In recent weeks, a pervasive ransomware attack affected systems throughout the world, causing chaos in National Health System hospitals in Great Britain and continuing to cripple hundreds of thousands of computers.
The increase in cyberattacks has led to an increase in demand for qualified cybersecurity employees in government and private industry. Colleges and universities throughout the country are responding by offering degrees, certificates and tutorials in the burgeoning field. Texas A&M University at College Station recently instituted a minor degree program, while other institutions continue to find increased support and interest in cybersecurity degrees.
The uptick in interest is a far cry from when Nasir Memon, a professor at the NYU Tandon School of Engineering and the founder of the school’s Center for Cybersecurity, started organizing and offering some undergraduate classes in cybersecurity at the school in 1999. In 2003, he founded Cybersecurity Awareness Week, which offered collaborative and competitive exercises for interested students.
When it started, Memon said he had barely 30 participants, but it grew exponentially each year. Now there are between 20,000 and 30,000 participants throughout the world. Last year it expanded to India and will be expanding to France and Israel for the coming event in November.
Anticipating future threats
“We design in order to protect against random events happening, but in cybersecurity it’s not random events. It’s malicious. The attacker will find the weakest spot, the thing you didn't anticipate, and will exploit that fact to gain control of your system,” Memon said in describing the hands-on approach to the week and the NYU center. “I started this cybersecurity competition with the feeling that people needed to get this type of experience. This will give them that training that’s not easy to give in a classroom.”
Cybersecurity programs need to be just as flexible to help meet the needs of a dynamic workforce. NYU Tandon offers a Master of Science in Cybersecurity, as well as an MS in Cybersecurity Risk and Strategy. The NYU School of Law offers a JD degree that incorporates training in cybersecurity.
The expansion in programs has happened throughout the country, including a wide array of online degree programs for students interested in pursuing cybersecurity. The College of Information and Computer Sciences at University of Massachusetts Amherst operates a certificate program in information security and is currently starting a master’s program in partnership with its business school. UMass spokesperson Kerry Shaw said the they were created in large part due to spiking demand for cybersecurity professionals in the state, which has a cybersecurity workforce of about 18,000 with 9,000 additional openings.
“In terms of job growth within the state, with information security the demand is supposed to increase by about 20% over the next ten years, just in Massachusetts,” she said. “It’s certainly a priority within the state.”
The uptick in interest in Massachusetts matches national and global trends. In an industry outlook from CSO, it was estimated that there will be approximately 1.5 million job openings in cybersecurity by 2019, up from about 1 million last year, and research also found that the cybersecurity field has an effective unemployment rate of 0%. Collectively, the world will spend about $1 trillion on cybersecurity services and resources between now and 2021. Memon said it was estimated that for every ten IT professionals, you needed one security engineer.
Dr. Charles Clancy, the director of Virginia Tech’s Hume Center for National Security and Technology, said there were more cybersecurity openings in total then there were computer science graduates each year. Clancy joined Virginia Tech in 2010 to help open the Hume Center.
“It was focused on the intersection of national security and technology, and cybersecurity is a big part of that intersection,” Clancy said, noting that cybersecurity had transcended its previously narrow culture of hackers and had permeated a new sphere of visibility, saying it was “increasingly a bigger part of people’s understanding of computer technology.”
Recently, the National Security Agency designated Virginia Tech as a Center for Academic Excellence in Cyber Operations; it was the first college in Virginia to receive the designation and is one of only 16 in the country. To qualify, the NSA must determine that a school’s curriculum treats cyber operations as an “interdisciplinary science,” and that faculty and students must be involved in cyber ops research, among other essentials.
The federal government also supports the development of a cybersecurity workforce via grant funding. In January 2015, then-Vice President Joe Biden announced a $25 million grant from the U.S. Department of Energy’s National Nuclear Security Administration. Norfolk State University was one of the institutions awarded funds through the program to develop its cybersecurity program and increase diversity in the workforce. An online master’s program began that fall, and the school was recognized by the National Security Agency and the U.S. Department of Homeland Security as a National Center of Excellence in Information Assurance Education.
Addressing diversity gaps
Dr. Jonathan Graham, a professor in computer science at Norfolk State, acknowledged graduates were regularly finding work in private industry or government, but said it was vital to open more pipelines to previously underrepresented groups to fill the shortage.
“You need everyone, including formerly underrepresented groups, to come to the table,” he said.
“You can no longer address these shortages in the traditional way. Having underrepresented people in that workforce pipeline becomes even more important now.”
Graham also focused on the increased multidisciplinary nature of cybersecurity education; though technical skills and engineering knowledge were always necessary, other disciplines and backgrounds could also be beneficial, helping cybersecurity experts to better understand the motivation and approach behind specific attacks.
“Before it was just computer science, but now you have to get more operational knowledge and networking knowledge,” he said. “But you also want to study the behavior of these hackers. How do they think, and why do they do these things, so you get a better picture of what you’re dealing with.”
Memon also stressed the importance of attracting different backgrounds into the cybersecurity field, and pointed to a class he was teaching with an attorney on cybersecurity and the law, which included 15 engineering students and 15 law students.
“We are inherently a multidisciplinary center. We have lawyers, we have policy people, businesspeople working with engineers in the same classroom, and we have faculty from all those disciplines,” he said, and lauded the hands-on approach the center took to learning. “We are not sitting in our own little shell, but we are trying to spread this interest in cybersecurity around the world.”
Memon predicted that colleges and universities would continue to expand cybersecurity degrees, certifications and programs, as the interest from students and potential for employment continued to remain particularly high. He also predicted that there would be more cybersecurity education taught in the undergraduate level, even for engineering students not focusing on that particular discipline.
“Every engineer needs to know about cybersecurity,” he said. “Everybody needs to know the basic concepts of cybersecurity, so I think you’ll see more of that happening.”
Clancy also touted the need to consider cybersecurity as a multidisciplinary approach, in part because there were more job openings than students who graduated having focused primarily on cybersecurity during their education.
“Every cybersecurity problem isn’t solved with a new technology solution,” he said. “What we’ve been trying to do at Virginia Tech is to expand the notion of cybersecurity to include the business school, and social sciences, and political science.”
However, Clancy also cautioned that it was important that the technical skills of understanding computer systems and networks did not dissipate with the expansion of the discipline, and also said it was important that students be introduced during their education to ways in which they could understand and conquer real-time threats like they would face in the workplace.
“If we’re not teaching how to stop the attack and prevent the attack, we’ll never get ahead of it,” he said.