Saturday, 25 November 2023

What You Need To Work in Cybersecurity: the secret sauce

I see a lot of rules based 'quick fix' learning opportunities in cybersecurity. These are usually boot camp style condensed programs that promise to turn an accounting or science student into a cybersecurity practitioner in a single semester by showing them how to use tools in a formulaic manner. They treat cybersecurity as though it's an office job: we show you the cybersecurity rules and you follow them. You can see how well this is working by the ongoing shortage Canada faces in finding and retaining cybersecurity professionals.

I got into cybersecurity with my students in 2017 when we started chasing CyberTitan, but I brought something with us that is atypical in the world of STEM: a willingness to hack. I don't like the word hack, it has negative connotations to it in English that have been encouraged by the self appointed masters of STEM (the S&M part), but that willingness to iterate and work outside expected outcomes is the secret sauce in cybersecurity that many ignore, and a major reason for why I've taken to it like I have.

'Necessity is the mother of invention' has been the motivating factor in my relationship with technology since the beginning. I moved quickly from off-the-shelf to customized solutions based on experimentation and need. Within six months of owning my first home computer (a VIC20), I'd figured out how to copy software using a sufficiently low noise audio deck. My first x86 PC was purchased but quickly modified as I came to need more memory and processing power. By the mid-90s I was building my own computers at a time when many people didn't own one.

This process was initially powered by curiosity, which many training programs eclipse with a promise to provide the initiative so you don't have to - something that has never appealed to me and a major reason why I didn't start collecting technical certifications until 2001 (I'd been working in IT for a decade at that point). Schools are bad at nurturing enthusiasm for self-exploration too. Many educators feel that it is their job to impart knowledge in a regimented format (that's why we call them disciplines!) and assess student understanding through a system of providing both the questions and the answers to minimize any frustration. Assessment success is often a measure of compliance rather than cultivating enthusiasm and curiosity.  Many in education call this approach rigorous and disciplined - it's how they demonstrate credibility, and a reason why I haven't continued pursuing academia.

Indians have a term for austere innovation: jugaad (non-conventional, frugal innovation) which doesn't have the pejorative connotations of the English 'hack'. Jugaad celebrates common sense with a solutions focused approach to creative problem solving without needless bureaucracy. It emphasizes an applied approach to making technology work that is especially needed in an industry like cybersecurity where practitioners are often facing edge cases that the people who designed the network never thought of (which is why we're having a cyber problem). WIRED recently did an article on a Ukrainian technologist who demonstrated this start-up/rapid response approach in the war with Russia. There is even an event in cyber that is all about extreme edge cases: the dreaded zero day vulnerability. Jugaad will get you much further than any amount of system think during a zero day attack.

Kintsugi has played a part in my motorcycling.
There is also a term in Japanese that takes the derision found in English out of making old things work. I've long enjoyed the concept of 'kintsugi' or 'golden joinery', which is the repairing of old things using gold to embellish the fix rather than trying to hide it. In typical Japanese fashion it raises what is seen as banal work in the West to an artform. A concept that combines jugaad's celebration of a fix beyond rules based approaches with kintsugi's raising of that fix to an artform is where a good candidate for work in cybersecurity should find themselves inspired. When I started in cyber I found my  IT background helped in terms of understanding the mechanics of what was happening, but my kintsugi powered jugaad approach is what has allowed me to thrive.

This 'secret sauce' is often ignored in education and especially in cybersecurity adult retraining. There are some disciplines that tend to attract rules focused types, but that fixation on systemic order blinds them in the edge cases where cybersecurity often operates. Rather than retraining an accountant or rigorously compliant STEM student, I suspect that those exploring subjects like detective work in policing or creatives in the arts would find the skills they've honed more effective, but that doesn't stop everyone from demanding a computer science degree for any job in cyber.

In 2019 after the Terabytches went to CyberTitan nationals we got invited on the local radio station to talk about the experience. The interviewer asked me a good question about our DIY approach to computer tech. I was annoyed at the lack of resources, but he suggested it might be what gave us an edge. He was right, we'd been jugaading and it made us mighty!

There are many jobs in cybersecurity. People who lean toward the jugaad end where they can problem solve without restrictions can find a comfortable fit in operational cybersecurity where they are monitoring real time threats, penetration testing where they are attempting to exploit a client's system to highlight vulnerabilities, or threat intelligence which focuses on gathering reconnaissance data on threat actors. But even in the policy and compliance work, a willingness to consider and understand threats and solutions that are outside the box is a necessity. The need to nurture and respect those out of the box thinkers working in unexpected end of the cyber-workforce is essential for management. Those industries that thrive on status quo compliance are the ones you see being hacked most often because they don't respect the skillset.

