About the Promise and Practice of Education

Hosted by Michael Feuer, Dean of GW's Graduate School of Education and Human Development (GSEHD), EdFix highlights the effective strategies and provocative ideas of researchers, practitioners and policymakers on how to improve our education system. Listen in as Dean Feuer connects their worlds to take on some of education's most complex issues.
