Realigning Cybersecurity Education
On the 27th of November 2017, Brendan Hopper presented at UNSW Canberra's International Conference, Realigning Cybersecurity Education.
Watch the video or read the transcript below:
I'm here today to present the thoughts and thinking we've done in the UNSW cyber engineering programme that we've been running for about the past eight or nine years in Sydney.
There are about four people who are critical, or really core, to this programme. I'll walk you through their background, because to me, the people who are involved in this programme, their backgrounds and their skill sets and how they complement each other, are actually kind of key to the success we've had at UNSW with cyber security education and engineering.
We haven't done everything we would have liked to in terms of cyber security education; we're not able to deliver at the scale that the nation needs, but we are very proud of what we have been able to achieve. We've got an education programme at UNSW in Sydney which is recognised internationally. I get a lot of students coming to me and saying, "When I applied for a job in San Francisco at a tech start-up, and they saw that I'd attended the UNSW cyber programme, it skipped some of the steps of the interview process, or they were very, very interested and essentially they were like, if you've passed that with good grades, we definitely want to attract the kind of talent that you represent."
So, the person who's essentially at the core of our cyber security education programme is Richard Buckland. He's the person who's supposed to be giving this presentation. Richard is a Professor at UNSW. He's extremely focused on fundamental education, so prior to getting involved with cyber security education, he was very focused on first year computer programming and actually teaching students who were doing computer science and software engineering degrees, the basics very, very clearly, so that he embeds the skills in them for their entire lifetime of the fundamentals and the core components of computer science, which don't change or decay over time.
Richard spends most of his research time actually focused not on researching computer security but on researching education and working out ways of better educating people, better engaging students. And a lot of that isn't actually focused on the transferable skills, saying, "How do we get these skills taught to people?" A lot of it is actually focused on increasing their engagement in the room, making them want to come to lectures, making them excited about classes, making them want to do more than what's prescribed in the courses.
My name is Brendan Hopper; I'm the second person who's involved in the programme. I have been in the cyber security field, I guess, for about 23 years now, since I was 11 years old. I am in a very, very lucky position, a bit of a unique position, almost, definitely not unique to Australia where we're fortunate enough to have a few people who are actually in the same position I am, but I've got a bit of an intersection going on of three different fields.
I witnessed a lot of the early development of the kind of "hacker scene" and the formation of, particularly, the scenes around vulnerability research and exploit writing, so extremely technical. Definitely not something where people would learn the skills at university; it was all focused on self-education, getting those skills, actually doing the research, and inventing the techniques to perform cyber attack, back before that was really a big publicised thing.
The second kind of point on this triangle is that I have been teaching at UNSW for eight years now. I started a course, COMP9447; it's the course that's behind a lot of UNSW's success at CySCA. It is effectively teaching students the skills that are required to analyse software at a very, very deep technical level, find out whether there are vulnerabilities in it and develop exploits for those vulnerabilities, and then research countermeasures and kind of try and push the industry forward in terms of very low-level tech detail.
The third kind of point of the triangle is that I'm a General Manager at the Commonwealth Bank of Australia. I'm not representing CBA here today, I'm representing UNSW. But effectively, I look after CBA's cyber architecture and assessment practice. That's about 150 people who are basically involved in making sure that everything the Commonwealth Bank builds is secure, and then a team of people who do penetration testing, red team and secure coding practices, just to make absolutely sure that what we build is bulletproof.
That gives me a little bit of a unique position, or not unique, but definitely very privileged, in that I'm hiring a lot of the people that we're also involved in growing. Over the past three or four years I've probably been involved in the recruitment of maybe 300 cyber professionals. So, I've got a really good grasp of exactly what's in the market, what I'm looking for, what other organisations are looking for, which gives me a bit of an ability to come at things from a different direction.
There are two other people who are very heavily involved in our programme. One of those is Fionnbharr Davies, who actually moved to Berlin a couple of years ago. His skill set is so unique that we've kept him on at UNSW, providing content for students, interacting with students. We kind of think of Fionnbharr being in Berlin as a bit of a 24/7 capability, and he's on the night shift, so literally he'll engage with students late at night, or early morning for him. So we kind of have this on-going thing when we're teaching a class: we've got this 24-hour coverage online.
