With the number of cyber security job openings in the tens of thousands nationwide, the importance of developing the necessary skills to fill open positions is both increasingly critical to our national security and essential for the world’s economic well-being.
To help meet workforce needs, UMUC has been expanding its schedule of career-oriented events, particularly in the high-demand field of cyber security. One such event, Cyber Connections: Academics, Skills, and Professional Expertise, was held at UMUC’s Academic Center at Largo, Maryland, during National Cybersecurity Awareness Month. It brought together industry leaders and UMUC faculty members to discuss academic programs, job prospects, and how to get hired in this high-demand field.
That event followed on the heels of a cyber security career panel discussion held at Naval Station Norfolk, where more than 180 active-duty military personnel learned about the demand in cyber security fields and talked with faculty members, advisors, and others at UMUC about pursuing a cyber security or related degree.
Cyber security experts from defense, government, and private organizations told the audience at the Cyber Connections event that the single biggest threat to information security is an employee who inadvertently—or on purpose—allows a hacker to gain access to a system.
“When you look at incidents in the news recently, you find that it is not a piece of bad code; it’s not something that has gone wrong,” said Emery Csulak, chief information officer/senior privacy official at the Centers for Medicare and Medicaid. “Nine times out of ten it’s people making a mistake somewhere. That shows how valuable every single person is in the security of an organization.”
About 90 to 95 percent of major attacks involve phishing, he said. With a concentrated effort to educate every employee about how to avoid being a phishing victim, the number of hackers gaining access drops dramatically, he added.
Richard Smith, information and security officer for Freddie Mac, said his effort to maintain security for the agency’s $1.9 trillion in tangible assets—as well as the wealth of personal information the agency holds—involves training every employee and keeping the most valuable assets separate.
Information is encrypted both inside the organization and in transit, and it is frequently tested to determine the weak links.
“We have simulated phishing attacks,” he said. Security is “baked into” every application.
BALANCING ACCESS AND SECURITY
One challenge is having enough security to protect information without turning a company into a police state that drives away its employees, said Stephen Gantz, chief security and privacy officer for Cognosante.
“It comes to a philosophical question,” he said. “When I have employees, do I trust them by default until they do something wrong? Or do I have to distrust them by default?”
In a large organization, you might reasonably expect a few bad actors, he said. “As a security officer, I am arguing with the business about where we tip the balance in adding security controls rather than allowing people to feel trusted and a valued part of the team.”
While there is always more you can do to protect your perimeter to keep the bad guys out and to keep your own employees from doing things they shouldn’t, the chance of a break-in is still high, he said.
“We have shifted the focus to protecting the data,” said Gantz. That means applying digital rights management so that if data does get out, it won’t be useful to the hacker who doesn’t have the rights to open it, he added.
“You can’t protect everything,” said Devon Bryan, vice president, Global Chief Information Security Systems for ADP. And protecting an organization’s crown jewels requires a multilayered defense architecture with a lot of depth.
It is one thing to be alerted after an attack happens, Bryan said, but it’s much better to have a system that alerts you when an attack is happening. And with 50,000 employees, it is still critical to have a human firewall layer as the first line of defense, he added.
At the National Security Agency, cyber security is considered a “team sport,” said Gerald N. “Chip” Willard, senior technical leader.
“We partner closely with DHS, the FBI, DOE, industry, academia, and the research community,” he said. “We are helping to harden systems because we live on the same network.”
The key is to understand the nature of the threat, Willard said. If you know what hackers are seeking, you can hone in on protecting those assets instead of trying to protect everything.
The major threat for businesses is intellectual property theft, said Bianca McNair, a strategist at the NSA’s National Cryptologic School’s College of Cyber.
THE INTERNET OF THINGS
The threat rises as Internet connectivity increases, said Bill Morgan, chief information security officer and chief privacy officer at the U.S. Agency for International Development.
For instance, the Internet has transformed automobiles from vehicles that get you from point A to point B, to a place where people conduct business.
“I can make a telephone call, read my e-mail messages, send text messages to edit a document inside of my car,” said Morgan, who investigated a company that offered to help him set up his automobile e-mail system and discovered it was a shady operation out of Poland.
“The moral of the story is, everything is on the Internet,” he said. “We have to train kids at a very young age about phishing. It doesn’t start in college. It’s at the childhood level.”
Nick Oldham, the only lawyer on the panel and of counsel at King and Spalding, said, “The ‘Internet of Things’ scares me.”
