Barbara Endicott-Popovsky is the executive director of the Center for Information Assurance and Cybersecurity at the University of Washington. She has taught and mentored cybersecurity students in a variety of courses and formats and frequently consults with government organizations about the future of cybersecurity education. Linkedin profile
How did you first get into cybersecurity?
Well, I was in IT at a large commercial company, and presided over the implementation of some of the first early local area networks and observed what I believe was our first “man in the middle attack,” once we began to bring computing out from behind locked doors.
So, I was able to observe the transition from mainframes to distributed processing. And what struck me was how little attention we gave to the security problems we were creating. There didn’t seem to be much attention or awareness or consciousness that every computer, every wire, every device in the system that we were creating offered potential vulnerability.
And that puzzled me because up until that point in time, cipher locked doors, sign-in sheets, cameras, limited access had really been a mainstay of corporate mainframe computing.
When I reported this first “man in the middle attack,” I got puzzled looks. I believe my boss thought I was an unmedicated paranoid actually! And recommended that I shouldn’t share this information with just anybody because it would make them think that there was something wrong with me!!
At that point, I became intrigued and I started to dive into reading about cybersecurity. The Israelis were doing some interesting things at the time, and doing some pretty advanced thinking along the same lines. I feasted on this new information!
Eventually, curiosity led to my pursuing a doctorate in computer science/cybersecurity and a career in academia. It took me about seven years to complete my Ph.D. working full time. But once I completed my studies, opportunities opened up. The University of Washington approached me about heading up their cybersecurity center, and I’ve been at the U ever since.
Can you explain a little bit more about what a “man in the middle” attack?
In those days we weren’t connected by WiFi. Everything was wired. You could trace someone’s computer on their desk directly to the mainframe on the campus where I was working, the industrial campus.
During this time, we knew that computers were being installed and linked to the local area network by union workers working third shift. I would come in each morning and I’d get a progress report.
One morning the director of human resources computer was disconnected at the patch panel in his office building and I thought that was really strange. It took quite a bit of doing to remove a peg from the patch panel and I thought, well perhaps his computer was being repaired. Two days later when it happened again, that wasn’t a coincidence and I put two and two together.
We were having leaks of management planning information to the union regarding an upcoming strike. The human resource director, whose peg was at the bottom of the patch panel, happened to have been the chair of the management strike planning committee. Further, there had been buzz about how in the world strike plans were leaking to the union.
As I said, I put two and two together and I can tell you how it happened. To begin with, many of the people who were wiring up computers on third shift, were graduate students at the University of Washington, because you can work six hours and get paid for eight.
You could fund your graduate program with your hourly wages and have time to study. They were extremely well paid and knowledgeable. This was the report I put together and it turned out to be correct but again, there was an initial reaction of disbelief, even in light of evidence shown because people lacked imagination about the security problems we were creating when we built those local area networks.
When I started at UW, I launched a television series called Unintended Consequences of the information age on our university’s television station, leveraging that experience. The idea was to explore all of the vulnerabilities that society had opened up, unwittingly, as a result of embracing interconnectedness.
It took a while for people in industry out here on the West Coast to really grasp the problem. But the federal government was tuned in immediately for national security reasons– understanding that the federal government was an incredible target.
I would give credit to Richard Clark and the Clinton administration for being the first to recognize that we were putting critical infrastructure online, and increasing national vulnerability to cyber-attack in that space.
This was not something that constituents I worked within the Northwest were ready to hear or see or be concerned about. For a long time, management — industry and local government — put up with (or ignored) cyber attack. It wasn’t until we hit critical mass and had some very significant breaches that had a significant impact on companies like Target and Sony, that awareness changed.
Concerns about cybersecurity rose to the C-suite on the industry side. As I said, government was much more aware. The National Security Agency (NSA) provided federal government leadership in this space.
The NSA assumed a national security perspective; they also provided advice to government agencies about how they could defend against cyber-attack.
I had the opportunity to work at the national level with the NSA, heading up an NSA designated center of excellence that was recognized as one of the top 10 in the country. It gave me the ability to view how the field of cybersecurity was forming. (It has also given me an opportunity to participate on various national committees that are shaping the development of cybersecurity as a profession.)
Can you explain what your work looks like now as the Executive Director of the Center for Information Assurance and Cybersecurity at the University of Washington? What kinds of projects are you working on?
