Dr. Shouhuai Xu serves as the Gallogly Chair Professor in Cybersecurity at the University of Colorado Colorado Springs (UCCS). At UCCS, Dr. Xu is renowned for his instrumental role in various cybersecurity initiatives.
He architected the UCCS Cybersecurity Strategy, POWER, which focuses on partnership, outreach, workforce development, education, and research.
He’s also contributed to earning prominent designations for UCCS, such as the NSA/DHS National Center of Academic Excellence – Cyber Defense, and securing the university’s membership in the USCYBERCOM Academic Engagement Network.
As part of his ongoing efforts, he’s spearheading the creation of a Cyber Range and new courses in cybersecurity at UCCS while also striving to expand the institution’s cybersecurity programs and research capabilities.
- AI and machine learning (ML) in cybersecurity: AI and ML will be increasingly utilized in cybersecurity. Current defenses, like Microsoft Defender, employ ML algorithms to detect malware.
- Evolving threat landscape: Attackers are becoming more sophisticated and can manipulate malware to evade ML-based detection. This evolution predicts a future of AI vs. AI in cybersecurity, with attackers leveraging AI just as defenders do.
- Cybersecurity job market: Despite the advancement of AI, there is an ongoing need for human cybersecurity professionals. The field is considered very secure employment-wise due to the perpetual arms race between attackers and defenders.
- Need for research and education: There is a significant need for more research and education in cybersecurity. This includes fundamental research to advance the field and education to prepare new professionals to handle evolving threats.
- Cybersecurity and healthcare analogy: Dr. Xu compares cybersecurity to healthcare, suggesting that just as we need hospitals for ongoing health issues, we need ‘cyber hospitals’ to address continual cybersecurity threats. This emphasizes the need for robust, responsive cybersecurity infrastructures.
Here is a full transcript of the episode:
Steve Bowcut: Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today on the show our guest is Shouhuai Xu, and I hope I’m saying that correctly, Dr. Xu. And Dr. Xu is the Gallogly Chair Professor in cybersecurity at the University of Colorado Colorado Springs. Our topic for today is going to be cybersecurity educational opportunities at UCCS. Let me tell you a little bit more about our guest before I bring him in.
Dr. Shouhuai Xu serves, as I said, the Gallogly Chair Professor in cybersecurity at the University of Colorado Colorado Springs. At UCCS, Dr. Xu is renowned for his instrumental role in various cybersecurity activities. He architected the UCCS Cybersecurity Strategy POWER, which focuses on partnership, outreach, workforce development, education, and research. He’s also contributed to earning prominent designation for UCCS as the NSA/DHS, National Center for Academic Excellence in Cyber Defense and securing the university’s membership in the USCYBERCOM Academic Engagement Network.
As part of his ongoing efforts, he spearheaded the creation of a cyber range and new courses in cybersecurity at UCCS while also striving to expand the institution’s cybersecurity programs and research capabilities. With that, thank you very much Dr. Xu. Thank you for joining me today.
Shouhuai Xu: Thank you Steven. Glad to be here.
Steve Bowcut: Okay. Well, we appreciate your time and this is going to be very informative for our audience. Again, I’m going to apologize for my pronunciation of your name. I did my best. So let’s get to know you a little bit better. So tell us how you got interested in cybersecurity. How did that happen for you?
Shouhuai Xu: Thank you. This is a very interesting question. So when I was in graduate school and I forgot, I read the paperwork book, popular book. The book is about the database and then there is a small chapter or a subsection in the book which gives the example question, which is the following: suppose you’re a company and then you have the salary table for your employees.
This is a confidential data, but there are many reasons, there are now people to query your salary table, for example, the administration or someone. They’re certainly not allowed to query, say what is Steven’s salary, right?
But they are not to query questions, what is the total salary of the people in certain categories? For example, the age between say 30 and 40 or things like that. And then you can imagine a malicious actor who can tailor the query such that I can make the query kind of specific to Steven and then I can immediately learn what is your salary and that breaches your privacy.
So quickly, that is kind of the aha moment, which I never thought of there is such kind of sense. So that quickly get me excited about now we call privacy. At that time I don’t even know what it is.
And then I explore more and then I get into cybersecurity in general. So this is very interesting to me. I hope that this will inspire our future generation students, cybersecurity scientist and engineer to seek this kind of aha moment to get them excited.