Fionnbharr has a background in vulnerability research and red team testing, so another very technical person. Fionnbharr also brings something to the programme which is very important: he's a very, very deep thinker. I'm the sort of person that, I look at a problem for five minutes, and if I can't solve it in five minutes I say I'm not going to be able to solve this, and I pass it along to someone who I think is, because they're a deep long-term strategic thinker. Fionnbharr's definitely our strategic thinker in this programme.
And our last person is Nina Rodgers, who's in the back of the room. Nina came on board at UNSW a couple of years ago and is focused upon building community around the UNSW lab. So, there are Women in Cyber programmes we run, there are high school education programmes, but it's more than that, it's actually just about building a community, making sure we treat the students as individuals, and just accelerating everything, and that's been a really massive thing. We taught the programme for six or seven years before we actually realised we needed someone who's community-focused and who could really build community about the programme. Since Nina's come on board, it's massively accelerated what we've been able to do.
So, today ... I have a lot of opinions. I don't really have any answers to problems that I'm talking about and I brought a lot of questions, so I'm just kind of going to present my worldview and hopefully that will give you some data points to drive the conversation over the next two days.
My view of the cyber skill shortage and what we need in cyber security is three classes of people, and I feel that a lot of these forums and a lot of the conversations that I've had about cyber education are only really focused on one of the classes of people, and I think that's a bit of an incomplete picture.
The first class of person is a cyber professional. For me, this is someone who either graduates university or has a TAFE education or is even just self-educated, but they go into a role where their job is primarily cyber security. They kind of wake up and say, "I work in cyber security." And we need all kinds of these people. We can't just have a single shared curriculum like when we teach STEM. It can't be a single shared curriculum because there are so many different types of cyber security professionals we need. We need people who are capable of doing research and changing the cyber security technologies. We need people who are capable of writing new tools. We need people who are very good and capable of getting those tools and putting them to use, or practitioners. We need managers. We need all sorts of different people who fit into the cyber professional category.
Typically, when I get a class of students, when we teach 9447, it is anywhere between 80 and 120 students who are officially enrolled, and then we have about 130% in attendance. If we have 100 people enrolled, we normally have about 130 people turning up for the class. So, everyone who's enrolled turns up, plus some extra, which is a very, very good thing.
Students are generally third year or second year university students with computer science or software engineering backgrounds coming into these courses. We have a conversion rate of about 10-15%. So, for every 100 students that are just general-purpose computer science students, they don't really know what their careers are going to be. Let's say they're at university because they want to do something to do with computers. Of the 100 students that enrol, somewhere between 10 and 15 will actually move into cyber as a profession, every time we teach a class. That is a high number, but you also kind of have to understand that that other 85% ... is also time that's really well spent.
And that's the second class of person I want to talk about today, because I feel this is something that often isn't mentioned or isn't really focused upon. We need people who are professionals in other industries, the people who are developers, the people who are lawyers, people who do all sorts of different things where they don't necessarily wake up and say, "I work in cyber security." We need those people to have a good grasp of cyber security fundamentals.
To the question before about whether or not we can actually make this safe enough so that everyone can effectively be not skilled up in cyber security: we can have a small, really elite workforce that makes everything so secure that the user doesn't need to worry about intervention. I think that's a great utopia to aim for; I don't think we're going to get there anywhere in the near term, and that's for a bunch of factors. But the big one for me is that attack is so asymmetric. If you get the world's best attackers and the world's best defenders and you put them in two rooms next to each other and basically create some sort of situation, the attackers will win; not because the attackers are better, but just because of where cyber security technology is now, it's asymmetrical and attackers have the massive advantage. If you take any system, whether it's a building, a piece of software, whether it's computers or it's real life, the attacker only has to find one way in. The defender actually has to find and plug every hole, and until we can move past that, technically, and until we can automate a lot of the defence, which is potentially decades away, we do need to educate the general masses on what cyber security is and how to be safe online. If you think about other areas that aren't necessarily in IT, for example lawyers: we're going to need a lot of people in law, who are doing law, who are practising law, but who also understand the basics of cyber, because as our lives move online, more and more of these court cases and more and more things that used to be about physical property are now about digital assets or digital property or digital events.
