Tamara Shoemaker is the director of the University of Detroit Mercy’s Center for Cyber Security and Intel Studies. She is also the founder of the MCISSE CyberPatriot program.
How did you first become interested in cybersecurity?
I started out in physical security. I ran a private investigation firm for 12 years — all female-run and owned and operated in Michigan and have transitioned into cybersecurity for the last 16 years.
I started — and this was a really long time ago — I started with listservs and those kinds of things to teach myself how to do some of the legwork online. Instead of sitting in a hot, sweaty car stalking somebody, I could figure out all kinds of things that I was investigating. I could put together some stuff before we actually went out to the field. That’s where I started cybersecurity. Also, I’m married to a techie, which has been really helpful because he helped me work my way through some of that stuff.
He has been teaching forever, like 36 years, at the university, and he started to dabble in cybersecurity. He started moving from quality assurance to cybersecurity. He’s a bit of a standards savant, and so that’s his thing.
Basically, we figured out that stalking in a hot car was really not what I really wanted to do with the rest of my life but that this cybersecurity thing really inspired me. So I continued to go down that track. I am more in administration, and so I leave all the teaching and all the techie, really, really heavy techie stuff to those folks that know that best. I run the center. It was real, real easy for me to do that since I had already run a client-based business.
Can you tell us more about the Detroit Mercy Center for Cyber Security and Intel Studies?
The center was born 15 years ago. The NSA had been putting out calls to try to get folks to start studying and teaching cyber in the late 90s, and we jumped on board. We built out a program with our partners in the criminal justice department and we were able to get funding and some DoD research work to build momentum and build up the center.
We have both the computer information systems department and the criminal justice department working together. Currently, my main thrust as the director is the community outreach for the CyberPatriot program, which is a competition for high school and middle school kids. One of the things that just keeps coming up is that there are just not enough people in the pipeline. The pipeline takes a long time for us to turn out a finished product to be able to actually fight this war against all of the cybercrime that’s going on out there.
I contacted some folks and found out about how we could get kids inspired and how I could get them aware earlier about this career track. I know that you’ve seen all of the statistics about the 400 million job openings that just can’t be filled. They just don’t have the people to fill them, but it takes a long time for us to get them through the system. So for the last five years I’ve been concentrating on the K through 12 space hoping to plant the seed and get those kids to start thinking about this as a career and to make sure that it’s a real diverse population.
One of the other things that they find in a lot of studies is that cybercriminals are not one size fits all. They don’t all think the same. They don’t all have the same background. They don’t come at this all of the same way. But what we keep doing is saying that what worked before will work again. So we keep throwing the same sort of people at the problem, which is not getting us anywhere. So I’m working real hard on making sure that we have a diverse population in this field.
Because we are so into the standards — my husband was one of the subject matter experts on the NIST NICE framework — I became involved in that too and it has been really very helpful while I’m working in the K through 12 space because everybody thinks if you want to go into computing, then you must love coding. You must love math and you must love coding. And if not, then you need to go to something else. It’s just so not true. There are so many pathways to these jobs, which are so varied. That framework is a really good resource for me and for everyone to use to look at all of the different skills and abilities needed for the different cybersecurity jobs.
The framework describes all of the knowledge, skills, and abilities you’re going to need. Instead of just guessing about what it’s going to be like when I have this job, you can actually sort of drill down and see oh, this is what I’m going to be doing. I really like to use it as a tool with my middle school and high school kids to say, “If you don’t like coding, then you don’t need to be going into development. You need to be doing some of these other things that are more aligned with what you like to do.” I love to use that as a resource.
So how do you use the NIST NICE framework with your students or the people you work with?
Unlike other bureaucratic standards that are just these big, thick, 500-page, really, really hard to work with documents, the folks at NIST and NICE have spent a lot of time making it easy to use. So if you go on the NIST NICE website, there’s a resource page. They have it actually as very interactive, so you can click on one of the categories and it will drill down to all of the job titles for that. Then you can drill down to, when you go to the job, the name of the job. Then you can drill down to what are the key knowledge, skills, and abilities (KSAs).
