Dr. Neil Rowe is a professor in the Department of Computer Science at the Naval Postgraduate School, a public graduate school operated by the United States Navy and located in Monterey, California. Faculty profile.
Listen to the full episode
Key takeaways from the interview
- Naval postgraduate school profile: The school is a graduate school for the US Naval Academy, hosting a diverse student body including military personnel from various branches, government civilians, and international students.
- Educational focus: The school primarily offers master’s degrees and some certificate programs. Specializations include cybersecurity and artificial intelligence within computer science. There’s a shift towards promoting certificate programs due to changing student preferences.
- Career path of graduates: Students often have obligations to work in the government or military after graduation, with some programs like the scholarship for service requiring a commitment to work in cybersecurity for the government.
- Role of AI in cybersecurity: Dr. Rowe emphasizes the critical role of artificial intelligence in cybersecurity, particularly in defense against new threats, as manual analysis is no longer sufficient.
Here is a full transcript of the episode
Steve Bowcut: Welcome to the Cybersecurity Guide podcast. My name is Steve Bowcut and I’m a writer and an editor for Cybersecurity Guide, and I’m the podcast host. Thank you for joining us today. We appreciate you listening. Today, our guest is Neil Rowe.
Neil is a professor in the Department of Computer Science at the Naval Postgraduate School, a public graduate school operated by the United States Navy and located in Monterey, California. Today, we’re going to be discussing educational opportunities for cybersecurity students at that institution. With that, welcome Professor Rowe. Thank you for joining me today.
Neil Rowe: Hello.
All right. This is going to be fun. As I mentioned before we started recording, I have some association with the Naval Postgraduate School and some organizations that I was involved in years ago, and I’ve always thought very highly of that institution, so I’m excited to talk with you today.
Before we get into the educational opportunities there, tell us a little bit more about the Naval Postgraduate School. Its role, its mission, where it fits in the whole scheme of things.
Neil Rowe:
Well, we are the graduate school for the US Naval Academy in Annapolis, Maryland. All the graduate students come to us, except we’re on the other coast. We’re on the West Coast, but we’re only 50% Navy students. We also have a lot of the students from the Marines, the Army, the Air Force, and the Coast Guard. Plus, we have government civilians, and then we have quite active internship programs. We got a lot of different kinds of people at the school.
Steve Bowcut:
Oh, okay. It’s mostly military than you would say, but different branches of the military and yet there some-
Neil Rowe:
Yep. Different branches. We also have international students too, from our US allies. They’re quite interesting.
Steve Bowcut:
Yeah, I can imagine. I guess what it doesn’t include, and correct me if I’m wrong here, so just people interested in cybersecurity that are looking for a postgraduate degree, but they have no interest in the military or working for the government or they’re not currently in the military or working for the government, there’s probably not an opportunity for them there. Is that fair to say?
Neil Rowe:
Yeah. The tuition model is that their government agency has to pay for them in one way or another.
Steve Bowcut:
Got it. Okay. All right.
Neil Rowe:
That simplifies the accounting and no student loans or anything like that.
Okay. All right. Very good. Oh, that helps a lot. Thank you. I wasn’t completely aware of that. I was going to ask you another question about your relationship, the relationship between the US Navy and industry as it relates to cybersecurity, and maybe you can help us understand that a little bit.
The other graduates of your programs, and we’ll talk about your programs in here in a minute, is the expectation that they are going to continue in their military or government role, or do many of them graduate then eventually end up in industry after some period of time?
Neil Rowe:
Well, they’re usually obligated when they come to the school to work for the government or the military for a certain period of time, but after that, they’re free. We do have a scholarship for service program, for instance, where the students get a free master’s degree and exchange for which they have to work for the government for three years in the cybersecurity area.
Steve Bowcut:
Oh, very good. Okay. That’s kind of the way Uncle Sam likes to do it. They’re willing to train you with the best training in the world, but they want something in return, which only makes sense.
Neil Rowe:
Yeah. Yeah. That’s a popular program. We get some really good students from that.
Yeah. All right. Let’s learn a little bit more about you. How did you get interested in cybersecurity? Has it been a lifelong pursuit or somewhere along your career you just decided, “You know what, cybersecurity is something I want to know more about?”
Neil Rowe:
Well, I got my PhD 40 years ago. One issue that came up with the PhD, which had to do with numerical artificial intelligence, was related very much to trying to protect private data on systems. I got started to reading about cybersecurity and realized there were quite a bunch of applications. Still, most of my background is artificial intelligence. It’s just that cybersecurity is the application area I’ve spent the most time in. Particularly in the last 20 years, I’ve been mainly focused on cybersecurity applications of artificial intelligence.
Steve Bowcut:
Oh, okay. That’s becoming, just in the last decade or even half-decade, that’s become quite a big deal, at least in industry. All the vendors now have AI-powered solutions, and most of us kind of roll our eyes about that a little bit because we’re not sure exactly what they mean when they say they have an AI-powered solution. You probably have some interesting insights into that having spent decades now studying this before it became popular.