The last big point for me in making general-purpose non-cyber professionals really, really cyber literate is, if you think about developers... I was trying to find out the number of people who are estimated to be actually working in IT in the world, and I found a page that estimated 100 million. So, if you think that there's 100 million people, according to some random website, not a very academic quotation, but it's very hard to find the figures. There's about 100 million people who are involved in some way in administering systems or creating systems or writing software, somewhere in that tech tool chain, and if you think about all of those people who don't understand cyber, when they're building systems or writing code, they could be inadvertently introducing vulnerabilities. If we can shift their skill level up so that they're introducing fewer vulnerabilities and they're doing things more securely from the ground up, then we are going to put less strain on the limited pool of cyber security professionals we've got.
And so, when we talk about the 100 students, we've got 15 in our class that move into cyber professionals, and we feel like we've got 85 ... we have 85% that are moving to some other field but who'll have that basic cyber grasp that will remove the pressure from the other 15%. And our goal there is really to inspire these guys about cyber security. So, the 15 are who we are actually trying to make obsessed: if you want to get a student to the point where they would spend their entire life, or the next 10 or 20 years of their life, working in a field we've just introduced them to, you need to find some way to intrigue them, to the point of obsession. Whereas these other 85, the general-purpose people, we just need to inspire them and make them understand this is interesting and deserves more of their time and more of their thought processes going to it.
The third individual, and in my opinion the most important individual who we really need to be focusing on building, is cyber security educators. And so, the numbers I've heard are, we need in Australia something like 10,000 cyber security professionals. Maybe that's off by an order of magnitude, but it's a big number, it's in the thousands. We just talked about a number, which was 100 million; that's global, but we still need a lot of people with general cyber education. So, if we're going to be able to deliver at scale, we need some sort of programme that really focuses on developing cyber teachers. Out of running our course for nine years, probably touching 2,500 to 3,000 students, we haven't really produced anyone, and we've tried very, very hard. We haven't really produced anyone who wants to make cyber teaching their vocation; they just don't want to. We're not making it attractive enough, we're not saying, "Hey look, these are all the benefits of being a cyber teacher. You get to define your love of community and educating people and this entire awesome process, with also the ability to do a lot of research into cyber space."
And I think we need two types of teachers, as well. So, I think we essentially need Richards, or we need people who are teachers and educators and University Professors whose background is teaching or the more fundamental university education, who then add cyber skills and teach the fundamentals of cyber security. But then I also think we need to get people from industry, like myself, or people with very specialised skill sets, to be contributing more frequently to our educational programmes. Part of this thought process came to me in terms of looking at the hacker scene and looking at, you know, 15 years ago, if you were to talk about software exploitation or rootkit writing or something very technical like that, there were two degrees of separation. Effectively, you knew everyone else who was involved, or you knew someone who knew everyone who was involved. And all of those people basically could do all of the work. So, if someone said, "I'm really good at writing exploits," they could write basically an exploit on any operating system, under any technical constraints; they weren't so specialised.
But now, we're in a world which is militarised, there's a lot of effort being spent on these technologies, and now we have sub-sub-specialisation. So, you no longer have someone who's an expert at writing exploits; you have someone who's an expert at writing exploits on a particular type of vulnerability in Windows or a particular type of vulnerability in Linux. And because of this, because the skill set is so diverse and you can actually spend years and years and years just going down a really deep rabbit hole, we're no longer going to be able to get general-purpose university educators who can teach all of these special specialties.
So, this really becomes, to me, about two things: using our universities to give people the basic fundamentals and start treating the university education as a launch pad where we give them the skills to learn these specialties, but also, if we're talking it through a lens of we need to inspire these people to either make cyber their ... we need to inspire these people who aren't going to make cyber their life to become more cyber literate, or we need to basically get these people near obsessed in order to make cyber security their career. We really need to get some of these people from industries who have these very deep specialties to give our students a bit of a view into that world, so that they can actually say, "This is what everyday life is like for someone in this field. This is the cool stuff they get to work on." So, for me, that's a really fundamental point.