Steve Bowcut: Very good. Thank you. I appreciate that. All right, so let’s change our focus a little bit and let’s think about or talk about UCCS. So tell us about if a student was thinking of going to UCCS for their cybersecurity education, what kind of programs are offered there?
Shouhuai Xu: Perfect. So at the undergraduate level we have a bachelor of science in computer science, for which the student can choose a cybersecurity track or certificate, meaning that a student is going to take a systematic consider of cyber security courses. And then we also have a BA, bachelor of arts in computer science, which also has a cybersecurity track. And then we have actually degree BI in cybersecurity. BI means bachelor of innovation in security.
So this is very unique as the BI program created by my colleague many years ago because back then I think they are very insightful. They realized that cybersecurity or security is a field, not only needed the technical skills, but also needed the softer skills so that you can effectively communicate with say your managers or non-tech folks. So in that sense, we have a very unique spectrum of the undergraduate level education. So should I go?
Steve Bowcut: Yeah, talk about your-
Shouhuai Xu: Okay, great. So yeah, that is at the undergraduate level and at the master level we have a master’s of science of computer science. This is typical, but very unique is that we have master’s of engineering in cybersecurity. So this is a very unique meaning school to not have this particular scheme. So that’s at a master’s level.
And then at the PhD level, in addition to traditional computer science department, which has a PhD in computer science, we have a PhD in security or PhD in cybersecurity. Means we have the PhD degree specifically designated to cybersecurity, so this again is very unique.
So at the bachelor level we have a BI cybersecurity, which is a very unique, and then we have the other cybersecurity tracks in BSCS, BSCS. At the master level will have a unique ME cybersecurity degree and as then a PhD, will have a PhD cybersecurity degree.
Steve Bowcut: Excellent. So there are some unique opportunities at UCCS that I’ve never heard of that comprehensive collection of degrees that are specific to cybersecurity. So that’s excellent.
For just a moment, let’s change our focus again and let’s look at extracurricular activities. So if a student was thinking about coming to UCCS, are there cybersecurity clubs or events or boot camps or that kind of thing that they could be involved in outside of the classroom?
Shouhuai Xu: Absolutely. So first of all, we have what we call Mountain Lion. That’s our MOSCO cyber club. So these are the students who are excited about the hacking and the defense. So they do the various kind of capture the flag type of competitions. And we have the university committee resources to supporting them and actually I’m the faculty advisor to this group…
So this is a very exciting and many students get to participate in that. Then now we have research opportunities for our students. Of course PhD, masters, that’s by default, even for undergraduate students. For example, I sponsor NSF grants to sponsor REU students in research, which means research experience for undergraduate students. So right now I’m actually supervising two REU students. They did great in my cryptography class in the last spring and then they started to do research in the summer, and then they already determined that they’re going to.
One student already, he said he’s going to do PhD immediately after graduating with bachelor’s degree. Lazar is actually doing what we have. Okay, this is. We have accelerated master’s program, meaning for our undergrad student, that they can get a master’s degree within a shorter period of time. So we have mechanism to do that. So the other REU student is taking this trajectory.
I really want to highlight that these two students, undergraduate students right now, they’re still doing outstanding research and I have no doubt that the research we’re doing work at a high quality publication, which will be ready for submission towards the end of this year.
This is the research opportunity and then we encourage our students to do summer interns or even a regular semester they can do interns in the companies. We have a very strong industry in the Colorado Springs area. There are many companies, especially DOD contractor companies. So there are many opportunities because they are eager to hire our graduates.
Steve Bowcut: Very good. All right. So excellent. This is great information and I wanted to ask you next about things that you think make your cybersecurity program unique, but you’ve already mentioned so many of them with the various degree programs that students can choose from, research at an undergraduate level, as well as research at a postgraduate level.
Is there anything else that you want to mention that makes your cybersecurity program unique from other schools?
Shouhuai Xu: Absolutely. I want to mention a few things. First, Steven already mentioned the cyber range we’re creating at the UCCS. So many schools, they also use cyber range, but they use a commercial service, which is to us, which is very expensive. And we here, or I cannot say in order to use that service we have to raise the tuition students. I don’t do that. That’s not our philosophy.
