This piece from Communications of the ACM features CYBER.ORG Director of Academic Outreach Kevin Nolten
Kyla Guru created a successful cybersecurity education organization as she started high school. To hear her tell it, the creation of Bits N' Bytes Cybersecurity Education was a fortuitous result of interest and opportunity.
Guru, slated to start studies as a freshman at Stanford University in the coming semester, attended the National Security Agency's GenCyber camp at Purdue University for two years prior to entering high school. After getting the opportunity to study cybersecurity with university students at the camps, and fostering her interest further with lively discussions about security with her father, she approached the mayor of her hometown, Deerfield, IL, and asked what the community was doing to improve cybersecurity awareness.
Not much, she was told, which surprised her and motivated her.
"I knew something did have to happen, so I went to my elementary school and asked them what kind of programming would be most beneficial for their students," Guru said. "They wanted me to create a 5-minute animated video, and they ended up showing it and it went great. From there, it just built momentum and I kept rolling with it."
Guru, who is 18, has built a resume that could be the envy of someone twice her age. Her list of honors includes the Crain's Chicago Business Top 50 in Tech, a She++ fellowship from the We Are Family Foundation's Three Dot Dash Program, a 2018 Global Teen Leader award (also from the We Are Family Foundation), and a 2019 Harvard Book Prize Award. She has also given presentations at Tedx in Chicago, RSA conferences in the U.S. and Singapore, and at the National Initiative for Cybersecurity Education's (NICE) 2018 K-12 conference. Guru said she had not been aware of NICE, a division of the National Institute for Standards and Technology (NIST), when she started Bits N' Bytes, but has since remained current with their work.
"It's really great to see a federal organization starting to think of solutions for K-12 education," she said.
New name, new direction
Guru's experience in finding spotty resources when launching her effort is not uncommon; a new strategic plan and workforce framework at NICE, expected by year's end, and a newly re-branded federally funded K-12 cybersecurity organization could serve as signals the government is placing more emphasis and visibility on developing the next generation of cybersecurity workers.
Increasing visibility and viable career paths for the nation's students appears at present to be a job only halfway complete. Cyber.org, the U.S. cybersecurity education organization known until late June as the National Integrated Cyber Education Research Center, commissioned a national survey of school administrators and teachers by the Education Week Research Center that found fewer than half of respondents reporting their districts or schools offer cybersecurity education. Kevin Nolten, Cyber.org's director of academic outreach, said the organization currently has partnerships with only 26 state education departments (plus those in three territories and the District of Columbia).
"Our goal is to ensure that partnership expands into more technical cybersecurity, and to increase that reach to all 50 states," Nolten said.
Concurrent with that effort, Nolten said Cyber.org, which is funded by a $21.5-million grant from the U.S. Department of Homeland Security through 2023, will continue to offer its curriculum free of charge to teachers nationwide, as well as reaching out to extracurricular and community organizations, and colleges and universities. For example, the Girl Scouts and Cyber.org have partnered on creating 18 cybersecurity achievement badges; scouts earned 200,000 of those badges in the first year they were available. Cyber.org also has partnered with the nation's Historically Black Colleges and Universities (HBCUs) to create degree programs and encourage high school students to pursue cybersecurity careers.
Both partnerships, Nolten said, are intended to broaden the demographics of the cybersecurity profession. "The cybersecurity workforce as it exists today is primarily a white male workforce and that has to change," he said.
That workforce is also badly understaffed, according to recent research from the Center for Strategic and International Studies (CSIS). In a January 2019 report, CSIS researchers William Crumpler and James Lewis estimated the U.S. had more than 300,000 unfilled cybersecurity positions. Lewis said visibility has historically been an issue for cybersecurity training, though a strong job market should help raise awareness.
"Demand will drive it," Lewis said. "The thing we always found most persuasive was when you told parents, 'If your kids do this, they are more likely to get a job.' When you actually put it in front of students, they like it. It is interesting. They like games, they like puzzle-solving, they like understanding how things work. This is a digitally native generation. I think they'll be very interested."
However, Lewis said, emphasizing cybersecurity in the K-12 curriculum must be matched in post-secondary institutions. The CSIS paper cited a 2016 CloudPassage study which claimed only one of the top 36 computer science programs in the country required a cybersecurity course for graduation, while three of the top 10 programs offered no cybersecurity classes at all.
Lewis said the cited underemphasis on cybersecurity in universities has been true for about a decade. "Computer scientists feel cybersecurity is part of their field, that it's something you learn as a computer scientist. In fact, it's not true, but I think it's a very strongly held belief in a lot of computer science departments."
NICE director Rodney Petersen disagrees with the idea cybersecurity is getting short shrift in university curricula, citing Centers of Academic Excellence (CAE) programs sponsored by the National Security Agency (NSA). The NSA supports two cybersecurity vectors, one in cyberdefense and one in cyber-operations, which specifically support NICE's workforce goals. There are now more than 300 CAE-certified higher education programs, Petersen said; additionally, he said the new strategic plan, which is expected to be operational at the end of this year, broadens the appeal of cybersecurity beyond computer science and engineering departments.
"Some of the jobs in cybersecurity include cybercrime and digital forensics, so criminal justice and behavioral science programs are important," he said, "and with law, policy, and compliance issues, people with law or policy backgrounds will be needed. So if you are looking for the graduates to come just from computer science or engineering or technical programs, you're probably thinking too narrowly of the types of people who need to be part of a cybersecurity team in any organization."
Building a foundation
Cyber.org's Nolten said recent analysis of the organization's effectiveness has been promising: a pilot study revealed Louisiana schools with at least one faculty member who had access to its curriculum between 2014 and 2018 sent four times as many students into computer science, cyber-engineering, and information systems programs at Louisiana Tech University. He hopes such data can be used as leverage as Cyber.org emphasizes career paths students can take.
"With this re-brand, we have been able to focus more on the technical cybersecurity knowledge students will need to pursue various careers, and we are able to scale what we have done at the grassroots level and begin working with state education departments to establish standards for cybersecurity education."
Bits N' Bytes founder Guru, who may exemplify the power of the grassroots approach, said the kind of outreach Cyber.org plans to undertake with the bureaucracy has to be a vital component of any effort if the new initiatives are to succeed.
"When I was starting to go into schools and talking about it, I was getting a lot of notes that said there was a core curriculum that would be very difficult to change," she said. "That's the root issue we are trying to combat; we're trying to at least add cybersecurity, or ensure that it is in the core curriculum in some way or form that schools are obliged to teach."
Bits N' Bytes, she said, offers a one-week curriculum to help teachers start the conversation about cybersecurity, but there needs to be a concerted sustainable ecosystem throughout the educational system.
"How do we sustain the conversation outside that one week and start pushing out career opportunities?" Guru said. "How do we make them feel that as a young person in cybersecurity that they can rise and get the mentorships they need to rise and succeed?"
Gregory Goth is an Oakville, CT-based writer who specializes in science and technology.