As demand mounts for graduates with computer security skills, the question arises: What’s the right training?
When George Mason University announced it would be offering a four-year undergraduate degree in cybersecurity engineering in spring 2015, applicants were so eager they began taking some of the required courses ahead of time. As a result, all 29 students in the initial cohort are scheduled to graduate next May, in just three years. Meanwhile, the program now has 300 students enrolled. Last fall, 300 more students applied, and 93 were accepted. “Our degree in cybersecurity engineering put us on the map,” enthuses program director Peggy S. Brouse.
It’s no surprise the new degree has been such a hit. Job prospects in the field are exploding. Indeed, the upcoming George Mason graduates all have or expect job offers. Global spending on cybersecurity products and services will exceed $1 trillion cumulatively between now and 2021, up from an estimated $120 billion this year, according to research firm Cybersecurity Ventures. ISACA, an information technology governance nonprofit, reported in 2016 there were will be a global shortage of some 2 million cybersecurity professionals by 2019. Cybersecurity Ventures’ estimate of the skills gap is even greater. Worldwide, it says, the industry will have 3.5 million unfilled jobs by 2021.
“Right now, the supply-demand curve is broken,” says Victor Piotrowski, who oversees the National Science Foundation’s CyberCorps Scholarship for Service program, which works to bring recent graduates into government cyber jobs. Mohamad Ali, president and CEO of Carbonite, a Massachusetts data security company, agrees: “We’re growing fast, and the big problem is getting the right talent.” His firm was on course to hire 250 people last year, and it typically has 50 openings at any given time. “We have a significant challenge in recruiting.” he says. But the question of what constitutes “the right talent” in a new discipline with no standard textbook—and a rapidly changing security landscape—has prompted a variety of responses and triggered debate over degrees and curriculum.
One need only be a casual consumer of print, TV, or online news outlets to realize what’s driving the industry. Last year alone, companies ranging from the credit-scoring firm Equifax to telecom giant Verizon to Uber, the Web-based ride-hailing company, were hit by cyberattacks that stole personal data from millions of customers. Meanwhile, the nation’s two top spy agencies, the Central Intelligence Agency and the National Security Agency, were embarrassed when cyberthieves made off with and then published top-secret hacking tools. The code was integrated into the WannaCry ransomware that ravaged computers in 150 countries—and which the White House recently accused North Korea of unleashing. In our ever more digitally connected world, the risk of privacy and security breaches increases daily as technically savvy criminals, terrorists, and rogue nations find new ways to launch sophisticated strikes on networks, hardware, software, and stored data.
It’s hard to believe that 20 years ago the notion of teaching cybersecurity in colleges barely existed; the topic was mainly investigated by a few academic researchers. That began to change in 1998, when federal agencies started to include cybersecurity in their thinking about ways to protect critical infrastructure and then President Clinton ordered them to do more to encourage cyber education. That led to the NSA creating a program now called the National Centers of Academic Excellence in Cyber Defense, which it now runs with the Department of Homeland Security, to recognize schools that offer core curricula in security that meet the program’s “stringent” criteria. Initially, just seven universities qualified. Today, 200 are recognized.
While the NSA’s academic excellence designation earns schools bragging rights, it doesn’t increase their coffers. To address that point and give schools a monetary motivation to hire faculty, set up programs, and invest in equipment and labs, the NSF in 2000 launched CyberCorps. The program typically awards five-year grants in the range of $4 million to $5 million to schools to set up scholarship programs. For each dollar spent on students, the school can spend 20 cents on costs. Enrollees agree to spend one year working for a government agency for each year they’re in the program, up to a maximum of three years. Currently, the program includes 69 universities and 800 students, and it graduates 300 a year. Its budget last year was $50 million—a sum expected to increase to $55 million this year—and 80 percent of that money went to scholarship programs. The remaining 20 percent was earmarked for research to improve cybersecurity education.
It’s a successful program. Piotrowski notes that 94 percent of its scholars graduate, pass security clearances, and take jobs, and 70 percent of them stay beyond their agreed time in service. NSA is the most popular agency for engineering and computer science students, with 25 percent of them joining it. The NSF takes a hands-off approach and lets each school design its program as it sees fit, recognizing that cybersecurity is not just a technical issue. So while around 60 percent of its funded programs focus on engineering and computer science, the others involve schools of business, law, and social science. “The NSF takes a holistic view of cybersecurity,” Piotrowski says. Still, are 300 graduates a year enough to meet the government’s cybersecurity job needs? “The answer is obviously no,” he says.
