Contact The Editor
Articles By This Author
Jacob Miller and Sandra Gorka, both Pennsylvania College of Technology computer science professors, will outline a grass-roots program they developed to get high school students prepared for cybersecurity careers at ShmooCon, an annual hacker convention held in Washington, through advanced level classes and hands-on training. They'll also lay out how ShmooCon attendees - which typically include security and policy professionals and students - could launch similar programs across the nation.
"By the time kids reach college they've often decided what they want to do for a career. You need to get them interested in cybersecurity at an earlier age," Miller told me.
The address comes as the United States faces a deficit of nearly 300,000 cybersecurity workers that threatens to leave large swaths of the U.S. economy underprotected against criminal hackers, according to a May report from the Homeland Security and Commerce departments. More than half of cybersecurity workers say short staffing has left their organization more vulnerable to hacking, according to another report from the cyber credentialing organization (ISC)2. That workforce shortage will only become more damaging as criminal hackers become more sophisticated, and traditional college cybersecurity programs aren't doing enough to fill the talent gap, Miller and Gorka told me.
Miller and Gorka won a 2016 National Science Foundation grant to pioneer a college-level cybersecurity course that high school students can take for college credit and that they say can be a model for early cyber training programs in other states. After two years offering the course to students in a handful of high schools near Pennsylvania College of Technology in Williamsport, Pennsylvania, they plan to transition it next year to a dual enrollment program that could offer the course in dozens of high schools across the state.
Under that program, high school instructors are trained to teach college courses, and their students receive college credit. It's too early to say how many high schools will offer the cyber class, Miller told me. The course covers technical topics as well as legal, policy and ethical challenges in cybersecurity, he said.
Despite widespread concern about the shortage of cyber workers, there's no national program to surge education and training.
The May report from the Homeland Security and Commerce departments included more than 65 recommendations, sub-recommendations and action items to increase the federal cybersecurity workforce, but most were vaguely worded or lacked concrete mandates or timelines.
A National Cyber Strategy released in September that built off that report was even shorter on details. It described working with Congress on programs to re-skill workers from other fields for cybersecurity jobs and bringing in more cyber pros from abroad through merit-based immigration programs.
The Commerce Department's National Institute of Cybersecurity Education division offers scholarships and tutorials aimed at high school-aged students, but on a relatively limited scale.
As a result, most of the work of training new cyber workers is being done in a bottom-up fashion by small programs such as Miller and Gorka's.
In connection with the ShmooCon presentation, the pair is planning to offer their course materials online for teachers in other states who want to emulate their program, they told me.
They're also working on a separate grant to develop cyber curriculum for junior high and middle-school students.
"If you go into a first- or second-grade class and ask what do you want to be when you grow up, it's doubtful anyone would say information security analyst," Miller told me. "But we want to raise the profile so when they're thinking of doctors, nurses and firefighters, they'll also think of IT pros and security in IT. That's the holy grail of where we want to see this project go."
Instead of directly attacking U.S. utilities, Russian hackers started by targeting hundreds of small contractors and subcontractors such as construction companies to carry out "the worst known hack by a foreign government into the nation's electric grid," the Wall Street Journal's Rebecca Smith and Rob Barry reported.
The Journal's play-by-play of the 2017 attack, shows operatives taking aim at small companies as well as larger utilities. Two energy companies that were targeted in the campaign also make systems to provide emergency power to Army bases. Two dozen or more utilities were breached in the campaign, according to some experts. The hackers took advantage of relationships of trust between businesses and "worked their way up the supply chain," according to Smith and Barry.
"The hackers planted malware on sites of online publications frequently read by utility engineers," the Journal reported. "They sent out fake résumés with tainted attachments, pretending to be job seekers. Once they had computer-network credentials, they slipped through hidden portals used by utility technicians, in some cases getting into computer systems that monitor and control electricity flows."
Georgia's Secure, Accessible and Fair Elections (SAFE) Commission recommended the adoption of voting machines that print paper ballots instead of hand-marked paper ballots to replace the state's paperless direct-recording electronic voting machines, the Atlanta Journal-Constitution's Mark Niesse reported. "The commission voted 13-3 to endorse touchscreens and ballot printers when the Georgia General Assembly considers buying a new statewide voting system during this year's legislative session, which starts Monday," according to the Journal-Constitution.
Election security experts say paperless electronic voting machines are significantly more vulnerable to hacking than paper-based voting systems or machines that include a paper trail. "Ballot-marking devices with verifiable paper ballots ensure that a voter's selection in each contest is captured in a manner that will be accurately counted," the SAFE Commission's report said, according to Niesse. "The Commission believes that moving from one form of touchscreen voting to another will be an easier transition for Georgia voters than it would be to move to hand-marked paper ballots."
Ring, a company that makes home security cameras and was acquired by Amazon, used loose protocols in managing its customers' video feeds, potentially allowing employees to watch customers in their homes, according to the Intercept's Sam Biddle. "Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon's S3 cloud storage service that contained every video created by every Ring camera around the world," Biddle wrote. The video files were not encrypted and could be viewed, downloaded and shared easily.
Meanwhile, the company also allowed executives and engineers in the United States access to live feeds of cameras from some Ring customers even if those employees might not have needed that access in their jobs. Those with such access only needed the email address of a customer in order to be able to watch cameras from the customer's home, but a "source said they never personally witnessed any egregious abuses," Biddle reported. (Amazon founder and chief executive Jeff Bezos owns The Washington Post.)
Every weekday JewishWorldReview.com publishes what many in the media and Washington consider "must-reading". Sign up for the daily JWR update. It's free. Just click here.
(COMMENT, BELOW)