This map of cybersecurity domains gives you an idea of the many specializations that the field offers, though I would argue that in all of them (even those up the compliance end) an ability to work from your own initiative and experience rather a rule book is essential.


Sam Sheepdog & Ralph Wolf know the score.
I sometimes describe cybersecurity types as sheepdogs. I think many in law enforcement also fit this description. You can't send a goat to fend of wolves, but having a wolf of your own will do the trick. Early on in my transition from IT into cybersecurity I found myself leaning on IT administrative habits that don't work in cyber, and came to realize that the jobs are very different, though the technology is the same. If you have an IT person running your cybersecurity you're likely to be constantly surprised by the attacks you face because they tend to see systems in an architectural way rather than as an opportunity to be compromised.


It would be easy to say something silly like, 'there are no rules in cybersecurity!' but that's pointlessly reductive. It would also be easy to describe all the people in it as hackers, but this isn't true either, though a mentality that tackles problems from a place of curiosity and jugaad is far better than a rules compliant myopic who can't see beyond the framework they maintain. At the end of all this I firmly believe that you need a bit of the wolf in you if you want to consider a career in cybersecurity. I wish more cybersecurity training and especially adult retraining would emphasize that when looking for candidates rather than demanding STEM grads often missing these skills. If it's a formulaic job that you're looking for, cyber isn't it.

STEM students are often missing skills which "include teamwork, collaboration, leadership, problem-solving, critical thinking, work ethic, persistence, emotional intelligence, organizational skills, creativity, interpersonal communication, and conflict resolution." Adding an 'A" to STEM doesn't fix this, incorporating an iterative, resilient, interrogative, team-based problem solving mindset into STEM subjects would, but that doesn't tend to be how we teach it.


Another piece of Canada's cybersecurity puzzle came into focus from the last post on how our cybereducation system is broken. In response to that, Francois Guay from the Canadian Cybersecurity Network followed up with the observation that the cybersecurity talent pipeline in Canada is also in tatters.

I've been thinking about that post and believe all of the responses from both new cybersecurity practitioners and veterans are valid. It would appear that when you try to fix a talent shortage with rushed retraining based on incorrect assumptions about the skillsets needed in cybersecurity, no one trusts the results. Problems such as absurd requirements for entry level positions like asking for 5 years of experience on a tool that only came out last year or demands for that vaunted yet irrelevant computer science degree continue to strangle entry level workers coming into the field, even though they have hacked (cough) their way through our broken cyber education system to do it.

Not to sound hopelessly jugaad, but the simple solution would be to introduce cybersecurity apprenticeships that give a more diverse set of potential candidates the opportunity to see if cybersecurity is a field of study that suits them. Those with the right combination of fearless curiosity, critical thinking and tenacity might find their way into it instead of continually opening the doors to STEM grads who are good at being told what to do and enjoyed the privilege growing up of being able to handle the enormous homework loads STEM subjects demand as part of their compliance regime. Students with a background in science and technology might be familiar with the medium that cybersecurity operates in, but that doesn't mean they'll be able to handle the stochastic demands that resonate across cybersecurity work. It's better to find those with the right jugaad mentality; technical familiarity will build quickly powered by enthusiastic initiative and tenacious problem solving.

I've always told my students that if they can bring a willingness to explore, experiment and a fearlessness in breaking things in the process of figuring them out, they don't need to sweat the technicalities, I can teach them those by harnessing the curiosity they bring with them. I've had strong technical students struggle in cyber because they lean on formulaic approaches to computing (they are often maths strong coders) that let them do the bare minimum. If your natural talents in mathematics and computer science have blessed you with a compliance based work ethic, cyber with its changeable success criteria isn't for you. Another favourite adage of mine in the classroom is, 'if you're looking for a way to do less, you'll usually find it.' Those that want to work in a framework often do it so that they can delineate where they can stop; in other words it's used as a way to limit their involvement. That's no way to approach cybersecurity. If solving a problem is a nine to five gig for you, go find work elsewhere.



Much of this comes back to the reductive way we have approached digital skills development (when we're not ignoring them entirely). Cyber Education is the hidden, much larger part of the digital skills iceberg.