The program’s success has led some other agencies and state governments to fund similar programs, and the courses also enroll students who are not receiving scholarships. “So there’s an indirect ripple effect boosting the workforce, we suspect,” says Piotrowski. There have been discussions to create public-private partnerships to bolster the commercial workforce, he adds, “but that hasn’t happened yet.”
Few Undergraduate Degree Programs
The scholarship program also heavily skews toward master’s degrees. Sixty-eight percent of recipients are master’s students, 30 percent are undergrads, and just 2 percent are Ph.D. candidates. One big reason for the lack of undergraduates is pay. Federal pay scales are agnostic when it comes to disciplines, so newly minted graduates with no experience will earn around $37,000, no matter their major. That’s chump change for just graduated computer engineers and scientists, who can easily pocket around $90,000 a year in the private sector. The public-private pay gap is less severe for new hires with advanced degrees, however.
But there’s another reason for the dearth of CyberCorps undergraduates: Not many schools offer bachelor’s degrees in cybersecurity or give computer engineering and science students an option to earn a concentration or minor in the field. George Mason, located in a Virginia suburb of Washington, D.C., is one of only a handful of U.S. engineering schools and colleges offering undergraduate degrees in cybersecurity. “Not many universities are graduating these key people at the undergraduate level,” Carbonite’s Ali says. “It’s not part of computer science at most universities.” At the top 10 computer science schools, none has a requirement for cybersecurity in its curriculum, and only three of the top 50 do, he says, referring to a 2016 study from the security firm CloudPassage.
That may be changing. Piotrowski notes that NSF routinely polls engineering deans on faculty hiring, which is seen as a leading indicator of student demand, and by far the biggest spike in hiring is in cybersecurity, closely followed by big data. But engineering schools remain divided as to whether it’s better to offer cybersecurity degrees at the undergraduate level or embed more security courses into core computer science and engineering curricula.
Should more schools be offering cybersecurity degrees? Brouse—who created George Mason’s cybersecurity engineering B.S. after the Dean’s Advisory Board suggested there was a need for a study of cyber physical systems—says that the degree’s early success shows there is a need and demand for degrees in cybersecurity at the undergraduate level. But not all her academic peers agree.
“It’s an interesting debate whether it’s a good idea or not,” says Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland. Maryland doesn’t offer such a degree, although its Honors College offers what it says is “the first and only honors undergraduate program in cybersecurity” as well as a minor in cybersecurity. Called the Advanced Cybersecurity Experience for Students, and led by Michel Cukier, an associate professor of reliability engineering, the honors program requires students to take a group of electives in courses such as cryptography, network security, and secure operating systems. The minor additionally includes courses outside of computer science, including applied reverse engineering and a group project in cybersecurity. “The concentration is popular, and the demand is there,” Katz says, adding that many of the cyber electives are also popular with students who don’t take the concentration.
He’s skeptical a B.S. is necessary. “Eighty percent of a major in cybersecurity would overlap with a computer science degree, so we don’t see immediate dividends.” It’s better, Katz says, to ensure that students are grounded in the fundamentals and they can specialize once they graduate, perhaps by going to graduate school. That’s also the view of Fred Schneider, a computer science professor at Cornell University. All computer science students need to know how to build systems, he says, but only those who want to specialize in security need to be experts in the field. Moreover, Schneider says, “we are still not sure what to put into security courses. Do we train students to think like an attacker?” Also, he adds, unlike calculus or physics, there are no authoritative textbooks. “There’s not one standard book.”
Beyond the effort that would be needed to create a major, even doing a minor or certification “would need much more thought” just to ensure they receive ABET accreditation, says Radha Poovendran, a professor of electrical engineering at the University of Washington. Still, Poovendran says, “some topics require training beyond what we’ve done in the past,” and “the next wave of training” will likely include more security courses.
Needed: Baseline Knowledge
Shiu-Kai Chin, a professor of electrical engineering and computer science at Syracuse University, doesn’t think degrees in cybersecurity are necessary but says that security should be an integral part of computer science and computer engineering. “It is crucial to study it at the undergraduate level, because that provides the baseline capabilities of the profession. If only a few thousand master’s students and a few hundred Ph.D.’s know how to design secure systems, then we’re screwed.”