They even have career mapping and certifications that go along with and all that kind of good stuff that you’re going to need to know if you’re going to actually plan a career in that area. They spent a lot of time doing that and making it user friendly so that we can use it as a resource. The lexicon was the starting place so that we could all use the same language. When they first started there were, I don’t know, 15 different ways to say cybersecurity.
No one was talking about the same thing as a definition. Particularly when talking about jobs, and so I could be graduating a bunch of people, but I’m calling them this. And the employers are calling them something else, and so we’re not meeting. So we’re not helping the situation. With as many open jobs that we have if we’re not talking about the same thing, then we’re never going to fill those gaps.
That was the goal for the government to make that a standard. They brought in a ton of experts from all over. In fact, they’re doing it right now again. They’re updating it, so they’re revisiting it because they did do that several years ago.
Can you tell us a little bit more about the CyberPatriot program?
One of the main critical things that employers have is that many of the kids that graduated from programs don’t have any hands-on experience. This hits all of the boxes for me and it’s why I’ve been working so hard for the last five years to get it adopted in all the schools across Michigan. At a high level, CyberPatriot is a program where students work on a team of two to five and they are given a virtual business. And in that business, they have what normal IT businesses would have. They have some of their operation on Microsoft operating systems. Some of their operation is on Linux systems. They have some Cisco networking, obviously, if they’re going to be on the internet. Participants are given a six-hour window in which to take this business and secure it, to find all the vulnerabilities, find out if there’s any malware, find out all the things that they need to about the systems that are interacting with each other, and make sure that this business stays up and running.
The beautiful part about the program is that it is very inclusive. It was really important to me that there aren’t too many things that would prohibit folks from being involved in this. The competition piece is geared for middle school and high school, but there are other parts of the program for K-5 that include video games that are free to anyone who wants to download them. There are also resources for teachers that include talking points and live presentations that go along with it, so it teaches them just an awareness level. They’re playing these little games that say things like, they’re walking down a neighborhood and some stranger says, “Hello, what’s your name?” Then do they tell them what their name is or do they say, “Nope, sorry. I don’t talk to strangers.” Then it explains that you also don’t talk to strangers when you’re on the internet.
Then by middle school, we’ve built it enough so that students actually understand some really cool cybersecurity principles, and then they can start competing. Middle school kids only compete against middle schools across the country. Then there are two divisions for high school kids. It blew up. The open division is just amazing. Last year we had over 6,500 teams across the country playing each other.
The nice part is it’s virtual and it has rounds. So every month from October to February they go head-to-head in a virtual competition over the weekend. But the other cool thing is that since it is virtual, there are no travel costs. They get a ton of swag and it costs $205 to do a whole season. And teams don’t necessarily have to be from schools. They could be homeschooled kids or Boy Scout or Girl Scout troops. It could be a rec center group. It could be a church group. As long as you’ve got two to five kids and an adult that supervises them, you’re good to go.
Also, the other really, really important part is a mentor, and that mentor we bring in from industry. You get folks that want to volunteer their time to help those students so the heavy lift is not on the teacher to teach them tech and teach them cyber. The people who are doing that are the people in real life who really are doing it. I love it because that brings it to life.
And I make sure when I talk to mentors to tell them, “Hey, talk to them about everything. Talk to them about how you got there. Was it a straight line, you went from right out of high school into four years of college and you went that way, or did you take a couple of detours along the way? How did you get there? How did you afford it? And now, are you making a good living? What do your hours look like? What does your day look like?” They get to make it real and they get to teach this stuff to the kids.
The thing that’s really cool is that the mentors always thank me. It’s like wait, you volunteered your time and you’re spending a lot of time with high school and middle school kids. What are you thanking me for? They are because they said they get so much from it, they just can’t believe it. Not only do they get just the satisfaction of working with these really beautiful, shiny new pennies that have everything in front of them and an imagination and intelligence that we just don’t understand because they’ve grown up with all this technology. It’s not scary and spooky and weird to them. It’s like ooh, what can I make it do next? And they also learn so much from the experiment. These are people who are seasoned cybersecurity people, but when you’re breaking it down and you’re teaching it to students, they suddenly are learning a ton too.
