Random Thoughts on Cyber Education
Radical changes need to be made, now!
Education presents a tempting unitary point of influence over a whole host of social problems, with potential downstream effects touching everything from childhood poverty to economic malaise to racial inequity, not to mention existential concerns.
-Sanjay Sarma
Inside out learning (the chess method)
When I was a young soldier stationed in a tiny post in South Korea, I found I had a lot of free time on my hands, and I was bored stiff. We had no computers or television, so I spent a lot of my time playing basketball and reading. A fellow soldier always asked me if I wanted to play chess, and I always turned him down. Chess seemed boring to me. Eventually, I agreed to learn how to play chess. He started explaining the game to me and spoke of strategies, mid-game, openings, and such. I stopped him. He was confusing me with the language of chess, using words that I could not understand. I told him I only need to know two things to learn the game; what is the primary purpose of the game and how did each piece move. He told me that bit of information, and we started to play. In the first game, he beat me in three moves. We played again, and I beat him. We played several more times, and I beat him repeatedly. We started playing chess daily, and he never beat me again. He swore that I had played chess before, and I assured him that I did not play chess before playing him. I still think he did not believe me.
Chess came easy for me to learn. I did not have to read a book, watch videos, or spend a bunch of hours trying to understand the game before I was even able to play a real non-practice game. However, I was still not a good player yet. And honestly, the guy that taught me how to play was most likely not a very good player himself. But here is the main point; if I had been lectured about the rules of the game and all of the tactics that go along with it, it would have been an arduous undertaking for me, and I am sure I would have been bored or stepped away from it permanently. But by learning hands-on and letting my mind be free to explore and experiment, the learning came quicker, the retention was more significant, and there was a certain feeling of freedom of how I went about learning to play this way. I could be slightly corrected while learning, but by taking in the new data from that experience and continuing to play, I could play chess immediately.
I learned the basic concept of chess, but I knew I was not a good player. However, I started to play and enjoy the game so much, and I noticed that I had reached the ceiling of my skill. The time had arrived when I would have to learn more to improve. My eyes opened when I noticed that I could only be at a certain level of player. I wanted to get beyond that group of players. Reading chess books was the key to reaching my goals. I learned the opening principles, sacrifices, and endings. I was a decent player, but I lacked the skills needed to move up the competitive ladder. The books let me know I was on the right track. By that time, I understood the language and the strategy of the game on a new level. It is like learning how to talk and then learning about how to conduct an intelligent conversation.
Inside Out learning is learning by examples. Or like in math, worked examples as opposed to doing it from scratch. That’s how I learned to play chess, by actually playing and making mistakes, improving, and continuing the process in a perpetual loop. One of the practical methods of inside-out learning, one of the things I used that worked well, is the worked example teaching method.
Teaching basic networking is not the most exciting course you could take. Sometimes you have to entertain. But being animated and entertaining is not sustainable. (or even sensible). Students will not be up to paying total attention, especially if they are not already interested. From my own experience, not by research or questionnaires, I noticed that using Cisco’s Packet Tracer software is a great way to teach networking. It is a gamification of learning. Using the Packet Tracer software gains the attention of even the most jaded student. Being able to drag and drop equipment to a white digital easel and configuring routers, and watching the actual packets travel (or not) across a network is 100 times more engaging than the most charming teaching. Using applications such as Packet Tracer is a great way for a student to learn about networking.
In my high school introduction to networking class, I used Packet Tracer software. I did not use any textbooks. I gave All of the students were given assignments written as scenarios that called for a network systems administrator to make several network configurations to meet the company’s particular needs. Without textbooks, self-paced lessons, samples of correct networks, and the teacher changing from a lecturer to a guide, this method helped me build one of the most robust networking programs in the country. During cybersecurity competitions, we constantly placed near the top of the best high school cyber teams. At a local community college, networking students do not even use Packet Tracer until the third class. My students who attended the community college were able to skip those classes and received credit for them. The reason is not only because colleges articulated my classes with that school, but more importantly, they did not need to take those two classes because they already knew the material. Even though I was happy that my students did not have to take the first two classes, I still thought that the community college was making a mistake by not introducing Packet Tracer earlier. This resulted in a considerable waste of time and resources.
