What's wrong with cybersecurity training?

This unidentified woman is part of the Navy's cyber force, but agencies are having a hard time finding enough people with real-world cybersecurity skills. Is our approach to training part of the problem? (Source: Navy Cyber Forces.)

Are we training our cybersecurity professionals in all the wrong ways?

Agencies have been ramping up efforts in training, education, recruiting and hiring, and still the government faces a shortage of skilled cyber professionals. According to some, the problem is rooted in a wrongheaded approach – and as a result, the United States is losing its competition.

Increasingly, government officials and private sector executives are training their focus on younger students in science, technology, engineering and math. However, there also needs to be more emphasis on the real-world, technical aspects of cybersecurity and cyber defense, rather than the academic and soft-skill side of things that too often gets policy attention, insiders say.

"Other nations are building world-class talent," Alan Paller, founder of the SANS Institute, said at a June 25 Institute for Defense and Government Advancement event in Arlington, Va. "The U.S. is saying, 'We should have centers of academic excellence,' but they put out people who don't know what they're doing. We're nice to people in the field; we've got to stop that if we actually want protection for our systems."

However, some such efforts may already be underway. Douglas Maughan, cybersecurity division director at the Homeland Security Advanced Research Projects Agency, outlined measures the Homeland Security Department is taking to build up the next generation of cyber warriors, starting with high school and college.

One of the prime examples is the National Collegiate Cyber Defense Competition, a system of intensive, annual cyber battles held among dozens of universities across the United States. They eventually lead to a national finals round – a "March Madness for nerds," as Maughan described it.

"We put them in an environment where they have to defend against a real red team. It's about real defense in an operational environment," he said, adding that new DHS tools, such as new access management technologies, are constantly being added to the competition, forcing participants to learn them as they go along. "We're looking for the next generation of cyber defenders; that's what it's about. It's all about the next generation."

At the Defense Department, cyber training within the services is continuously undergoing scrutiny and changing as priorities, technologies and the cyber environment evolve.

According to a June 25 Army Times report, the Army is working on plans to consolidate its Cyber Center of Excellence at Ft. Gordon, Ga., with its Signals Center of Excellence under a new school that would bring together training and modernization efforts. The transition is set to begin this August and last through 2015.

Will such efforts be enough? According to Paller, only if the right people are doing the teaching – the ones who have the technical skills that are critical to national cyber defense, and not those who merely have the policy and book training and "CSI-whatever" credentials after their names, he said.

"We've got these people pretending to teach cybersecurity, but they're putting out policy people or researchers...that's causing us a problem," Paller said. "If you're a fighter pilot, you don’t want your squadron leader to be someone who learned it out of the book yesterday."

Reader comments

Sun, Jun 30, 2013 Kevin Hock

Take it from a current undergrad who knows all too well what is wrong with education in this field. Pretty much all college classes aren't good. Dan Guido's NYU Poly course and OpenSecurityTraining and other resources available free for people who self-teach themselves are where a valuable education is. You can't make people be self-motivated and teach themselves but you can at least teach them some useful real world security skills and colleges are not doing that at the moment.

"(1) In MOST professions, you have book learning and you learn how to really work after you are hired. NO one comes out of college (or the 1 week course) ready to design the next gen CPU for Intel. They work their way up after years of effort." No one comes out of college learning any valuable security information inside of a classroom. CTFs are a perfect example of this. People who play CTFs do it outside of any classroom and are always top security people.

The defense competitions mentioned in the article aren't good either. "They are exercises in system administration and frustration and will teach you little about security or anything else. They are incredibly fun to play as a Red Team though." -Dan Guido Defense in security is called "incident response and network security" and requires network security monitoring skills and for malware, reverse engineering and many other skills you won't find taught well at any college or "academic excellence".

"(2) We want them cyber ready but their 4 year degree is WORTHLESS if they don't have A+, SEC+, and/or CISSP." A+ is a hardware certification and CISSP requires 5 years work experience and SEC+ is worthless. Ask Richard Bejtlich or Thomas Ptacek or Raytheon SI.. what they think about certifications. I don't know what industry you work in but it isn't mine.

"What we don't understand is that those launching cyber attacks have a different moral compass than we do. We do not train our folks to go no holds barred when researching, developing an offense or going on the defense as our assailants." What? Do you think Hovav Shacham contemplated how moral it would be to publish his paper on ROP? I bet you don't know what ROP is.

Sat, Jun 29, 2013 Angus Blitter Battle Space

There are efforts out there to create training and assessment standards. Without standards we can't properly scale the education system to support the need. Packetwars, Edurange, Netwars (SANS) and the collegiate games try to create environments where "Cyber Warriors" can be trained and assessed. Simulated Cyber Operations can be a very effective tool for addressing the lack of actual real world experience.

Fri, Jun 28, 2013 Kathleen Smith

What we don't understand is that those launching cyber attacks have a different moral compass than we do. We do not train our folks to go no holds barred when researching, developing an offense or going on the defense as our assailants.

Thu, Jun 27, 2013 rb CA

I think you miss the point entirely. (1) In MOST professions, you have book learning and you learn how to really work after you are hired. NO one comes out of college (or the 1 week course) ready to design the next gen CPU for Intel. They work their way up after years of effort. (2) We want them cyber ready but their 4 year degree is WORTHLESS if they don't have A+, SEC+, and/or CISSP. (3) 2210s are generally hired at comparatively low wages as the category does not require a 4 year degree. So hiring the best is nearly impossible.

Thu, Jun 27, 2013

The mostly government-run education system has been like this for many decades - driven by people who base their accomplishments on words rather than deeds. In fact, our elected officials have become the same way. How many of them now have any serious experience in the military or business? In my government engineering organization the people who become managers get promoted by how much flash they have rather than any serious technical ability. Basically, the government mindset has become so image oriented that real abilities, such as cybersecurity expertise or engineering in my case, are no longer valued above flash and what sort of paper documents you have. Until that culture changes, do not expect much from the Government in technical expertise in areas such as cybersecurity.
