How Do You Get Students to Think Like Criminals?

Nov 14, 2018 · 33 comments
OSS Architect (Palo Alto, CA)
As a software architect, you try to make sure security is "baked into the design". You try to go for defense in depth, because inevitably something will fail. It's the same way you would build an aircraft. "Reality" somehow gets in the way. Commercial software is shipped "when it's good enough"; before all the bugs are fixed. When you supply software to the DOD, NSA, CIA, it has to be 100% finished, because you can't touch it once it's installed. Obviously that model doesn't work for business customers. Companies want low cost bids, and they want expedited delivery, and they want to avoid "vendor lock-in"; so your code gets installed with other competitor systems, and that can create unknown vulnerabilities. As well, your system may include code modules from other vendors, and the internals are opaque to you; which is one reason "open source" is increasingly so popular. One of the positives of cloud computing is "everyone's code is running on the same hardware". IT can't pretend they have a trusted system running behind a secure firewall. No more "security on the cheap", or wishful thinking, or worse, prayer.
J. Waddell (Columbus, OH)
There is a big difference between cyber-crooks and the average criminal. The average criminal is rather stupid, which is why they get caught. (And despite that most crimes still go unsolved.) But other than literacy and numeracy, very few job-specific skills are learned in the classroom. That's why liberal arts grads can get jobs.
Michael Epton (Seattle)
Here's a thought: Write a new operating system from the ground up, and address security at the design level. It's no secret that Unix was created as a "departmental operating system" -- any security it had was there to avoid stubbing your toe. And Windows grew out of DOS which was originally the Quick & Dirty Operating System developed by Seattle Computer Products. Enough said. JAVA made a stab at doing security right, but I've not heard anything about that in years. Folks: Creating a new operating system is well within the capability of humans.
Tom (San Jose)
Taking the headline literally, you get students to think like criminals by getting them to go to a graduate school of business management.
Fighting Sioux (Rochester)
Have them study Civics, watch Fox "News" and follow Donald Trump on Twitter
Al in Pittsburgh (Pittsburgh, PA)
My view was shaped many years ago when discussing mainframe security software with an ex-CIA consultant. Paraphrasing: "The weakest link is always a person." Software is necessary to fend off outsiders, but the biggest exposures come from individuals with inside access to the information. Examples in national security and government include Philby, Ellsberg, Ames, Manning, and Snowden.
markd (michigan)
I can see a great future in hand delivering written documents from person to person. That would be the only way to guarantee absolute security between two people. Why hasn't anyone thought of this before? I'm a genius.
W (Minneapolis, MN)
@markd About 18 months ago I set up a website in Canada, but for some unknown reason I could not get a debit card transaction to work across the U.S.-Canadian border. Neither my bank nor my new ISP could tell me why. In the end, I sent them a paper check by mail. It worked just fine, and it verified their ground address. Paper good; bits bad.
Al in Pittsburgh (Pittsburgh, PA)
@markd I get the less than serious nature of the suggestion. Let me just say that it's been done, even with pigeons, and it has been proved NOT "to guarantee absolute security". That's why codes were invented thousands of years ago.
Alan (Columbus OH)
"How do you get students to think like criminals?" Have them study law!
Joshua Schwartz (Ramat-Gan, Israel)
This is something one learns in intelligence branches of the military or in intelligence services, not in a university classroom.
W (Minneapolis, MN)
Cyber criminals are not required to have college degrees and they don't have to pass a background check or get a security clearance. They are required to be extraordinarily creative, devious and perhaps brave. According to most in academia, you have to have a degree to do anything, and the higher the degree you have, the more you can do. And they've sold this bill-of-goods to corporate America. They find it difficult to explain why the likes of Bill Gates, Mark Zuckerberg, Richard Schulze and Frank Abagnale Jr. have no college degree. Or, why there is no correlation between grades and creativity. Somehow, I don't think a bunch of people in a cubicle farm are going to outwit the cyber criminals. But they will be good at institutionalized cyber defense. For myself, I have a bachelor's degree in electrical engineering. In 2005, I decided to pursue the cybersecurity of microchips. My inventions require the use of open source software techniques, and in 2005 the Board of Regents at the University of Minnesota refused my petition for advanced study on the basis that they must retain all intellectual property rights. I could have challenged their Land Grant status on the grounds that this rejection was based upon my political beliefs (mine was a civil liberties motivation). But that would have drained all my resources. Instead, I perfected my inventions outside of academia, and outside of Government control.
SmartenUp (US)
@W Me, I would want people "thinking like criminals" to also have been exposed to all sorts of history, art, music, higher math, hard and "soft" sciences...the whole gamut of a "liberal" education. You need to have studied Hamlet, Crime and Punishment, Adam Smith, da Vinci, and much more to develop a moral sense about the skills you are building towards "thinking like a criminal." But then I think that all police and soldiers should be required to do the same four year course. We would have a better world, whether your cop has a gun or a keyboard.