Saturday, 18 November 2023

Cyber Education in Canada is Broken, Here's How to Fix It

I've been sitting on this one for some time. What's below is more like brainstorming than a clear solution, but I feel like it's moving in the right direction...

The Problem: Canada's Cyber-education system is broken - or doesn't exist at all

I've been ruminating on this since virtually attending the "How to protect our children in an increasingly digital and online world" meeting by Economic Development Ontario and the Canadian Trade commission a couple of weeks ago. James Hayes from Cyber Legends is a man on a mission. His keynote was both insightful and frustrating - the main point being that Ontario (and by extension Canada)'s cyber-education ecosystem is broken. I'd go so far as to say that in most places it doesn't exist at all; broken implies that there was something there to begin with.

This observation speaks to a cultural challenge that Canada faces. Other countries are able to leverage a collaborative approach to the asymmetrical global threat cyberattacks pose, but Canada's history and the loose confederation it has produced creates many gaps between levels of government. Those gaps are where cybercriminals operate.

The Problem: cybersecurity, cybersafety and online privacy are barely mentioned in Canadian school curriculum and educators are some of the least digitally experienced professionals able to resolve this skills crisis

In Ontario we've mandated mandatory eLearning for all students, but cybersecurity only just got into the computer studies curriculum in this year's rewrite, and what's there is thin (it immediately devolves into personal online data awareness and ignores the many interesting technical specialities in cybersecurity). This optional course doesn't run in most high schools (it was cancelled locally in mine), so this one mention isn't seen by most students.

Many other provinces don't mention cybersecurity at all even as they all depend on it every day with networked education technology delivering material in every classroom. Cyberskills are now essential skills if we want to keep the learning happening, but aren't treated that way in our education systems. New Brunswick is the exception with a full cyber-learning pathway for students interested in heading into the field professionally. Why does that matter? There is a global shortage of cybersecurity professionals, so Canada's usual approach of immigrating in solutions to its education failings won't work in this case.

James mentioned teacher cyber-illiteracy in his keynote as well.
There are solutions like CyberBytes that offer upskilling...
Our oblivious response to cybersecurity awareness is part of a larger problem in public education. When I first came into teaching in 2003 I was surprised to see the education system rocking early 90s information and communication technology. Throughout my career education has dragged its feet at every opportunity in terms of adopting digital transformation and the benefits it delivers. The result of this decades long drag is that people in education tend to be less digitally literate than the general population, even as they are expected to teach students essential digital skills like cyber awareness. 
Teachers are precisely who you want to be raising general cyberawareness and the skills needed to safely navigate our online world, but decades of status quo leadership means educators are missing the digital media literacy necessary to do it.


The Problem: we're happy to make online edtech solutions mandatory (usually as a cost cutting measure) but a surprising percentage of the people doing it don't think they should be held legally responsible for its safe delivery


I spoke on a panel about cybersecurity at the Canadian Edtech Summit the week before. The event had an online component so I started a poll aimed at the education administration and technology companies in attendance. Recently the SEC in the US sued a company for their failure to respond to cybersecurity problems that they were very much aware of that resulted in many clients' data being spilled onto the darkweb. This raises an interesting policy question: should school boards and provincial education ministries be held legally responsible for cybersecurity in Canadian classrooms? Canadian educational ministries and their school boards have increasingly adopted cloud based solutions to reduce costs on what used to be locally managed technology integration, but with internet based 'cloud' solutions come cybersecurity responsibilities. This US decision will likely influence our lax cyber responsibility policies in Canada and I was curious what the people implementing these technologies (often poorly) thought of the potential for liability penalties for failing to protect student data (which often also includes staff and family personal data too).

I expected the people delivering online edtech (school boards, ministries, not-for-profits and private edtech companies) to recognize that cybersecurity is very much their responsibility if their technology is vulnerable online, especially if they are going to demand that students use online learning tools. This should be especially obvious when our 'clients' are vulnerable sector children whose safety should be a primary concern.

Most did recognize the importance of taking responsibility for their technology delivery, but I'd love to have a chat with the quarter or so who thought they should be putting student learning online while bearing no legal responsibility for it. One of those people could well be managing your local school board's technology department.

If we've got a problem with the people delivering online edtech understanding that they are responsible for cybersecurity, we need to back the bus up and clarify those responsibilities with policy - legally binding policy.  I recently saw a memo which said data privacy wasn't even a paid job in the school board and is done outside of regular work responsibilities by IT staff, most of whom have no cybersecurity experience. Until we begin taking public sector cybersecurity seriously we will continue to see our public services being disrupted by breaches and system failures.