So we have a grant from Universal Credit System. We’re building cyber range and we’re corresponding a sequence of courses, which is the first course is called Introduction to a Defensive Cyber Operation. And the second course more the ones is the defensive cyber operation. So this course are not like the other universities because actually when we prepare these courses, we look at all the materials available like in the internet and then we realized that actually there are many teaching students how to hack.
A lot of them are curriculum material are available there like ethical hack and however, so the how to do defense is actually there’s not much material available. So we kind of need to do a lot of things from scratch. This may reflect why we call it defensive cyber operation. That’s because I worked with a collaborator, a colonel at the DOD and he suggests that defensive cyber operation or DCO in the language of DOD is the probably most wanted or needed skillset.
So this is the one and what is unique here is that we not only teach students to say the experience learning or hands-on experiment, but we also encourage students to conceive and come up with their own design of cyber attack defense game so that we can do the war gaming in our cyber. So this makes our education super unique. I have to say you don’t see this opportunity in other universities. So this is the one thing I want to highlight.
And of course we are treating cyber range of education. The research is kind of two year one. So then it’s not just for education or just for research. They actually help each other. So for example, when we do the research, we find interesting scenarios. Then we use other scenario in our curriculum teaching. Other thing I want to highlight is that as Steven mentioned, that we are member of the US Cyber Com and Academic Engagement Network.
So I just want to highlight of our student project I supervised and it was a mentor by a colleague at the US Cyber Com and we won earlier this year. We won the Analyst Award. So that is a great honor and that shows that our students can do outstanding job.
Yes, rather same unique to UCCS I want to highlight is that kind of on par with the US Cybercom AN. We’re also the US based Com AEE, Academic Engagement Enterprise. So this mechanism also offer, they basically provide the kind of questions of interest to them and then our students can form team just do the research like we did for the US Cybercom AEN. So these research or training experiences I would say will give our graduates a big bonus point, when they apply the job to US Cybercom US Space Com. You have that token already on your resume, right?
Steve Bowcut: Yeah. Yeah. Excellent. Thank you so much for that. And I know again, you’ve mentioned some of these already, but I want to give you an opportunity to expand on this if you care to. So we all know that performing well in an academic environment may not translate directly to doing well on the job and being prepared for the real world of working in cybersecurity.
So are there any other things that you do or maybe you just want to talk about the importance of preparing students above and beyond having the academic knowledge but also what it’s like to work in cybersecurity?
Shouhuai Xu: Perfect. This is a bigger problem because we have the bigger shortage in supplying a skill for graduates because as far as I know, the government and the industry, when they hire graduates, often they need to retrain them for several months. So this is the bigger problem. It’s at the national level. So this is why the least National Institute of Standardization of Technology, they have worked on some framework to help solve the problem.
And we here, we realize this is a very important problem. That is why I had led the initiative to create the sequence, of course Introduction to Defensive Cyber Operation and the Defensive Cyber Operation. So we have many courses. We teach students the knowledge, which are certainly important because of the knowledge. We always inspire students to ask the why question, which is certainly important. But we also need our graduate able to ideally immediately cannot work on job duties or assignments.
So this is why we created this sequence such that for these courses, the primary lab based, project based and this project, like I say, supposed to have a network as this, how do you defend your network? So these are the courses or training we created by kind of transferring the knowledge learned into skillset so that this skillset can be used in real world daily job. And I’m having a close relationship with industry and the DOD and I invited them to give lectures. So this where also here for, me to make sure the curriculum material are even closer to what they lead.
Steve Bowcut: Perfect. Okay. And that’s what I was going to ask if you had some kind of an industry advisory board or what mechanism you have in place for gathering input from the industry to pass on to your students. So that’s excellent. Anything else that you wanted to add to that?
Shouhuai Xu: Yeah. So actually I joined UCCS in 2021. So prior to that I was a professor at the larger institution. So the first major center, as Steven mentioned, I architected the UCCS cybersecurity strategy power. So if you have visited Colorado Springs, we have the highway cross tongue, it’s called Powers. So I feel this is very interesting. So power versus the Powers. That’s one, my first accomplishment, I would say.
