In many of my blog postings, I have written about different issues as they relate to Cybersecurity. They have ranged all the way from the threats that have come about to what the latest cert is all about. All of the issues that I have addressed underscore one common theme, which I have blogged about before as well: the need for Cybersecurity workers, especially those with either an undergraduate or, better yet, a grad degree.
Many educational institutions have just started to realize this need, to train people at an early age, and to give them the education and the tools that they will need in order to stay motivated long term in the field of Cybersecurity. In fact, just over the last few months, I have noticed some colleges and universities have started to offer undergraduate degrees in Cybersecurity.
While I highly applaud these programs and I think that they are a huge stepping stone for anybody wanting to venture into Cybersecurity, a lot of them still stay focused much more upon the technical side of things.
For instance, these curriculums are heavy into teaching how to write secure code, how to conduct a deep dive analysis into a data packet, how to examine log files output by servers in order to find any anomalies, how to conduct a penetration testing exercise, etc.
While it is true that the Cybersecurity professional needs to have all of these deep technical skills, there is one thing that is still missing: The qualitative aspect of Cybersecurity. By this, I mean there is really nothing taught to the students as to how to deal with a Social Engineering Attack, a Social Media smear campaign, how to deal with extortion issues, how to advise a company in case their employees fall victim to an Identity Theft Attack, the mindset of nation state actors, etc.
I guess what I am trying to get at is that the Cyberattacker of today is no longer just relying upon the hard-core use of technology to launch their attacks. Nor are they simply focusing just on pouncing upon IT Infrastructures, servers, workstations, and wireless devices.
Rather, they are now using the softer side in order to launch their specific threat vectors – especially preying upon human emotions, feelings, and the way they react to certain situations.
The above is probably best exemplified by the Business Email Compromise (BEC) attacks. In this instance, the Cyberattacker is trying to prey upon the sense of urgency in an administrative assistant of a CEO in order to get them to wire large sums of money to a phony, offshore banking account.
In my view, this is much more of a “qualitative” kind of attack than the “quantitative” type of attack that we, as Cybersecurity professionals, are so used to dealing with every day.
Seeing this now as part of the reality in 2019, there is one educational institution that has picked up on this, and as a result, they have just started to offer a brand-new Master of Science in Global Security, Conflict, and Cybercrime. It is currently being offered by the NYU School of Professional Studies Center for Global Affairs.
Apart from teaching just the hard-core stuff that one needs to learn about Cybersecurity, the main emphasis is on teaching the more human side of it, which covers critical issues including disinformation, espionage, terrorists’ use of emerging technologies, misuse of Social Media, and of course, much more.
This degree program has been specifically designed for those individuals who seek Cyber related positions across the private and public sectors, and even governmental organizations.
In other words, the emphasis of this degree program is not so much teaching about Cybersecurity, but rather, much more about the Cybercrimes themselves. From what I read in the press release, it appears that this curriculum is built upon these core foundational levels:
* Cyber criminology, Cyberlaw, and Cyberliberties;
* National and International Cybercrime Investigation;
* International Critical Infrastructure Protection;
From within this, there are five specialization areas that the student can focus upon, which are as follows:
* Terrorism, Technology, and the Internet;
* Social Media and Terrorism;
* Open Source Intelligence and Social Media Forensics.
This program requires 36 credit hours of course work, and can be completed full time in two years, or in five years if the student is going part time.
My thoughts on this?
I think it's fantastic that this program is being offered, and in fact, if I could do it, I would even apply to it. As I have stated before, the world of Cybersecurity is no longer just about learning hard-core skills – it is also about learning how the Cyberattacker engages and preys upon their victim from the human and emotional side as well.
Also keep in mind (and as you probably know as well), Cyberattackers are not just homegrown here in the United States. Rather, they evolve from many nations, most notably those of China, Russia, North Korea, and who knows where else. Thus, it also takes a particular mindset to learn how these individuals think as well. It seems that this degree program teaches the fundamentals of this aspect of Cybersecurity as well.
One other thing that I really like about this program is that it puts an emphasis on Cybercrimes. Remember, a Cyber attack is just a one-time thing that can happen repeatedly. But a Cybercrime is a much more ongoing and continuous process, such as that of money laundering.
In some instances, there have been cases which the US Secret Service and the FBI have had to investigate for a couple of years before they could make any arrests and bring people to justice. It is also important to remember that in dealing with a Cybercrime and its syndicate, it takes a person with a special mindset to deal with them. After all, we are not talking about issuing arrest warrants for US citizens; we are talking about negotiating with other nations for the extradition of suspected Cyber criminals. A prime example of this is the recent arrest in Canada of the CFO of the Chinese cell manufacturer Huawei.
Also, many nations (such as Vietnam and Thailand), and even the United States, are starting to implement laws with regard to Cybersecurity and related privacy issues that seem to impede upon the civil rights and liberties of their citizens. It is important for a Cybersecurity professional to be kept aware of these issues, and to understand their implications when dealing with an actual Security Breach.
One should note also that the Cyberattacker is doing more than simply injecting lines of malicious SQL code into a Web based application. Rather, they are also going after the Social Media sites of both organizations and individuals alike in order to launch so-called smear campaigns in an effort to collect money by using extortion tactics.
Finally, this advanced degree program teaches one aspect which is so lacking in other curriculums – potential attacks on Critical Infrastructures and what that means to not only the city or town that has been impacted but to an entire nation as a whole.
Think about it – it can be severe. Just because a Cyberattacker can bring down a few power lines in a very small Midwestern city doesn’t mean that they don’t have the potential to go after the entire power grid of the United States. One thing that I would have liked to see as a subject matter in this degree program is that of the Internet of Things (IoT) and what all of its interconnectivity means from the standpoint of Cybersecurity.
Whether we like it or not, the world of IoT will soon be upon us – and in fact, this will be the main topic of discussion in one of my podcasts next week.