Diverse cyber security work force must have technical expertise, flair for problem-solving
As in past times of national crises, the United States faces a shortage of people with a particular set of advanced technical skills. According to a 2014 study by the Ponemon Institute, an information security and privacy research center, the demand for cyber security professionals in both the public and private sectors far exceeds the supply. There is a need for people with expertise in computer science, math, programming, electrical engineering, and logic, but also for people with a range of technical and nontechnical problem-solving skills.
Cyber security is a young, rapidly evolving field that encompasses many different jobs and roles. A 2010 Bureau of Labor Statistics report estimated that there were about 72,670 people in the "information security analysts" job category, which does not include all cyber security positions. The need-much greater than demand, which is actual job openings-for cyber security professionals in the United States is staggering, considering there are about 6 million businesses and 90,000 local governments and school districts, all of which must, to some degree, protect their data and their networks.
Does the cyber security job boom mean opportunities for women? Eugene Spafford, PhD, professor of computer science at Purdue University, believes inclusion in the field of cyber security is a must, and that attracting and retaining women is crucial to finding the kind of technical talent needed. He says when women get shut out or leave the field, their strengths are lost and the profession suffers. Dr. Spafford, who is also executive director of Purdue’s Center for Education and Research in Information Assurance and Security, said, "If you have women on the design team, you’re more likely to get discussion about privacy side effects and human/ computer interface. Having a diversity of views and experience always leads to better results."
Jeremy Epstein, longtime board member of Applied Computer Security Associates (ACSA), agrees. ACSA is a 30-year-old nonprofit organization whose mission is to improve understanding of the theory and practice of cyber security. It sponsors cyber security research conferences, including ACSAC (Annual Computer Security Applications Conference) and NSPW (New Security Paradigms Workshop). Epstein, who has been a cyber security professional for 25 years, said, "Women are historically very underrepresented in computer science and in computer security. When I started in computer security 25 years ago, the field was 20% to 30% women. Now it’s between 5% and 10%. That’s obviously going in the wrong direction."
Troubled by this trend, Epstein persuaded ACSA’s board to fund scholarships for women who want to study cyber security and need financial help.
The first scholarships were awarded in 2012. Since then, ACSA has been able to increase the number of awards it makes by partnering with HP and the Computer Research Association’s Committee on the Status of Women in Computing Research (CRA-W). For the academic year 2014-2015, there are 11 scholarship winners, both undergraduate and master’s degree candidates, from colleges and universities across the United States.
The National Science Foundation (NSF) also has awards for cyber security education, including the CyberCorps Scholarships for Service (SFS) program, which offers full scholarships to students in academic cyber security programs. In addition, the NSF supports interdisciplinary, cyber security-related research and education programs, such as the NSF/Intel Partnership on Cyber-Physical Systems Security and Privacy (CPS-Security) and Secure and Trustworthy Cyberspace (SaTC).
In response to the demand for a larger, more highly skilled cyber security work force, a growing number of universities, and even some community colleges, are adding cyber security classes. With the help of a $200,000 NSF grant, the departments of electrical engineering and computer science at Cleveland State University and Case Western Reserve University (CWRU), both in Cleveland, are collaborating on an undergraduate cyber security curriculum. The sequence includes courses in hardware, software, and information security. The final exam for the hardware class is a hacking exercise in which students hack their classmates’ computers and defend their own. Although controversial as a teaching method, hacking, which exploits a system’s weaknesses, is one way to learn how to identify and remedy these weaknesses. CWRU Professor Swarup Bhunia, PhD, contends that hands-on, simulated attack-and-defense classes prepare students to come up with solutions to the specific security vulnerabilities they will encounter in the workplace.
Pablos Holman, an inventor, futurist, and hacker, said in a TedXMidwest talk, "Hackers have minds that are optimized for discovery." He pointed out that hackers methodically attempt to compromise every aspect of a system’s defenses, "just to see what will fall into their laps." The hacking mind-set, however, can be applied in an ethical way to other kinds of problems. Holman is part of a multidisciplinary team of scientists at Intellectual Ventures Laboratories that is analyzing the lifecycle of the malaria parasite. By understanding every stage of malaria and looking for weaknesses, the team has come up with some novel ideas for controlling the disease, which kills hundreds of thousands of people annually, mostly children in Africa.
Land, sea, air, and cyberspace
Carrie Gates, PhD, is chief scientist for Dell, specializing in security research. Dell provides network security products such as firewalls, identity management systems, data leak prevention, encryption technology, and intrusion detection and prevention to corporate and government customers. Dr. Gates is responsible for determining how these products can be improved and what new security technologies can be developed. She monitors academic research for trends and discoveries that might be put into products.