And of course we get our re designation of SSCAE, that’s another one. And the yet last one is we created the annual Research Exchange, which is one day event with the local industry and our faculty members doing cybersecurity research. This is to foster the research collaboration and it is already become productive because we already have colleagues have joined the grant with them, successful funding from the federal government. And the next thing, the nexus and which is happening right now is kind of duplicating the success in the Research Exchange, but it’s the education exchange.
So we are going to have our first meeting on November 8th by inviting the local industry, the managers, admins, high level ratios to come to UCCS. Then basically I’m going to present to them our degree or curriculum and I want to listen them what would be the material they want us to teach our students, but we are not teaching and we want to work together. For example, how can we get their employees who already have, for example, a bachelor’s degree so that they can get a master’s degree which would benefit their company in the long run. So these are the kind of things our blueprint.
Steve Bowcut: Yep. That is so valuable to get that input from the industry so that the graduates you’re producing are really ready to go to work and can do the tasks that will be assigned to them. So I applaud that. Thank you so much. So one of the things that we like to do is we like to include in our show notes any kind of resources that you might think of, and I won’t ask you to come up with those right now.
But just for the audience after this recording, then Dr. Xu will send me any resources that he can, books, lectures, YouTube channels, anything that he thinks would be useful for your academic career in cybersecurity. So look for those in the show notes.
And I like to end in this. It’s kind of a fun question for our last question and I’m going to ask you, Doctor, to dust off your crystal ball and look into the future and tell us what you think the future of the cybersecurity landscape is going to look like.
Are there any big things that we should be watching for? Is it AI, is it something else or is it really just that we should be focused on the fundamentals? What’s your perception there?
Shouhuai Xu: Thank you, Steven. This is an outstanding question. So AI and the machine learning certainly will be widely used and as our research shows, and actually I just want to mention one research to get the audience excited. So we know the notion for computer malware which hack into your computer. And then right now I have many solutions like if you use Microsoft Defender and others. So they’re going to use some kind of algorithm and they typically machine learning algorithm to detect your malware, to detect the malware.
The thing is that their attacker, if they are sophisticated enough, they know the algorithm we are using, they can easily manipulate the malware behavior to evade the detection. Let me use a simple example. Suppose FBI has a profile say why is the terrorist, if you eat, drink and smoke, then the terrorist can easily evade that profiling by just eat, smoke and drink, right?
They see the kind of sense their adversary is going to do and as the time goes by, their attackers are going to become more and more sophisticated, later known nation city attackers. In other words, their attackers are also going to use the AI machine learning. So you mentioned it, we’re going to become your sense AI versus AI or machine learning versus learning in the cyber field.
So this may make some students think, oh, I’m going to lose the job because AI is going to do everything for me. So I heard this concern and I laugh about it because just at work, what we call adverse malware detection in that example, right? So in 2019, the MIT Lincoln Lab organized the worldwide challenge, how to defeat that adversary malware detection. Basically the attacker manipulate their behavior of their malware to evade the detection. So my team won first place in that worldwide competition.
So this is just a manifestation that as they attack and the difference technology get more and more advanced, the challenge is going to become even more demanding. The how can we defeat such capable attacks. So AI machine learning is going to certainly, will certainly play a very important role in the future for the long term, but there are so many technical problems. So this is why I said that we need the hundreds, maybe I exaggerated, but the hundreds of thousands of PhD dissertations, but even more master’s undergraduate graduates.
And therefore, especially for the undergraduate students, they should not feel that AI will make them lose the job. Actually, they should think cybersecurity is the safest job because they never ending arms race between attack and the defense. So depends on their perspective. So simply I want to say the challenge is going to become even more significant. That’s why we need more people to do research. And then we also need more people to do fundamental research.
I’m going to use medical science or healthcare as an analogy. So as time goes by, we can cure many diseases, but we still have many diseases we cannot cure. So we need to do fundamental research. This on the one hand. On the other hand, we need to create many high quality hospitals because of people getting sick. So this is kind of analogy, similar or parallel to a cyberspace. We need to do a lot more fundamental research. We also need to create quote unquote cyber hospitals because competitors get hacked and network get hacked.
Steve Bowcut: Very good. Thank you so much. Thank you for your time today. This has been enlightening. I appreciate you doing this and I know that our audience is going to love this as well. So thank you. I appreciate it.
Shouhuai Xu: Thank you. My pleasure.
Steve Bowcut: You bet. And a big thanks to our listeners for being with us today. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.