Your Questions Answered Part II: Cybersecurity Education and Policies

Three leading experts share their thoughts on certification, ethical hacking, and the government’s role in the field

7 April 2015

Photos: CASED/Anuja Sonalker/Greg Shannon

Clockwise from left: Michael Waidner, Anuja Sonalker, Greg Shannon
This article is part of our March 2015 special report on cybersecurity, which highlights IEEE’s efforts to help engineers defend systems against security and privacy threats.

In the second of a two-part series, our three cybersecurity specialists address readers’ concerns about education in the field and the role government should play to improve security.

The experts are IEEE Senior Member Greg Shannon, chair of the IEEE Cybersecurity Initiative and chief scientist of the CERT Division at Carnegie Mellon University’s Software Engineering Institute, in Pittsburgh; IEEE Fellow Michael Waidner, director of the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, a leading organization for IT security solutions; and Anuja Sonalker, vice president of engineering and operations for TowerSec Automotive Cyber Security, in Columbia, Md.


How can people become educated in cybersecurity when it is constantly evolving? For example, if it takes a year or two for students to complete a course, by the time they are finished the field will be overtaken by new technologies, trends, threats, and risks.

SONALKER: Security is a mind-set. The best practice is to teach students the art of security, security fundamentals, how to apply security as a daily practice, and how to think like an adversary. It’s true that the threat landscape is evolving and underlying technologies are changing, but so has our understanding of the adversaries and their ways. Researchers are going deeper and deeper into technologies’ layers to provide protection from the ground up. At that level, there is not much that can evolve and change.

WAIDNER: Security must become part of being a computer scientist or engineer. It requires as much continuing education as anything else. Computer scientists and engineers should regularly attend cybersecurity trainings, workshops, and related courses.

SHANNON: For developers and engineers, security and privacy are a mind-set—a contrarian attitude—that allows one to get into the mind of the adversary. They’re looking at an app, a piece of software, or a website, and they ponder, ‘What can I do here that the designer didn’t think of? Is there a way to get information through channels or through tricks that weren’t anticipated? Is there some frailty in humans that I can exploit to get information out of them that they wouldn’t normally give?’ (I talk more about this on the Information Security Media Group podcast.)


Some believe that certifying cybersecurity specialties will result in more problems than they solve. Do you agree? And if so, why?

WAIDNER: It depends on the granularity of the certifications. In general, anything that motivates people to learn about cybersecurity in depth helps.

SHANNON: Certification is not a panacea. However, it is one way to efficiently remove the burden of everyone having to always consider the depth and breadth of security and privacy challenges and solutions. Certification has limited value without appropriate training, accreditation, and oversight. The challenge is, what’s the alternative?

SONALKER: On the positive side, certification provides a common base to all professionals who carry the same certification. It allows organizations to enforce a minimum qualification or gauge a candidate’s knowledge. On the negative side, it results in an ecosystem of rigid learning with professionals who may not be able to think outside the ordinary when it comes to protecting their organization’s assets. Attacks are far more sophisticated, socially engineered, and leverage atypical resources that may not be considered during a standard evaluation.


What do you think about the emerging discipline of ethical hackers, in which professional engineers are taught the latest hacking methodologies, tools, and tricks? Could this lead to training unethical people to become hackers?

SHANNON: Engineers and developers should hack their own systems and designs. That’s the essence of auditing software for security and privacy. Yet, ultimately, we need to reduce the role of humans in the mechanics of assessing the security and privacy of systems.

WAIDNER: Ethical hackers play an important role in improving cybersecurity. The exploits and hacking skills are readily available on the Internet and can be used by attackers. Defenders need to have a thorough understanding of these attacks and exploits in order to configure and deploy suitable countermeasures. Security experts need to know what they are up against. Or, in other words, how to hack.

SONALKER: It is a good practice to teach engineers the latest hacking methodologies, tools, and tricks. If people with adversarial motives have access to these technologies, then developers of systems must also. However, along with hacking methodologies, engineers must be taught about laws, the legality of their actions, consequences, and responsible disclosure, among other things, to ethically ground them to the good side.


What role should governments play when it comes to cybersecurity?

SONALKER: Government has a very crucial and delicate role to play. The best examples are governments that are facilitators among commercial entities, consumers, producers, and operators in the cyberecosystem. The government can listen to and protect the voice of the consumer, but in a manner that does not disturb the delicate commercial fabric of the Internet. Government can provide a friendly environment with policies that facilitate easy information sharing and reduce liability burdens from practitioners who make best efforts to keep systems secure. This kind of approach will find the greatest traction and will lead to widespread security adoption, which is the goal.

WAIDNER: Many effective security, and even more so, privacy measures will not be widely adopted without government policies and legislation that mandate them. Mandating security turns it into the cost of doing business.

SHANNON: Create and share evidence of effective practices, such as those found in the U.S. National Institute of Standards and Technology (NIST) cyberframework, which provides a way for organizations to identify and mitigate potential threats. Also foster and accelerate industry security and privacy ecosystems that are naturally emerging.


What do you believe needs to take place to improve the field as a whole, and what needs to happen to have more qualified candidates?

WAIDNER: It is important to bring security skills into general education for all computer scientists and engineers. There is certainly the need for more security specialists. But only when everybody in IT has a basic understanding and the skills is there hope that the field as a whole has made significant progress.

SHANNON: Clarify and communicate a long-term goal for eliminating easy-to-compromise software and systems. Raise the status and respect for security and privacy professionals to be on par with other highly regarded professionals, including pilots, doctors, and lawyers.

SONALKER: More awareness is key. Common everyday people who use mobile phones, credit cards, and social media need to be more cognizant of what happens to their data, transactions, and their digital trail. This will lead to an overall increase in awareness among practitioners and a more comprehensive mind-set to continuously assess and improve security.
