Cyber security needs “rascals” not hand-raisers who won’t question authority. But the problem is that the education system is not typically geared towards generating the kind of rebellious spirits that the sector needs, according to UNSW professor of cyber security Richard Buckland.
Universities have been struggling to train cyber security pros because “to be a good cyber security student, you have to be a rascal,” he told the SECedu summit at UNSW.
“Someone says to you, ‘Don't do this’ and you go ‘Oh okay’ and you go and do it. That's a cyber security student.”
To teach at scale the education system typically employs an approach to students that’s akin to “battery chickens,” Buckland said. “We try and get everyone treated the same and doing the same thing, and to make that manageable everyone has to obey the rules, everyone has to say the right answer; there’s just one answer, things to be markable have to have a limited range of options.”
“We want people who are good and compliant and seek to please us as teachers, who give us the answer we want,” he said. “The troublemakers actually cause all sorts of problems and are really hard and expensive to teach. Yet it's troublemakers we want.”
“So how do you produce rascals?” Buckland asked. “Often these people haven't even done well at high school, because they didn't want to please the HSC system. Often to please the HTC system, you almost have to give up some of this sense of being cheeky.”
One approach that Buckland has used is getting students to teach each other: “We create a warm, and here’s a silly word I’m going to say, loving community of students who care for each other and who look after each other and follow this philosophy of paying it forward.
“Our older students help younger students, and the younger students when they grow up, they help the next generation of younger students.”
That attitude of supporting each other follows them into industry, he said. “And we just make it fun,” he added.
“There’s many problems in cyber space; there’s many issues in cyber security that we have to deal with,” Buckland told the conference. In many cases those issues can be dealt with, given enough time and money, Buckland said.
“The biggest problem we’ve got is that we don't have enough people,” the UNSW academic told the conference. “We don't have enough hands.”
“I think all the problems we're facing are solvable, if only we had hands to do them,” he said. As a result he believes cyber security education “is, in fact, the problem of cyber security.”
“I don't know anyone here that employs people that has enough cyber security people and if so you just must pay them lots of money and have stolen from somewhere else; you've tugged the blanket over to your side of the bed, but the blanket is too small for the bed and someone else is cold,” Buckland said.
The shortage of cyber security professionals is a worldwide problem, he added.
The latest edition of AustCyber’s Cyber Security Sector Competitiveness Plan found the local sector was grappling with an immediate shortage of 2300 people. Australia is expected to need up to 17,600 additional cyber security workers by 2026, according to the SCP.
Buckland said there are four key issues that need to be addressed.
“One, the funnel is too small,” he said. “We’re not getting enough people doing STEM... we’re not getting a diverse enough range of people even potentially interested in doing cyber security. So coming in at the beginning, this is very small number of people trying to even select it as a career.”
Secondly, universities “don't really know how to teach it”. “We’re not really very good at teaching it,” he told the conference.
Thirdly is the question of making sure students graduate with work-ready skills: “A lot of my students go and they’re the only security person in their company. They can’t be slowly mentored like in other disciplines by experienced people; they’re alone. The buck stops with them.”
Fourthly is a broader problem than just the lack of cyber security professionals: It’s the widespread lack of understanding of security and the digital world
“That’s even more worrying for me,” he said, “because cyber security, the digital world, the threats of it, affect every human on the planet.”
“It affects children and parents and grandparents,” Buckland said. “Children are giving up data and losing data privacy now in ways they’ll never get back. People are being scammed; elderly people are losing their superannuation.”
“I think it's like crossing the road: I don't think cyber security now is something for cyber professionals, though we need more of them, heaven knows. I think cyber security is something to be a citizen. It's like knowing good nutrition. It's a set of skills that we need to have.”
The problem is that cyber “has appeared so abruptly out of the blue” and that outside of infosec experts there’s no-one able to pass on fundamental survival skills.