Many of my friends, family, and former students know that chess story. Admittingly I love to tell the chess story. Not because it is an exciting antidote from the past, but I took that experience and used it in my classroom. When students came into my cybersecurity class, I taught them the bare bones of protecting and hardening their operating systems and network. Then I asked them to perform the task on a computer. Many students looked at me as if I was crazy. Some would whisper to me that they did not know anything about how to harden their computer system. I told them to try, based on the information that I gave them, and after all, they had the entire Internet at their fingertips. Use it! The upshot: I managed to use this method and built one of the best high school cybersecurity programs in the country, putting three of my teams in the top 20 nationwide during the national CyberPatriot cybersecurity competition. Again, using non-traditional methods helped the students.
Learning is applying an algorithm, a pathway that leads to a goal or destination, like a roadmap. Another way to learn chess (or anything for that matter) is to understand it in a larger context, such as living in a society. This way, you can learn chess at a deeper level; how does chess relate to the world, and how does the world relate to chess. However, most importantly, you can use that skill as a tool to be applied in any situation.
Think about this: If playing video games can alter someone’s perception of the world, what can learning how to build a video game do to someone’s perception of the world? A sensible person would agree that building something instead of using something is separated by such a large magnitude of reality; it is unmeasurable.
Classroom Arrangement
In addition, I also changed the physical layout of the class. It did not take me long to figure out that the traditional classroom, the way we think about traditional classrooms, with rows and columns of desks, and a teacher standing in the front of the room with a whiteboard, was not the way to teach cybersecurity. Putting the student desk in islands of four improved collaboration and communications between the students. Learning came about naturally when we started doing project-based assignments.
Since I started teaching late in my life, I immediately found out that traditional classrooms and traditional teaching were not teaching cybersecurity students. I immediately went about dismantling everything about the system that was in my power to do so. Since I spent all of my adult life in the same industry that I was teaching, it was apparent that we were going about this the wrong way. My idea of teaching networking effectively, for example, was not learned in a class about pedagogy but was based on empirical knowledge that I picked up in the workforce. Getting rid of the textbooks was the easy part; don’t use them. What took the most time was dismantling the curriculum and building it back up to reflect more on what needs to be learned today instead of forcing square pegs into round holes by pursuing STEM education the way we taught history 150 years ago.
Even now, many classrooms are set in rows and columns. Yet, we still teach and learn from these same rooms. There are plenty of studies that cover the best classrooms setups for learning. But again, I search pragmatically and make my own decisions based on experience. I was lucky enough to have a modular desk in my room instead of the desk I sat at as a kid, which was bolted to the floor. I made seven islands that accommodated four students each. The new setup allowed me to group students according to my needs at the time. Sometimes students were working on project-based assignments and were put together because of their portion of the projects. Other times students were grouped according to their progress in the course. The benefit from each group is that collaboration and teaching emerged organically among the students. A great deal of learning could be done in a short amount of time, and the data retention was higher.
The Massachusetts Institute for Technology (MIT) has experimented with Technology Enabled Active Learning (TEAL). Teal is designed for courses such as cybersecurity that use computer-based learning. Studies have shown that TEAL can enrich a student’s experience in learning cybersecurity. IT promotes hands-on learning, experimentation, collaboration and becomes like a maker space for cybersecurity.
Teaching and learning is a complicated topic. The methods I write about are not from the ivory towers of academia or stodgy research. Though some of my methods and outlooks on teaching have been formed independently based on my experience, many of the thoughts and ideas that I tried were already in existence, such as MIT’s TEAL program. My acknowledgment of some of the origins of my ideas serves me: I now know that what I was doing was viable.
Textbooks — You don’t need them!
I mentioned ditching textbooks already. But why? Lectures and lessons were not enough to keep the students’ attention, let alone teach them something they could retain. It took me a while to figure out what methods worked better than the standard model. One of the first things I figured out was that textbooks were useless. There will always be room in education for textbooks. I do not want to predict the demise of the textbook. Thomas Edison wrongly predicted the end of textbooks over 100 years ago when his team developed the motion picture machine. The area of cybersecurity is changing too rapidly for schools to retain up-to-date information on the subject matter. In a concise amount of time, textbooks would become obsolete. However, in place of textbooks, the Internet has a remarkable amount of relevant information that was current and from a good source.
The class went well without textbooks because I retained the information that was supposed to be taught. I kept the curriculum’s structure and content. The curriculum is designed to meet state standards most of the time. The only difference is where I retrieved my information. There are literary hundreds of websites that have excellent cybersecurity curriculum. The work I needed to complete is to capture this information and incorporate it into the current curriculum. I will not highlight those websites in this piece because this writing aims not to give you tips but to give you the best methods to teach cybersecurity.
