Security Education Gap

Credit: Daniilantiq/Shutterstock.com

A while ago I read about a remarkable man named Salman Khan, who had a revolutionary vision for the future of education across the globe. What started out as a way to help school his cousins in Florida from his home in Massachusetts via on-line tutorials has grown into the Khan Academy. This on-line school is based upon many series of educational YouTube videos covering topics from algebra to quantum mechanics. The academy now attracts students completing 1.5 million exercises per day. It struck me as remarkable that this one-time hedge fund manager, through a desire to help his cousins, has developed a passion to make a real change to the education system of a digital age.

There are many other digital learning establishments now in operation, such as Udemy, offering a wide variety of courses once only associated with bricks and mortar establishments. With our present day world constantly evolving, and what we know to be true changing with each new scientific discovery, the once dominating educational approach that served us well for over 150 years must give way to the needs of educating the next generation for a digital age.

Despite many monikers given to the current generation of students going through educational establishments, with terms such as ‘The Facebook Generation’, what is concerning is that whilst they are highly proficient users of technology, they are not eager to look beneath the cover to understand how the technology works, and how to program and harness the capability of these technologies.

The Engineering Gap

With the current generation of IT ‘users’ we are seeing a decline in the number of engineers who can actually do something with these platforms. This is a common problem across IT and engineering in general, despite an impetus to entice students into the engineering disciplines. Analysis in 2014 by the UK government found that we have entered a ten-year drought in the field of engineers and specialist technologists. What is of great concern is this comes at a time when we are in need of cyber security specialists and engineers as the Internet of Things (IoT) gains momentum, propelling us forwards into a ‘connected everything’ world.

To try to reverse this effect the government is looking to introduce a basic teaching of cyber security and computer engineering into the curriculum for children from the age of 11+. Whilst this is a good start, it is very much a long term strategy, and not a way to bridge the gap the government report details as on the horizon.

There are many scholars around the globe contemplating the same question I found myself asking. How can we embrace new learning methods, as pioneered by Salman Khan, and what can be done about the gap in engineering and computing talent?

A Slice of Raspberry Pi

In 2009, three professors at Cambridge University in the UK drew the same conclusion regarding future capabilities in programming and understanding of technology, and set about trying to make a change. They surmised that in order to enable the education of the next age of potential programmers and innovators in the digital space, they had to find a way to put affordable computers into the hands of those that would make best use of them.

With this in mind they set about creating what would become known as the ‘Raspberry Pi’. This credit card sized computer board, with 512MB RAM (Model B), had similar processing power to the first iPhone, and the graphical power of the first Xbox.

With HDMI output and the ability to run off a mobile phone charger, they had truly invented a simple but effective mobile development platform, for a cost of around £30. The device runs a choice of Linux based operating systems, and all that is required to use the computer is a keyboard, mouse, and TV screen.

The goal was to create a computer that could be purchased by schools and educational establishments, or individuals, to provide a safe and cost effective learning platform. The platform was engineered to be pushed to the limits and beyond by inquisitive programmers and innovators, who would develop a multitude of different uses for the device in the name of education.

So popular was this concept, that a team from London launched a Kickstarter project back in late 2013 to develop an educational bundle with a Raspberry Pi at its heart.

The Kano project far exceeded its projected funding requirements of $100k, obtaining backing to the value of $1.5m within 30 days. Only nine months later, the Kano team started shipping the 13k units purchased initially, with more to follow. The idea of developing an affordable teaching tool for future generations, and for older generations of coders, had captured the world’s imagination.

Whilst this is a good start, it is not the answer to all the educational issues facing the world in the engineering and technology space, and more is needed to combat the deficit.

Cyber Security Shortage

The RAND Corporation published an article in InfoSecurity Magazine in 2014 stating they had determined ‘the demand for cyber security professionals began to overtake supply in 2007’.

Reports have since been published by Fortune, NetworkWorld, and many more, repeatedly highlighting the shortage of security experts as we continue to dive further into a digital world of global interconnectivity.