Besides maintaining our NSA designation which must be renewed every four to six years, my responsibilities are to mentor other universities external to the University of Washington and other departments inside the University of Washington that want to develop academic programs in cybersecurity. Thus, in my tenure at UW, we’ve developed several different master’s degrees on the various campuses, each with a different concentration or thrust.
We have a master’s degree in Bothell that looks at secure software development because Bothell’s Computer Science Department emphasizes software engineering. Whereas in Tacoma, we have a master’s of cyber leadership that has been developed initially for the military, it’s a one year program.
That program takes a more networking perspective based on the expertise in the department at Tacoma, and also in response to local demands for those skills. Whereas, Bothell sits near the software development corridor on the eastside: Microsoft, the medical device manufacturers, where students are likely to go to work.
Graduation statistics indicate that students go to work within 30 to 50 miles of where they graduate. Thus, as faculty develop programs, they will be mindful of the jobs in their locale and will develop programs accordingly.
I mentioned reaching out to other universities. I have been assigned a seven-state territory by the NSA that allows me to provide initial mentorship to universities and colleges that want to develop cybersecurity programs aligned with the national direction.
I also manage a 100 percent online cybersecurity certificate that maps to all of the standards that are considered essential for cybersecurity expertise. It is offered through outreach at the University of Washington. I teach and prepare industry experts to become faculty in that program in order to share their expertise as teachers.
I also research educational and pedagogical questions and develop special programs like the Cooperative Learning Program co-developed with a local major company that was interested in developing a cadre of cybersecurity employees.
This answers the question about how you get experience before you graduate since employers hiring cybersecurity graduates want experience. How do you get experience if you don’t have experience? It’s a catch-22. The co-op program we developed addresses this.
We created what I would call a lightweight cooperative learning model. In fact, our textbook is coming out this summer that describes the model to other universities. We’re hoping to encourage others to do what we did, which is to partner with local industry to develop cohorts of up-and-coming cybersecurity experts who come to work ready to contribute.
We’ve also offered scholarships, they’re various government programs to the Department of Defense, to DHS to NSA that will fund students to go through for a master’s degree or to finish their undergraduate program. If they agree to work in the field for a couple of years beyond graduation.
By the way, our graduates from our CAE programs are given hiring preference by the federal government. That has appeal to students that wouldn’t mind relocating to DC or working for state and local government. We also pursue funding for — and run — scholarship programs.
You are involved in so many different kinds of teaching formats — from the traditional, academic on-campus courses, to MOOCs and online education opportunities, and also doing masters certificates and mentoring students one-on-one.
How do you kind of think about all of those things and at a high level, can you just explain the way you look at the value and utility of each kind of educational format?
The main audience that I have mentored since I’ve been at the University of Washington are students that already have their undergraduate or graduate degrees that want to earn a professional credential in cybersecurity, looking to move into cybersecurity as a career path.
I take great pleasure that we’ve had close to 800 students go through our certificate program since we began in 2004. that maps to all the cybersecurity standards that the NSA requires for cybersecurity competency. Many of those students are now chief information security officers, have started their own companies or occupy various senior roles within government.
For example, I have one student who has a GS-15, working for the Department of Homeland Security on a forensic fly-away team. Any time there is a need for a digital forensics analysis of some event that has implications for national security, he’s there. He’s one of those people that fills that role.
I have another student who is also a GS-15 at the Federal Reserve Board. Through the years we’ve been known for developing talent and placing it in the workplace where the preparation that we’ve given allows our graduates to move up commensurate with their other work skills.
I’m very proud of the chief privacy officer in the city of Seattle, the first in the country. She came out of one of our scholarship programs and took a degree that emphasized issues of local government and cybersecurity. She also took the certificate in cybersecurity that I described to you.
As far as making recommendations to students about what way they should go. Number one, they should make a decision based on what niche in cybersecurity they wish to pursue. And I would refer students to our MOOC (Essentials of Cybersecurity) hosted on Harvard’s EdX platform. They can either audit it or take it for very minimal costs and get a sense of what the field is all about, how it’s organized.
The fourth course guides students in how to use government tools that exist to help them find their appropriate career path. I tell students that there is no one university certificate, educational entity, that will ever give them everything they need for a career in cybersecurity. They need to take responsibility for their own education after they get their feet wet with either an undergraduate program, a two-year program at a community college, a master’s degree, or a certificate.
The programs that any institution offers just simply get you started on your career path. All of the successful examples that I alluded to previously have taken charge of where they want to go and make decisions about what they want to study beyond whatever credentials they may get from us.