So, the second thing I want to talk about: the first was effectively the type of people we need. To summarise, I think we need cyber professionals, we need non-cyber professionals with cyber skills, and we need a strong focus on creating cyber educators of two kinds. So, I wanted to talk a little bit about what qualities we need in an individual. There have been a lot of presentations, I've done one previously at a bunch of venues, about what skills we need in an individual, but that was always a very point-in-time view. This was a "looking at the industry, we think we need these kinds of people. We need pentesters, we need incident responders, or ... CBA right now are looking to hire this many people, these are the skills we need."
I don't want to have that conversation today; I actually wanted to have a conversation about a more broad programme and what qualities we need to encourage. Not just in the students that UNSW are producing and not just in these ... UNSW cyber security is a factory that produces a certain sort of cyber security professional. We don't, at the moment, produce broad spectrum coverage. We don't have someone who becomes a specialist in all those different sub-categories; we generally produce someone who has technical niche skill sets backed by some very firm fundamentals about things like risk management.
All of the people I want to hire in my CBA professional life, all of the people, all of the colleagues and all of the CISOs I've spoken to in major organisations, they're all looking for the same qualities in individuals. So I figured I would like to talk through what some of these qualities are. So, the first one is, I think we need to build people who are deep-thinking, and this is for a number of reasons. We need to be instilling this in our students whether we're teaching them rootkits, something really technical like that, or whether we're teaching them forensics. Whether we're teaching them risk management or cyber law or policy making, we need to encourage all of them to think very, very deeply, strategically, and long-term about the situation. Because I don't think we need to have short-term, six-month, twelve-month thinking influencing our cyber policy decisions or our law making. We need really long-term thinkers and we need to find a way to encourage this. I have the privilege of speaking with a lot of CISOs in Australian and international organisations; they come from lots of diverse backgrounds. Some of them are technical, some of them have cyber security backgrounds, some of them don't. Some of them have actually never done technical cyber security work. All of them that I meet are great at their jobs, and I don't actually think that technical cyber security skills are a firm prerequisite for a cyber leader at that level, but what is common amongst all of them is that all of them ... all of them that I sit down with and have a chat to, that person's a really good CISO, all of them aren't talking about what they're going to do this week, or this month, or this year; they're talking about their vision for five years, ten years, fifteen years and how we keep not just their companies, but Australia, and more and more frequently now, how we actually build a secure internet for everyone.
So, I think that that kind of vision starts with us instilling deep thinking into our students.
The next thing, which I think is critical and which needs to be present in every student we produce at any university or TAFE educational institution, is that the students need to be self-educating. And this seems quite a strange thing for someone who's directly involved in educating to be saying, but I don't feel as though my job is to go along and teach the students the specifics they need to know. My job, and where we've been successful, is teaching them what they need to learn what they need to know. Because they're all going to go down into these sub-specialties and they're all going to get really good at a bunch of different things.
At the start of the course, I can look across the room and say, "For 90% of the students, I'm better at everything in cyber security than them," particularly ones that have never done it before. At the end of that 13-week course, all of them will generally be better at one aspect of cyber security than I am. We need to encourage them to have a culture that is self-educating, and also we need to be trying to teach them the culture ... the documents they need to read, in whatever specialty they're going into. They need to understand the cultural situation then.
In the hacker scene, there's a bunch of information in magazines like Phrack, which are zines that were written in the 80s and 90s and 2000s that were very, very fundamental to the formation of many of both the attack and the defensive technologies we're talking about. And I've noted a very real thing, that students find it hard to read and engage with that content, because they don't understand the culture of that time. They don't understand who these people were, what was going on in the world, what the internet policy looked like. Particularly, since a lot of the early papers were written when cybercrime laws weren't quite established and a lot of what they were talking about wasn't so ... it was a much smaller thing for someone to break into a system, and now it's a massive thing. We make it very, very clear students never do that.
But a lot of what they're learning ... the context of a lot of these, particularly, early things that are formative and that they need to read to understand the history of cyber security: they're written in a different culture, and we need to be clear on what that culture was so they can clearly distinguish, and they can actually say, "I'm going to pick up the technical details from this, and I'm going to treat this as an historical piece, but necessarily, because I'm aware, I can look at the cultural situation that was surrounding them and not pick up some of those elements, such as it's okay to attack openly on the internet," when the papers were written in the 80s and 90s, etc. So, I think culture is really fundamental. I don't think that there's been much focus, globally, in cyber education, in actually getting university professors to understand hacker culture and being able to instil that in students, and I think it's really important.