Cyberattacks can be thought of as a new twist on conventional military aggression. In the past, nations launched attacks by land, sea, or air, but cyberattacks are not geographical; they don’t occur in a physical space. In general, attacks are either politically or economically motivated. "What’s interesting about the political attacks," Dr. Gates said, "is that they can be carried out by individuals who are not employed by a nation state. This makes for a much broader threat than we’ve seen in the past."
Defending political and economic targets on the cyberfront requires a new mind-set and a new skill set. Cyberattacks can take many forms; they can be launched against hardware, networks, and software. Attackers may operate in unexpected ways, such as infiltrating an organization gradually, without being detected, then waiting to launch an attack. The tactics of a cyberattack are different from those of conventional political aggression. For example, attackers might steal information to gain understanding of an adversary’s capabilities, to develop counterfeit technology, to blackmail someone, or even to demand a ransom.
Dr. Gates, whose PhD is in computer science, acknowledges that cyber security is a very specialized field. "But not necessarily because it’s a computer science field," she said. "To be successful in cyber security, we need not just computer science and computer engineering; we need a broad spectrum of backgrounds. Psychology and sociology, for example, enable us to understand an attacker’s motivation. People who can apply a broad background-social science, statistics, and math-to specialized security problems are extremely valuable."
While Dr. Gates says the profession has been welcoming to her as a woman, she is acutely aware that the climate for women varies widely from organization to organization. "I think there are tremendous possibilities in this field—in government and industry and in operations, research, and software—and that it’s at least equal for women in terms of opportunity." Having a competitive personality is also an asset. "If you like playing games and trying to outwit people, this is the field for you," she said. "You’re pitting yourself against an adversary, and that can be very interesting."
Security, privacy, public policy
Susan Landau, PhD, a researcher with a doctoral degree in theoretical computer science, is an internationally recognized expert on cyber security policy. Her early work in algebraic algorithms had applications to symbolic computation, cryptography, and computational geometry. She is currently a faculty member in the Worcester Polytechnic Institute’s (WPI) department of social science and policy studies. She has been a senior staff privacy analyst at Google, and a distinguished engineer at Sun Microsystems. Dr. Landau is the author of several books on cyber security, including Surveillance or Security: The Risks Posed by New Wiretapping Technologies (MIT Press, 2011) and (with Whitfield Diffie, the inventor of public key cryptography) Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press, 1998; revised, 2007).
Like many issues that seem to spring fully formed into the headlines, cyber security is something experts have been expressing concern about for years. "There have been papers about how we need to secure our cyberinfrastructure since at least the mid-1990s," Dr. Landau said.
In the aftermath of World War II, cryptography and the science of secret communication, which advanced rapidly as it was deployed for intelligence and counterintelligence by both Allied and Axis nations, was almost exclusively the province of government. The invention in the 1970s of public-key cryptography—that is, computer algorithms allowing exchange of information without a shared secret—changed that. Public key cryptography made e-commerce possible and set off a controversy about access and privacy sometimes referred to as the "crypto wars." This controversy persisted into the 1990s when the explosion of e-commerce required new, more advanced encryption standards.
Dr. Landau characterized the crypto wars this way: "It’s a conflict between the ability of law enforcement to do investigations and the ability of the private sector to protect itself against criminal activity, such as theft, espionage, and extortion. It’s often framed as a conflict between security and privacy, but I think it’s a conflict between security and security—or security and surveillance."
Cyber security is not a dualistic issue, however. There are multiple "threat models," many stakeholders, and a wide variety of interests to consider in establishing secure systems. Governments, parents, business owners, and medical facilities, for example, all have different things they want to protect.
Dr. Landau explained, "We began by thinking that cyber security was a purely technical problem, but there are social issues involved. It’s not one-size-fits-all. There are economic issues, such as engineering costs and product delay. There are psychology issues: How do you design usable privacy? There are anthropology issues: Different groups approach security and risk differently."
A longtime advocate for women in science and technology, Dr. Landau started "Researchers," a mailing list for women computer science researchers in academia, industry, and government labs, and also created, with Elaine Weyuker, PhD, the ACM-W Athena Lectureship to recognize outstanding women researchers.
With Terry Benzel and Hilarie Orman, Dr. Landau has organized GREPSEC II, to be held in May 2015. The first iteration, GREPSEC I, took place in 2013. Supported by the NSF and CRA-W/CDC, this workshop is for women and underrepresented groups interested in computer security research.
"On the one hand, this field is growing by leaps and bounds," said Dr. Landau. "But it has few women, few minorities, and far fewer women than other areas of computer science, such as cryptography, machine learning, or theoretical computer science. This creates a chilly climate for both women and minorities."
Her advice to engineers and engineering students interested in cyber security? Take some courses outside your discipline, such as law, public policy, or social science. "You will understand the systems you’re implementing in a much better way," Dr. Landau said. "I know from my experience at Google that engineers who can speak many languages-and I don’t mean French or Mandarin; I mean the ability to talk to lawyers, users, and policy makers-those were the most effective engineers."