The answers to these problems that I came up with were all practical solutions. Empirical knowledge trumps surveys and research. I did not intend to change any pedagogy; I tried different methods, and I stuck to what worked to teach cybersecurity students to retain the information. Getting rid of the textbooks was a massive step in the right direction. I am unchained to textbooks. Not having textbooks allowed me to concentrate on the latest technology that was current. Still, it also allowed me to become more flexible, sometimes even coming up with lessons on the spot. I took news articles on big stories about cybersecurity and incorporated them into those current lesson plans. This effort added a freewheeling appeal to the lessons and linking them to the real world in a meaningful way added a freshness to the course that text box and traditional quizzes did not provide.
Lockstep Lesson Delivery — can’t happen.
The next thing I learned was that it was almost impossible to keep students in sync with the material. Some students would be way ahead of my pace, and some would be way behind. The reason for this? First, some students were not interested in cybersecurity. Since my cybersecurity classes were an elective, counselors often funneled students in my room as if it was an art class (nothing against art). But electives are looked upon by some students as throwaway classes. They could still graduate even if they failed the ones that are beyond their mandatory allotment. By the time some students arrived in my class, they may have already taken the required electives and were on permanent cruise control. Counselors did not always inform students about what cybersecurity was. It is like putting a student into ROTC if they had no interest in a career in the military at all, or putting someone in auto mechanics class that had no intrinsic interest in repairing cars, even if it is a great skill to have.
Another issue was that many students come into the class with vastly different skill levels. Using a textbook and proceeding through the same content simultaneously for every person is a huge mistake. Unlike common core courses such as English, math, and history, where there are always a couple of students ahead of the class, cybersecurity students have an even more significant gap between top and bottom students. Most of the cybersecurity skills that students learn are attained outside of the classroom. Students interested in cybersecurity are doing this at home, and it is treated as a hobby the same way that sports and gaming are to other students. The diverse skill levels made it extremely difficult for me to keep the class together in any meaningful way. Some students were left behind, and some students I did not challenge enough.
Cyber Range — part of the answer
When we speak about TEAL, we must remember that this idea is not new, nor wait patiently for it to arrive. We are in the middle of a transformation in the cybersecurity community. When A cyber-attack breaches American companies, we are inching closer to overhauling how we teach cyber, if for no other reason than realizing that what we are mostly doing now is not working. The term cyber range first started to appear around 2006. Cyber content is a perfect answer to cyber training. Foremost, it allows students the hands-on experience that students desperately need for cybersecurity training. It provides a secure environment for training. Teachers can set up courses to mimic a virtual world that is sometimes inextinguishable from the natural environment that it emulates.
Students can earn industry-recognized badges for their skill levels. Some of the units are so vast and robust that they can be mapped to different entry-level certifications such as Security Pro and Network Pro and upper-level certifications. Imagine having access to this cyber lab 24/7 and using the units to map your way to whatever cybersecurity job or skill you desire. Each person will configure their private path to success. Some lessons can be guided, and other lessons can be self-paced. Lessons will come in the form of gamification, capture the flag type competition, and the more traditional methods. Fluff will be eliminated because students will only apply for the courses they need, just like the insurance commercial. Anyone that has been in the industry knows that once a person is on the job, they will get enough experience to learn other skills through mental osmosis.
Purdue University has one of the best cyber ranges. Four series of training modules must be completed. The core badges are cybersecurity foundations, Enterprise security, vulnerability management, and ethical hacking. With state-of-the-art simulations and a robust environment, I cannot think of a better way to learn cybersecurity. The problem, of course, will be how can an extensive cyber range be implemented on a large scale. The answer is the Internet. With the Internet, cyber ranges such as the Purdue lab will not only be available to those lucky Purdue students, but it can also be available to those schools in underserved areas and serve as a standard for cybersecurity training across the country.
Teaching linear may work for math or other traditional classes, but it is not the best way to teach cybersecurity. This is another reason I’m not particularly eager to use textbooks. Textbooks go through the material in a piecemeal fashion, giving you bits of information about the basics of the course, and it covers a wide breadth of knowledge. This method causes anguish in some students, who only have an abstract idea of the what of the instruction and no idea about the why of the instruction. Instead of giving students linear style conceptual instruction, give them projects.
Bird Watching Example
One example: We want to determine what type of birds migrated and what birds did not in our area. By the end of two semesters, the finished product will be a report and presentation given to the science department. A remote camera was hooked up to a network through solar-powered batteries and a router covering the area and physically based in the school. Cameras recorded three bird feeders over six months, from the end of summer to early spring. Students filmed videos, took photographs, and downloaded them from the servers.