The other thing that I want to touch on again briefly is this idea that university and all education programmes inside of it need to be launch pads, not "someone's finishing a degree in cyber security, they've got a Master of Cyber Security, and they're certified good for life"; that's not how this industry works.
The best example I can think of is, there's a NIST password standard, which is the reason why a lot of our passwords are eight characters, have uppercase, lowercase, a jumble of letters and numbers and some symbols. The person who wrote that standard has actually come out multiple times now and said, "This was the wrong thinking. This isn't what we should be doing." There's a comic, which is like "horse battery something stapler whatever" is a much better password than an eight-character jumble.
But in cyber security, once something's out there, particularly once it's standardised, it becomes very, very hard to change the thinking, to steer the industry. So, we need to be creating, basically, cyber leaders who will kind of question that status quo and say, "Actually, this advice was valid five years ago, one year ago, one month ago. Everything is changing, and this advice is no longer valid." So, if we think about it in those terms, we're giving people the basics. We're launching them from here; it's not like you are certified with everything and you don't need to learn anything about security again.
So, the third aspect, or the quality that I'd really like us to encourage in all of our students, is what I call self-replicating. So effectively, this is a concept that we need to start making cyber teachers, but at a smaller scale; we're not necessarily going to be able to grab 100 students and produce one teacher in every class. That would be incredibly fortunate, but I just don't think it's going to happen in the short term. But what we do need to do is we need to be looking for those maybe 1 in 1,000, 1 in 10,000 people that are willing to devote their lives to cyber education, and we need to be honing in on those skills and increasing our chances of success by getting the students to be teaching each other during our courses.
And this is why at UNSW we focused a lot on building labs, on building clubs, on giving students safe spaces, on giving students teacher-free spaces. Because if there's no teacher in the room, the students are forced to teach each other. Because they're at a university, and the fact that they're physically on campus means they woke up and said, "I'm going to go learn something." And if we give them the space that's focused on cyber security, where there's no teachers allowed, they're going to have to teach each other, and we've done a lot of that. We found it very beneficial and we're slowly getting some momentum upon making people actually ask the question, "What's it like to be a cyber security educator?"
The last part of self-replication I'd like to talk about is the hacker scene that I've referred to a couple of times. It was before there were textbooks on hacking. Before there were textbooks on computer fundamentals that give you the basic understanding you need to even build something that gives other educational content on top, lots of people were still learning the techniques, and they were learning it by cross-skilling, they were learning it by talking, typically in closed, private groups. Because of what's happening in the industry in the third space, the professional space, that hacker scene is going away a bit. If we have a look at what a hacker conference looks like, if we look at what's happening in that space, those conferences are becoming more and more commercial; they're more about companies and they're actually less about individuals. And I'd really like to see universities and educational institutions pick up that slack and actually be the fun place for people who want to learn cyber security, to give them something before they enter the industry. Because I don't see there being much long-term future for a big self-education hacker scene, but I do see universities being able to step in and, both from an education perspective but also from the social perspective, fill that place, and actually fill that place with a construct which is slightly safer.
So, cyber security research, typically the hacker scene, has always been completely unsupervised and it's always had a lot of people who are extremely smart who have a lot of latent energy and that energy isn't necessarily always directed in the right place. I think if we can get our educational institutions to analyse this scene, pick up some of the values that attracted these kinds of people, and then put some frameworks in place to make it safe and to channel that ... almost aggression or energy towards research, or whatever it is, into a safe direction. That would be really, really interesting.
That goes on to the fourth quality that I think everyone who's a cyber professional should have, which is being responsible. I think that we need to create a generational ... many generations of cyber security people who we trust absolutely. And to me this comes down to the concept that we have a very limited ability to teach people; even if we had a degree that's entirely focused on cyber security, we've still only got three or four years and there's just more information than that. And, because of the asymmetry of computer security, and because essentially what we're really doing as defenders is we're stopping attackers. And the attacker has always been the person... If this was a game of chess, the attacker is actually the white player; they move first. So, the attacker makes some kind of innovation, they make a move, and the defender has to analyse that move.