NIST's cybersecurity framework offers a technical policy approach to cybersecurity that clarifies what organizations need to do to provide viable online security. ISED has a Canadian version called ITSG-33 which is more policy focused.  This isn't an all or nothing thing with a solution for every problem. Any time you put data online you risk being hacked, but by following these best practices you can at least know you've taken reasonable steps towards preventing abuse. What you want to do is get up to Tier Four of the NIST framework where you're proactively defending against threats, but public education in Canada can't get out of Tier Two because "implementation is still piecemeal", and no one has "the proper resources needed to protect themselves." Our cyber failures in Canadian education are the result of poor policy and the resultant lack of funding. I'd hope that we'd follow best practices in protecting student data, but that ship sailed years ago. If that carrot isn't available, then a legal policy stick might be the only thing left that prompts ministries and schools to make student data privacy a priority.


The Problem: Public services in Canada are siloed bureaucracies that are difficult to work with


This isn't just an education problem, it's a
CANADA problem. Canada's history hasn't
produced a culture that can collaborate
against asymmetrical global threats.
During the panel talk at the EdTech summit one of the speakers said, "working with public school boards is very difficult. It can take years just to find the right person to talk to. Even if you can find that person, they'll tell you there are no resources." I talked to Kyle Bokyo, another of the panelists, after the event and we commiserated on this point.

There are not for profits and businesses in Canada who are attempting to provide solutions to Canada's ongoing cyber-education failures, but attempting to engage with any public service in Canada is a a difficult prospect. If you talk to the ministries they hold up their hands and say they only manage the funding and not the implementation of cybersecurity solutions. If you talk to the regional school boards they say that they aren't provided resources to do it.

In Canada's uncoordinated cyber policy landscape I suspect it's easier to play victim even as you assume greater cyber risk pushing user data into the cloud than it is to develop a coordinated response to this very asymmetrical problem. These gaps in responsibility make it easy for the people paid to protect student data to point the finger at each other rather than solve the problem, even as breach after breach occurs.

Canada's failure to
coordinate cyber response
is recognized as an
problem globally
.
What I learned through COVID as a classroom teacher is that the people running public education will ask all manner or ridiculousness just to maintain the illusion of a functional system. It's what got them into their offices and they aren't about to jeopardize that. Public education, along with other public services, are insular industries with generational employees and tightly knit networks of political operatives managing them. This might sound like immigrant complaining (and it is), but the best way to get into education 'leadership' is to have had family who did it, or marry into one. The next best way is to be willing to maintain the status quo at all costs. Agility and responsiveness aren't words often applied to this sector.

Cybersecurity in public education is dangerously under-prioritized even as we continue the rush to cloud based edtech solutions in an attempt to save money. On top of that a surprising percentage of the people delivering these solutions don't think they should be held legally responsible for its safe delivery. This deadlock suggests that we need policy that not only enforces best cybersecurity practices in education, but also makes resources for it a requirement rather than a politically motivated shell game.

But the fix needs to go further in education because we also have a responsibility for providing graduates with opportunities to learn the skills they need to survive in a rapidly changing world; something we're not doing as many jurisdictions continue to studiously ignore cyber education and digital skills in general. The key piece to this puzzle is policy that creates a responsive, responsible Canadian cybereducation system. In aligning resources to create cybersecure online learning we might also usher in a new era of relevant, richer digital skills development.


The Solution: A Viable 21st Century Canadian Digital Education Ecosystem

As both James and Kyle mentioned in their talks, technology moves so quickly that large public services are always going to struggle to keep up, but an agile edtech sector could help with that. Startups and small businesses can pivot to keep up with technology emergence in a way that larger organizations struggle with - that's why Google and the rest buy agility rather than trying to produce it in-house. The problem has been Canada's pigeon hole approach which doesn't aim to produce a coherent ecosystem of interrelated programs that provide a comprehensive Canadian shield.

As mentioned previously, the issue of regional school boards and provincial ministries making it difficult for anyone outside of these insular systems from collaborating with them is a key problem. We can't leverage digitally literate industry partners if they have no way to effectively communicate with education delivery systems.