Independent (the South)
I searched IT security salaries and they don't seem much better than regular software developers and maybe slightly less.
Ashton Laurent (Staten Island, NY)
@Independent You're looking in the wrong place! Try NYC or DC! However, you have to have the skills and experience.
Independent (the South)
@Ashton Laurent Thanks!
ubique (NY)
Offer classes in Gray-Hatting, and you’ll find students with the ability to hunt for security vulnerabilities. There is something quite satisfying in searching for flaws in digital architecture, I would imagine, especially if it counts towards one’s college credit.
Robert Stadler (Redmond, WA)
What makes computer security so difficult is that you have an intelligent adversary, and one with no ethical constraints. There are few, if any, other fields with this property. Imagine if you had to design a car which was impossible to misuse - one that couldn't be driven in violation of traffic laws, that couldn't be left stopped in the street as an obstacle to others, that couldn't drive anywhere it wasn't authorized. This gives a sense of what computer security professionals are up against. "Security mindset" is the ability to think about a system and see the hidden flaws, the dubious assumptions, and the unintended uses. Someone without any security mindset might try to crack a password by making many guesses. With a little security mindset, you might send phishing emails to trick someone into revealing their password. With more, you might attach an RF scanner to their desk to pick up the signals from their keyboard as they type their password. With still more, you might think of an approach that nobody has thought of yet. Now, how do you teach this?
[email protected] (Joshua Tree)
Montessori education in early childhood teaches people to think for themselves, figure things out, and the habits of inquiry and thinking. Conventional education is more like learning a song by rote, learning nothing about music in the process. Our education is mainly built on squashing out the ability to think and reason, and emphasizes memorization and rote.
Dietmar Logoz (Zürich)
@Robert Stadler: Foster creativity (writing, painting, music, sculpting) and teach systems theory.
Daedalus (Rochester, NY)
First of all, like IT in general, cybersecurity is likely awash with people whose involvement is supervisory at best (as opposed to impedimentary, which is often the case). Secondly, with a "yield rate" of 1% or 2% of the general population for people with real ability in software development, it's all too apparent that the cybersecurity requirement right now is equal to about 10 years of new software graduates. On the other hand, you could persuade the larger number of IT users to stop behaving like idiots, or using their inflated opinions of themselves to demand access they have no right to or need for. Very few attacks within a network are the result of outside intrusion: far more are the result of internal incompetence.
Ashton Laurent (Staten Island, NY)
@Daedalus Exactly! Insiders can be your worst enemy (insider threat). Everyone today is an IT user, so access control is really important; but more than that, you need to know what your people are sending out of your organization. You need them to know what they probably shouldn't access, e.g., personal email, social media, and, when they bring their own devices, you need to know what they are connecting to your systems.
DWM (.)
Wolff: "... college classroom settings and the students who thrive in them are not a natural fit for the kinds of disruptive, rebellious and troublemaking instincts that lend themselves to finding new ways to compromise computers." Wolff is talking about *creativity*, and many college graduates have gone on to highly creative careers. Take, for example, Richard Feynman (physicist) and Roy Lichtenstein (artist). Further, creativity can be taught. There are many books on the subject of creativity. See, for example:
* "Lateral Thinking: Creativity Step by Step" by Edward De Bono.
* "Thinkertoys: A Handbook of Creative-Thinking Techniques" by Michael Michalko.
* "The Creative Mind: Myths and Mechanisms" by Margaret A. Boden.
John Jones (Cherry Hill NJ)
THE GREAT IMPOSTOR, Ferdinand Waldo Demara, Jr. displayed such extraordinary skills in check forgery that the FBI made a special arrangement to have him on work release to help them solve problems, rather than having him sit in a cell, wasting his time. The movie is worth seeing, for people who want to see examples of how breaking into any system is successfully done. Another forger with great talent is Adolfo Kaminsky, who learned stain removal while working at a dry cleaning shop, then transferred the skills to forging documents to save persecuted people during WW II. The graphic novel describing his work is useful. These two have highly developed skills in creativity and originality. Evaluating the strengths and weaknesses of different systems is the key to hacking computers as well as protecting them. As a group, musicians would probably do well, because they are constantly solving problems in real time while performing, along with probing the limits of the systems used by the composers to convey her/his thoughts and intentions. But discovering who does cyber security well will be like discovering the original computer hackers who got jobs and used their skills to protect the systems they had designed. Eventually online "robots" will be designed to detect and prevent hacking. In fact, in the field of genetics they already use sophisticated algorithms to read and interpret the functioning of DNA at a rate far faster than human beings could perform the tasks.