At Syracuse, he adds, “a lot of what we’re doing is moving that knowledge into the bachelor’s program.” For example, the Introduction to Computer and Network Security course is now part of the core computer engineering curriculum and is an elective for computer science students. The school is, however, considering whether to require all computer engineering and computer science undergrads to take courses in security. Meanwhile, next fall, Syracuse will begin offering computer engineering and computer science juniors and seniors a Cyber Engineering Semester (CES). It piloted the program in 2011 with the aid of the U.S. Air Force Research Lab, but it’s been on hiatus since then because of a lack of funding and changes in leadership at the school. In the meantime, says Chin, the three bespoke courses it created for the pilot—computer science and engineering courses that were infused with security and assurance topics—have become part of the curriculum: Certified Security by Design; Introduction to Computer and Network Security; and Access Control, Security, and Trust. Chin expects the courses to be popular, though for the first year he hopes to limit enrollment to 15 to 20 students.
Within engineering schools there are more graduate programs geared toward cybersecurity. Some offer degrees in cybersecurity, while others offer computer science and computer engineering degrees with a focus on security. Some highly rated programs include those at the University of California, Davis; Boston University; Johns Hopkins University; George Washington University; and Iowa State University. Some master’s programs, including Maryland’s, are aimed at early- or mid-career professionals. George Mason’s isn’t, but, given the school’s proximity to Washington, D.C., most grad students are returning professionals. Syracuse offers an M.S. for newly graduated students and an online M.S. that’s more geared toward professionals.
Offense and Defense
One top-rated graduate program is at Carnegie Mellon University, in the College of Engineering’s Information Networking Institute (INI). It offers M.S. degrees in information technology and information networking at its Pittsburgh campus, and two versions of an information technology M.S.—one with a emphasis in mobility, the other with a focus on information security—that include classes at both its Pittsburgh and Silicon Valley campuses. Enrollment has been growing steadily. Accepted students typically have a B.S. in either computer engineering or computer science, strong GPAs, and superb programming skills, says INI director Dena Haritos Tsamitis. “Students entering our program have a strong technical background. The program teaches principles of building secure systems and incorporates both offensive and defensive security.” There are various ways students can customize their degree so they can concentrate on specific areas, such as cyber operations, forensics, or incidence response.
Given the ever changing landscape of cyberthreats, curricula at both the B.S. and M.S. levels must be regularly refreshed to stay current. At Carnegie Mellon, for instance, Tsamitis structured the curriculum to accommodate one-shot, semester-only special topics on emerging issues that are usually based on faculty members’ latest papers. The courses “pop up as new hot areas emerge. Their [faculty] research transits into the course in real time.” Recent event-driven topics included security and fairness of deep learning, and safeguarding the Internet of Things. George Mason regularly adds topical electives to keep students up to date. This year’s included courses on blockchains and cryptography. Planned for next year is one on drone vulnerabilities.
Practical experience is an essential part of all programs, and it’s mainly handled via internships and industry-sponsored projects. George Mason seniors work the entire year on projects developed by such top-flight companies as defense contractor Raytheon and consulting firm Booz Allen Hamilton. Firms pay $10,000 to get five-member teams of students to work on their projects. The money is used to keep the program’s six physical labs current. One recent project asked students to create a tool to help companies determine how vulnerable they were to cyberattacks; another wanted a team to investigate how drones might be compromised. All grad students in Carnegie Mellon’s cyber program are required to do a 14-week internship at a company, government agency, or nonprofit, or with an academic researcher. Each year, just three weeks into the initial semester, there is a campus job fair, and Tsamitis’s students are already being interviewed for internships. “It’s a very competitive process.”
As the NSF learned, engineering schools are keen to hire faculty who can teach—and research—cybersecurity, and that demand is clearly creating a tight market. Says Syracuse’s Chin: “We absolutely need more faculty in this area. At the end of the day, that’s the constraint. It’s an opportunity-rich environment” for academics qualified to teach the subject. Graduates are a hot commodity, too. But can they expect to enjoy long careers? Cybersecurity, like many other professions, is rapidly being automated. Many companies are turning to artificial intelligence to help keep pace with the growing onslaught of intrusions and data thefts. Nevertheless, no one expects the need for skilled humans to evaporate anytime soon.
“If you think of the pyramid of jobs, there are a lot of guards at the front desk doing monitoring, and those jobs will go away,” says Peder Jungck, CTO for intelligence and security at consultants BAE Systems. But, he adds, there will be plenty of jobs for many years to come, particularly for those who can write the algorithms that run AI. When new features are added to digital technologies, Schneider says, “there are many ways that they can come back to bite you. It will be decades before machines can help us find them all.” And, as Washington’s Poovendran notes, AI also opens doors to new businesses and jobs. “The coming age of AI is going to be interesting for everyone to adjust to. We want to make sure that our students are at the front, taking advantage of the technologies and starting companies based on these emerging technologies.”
By Thomas K. Grose
Thomast K. Grose is Prism’s chief correspondent, based in the United Kingdom.
Design by Nicola Nittoli