Tuesday, August 01, 2017

Cybersecurity–This Summer's Computer Science Education Buzzword

Cybersecurity seems to be all the rage these days. It was a big topic of conversation at this summer's CSTA conference, I've had a number of parents ask me if we teach it at my school, and it is been big on the CS ed social media scene. The NSA even came to talk to teachers at the CSTA conference! It's a big deal! But what does it really mean? Well to quote the great philosopher:

"When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean—neither more nor less."

Or perhaps the story of the blind men studying the elephant is even better? In short, every seems to have a different idea or no idea at all of what cybersecurity means or how it should be taught in schools.

I've been asking around for people's thoughts on this lately. One of the people I asked is a former student who does security work at a local university. Some of his thoughts are below with some edits of my own.

There are two 'tracks' in education that I've seen as a result of this. 

1. Security IT people.  These people think at a business-process level at best, and simply IT service provisioning at worse.  They clean viruses, install operating systems, evaluate products, establish procedures, write policy, inspect network traffic etc.  Security for these people is either strategic or tactical.  They are concerned about 'doing the right thing' as far as security goes, even though they are usually not a technical nerds as one might generally like.

When I've seen people do this at a college level, they do blue-team/red-team hacking and defending either as a class or in clubs.  I personally _hate_ this approach, but I get why people do it. 

A. its fun,

B. its sexy

C. it can be competitive and cooperative and

D. it give something much closer to real world experience.

its also E. Not what _most_ people spend any serious time doing.  That pen-testing stuff gets outsourced to whatever place can do it the cheapest.  Its usually done as part of audits and other really-boring activities and the burnout rate for new people in those professions is 2-5 years.  In my experience, students that do it need lots of oversight so they don't go hacking things they shouldn't and sometimes people need to make a 'safe' lab environment so they don't affect anything else.  That can translate to a lot of time and resources. 

A better approach would be to do a IT modeling course of some reasonable kind.  At one university, there was an course on networking at the grad level, and while they didn't do much actual networking, they would work in teams to design IT technology layouts.  The students learned a lot about modern IT systems, servers, desktops, networking, software management, firewall, IDS/IPS tools, etc.  The Big Project was, given a somewhat real-world-ish scenario (a courthouse, a college, a city, etc) design an IT system from the ground up.  There was a presentation to a small panel and the winners won a prize. 

2. The other track, secure programming.

This is an extremely useful skill too, but its absolutely not sexy.  These people design good algorithms, write solid encryption, read and debug code, do proper QA and acceptance testing, etc.  The lower-level code, the better.  I'm not sure how useful this is though to the average programmer.... never-mind a high school student.... given the fact that if you are using reasonable libraries and sticking to a high-level language, you are usually fine for most development.

A similar approach that might have less direct programming, would be to look at a book like 'Threat Modeling' by Adam Shostack.  He's a Microsoft guy and has done a lot of work thinking about applications of a threat model to different situations.  You would have to do a little 'translation' of the book to high-school programming skills, but in it he talks about software design and thinking through potential security use-cases using a standard model.  Being able to read and debug code someone else wrote, thinking about things in psuedo-code before writing something ('Ready', 'Fire', 'Aim'? ;-), and understanding Information Security goals of Security, Integrity, and Availability without getting all theoretical about it. 

The first category, Security IT, seems like the natural thing for high schools. It fits in very well with network management type courses. And there are all those CTF (Capture the Flag) contests that many students seem to like. Plus is plays into a desire that seems to be prevalent to learn hacking.  It's not for everyone though and for some it doesn't feel like "real computer science." A term that is hard to define for many as well.

The second category, secure programming, is more interesting to me personally. I spent some time doing operating system development where among other things I was responsible for maintaining the code that allowed users to log on and off. Plus we made major security changes to the OS while I was part of the team so threat analysis and design for security was a big part of what we were doing.

It's not so glamorous as "hacking into computers" or even preventing malicious users fro breaking into your network for many students though. But it is oh so important.

I'm still quite a way from deciding what a cybersecurity course might look like at my high school. I can easily think of a couple of ways it could work at the higher education level but fitting it into the high school curriculum seems harder.

What I have decided is that I need to include some discussion of various cybersecurity issues in several existing courses. We talk about some security issues already, good passwords and their use for example. We could do more though. And in my programming courses we could talk about secure programming more. Most of all we could be including discussion of various cybersecurity issues in Advanced Placement Computer Science Principles. For the time being that is my plan. But I'm going to keep working on the idea of a dedicated computer security course. Let me know if you have suggestions or know of good existing cybersecurity courses at the secondary school level.


Peter Vogel said...

Excellent piece Alfred.

Garth said...

Another issue that could use some professional development material. When I look for cyber security stuff most of it is way over my head. Passwords, AV, hazards on the internet are all common sense that many kids (and adults) need to be taught. Getting a whole course written would introduce stuff I, and most programming teachers, would know nothing about. A high level magnet school might be able to teach cyber security at one level, a run of the mill high school needs something at a completely different level simply because of the staff assets; most of us do not know didly squat about cyber security (other than using "password" for your password is a bad idea).

cooltech.blogspot.com said...

Awesome piece!

Ben I. said...

When I answered your question here I also outlined an entirely different approach, with a nominal hacking course that was designed to get at the low-level and foundational operations of working programs rather than at modern hacking techniques. It was an approach that got my high school students deeply interested in the operations of stacks, pointers, and the way that programs are structured in memory in real life. Computer security provided a rich and motivating playground, but CS was always the goal.