Dr. Professor (Earth)
With apology, this is not to the point of the article, but may be relevant. The field of cybersecurity is being hyped, as Y2K was. In today's climate, most people do not understand technology well enough to critically understand its implications. People often confuse cybersecurity with trolling on social media or faux news spread by Russian trolls or Fox News or other similar events where no break in a computer system has occurred. This is coupled with the hype that jobs will be lucrative and will not be transient in nature. My fear is that we are relying on predictions and projections for future job markets where there is no evidence for such projections based on good data and without undue hype. Yes, there are serious issues for which cybersecurity education will be needed, and it is important to ensure that we have that; to what extent, that is open for debate at this point in time. If you wish to go into technology, look into computer science programs which give you a comprehensive education with perhaps a focus on software engineering/development. One good source for reliable data for future opportunities is the BLS: https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm https://www.bls.gov/careeroutlook/2018/interview/cybersecurity-consultant.htm?view_full
Bill (Dallas, TX)
It may be worthwhile to mention here that the SANS Institute (more technically, their regionally accredited subsidiary) was recently approved to offer an upper level certificate program in Applied Cyber Skills to people who hold an Associates degree. This program will launch in the first half of 2019. This program tests for 'aptitude' and tenacity *during the admissions process* to determine which students may be accepted into the 'honors' program that will grant the program free-of-charge if the student doesn't get a good-paying job after graduating. Relative to the article, this is important because it brings SANS' proven ability to teach the "how" of doing security and the "mindset" to interact within a constantly-changing landscape to the undergraduate level, and employers have been pleased with the graduates of the similarly-constructed SANS CyberImmersion and VetSuccess Academies. N.B. I work at SANS (the largest provider globally of training and certification to information security professionals) and serve as Chairman of the Board of the school. I responded because I agree with the author that too many educational programs have sprung up around the country chasing the money and purporting to prepare undergraduates for these jobs. Employers are finding many graduates lack an understanding of the technologies, how to learn how attacks work, and how to respond. We need to fix this - the defense of our nation and key commercial enterprises depends on it.
Lou Scheffer (Ashburn, VA)
This is no different than any other field - you need two types of education. Take medicine - you need practitioners, who apply known procedures, and you need medical researchers, who go beyond the existing rules to search for new advances. These are typically taught in different schools by different staff with different mindsets. They even have different degrees - M.D. vs. Ph.D. Cybersecurity is no different - you need (lots of) people to apply the known rules (no default password on admin accounts, etc.), skills which courses can teach. You also need researchers, who need a different mindset, but one that can also be taught by like-minded people, likely a different set. And you'll always have a few people that are good at both, but this will be rare, and best covered in the advanced courses.
PC (Aurora Colorado)
As an ex-IT professional, any type of coding is difficult because of the very nature of the job, plus the fact that coding languages change often and all that hard learning soon becomes obsolete. You can try and teach children beginning at an early age but this will only be marginally successful. Instead, use incentive. Simply offer a free, or mostly free education, or some other incentive to kids to develop the state of the art in penetration or defense. They’ll rise to the occasion out of necessity.
Lynne Culp (Los Angeles, CA)
I am curious as to whether there is a debrief for something like the Kobayashi exercise and what it might sound like. The necessity to stand back and examine in a course such as this seems essential as well as grounding in coursework that provides a bigger picture of what the work means. Fascinating.
SCC (Nashville)
In my experience learning and teaching these topics, a lot of creativity comes from understanding the human side of the equation. Degrees and certificates that focus ONLY on the technical skills won't stop creative individuals from having a successful career, but it won't produce very many MORE creative thinkers. Economics, policy, political science, sociology... these are the courses that will produce a deeper understanding of the incentives and emotions that drive malicious actors. A huge percentage of computer crimes exploit the human components of systems... we have to understand humans in order to create a security mindset.
Mikeweb (NY, NY)
@SCC Speaking as a person with a B.A. in Economics and an A.S. in paralegal science who has worked in IT for the last 20 years, I would agree with your assessment.
Charleston Yank (Charleston, SC)
Interesting article. I spent 50 years in the software/IT world. Any more than I could get programmers to think creatively (I couldn't), I doubt you can get security professionals to think "out of the box". I say teach them the fundamentals, give them the tools and hope they will use them in a wise way. There will always be a few people who have imagination beyond the edges to help us be safe. Of course teaching would-be security professionals is great, but teaching everyday users about secure techniques would sure help a bit. Having spent a lot of years in the legal area, I still marvel all these years later at how many (a majority) of lawyers refused the idea of good passwords or to take security as a real job to protect their work products.
JB (NC)
The author opines on the theme that "The skills needed for cybersecurity jobs aren’t easy to learn in the classroom." I have no doubt she is correct. But change the nouns and this article could apply to essentially *every* type of job. The classroom should prepare students to think broadly, critically and creatively, and to express ideas clearly both verbally and in writing (and in code, in some cases). To view education as a means to impart specific job skills is a dead end--the world, and technology, keeps changing. When I graduated, the internet was available only to a few university campuses and government agencies. A few years later, I earned my living by facilitating the growth and spread of the Internet in the private sector. When I was in college and grad school, there were no courses I could have taken that dealt particularly with my future employment. I have great respect for professors; but I don't assume they can correctly predict the economic and vocational future.