And in fact, with our massively open online course (MOOC), we list other options. We refer people to other community colleges for certain specialties, certifications that will add to specific knowledge. So, we don’t claim to be the fount of all wisdom, nor should any single educational entity in this field ever do that. That would be my first sign that maybe they don’t know what they’re doing because the field is so vast and so ever-changing that you are committing to life-long learning when you get into cybersecurity if you want to be successful.
One of the things that we teach in our certificate program and in our MOOC, is how to develop a reading program so that you stay current, how to join professional organizations to continue to network. The bottom line, it’s a field that you must love because you’re going to be studying constantly, reading constantly, growing constantly expanding your mind.
From your vantage point, given your career and your involvement in the field for a while now, do you think there is a shortage of knowledgeable cybersecurity professionals and why or why not?
Without a doubt, there is a shortage and I would refer you to www.cyberseek.org, which indicates that there are ~300,000 open jobs in the United States alone, double that if you want to consider openings in the entire West, including Europe, etc.
The talent gap comes from a lack of programs that teach and prepare students for cybersecurity. The NSA has, since the late 1990s, had a program that encourages universities to create centers of academic excellence that teach cybersecurity according to standards that have been evolving among DHS, NIST, and NSA. But there are only about 300 some universities now that have these programs, representing hardly 10 percent of all the universities and colleges in the United States.
Another limiting factor — and I’m talking now about four-year higher ed institutions — is that we don’t have enough faculty to teach in our cybersecurity programs You will have faculty that will graduate in related fields and perhaps develop dissertations and research interests in cybersecurity-related to the discipline they’re in, whether it’s computer science or double E or international policy. But we don’t really have sufficient people teaching.
Their remuneration from academia is not nearly what you can earn in the private sector. That has been a problem since I’ve been active in this field, going back to the year 2000 when I first started my Ph.D. program.
What do you think about when you’re looking ahead into the next five or 10 years of cybersecurity, how do you think things will change? What do you see as big opportunities, especially maybe framing it from the perspective of students that are kind of just beginning their careers and thinking about their educational opportunities? How do you think about that?
I think that cybersecurity is going to model other professions like law, like medicine — the kinds of programs that have evolved over the centuries, in medicine, for example, the profession has produced standardized medical curricula, medical boards where you must pass common exams, ethical regimes, like the Hippocratic oath that describe appropriate behavior for professionals and encourage professionals to act with integrity and ethical concepts in mind.
You’re going to see more of what we were pioneering in our Cooperative Learning Program, which is essentially like a residency in the local industry. That program has been very successful in helping students to bridge the classroom into the workplace, quickly preparing them to take on responsibility and grapple with real problems as soon as they can.
I think students must be prepared to understand that there are no recipes in cybersecurity, no checklist menus to follow. What corporations, industry, and government are looking for are people who can think outside-the-box to solve problems. You know the basics, you understand how networks operate. You understand how the bad guys get in. now put them together in a way that creatively solves the problems at hand.
While there’s a certain common understanding that you’ll come to, as your career progresses, you’re going to want to be the type of employee who can take on responsibility. And as I said, think-outside-the-box, do critical thinking to solve problems.
Adversaries on the other side are highly motivated to keep trying and they’re well-funded by nation-states and criminal organizations. They are constantly changing, modifying, moving, trying new gambits and you need to be on your toes to defend.
Last question. In the context of us talking about cybersecurity and again, our audience is students or early career professionals, trying to enter the field. What’s the best piece of career advice you’ve gotten or that you give?
I tell my students they need to do a couple of things outside the classroom. They need to develop their reading list. There are sites — blogs, newsletters — that they can subscribe to that will keep them current so they develop the habit to constantly read. One of the exercises I have them do is to come up with a reading plan. How are you going to stay current?
The second thing I encourage them to do is to join professional organizations. Every major city has a Cloud Security Alliance (CSA) group or an ISACA group or an ISSA group. Go online to ISSA or ISACA and look for the local chapter. (CSA is the same).Then I join those chapters: they meet once a month; typically, student membership costs only around $25 to 35.
Membership allows you an opportunity once a month to hear a lecture on a subject of interest and, more importantly, to network with other cybersecurity professionals. This is, of course, an opportunity eventually to share your resume and to meet and greet people who could possibly become an employer. These are things I really encourage my students to do.
Thank you very much for your time and insight.