Neil Rowe:
Yeah, there’s just no way we can keep up with new threats unless we use some artificial intelligence to analyze them. Manual analysis is just not working anymore.
This question just came to my mind. Are we seeing the threat actors moving in that same direction? Maybe they’re using artificial intelligence to propagate their threats or to help them.
Neil Rowe:
Yeah, we’re seeing a bit of that, but AI is more important for the defenders and more valuable for the defenders than it is for the attackers because attackers can focus on just one kind of threat and get really good with that one kind of threat.
Steve Bowcut:
They only have to be right once but we have to be right every time, right?
Neil Rowe:
Right.
Okay. All right. Let’s get into the meat of why we’re here. Tell our audience, if you will, about the cybersecurity educational opportunities that they’ll find at the Naval Postgraduate School. We’ve determined that they’re going to be either government or military personnel and it’s all postgraduate work, but what kind of programs do you offer?
Neil Rowe:
Well, we mainly do master’s degrees. We have a few PhD students who are all really wonderful, but mainly, we just graduate various master’s degrees. We do have some certificate programs. For instance, I’m head of the artificial intelligence certificate, which you take four courses over a year, one course per quarter, and you get a certificate, but as you know something… It’s a bit more detailed than many approaches to artificial intelligence that are a bit shorter and superficial.
Steve Bowcut:
Oh, okay. Those degrees-
Neil Rowe:
Certificate programs are really good for people that are working. They can do those in the evening, those programs.
The degrees, master’s degrees that you offer, are they in cybersecurity or are they in computer science and with an emphasis on cybersecurity? What is the actual degree that I could get if I was going there?
Neil Rowe:
Oh, there are all sorts of degrees. Mainly, I’m associated with a computer science degree, which does have a specialization in cybersecurity. That’s a very popular specialization. There’s also an artificial intelligence specialization. We also have a modeling and simulation program, which I’ve been associated with. We used to have a software engineering program, but we don’t have that anymore. I used to be associated with that too. Mainly, we’re trying to push these certificate programs because people just don’t want to go to school for a whole master’s degree very much anymore.
Yeah. I would assume that that’s driven largely because more so than just, let’s say, a state university, I would think the employer has a lot of input with the employer being the US Military, whichever branch of the military and/or the government agency who is sponsoring these students.
Their desires, I would think, would be feed well or feed a lot, having a lot of impact on the kinds of certificates or degrees you offer. Is that a fair assumption?
Neil Rowe:
Yeah. Yeah. For instance, we’ve got a PhD student right now who’s coming from the Naval Information Warfare Center in San Diego who’s been told by his organization to do something related to his job.
Right. Yeah. “This is what we want you to learn.” Okay, perfect. Maybe you’ve covered this, but I’m interested in learning about what your students, your current students, are interested in and what kind of projects they’re working on.
I guess what I’m trying to do here is understand if a student decided to come, they worked for a government agency, and they thought, “Yeah, I’m going to go to the Naval Postgraduate School and get a graduate degree or a certificate,” are there projects, or team activities, or those kinds of things that they could expect to be involved in?
Neil Rowe:
Yeah. There are lots of projects going on at the school and they’re all pretty practical. We need to get funding just like any university, but in our case, we have to get funding for the six or seven or eight months of a year, whereas at most universities, you only have to get funding for the summer. We’re deeply involved in research projects and we work those into our classes, but also we have a required thesis.
The students have to do a master’s thesis with all the master’s programs and the PhD students have to do dissertations. There’s a lot of ongoing research programs. Mainly, I’ve been doing lately industrial control systems, because the Navy has all the systems that are equivalent to industrial control systems that need to be protected. The state of the art is pretty poor in protecting these legacy systems that have a lot of old software. We’ve been spending a lot of time looking at that, and my collaborator here has been working that.
Interesting. I know that that’s also a major issue for municipalities, state, and local governments who are operating critical infrastructure. Do those kinds of organizations fall under the government people that are invited to attend or does that need to be federal government agencies only?
Neil Rowe:
Well, we have some state people, but mainly, it’s federal organizations. There’s plenty of federal organizations that are involved with activities and protecting government.
Steve Bowcut:
Absolutely. Yeah. Okay. Interesting. Thank you.
Neil Rowe:
We work on that. We also work on a number of other types of things. There’s things with networking. We have a big networking group in the department. We’re very interested in protecting network protocols and things like that and we do research on that. I’ve looked at a lot of other things, for instance, human factors issues like insider threats and stuff like that, trying to… One of the big good challenges for the government is purchasing software.
Acquisition and trying to ensure cybersecurity as held with that is really tricky because the laws for purchasing things are very complicated. I had a student who did a thesis on that recently. There’s all kinds of complicated issues that we get into. Since we’re a small school, we have to cover a lot of different areas. Each professor has to cover quite a broad range of interests.