The students who did the photos and the videos had to be trained on the Adobe Suite to edit videos and pictures. The students who programed the cameras had to learn and use code to instruct the cameras to take photos when the sensors were tripped and automatically download images and videos. Another batch of students was in charge of connecting and maintaining the connection of the cameras to the router, and students learned the basics of networking. The students from the science department kept track of the bird species as well as other pertinent data such as numbers, dates, etc. This project-based approach combined several STEM disciplines and expanded into two departments. Students were not working on an abstract idea; they worked on a purposeful project with a beginning, middle, and end. The students sat in a TEAL environment. They were not restricted to their tables; they sometimes had to walk over to other tables to get some of their questions answered.
This is an excellent opportunity to learn using TEAL. The best way for the mind to grasp a concept is to combine that learning with your hands. They work in harmony, and it is the best way to retain the learned information.
Winnowing — eliminating deviance
In the book, Grasp: The Science of Transforming How We Learn, Sanjay Sarma and Luke Yoquinto explain how a large part of the population have their paths shunted through winnowing. Winnowing is the lack of access to resources, who teaches, and who we teach. Testing also plays a significant role in winnowing. Think of a factory where there’s mass production of a product. Any product that does not fit the standard throws away the products that do not fit the mold. Sometimes whole batches (of student products) are thrown away.
One of the significant problems with education is that we have an idea of what a student should be from the time they enter school. If there is any deviation from the norm, that student is illuminated or separated from the standard. From the beginning, many parents walk their children into a school that has limited resources. This is not only in kindergarten; that is only where it starts. For those students, their entire educational experience will lack the opportunity to reach for the resources that could make them successful. It is all about access. If your family lacks money, everything is a problem, transportation, health, crime, age, cost, and education. Stephen Jay Gould, American paleontologist, and evolutionary biologist, once stated in 1979,
“I am, somehow, less interested in the weight and convolutions of Einstein’s brain than in the near certainty that people of equal talent have lived and died in cotton fields and sweatshops.”
Lack of opportunity is a thought that I have always carried with me. I experienced and watched so many of my friends and family members be cut off from opportunities and thus be blocked on their pathway to education and, consequently, housing and healthcare and financial stability. One way to make this situation better is to make learning more user-friendly and identify and eliminate any unnecessary filters.
Algorithms and Automation — Another way to eliminate people
Where money can be made, money will definitely be made. We are living through a venture capital bonanza. There are for-profit companies that use algorithms in their assessments. The short part of this story is that all students who fall outside of what is considered the best attributes for a person entering a cybersecurity career will be promptly eliminated from the competition. Sometimes these assessments are in the form of competitive capture the flag competitions. Students will make a lot of money for the high-tech companies, which give a small part of their earnings to the students in the form of grants and scholarships. However, the winners of such competitions are the usual suspects, in other words, those students who already have a lot of experience in cybersecurity. The people that are new to cybersecurity will be eliminated according to the algorithms. Think about calculus, which, if used correctly, becomes a tool that people can use in many beneficial situations. The algorithms used in some of these systems only perpetuate eliminating the people who are already underrepresented in cybersecurity. I must point out that these algorithms are not made maliciously by people to purposely eliminate the people who should benefit the most. The problem is less about teaching cultural sensitivity to those making the algorithms. The algorithm problem could be easily solved by ensuring a diverse programming pool of people from every corner of our society. This way, we can organically make the type of algorithms without diving into social and political upheaval on things like education that should not be politized. But a diverse population of programmers will do well to stave off the ill effects of our blind march to automating every process that is not already automated.
Solutions
There are many innovative ways to teach cybersecurity. Self-paced courses, teacher-guided cyber boot camps, TEAL, and cyber ranges, are a few of the methods we will need to use. Shortly, all information will be available for free. In a way, it is already available. There is not one lesson you can find in a calculus or engineering textbook that is not available for free if you only take the time to find and to learn. The difference between access to the information and understanding the information in a meaningful way is how the information is retained. The role of the educator and the method of delivery is essential. Somewhere along the way, hands-on discovery style tactics are critical to cybersecurity education, just as it is to STEM education in general.