The solution is to connect the federal government with the Council of Ministers of Education, Canada and The Insurance Bureau of Canada and design a centralized approval process that connects Canadian not for profits and industry edtech expertise with provincial ministries and clears the way for access to credible cybereducation materials through direct internal communications channels with education systems. Instead of individual boards doing cyber badly, a national partnership with a wide range of technology specializations and strengths would work together to build solutions at scale while also ensuring that these solutions are prioritized with mandatory funding. This relationship would also prompt meaningful updates to curriculum instead of the current 'in a bubble' approach that produces material well short of what is needed to prepare graduates for our technically challenging future.

I made this graphic after last year's CPI conference
at University of Waterloo
, where I first met James,
Cheryl and Cyber Legends.
In such an environment a startup like James' Cyber Legends, or an internationally partnered and long running national competition like CyberTitan would pass NIST levels of cyber-review nationally and then be welcomed into a Canada-wide edtech ecosystem that works through each provincial and territorial education ministry directly into school boards. Any edtech company working outside of this framework would find itself where we all do now: on the outside unable to make any significant change. But those who meet this national standard would be considered trusted internal partners with access to federal funding and direct internal access to provincial education at both the ministry and district levels. No more trying for years to find a person who may (or most likely doesn't) exist in a local school board who is in charge of cybereducation.

This ecosystem would reward collaboration. Members would only be accepted if they are producing complementary resources that create a full range of learning opportunities to all aspects of our increasingly digital world across all subjects, including cybersecurity. This nationally curated resource allows teachers from all corners of the country to develop meaningful digital skills, including the difficult ones to deliver like cybersecurity. This equity of access to resources would end nationally embarrassing PISA results that prevent smaller provincial education systems who lack resources from producing results below the world average.  Members of Canada's edtech program would find funding easier and be able to work with partners who ensure that their programs are successfully integrated and in a constant state of improvement in order to keep up with the impressive rate of technological change we're all dealing with. This would also give those providing federal funding clear guidelines for who they should be supporting.

The stick would come through policy changes that are both legal and regulatory. Any school board (and by association ministry) not making use of these secure, partner provided resources for improving student data protection would find themselves both liable for any breaches, and also uninsured. Educational cybersecurity would no longer be a political blame game. Local implementation would still very much remain the purview of school districts, and ministries would remain very much in charge of funding their province or territory, but with focused federal support many of the associated expenses would be reduced through the centralization of resources. These savings would also be a carrot. With national cyber standards and partnerships that leverage the strengths of all members of Canada's education ecosystem (federal government, private industry, national not for profit, education ministries, and local school boards), Canadian students would enjoy access to more Canadian made digital learning opportunities that raise digital fluency in a meaningful way, and they could do this while also exploring cybersecurity in a way that creates a more secure Canada. Imagine what all these cyber-aware students could do for our national security. It's the only solution we have that scales to meet the problem. Those students go home and raise cyberawareness in their families and communities, reducing the main reason for successful cyberattacks.

We have a habit of regionalizing our approaches to government in Canada, but in the face of wildly asymmetrical threats like cybercrime and (increasingly) international cyber espionage, we need to push back against this culture and build a collaborative defence. In doing so we would also create much richer digital learning opportunities in our schools that would make Canada more secure and competitive in the networked, global economy.


The Solution: collaboration doesn't end locally, regionally or even nationally in Canada

I'm attending The Global Forum for Cyber Excellence's inaugural Global Conference on Cyber Capacity Building in Accra, Ghana at the end of November. 

"It is paramount for all nations to have the expertise, knowledge and skills to strengthen their cyber-resilience"

I'm presenting a research paper a former student and CyberTitan (Louise Turner) and I have written about the disruption quantum computing will cause to cybersecurity encryption in the coming years. Doing this research with Louise has been both eye opening and very intellectually satisfying, but after 20+ years in the classroom I'm still very much a cyber-educator first and a cyber researcher second. It's why I invited one of the next generation of cyber professionals to write the paper with me.

Looking at the program for the conference, the lack of talent and focus on developing cyberskills both in the population and in those interested in pursuing work in the industry isn't a Canada only problem, it's a global one. If we can repair Canada's internal cyber-education system, we can then work with international partners to help them do the same. The cyber battlefield inherently favours the anonymity of hackers damaging our systems with impunity for their own gain, but through collaboration the defenders could become mighty. A cyber-aware population would be foundational for reducing cyberattacks in our public services.

As the GFCE so eloquently puts it: "Nations should work together and support each other with these capabilities, so that no country is left behind in their digital evolution. After all, a chain is only as strong as the weakest link."  Look for the Accra Call: a global action framework that supports countries in strengthening their cyber resilience being announced during the conference.