Right. I should have asked, but I didn’t think to ask, what is the student, the approximate student population at the school at any given time?
Neil Rowe:
It runs about 1,500. Sometimes it gets up to 2,000.
Steve Bowcut:
Okay. All right. Interesting.
Neil Rowe:
We don’t have every possible degree that you can get, only something like 20 different master’s degrees.
Steve Bowcut:
Well, that’s pretty good though for graduate school.
Neil Rowe:
Yeah.
All right. I wanted to ask you, and again, we’ve touched on this a little bit, but I’m trying to explore, in the series of interviews that I’m doing, how much academia is responding to what we call, some people refer to, the skills gap. There’s a real shortage of trained cybersecurity workers out there and industry is just clamoring for people.
Some industries say, “We don’t even care if they have a bachelor’s degree, we’re just going to put them in a SOC, and then we’ll train them ourselves from there.” There’ll be a SOC analyst, a workup. Other organizations and consulting firms are saying, “No, we need people that are coming right out of college with an advanced degree and able to do nation-state threat intelligence work.” I’m just wondering if that shortage, is it something that even is on the radar for your institution, and if so, is there any way that you can respond or are responding to that skills gap that is in industry?
Neil Rowe:
Yeah. Well, often the students are told when they come here that they’re supposed to do cybersecurity. That simplifies their choice of what they’re going to focus on quite a bit. Other students have more flexibility, but we have such an active cybersecurity program in computer science and also some of the other departments.
There’s an information sciences department, which is more sort of putting building blocks together. We have a systems engineering department. We have a defense analysis department, which looks a lot in information warfare. All these different curricula, people have expectations and they’re having no problem getting students.
Right. Excellent. Okay. Thank you. All right. I’ve got a couple of questions left and these are just fun questions. The first one is about a cybersecurity reading list. If you were to provide some resources or recommend some resources to someone who wants to learn more about cybersecurity, and it could be books, or papers, or lectures, or websites, or conferences, but where would you direct people who want to learn more about what it would actually be like to work in the field?
Neil Rowe:
Well, that’s a real tough question. I’ve got so many books in my library. It’s hard to pick favorite books and stuff like that. It depends on what area you’re going to go into, because cybersecurity is becoming quite diversified now. I can’t really pick anything to recommend. I mean, you probably don’t want to start with cryptography because that’s pretty mathematical, but there’s plenty of less mathematical areas that important to… There are good books about trying to introduce you to the area. Intrusion detection, for instance, is not too complicated to follow. There are a number of good books on intrusion detection.
Steve Bowcut:
Okay. That might be a good place for somebody to start and-
Neil Rowe:
Yeah. Yeah. That’s an area that I used to teach quite a bit, but right now, I’m writing a book on digital forensics. That’s an interesting area right now. Even though there’s a lot more encryption than there used to be, there’s still a lot of things you can find out from examining a memory or a storage of a computer. That’s the main thing we talk about in that area. There’s going to be quite a few books now on digital forensics that are interesting.
Steve Bowcut:
Okay. Very good. All right.
Neil Rowe:
I don’t generally recommend books on how to defend against hackers because they’re also specialized. What works for certain types of windows attacks doesn’t work for other ones, or doesn’t work for other machines. There’s a lot of overly specialized books out there.
Got it. Okay. We’re about out of time, but our last question, and this one is purely fun. This is where we ask you to dust off your crystal ball and look down into the future, maybe five years or 10 years. What do you think students today need to know to be prepared for what may come in the future? Given your background, I’m guessing it may have something to do with artificial intelligence, but maybe not. What do you think?
Neil Rowe:
Yeah. Well, they’re definitely going to need to know more artificial intelligence than they do today. There’s so many different tools out there that can analyze traffic and analyze attacks. They’re going to have to master a lot more tools than they are today.
Steve Bowcut:
Got it.
Neil Rowe:
We’ll see about that. As far as other tools, it’s hard to say. I mean, there’s lots of network monitoring tools around.
They’re not too hard to use. I mean, they have all different types of notation for what they’re indicating, but you can often pick that up pretty quickly. But the artificial intelligence, you do have to understand basically what it can do and what it cannot do too. There are ways that AI can be fooled too by malicious attackers. That’s going to be a continuing issue in the future. People are deliberately trying to fool your AI methods and try to get onto your systems.
Steve Bowcut:
Got it. Okay. Very good. Thank you. Well, Professor Rowe, thank you for your time today. This is about all the time we have, but I want to thank you for giving part of your day to us and to act as a resource for students that are trying to educate themselves on cybersecurity and make decisions about what they want to do in their academic careers.
Thank you for that and a big thanks to our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting, and join us next time for another episode of The Cybersecurity Guide Podcast.