At the beginning of 2016 Forbes predicted that the cyber security industry would grow from $75 billion in 2015 to $170 billion by 2020. Some reports estimate a current shortage of one million cyber security experts, with demand expected to rise to six million globally by 2019. With cyber warfare and targeted attacks on the increase, this is a dangerous shortfall in a key area crucial for economic stability and prosperity.

Cyber Warfare

In a move to rebalance a playing field in which the stealth and covert tactics of a growing number of cyber-attack actors give them an advantage, governments and corporations have made many investments in education on the topic of cyber security.

In late 2015 the UK government pledged to invest £165 million in cyber security start-ups, with a total spend in the cyber security sector of £1.9 billion by 2020, which includes establishing a new National Cyber Centre, and employing and training around 1900 staff. This investment is not only for defensive measures, but includes something referred to as the National Offensive Cyber Programme, to be developed through an existing GCHQ and Ministry of Defence partnership.

The Cyber Security Challenge UK is a series of competitions and trials that aims to find the best and brightest in the security space, culminating in a Masterclass that takes place each November. This challenge includes simulated real-world problems and attacks designed to test forty-two finalists to identify an ultimate winner who, as well as receiving prizes, is often offered employment by those willing to pay for the best. In the years this challenge has run, over 50% of the finalists have landed senior roles at top cyber security employers.

The 2015 masterclass saw the finalists begin the challenge at QinetiQ’s head office in Farnborough, before being hustled to Church House in London where they had to work against the clock to regain control of Westminster Abbey’s environmental control systems in order to prevent a potential biological attack.

Details of the challenge are kept a secret, and hence information about the 2016 challenge will not be released until the day the finalists arrive at the start location.

IoT Security Pressure

Whilst the skills shortage in the security sector is well documented, and the globe moves to try to redress this balance, one area not being factored into the equation as hastily as it should be is the Internet of Things (IoT). This rapidly growing area of development is enticing more coders and makers to start innovating, unhindered by the conventional restrictions imposed on production and data collection.

The freedom this development capability allows for is inspiring, and is enabling all manner of new approaches to predictive maintenance and communications. But with no specific regulations or auditability around the data being collected, and the ease with which new devices can be connected to the internet, there are genuine concerns around the lack of security in IoT innovations.

The concerns being expressed are that the coders are focussed on rapid creation and connecting the world, without putting the necessary thought into the potential security risks this brings. In 2015 there was a demonstration of this oversight when a security pen-tester hacked an iKettle, and consequently was able to obtain the Wi-Fi password to enable further access to the network the kettle was connected to. This hack was demonstrated on several occasions, and showed how a lack of security knowledge on the user’s part can lead to real consequences if not addressed by the coders. Competent coders work to address this situation and ensure that there are security protocols in place before connecting an alien device to a secured network, but this is very much down to the individual.

A more professional approach to coding IoT devices needs to be followed to ensure this incredible evolution of connectivity is not tainted by security breaches due to bad practices, but how is this taught?

Cyber Security Education

Investment made into cyber security so far is a good start, but we also need a way of building our future security workforce. With this in mind the government are looking to increase spending on cyber security education through an initiative modelled on a successful Israeli programme aimed at 14 to 17 year olds. The idea is to drive interest in cyber security from an early age, and therefore increase the prospective undergraduate intake to our universities to study this subject.

There have also been programmes launched in recent years like CyberCenturion, a joint initiative backed by Northrop Grumman, manufacturer of the USAF’s B-2 Stealth Bomber, which aims to get 12-18 year olds hooked on cyber security through competitions and team challenges.

The UK government has published educational guidance notes on the government website, ‘Cyber security: guide to programmes and resources for schools and further education’, to help educators focus on key topics in this area and incorporate them into their syllabuses.

The government and private sector are incentivising entry into the security sector, a practice we will see continue in a bid to reduce the skills shortage we are now facing. With the volume of cyber-attacks through malicious emails received during 2016 projected to be an increase of 800% over previous years, and Cisco predicting the number of IoT devices connected to the internet to hit 50 billion by 2020, we now need security experts trained in cyber defence more than ever.