I was involved in an interesting conversation a couple of years ago, that I've shared, with some people from agencies like the NSA. It's not classified or anything, but effectively, they were talking about ... they try to become the white player in a game of chess. They're trying to put gates up for what the bad guys are wanting to do, and they invested millions, and millions, and millions of dollars in building defensive technologies to stop what they thought the next generation of attacker would play. The next generation of attack didn't work anything like that. And all of that technology was effectively not useful, in any way. There were some people who had fun building it, and there were some lessons learned, but essentially you can't really pre-empt attack in that manner.
Which means, in my opinion, that if we need to teach people only... if we're time-constrained, and we need to teach people either only defence or only attack, I think we should actually have a really open conversation with each other about whether perhaps a little more focus on the attack side of things is sensible, as long as we can trust these individuals, as long as we put the right frameworks in place. Because as a defender, the most important skill is actually understanding the attacker. Being able to look at an attack and go, "Oh, I know why they've made their decisions." If you understand the attacker, you can create the defences as you need. If you only understand the defender, you're basically not going to be able to do that; you're not going to be able to create new defences.
I also think that one of the qualities that I put under the category of responsible that we need to focus on, as well, is respectfulness. And this is really interesting because there's a bit of a view in a lot of circles that the hacker thing from the 70s and 80s was very disrespectful or anti-authoritarian. And whilst it did have very strong anti-authoritarian elements to it, there was almost, to me, a single unifying part of that hacker culture, which was a shared respectfulness. And effectively, if anyone wanted to enter that culture and said, "I am willing to put all of my effort and all of my focus into getting really, really good at this, at cyber security, at attack and defence, at anything. If I am obsessed with this and this is what I want to do," there was always a culture of welcome. It doesn't matter how good you are, as long as you are open and honest about that. And if you were willing to put the effort in to learn, there's always been that respectfulness, and I think we need to continue encouraging that.
The last one is that I think that we need to instil a sense of community focus on these people. I think that they need to put the community, and benefit of Australia, the benefit of a secure internet ahead of their own individual benefit as much as possible. (I'm almost finished.)
The last quality that I think is essential that we instil in students is, to me, a very Australian concept: larrikinism. I think that we need to create people who are larrikins. Like I said before with the password example, we need to be creating students, we need to be growing people, who are actually going to, very quickly, become the new authorities in cyber security. The vision for me isn't that my students right now will always work for me. I want them to be bosses in three years, five years, 10 years. I want them to go out and make decisions and drive the community forward and fix a lot of the problems we have in security across the internet.
One of the techniques, which I find ... one thing that I find very interesting in terms of this almost larrikin quality that all of our really top students have: for a long time we were teaching people how to assess software for vulnerabilities, find the vulnerabilities, write the exploits, take advantage of the software, and then fix the problem and write the countermeasure. We'd set up very clear prerequisites so we knew everyone who was taking the class had the technical fundamentals. They all understood all the very technical computer bits they were going to need to understand to get to where they needed to go.
And even though we had really high engagement, about half the students were very good at this, at picking up the lessons and understanding, and about half of the students we had just couldn't grasp the fundamentals. And it took us several years to realise that it was a certain kind of frame of mind that we had to focus on. It was teaching them to think like the attacker. It wasn't ... it was getting them to mentally prepare a model of all the assumptions they had made and then challenge each of those assumptions individually and say, "Actually, I haven't personally verified that all of these assumptions are true, so I'm going to go and mentally challenge all of them."
So, the final point is that ... I'll touch on this very quickly. I think we need to create a culture to support, and underlying all of this, that's more collaborative than competitive. And what I mean by this is that we had a very recent ... we had workshops over summer session where students were actually given real-world problems from real-world companies and they had to solve them. We had some students who were involved in one of these things, and we knew we needed expertise that wasn't available in our university. And I suggested they reach out to some Australian universities, and they actually said, "No, we don't really want to do that because they're our competitors in the cyber challenge." And then they reached out to some international universities and made some good friends with people out of Maryland University, and they started getting the information that way. And whilst competition is good, and whilst the cyber challenge and things like that we've done are actually often things that convert people to cyber security as a profession, so we shouldn't stop, I think we need to put some cultural things in place to keep the same amount of competitiveness, but we really, really amplify how much collaborative work we do and try and look at things where we get a multitude of universities to collaborate.