“It’s turning into one grid that connects everything. We are all just pieces of this single grid,” he said. “We have to know how we fit into the problem so we know how to protect ourselves.”
As personal devices perform more functions and store more information, the value of what they hold increases and their risk factor goes up, said Clifford Wilke, chief technologist for Hewlett-Packard.
“The driverless car is coming closer to reality,” he said. “Think of what would happen if someone decides to play a silly game or hacks the car—what the potential loss of life would be.”
At the panel discussion at the Vista Point Center on Naval Station Norfolk, moderator Steve Foster held up his phone and said this: “It’s 100,000 times more powerful than what powered the system that got a man to the moon.”
His comment set the tone for the rest of the event, as members of the panel—including two faculty members from UMUC, a representative from the FBI, and an executive with energy giant Schneider Electric—described the challenges facing industry, government, and education in preparing a new generation of cyber security talent for a field that is growing more complex and more important to everyday life than ever before.
EMERGING FRONT IN CYBER SECURITY
With the Internet of things, cities are becoming savvier by using smart parking, for example, to manage the limited number of parking spaces in downtown areas.
Jack McCauley, director of the federal government segment at Schneider Electric, an energy management, software, and automation company, said cyber attacks now come through operational systems, like heating and air conditioning systems.
“We’re now looking for people that have not only the typical IT certifications but also backgrounds in electrical and mechanical engineering,” McCauley said. “We are bringing in people with cyber security backgrounds and cross-training them on building systems. But we are also taking our industrial-controls people and getting them trained in the IT side of operations.”
Melanie Hayes, who is with the Federal Bureau of Investigation in Chesapeake, Virginia, touted the agency’s new website, as well as its talent networks, for recruiting cyber professionals.
Hacktivism, methodologies, and malicious code are changing on a weekly basis, she said. Through its FBI Academy, which trains special agents and intelligence analysts, and its Citizens Academies across the country, which provide local business and civic leaders an opportunity to learn how the FBI works, the Bureau is looking for talent to help them meet the latest cyber challenges and catch increasingly sophisticated cyber criminals.
Hayes pointed specifically to those in the military who have cyber security skills. They are particularly attractive to the FBI, because two important attributes of FBI career success are typically ingrained in them: they respect procedures and demonstrate high levels of loyalty. “We found military veterans to be very quick learners, very good with process, and very good with change,” McCauley added.
KEEPING ACADEMIC PROGRAMS CURRENT
Jimmy Robertson, PhD, program chair, computer science and software development and security in UMUC’s Undergraduate School, says universities have to be quicker and smarter in developing programs that are relevant to today’s challenges.
“UMUC makes sure we have the latest and greatest faculty,” Robertson says. “Our faculty are practitioner-scholars who teach for us at the same time they are working to catch the bad guys.”
UMUC cyber security, cyber forensics and investigation, and cyber security policy programs are kept current through an advisory board that keeps the curriculum matched to the current skill requirements of industry and government.
The university also eliminated publisher textbooks in The Undergraduate School and is now using open educational resources, which are embedded digital materials that can be updated immediately.
This is extremely important in the rapidly changing field of cyber security. Course materials are kept fresh and nimble and include case studies of recent cyber attacks, like the release of confidential data belonging to Sony Pictures Entertainment and other high-profile breaches.
“Sony was a good case study to see how it could have been prevented,” said Balakrishnan Dasarathy, PhD, program chair, Master of Science in Information Technology. “How should companies like Sony put in place policies to educate employees so this type of incident doesn’t happen again?”
The Naval Station event was designed to educate prospective students about cyber security professions and also to help develop a pathway to a career in the field, said panel moderator Stephen Foster, who retired in 2000 after a 20-year career with the FBI.
The technology fields that are looking for cyber security talent are both expanding and multiplying.
It was the FBI’s Hayes who said her agency is now looking for people with skills in digital forensics, computer programming, mobile application development, malware analysis (reverse engineering), computer networking, and network traffic analysis. The FBI also needs people who understand computer hardware and software and those with industry-recognized certifications who understand Windows, Linux, Android, and OS operating systems.
“Programs like UMUC are doing very well at helping us recruit for internal IT systems,” said McCauley from Schneider Electric, adding that his company sees the biggest gaps on the operational side, in areas such as industrial control systems and building automation systems.
“Don’t limit yourself to only traditional companies when you think of cyber security,” McCauley emphasized. “Any company that has products or services that are connected to the Internet are going to need expertise in cyber security.”