Online learning is not the best method to delivering instruction, but it would be an understatement to say that it is better than no instruction at all. That may not sound very desirable, but online learning can be a valuable path to learning cybersecurity if appropriately implemented. But with online learning and certification, many people will be able to learn a skill that will be sustainable into the future. We have to deliver knowledge and teach in a way that will nurture creativity. The other essential needed is apprenticeship opportunities. A student’s cyber education is not completed until the student receives practical experience in their field. The apprenticeship allows for the student’s knowledge to be directly applied to the real world. Studies have shown that online classroom students can outperform traditional in-person classrooms if the online version had live instruction to go along with the curriculum.
TEAL classrooms allow for discovery-style pedagogy. This will help develop creativity and innovation, just the thing that makes good cybersecurity experts. The hands-on component embedded in TEAL will enable students to learn with the help of peers and instructors and allow for collaboration. TEAL promotes the retention of new information by doing instead of lecturing to or following a textbook. It is like the difference between learning how to use an application and building an application.
A foundation has to be made before TEAL is implemented. This foundation will look much like a traditional classroom. Students need to learn the technical aspects of cybersecurity; they also have to know its history and how it came to be. Learning about the technology without putting it in context would be a huge mistake. Learning the technical concepts of cybersecurity is one thing but understanding how it affects society is another thing altogether. Cybersecurity cannot t be taught incorporeally and separated from current events. An organic connection is needed. All STEM students should have a solid foundation in biology, humanities, physics, and math.
Project-based
The lessons should all be project-based. Working through a project is a more realistic way to learn. Just as in the real world, risk can be taken, mistakes can be made, and there is no chance that it will affect their grades. Students do not get to move on to the next level until they prove mastery in their present level. After mastering all of the levels for the course, then they will pass that course. When I was a network analyst for Time Warner Telecom, our new employees came in with little or no experience with our proprietary applications. We gave those new employees time to learn the system. Sometimes it was only a matter of days, sometimes weeks, but to master the system, took months. But along the way, from beginner to master, most employees made plenty of mistakes and had to be guided at specific points in their journey toward mastery. But by acknowledging that mastering the applications took time and giving the employees the time to learn the system, and giving them the liberty of making mistakes with no discernable consequences, it was rarely a time when those new employees did not reach the master level. They learned from their own mistakes; their co-workers taught them.
What is to become of teachers? Nothing can take the place of an in-person teacher to help guide and mentor a student. But teachers in the environment I envision will be more of a guide during the student’s educational journey. In a TEAL environment, much of the teaching will be done by the student’s peers. Sanjoy Mahajan, an MIT educator, put it perfectly when he said a teacher “is a guide on the side, not a sage on a stage.” Teachers have a huge role in the future of cybersecurity learning. Emphasis will be more on course configuration as the teaching mode itself. There is a skill to be learned to know how to put the various multimedia curriculum together in a way to make it both flexible and predictable at the same time.
In a TEAL environment, having a well-experienced and educated teacher is the key to success. This person does not have to be a professional teacher all the time, but it can also be someone from the industry. The cybersecurity industry has to partner if we are going to increase the number of cybersecurity professionals in the United States.
Online learning, as well as boot camps, are good ways to combine knowledge and hands-on experience. The third part is apprenticeship. Without apprenticeships, education and certification are not completed. The practical application of learned knowledge is the best way to round out cybersecurity training and education. There is no shortage of ways to gain a better cyber posture in the world. It is essential to know that the current educational environment will have to change drastically, and it is also critical to ensure a secure future for our country.
What can we do to switch the student culture from cyber illiteracy into a cyber-dominant culture? We can take a cue from world religions, which indoctrinates children as early as e cradle. Their moral compass and intellectual capacity are still being developed. For thousands of years, technological advances have knocked aside superstitions such as witchcraft, magic, and sorcery. However, religion is still standing tall. It is not like technology has not tried to push religion to the side. Technological advances have always been in direct conflict with religion. And the Gods of religion have been moving further and further away. The Gods keep moving to new neighborhoods where we cannot see them. Deities changed addresses from living within nature, to living on the mountaintops, to living in the sky. Now, those deities are living beyond the furthest stars, waiting for technology to find them again and move on to perhaps another reality. We need to indoctrinate our children early.
Religion may be a bad example. Some readers may even be offended by it! However, I hope it holds your attention long enough to realize that this type of indoctrination is what is needed to defend this country against the ever-increasing Russian and Chinese aggression that is currently toying with methods for destroying the peripherals of our critical infrastructure. First, we have to start this training in pre-school. And we need to constantly indoctrinate them in cybersecurity all the way through the 12th grade. We can disagree on how we will reach our goals to have a cyber-literate society, but we cannot afford to wait a minute longer while our enemies are consistently poking, prodding, and tinkering with our critical infrastructure.