There are three different levels, and so any level of skill can do this. If they can just turn on a computer, that’s fine. Then they will be at the silver level. If they’ve got some good skills, there’s a gold level. And then there are the kids that have been doing this stuff since forever, and they could reverse engineer the game if they wanted to. Those are the platinum kids and they are at a level that competes in the national finals.
After the regular season is over, the top 28 teams, that’s the only time that it’s physical, that they actually get to see their adversaries. They’re flown to Maryland for the national competition, and then they go head-to-head. Then they’re still given a company and they have to secure it. But now they can see who they’re playing against, and there’s a red team on the premises that’s attacking them. Then they have a bunch of challenges that are thrown at them from folks like Facebook and IBM and Cisco, and all those guys that are our sponsors now get to have a whack at them and get to see them under fire and how they react and how they work as a team.
That’s another component — they do have to work as a team. We call the person sitting behind the keyboard a pilot. They tap in and out. It takes two computers, by the way, really three, to run the program. To run a team, one will have Microsoft virtual image, one has the Linux virtual image, and then the other one is for research.
One can only imagine where they’ll go after the experience of these competitions. Also, for me working in higher ed, it does take us so long to get them through, but when they’re in middle school and high school, if they’re getting the basics and the beginnings, we don’t have to spend that first two years in university getting them up to speed.
What does the cybersecurity program look like at Detroit Mercy?
The cybersecurity program began as a combination of information assurance and criminal justice programs. Like I said, it was a long time ago, about 15 years, the criminal justice folks were also working on an intelligence analysis program. So we started to work together on our research and started to work together on forming this center and how we would have it all go together. It’s been a really nice synergy between both sides. We actually have each department on either side of the hallway and then labs at the end of the hallway.
We started working on projects together as a group and it just made more sense to combine our efforts. We look at things differently. We do not look at it just from the technical lens, while that’s a really important part that you must secure. There’s also that psychology of the criminal mind and all the criminal procedures. It really just makes sense for us to all be together in one place and to be sharing those ideas and to be building out programs to do that. In fact, the university is working on a joint degree that will be both cyber and criminal justice as one study.
What about online degree offerings?
My husband’s program, the master’s in cybersecurity, or it used to be called information assurance/cybersecurity, that’s the master’s program that’s been alive for 15 years. It went all online six years ago, so he had all of the bugs worked out on how that all works. The program can be completed in a year if you go full time. If you go all spring, summer and fall, you can get it knocked out in a year.
He did that on purpose because most of the folks that are getting a master’s degree in this are working individuals. They’re not traditional students, and so he wanted to make it so that it was something that they could get done quickly if they needed to, especially if they were retooling from a different career. He wanted to make sure that it was doable in a finite amount of time. You can also take it part-time. It’s just the way things are scheduled, it’s on a year loop. So you’ll always know when those classes are scheduled and when you need to take them, and so there’s no, “Oh no, I’m missing some classes,” or something as long as you have looked at the whole year.
Our undergrad in cyber has been half-and-half. Some of it is online. Some of it is in person. Some of the more technical hands-on kinds of things tended to be labs that you come into the lab and worked on, while then some of the lectures you could do online.
It will be interesting to see how all of the recent changes with online and remote learning will impact the future of university-based education.
It is very thought-provoking. But I mean, as we move through, we really need to start thinking about how education will change. What’s the bare minimum we can get by in those core classes that will help a traditional aged student become a well-rounded adult at the end of the day. Keeping in mind we have to make sure there’s enough room in there to cram them full of all the things they really are going to need when they hit the ground running in their career. Again this is why I strongly believe in pushing some of the basic knowledge in cybersecurity down into K-12.
Switching gears a little bit, what kinds of things have you seen change during that time in terms of the conversations people have about cybersecurity or the interest in cybersecurity?
It’s changed quite a bit — 15 years ago when we talked about cybersecurity, they sort of looked at us like maybe we were talking about Y2K and the big thing that would wipe us out, but that never happened.
Since I was a private investigator, I know that databases have been around forever. We’ve been giving away our information for free — forever. Just for that little discount card, we’ve been giving all of our information. Here, have our date of birth and all our personally identifiable information (PII). So we’ve been giving away information for a long time, but now ordinary people understand because they are being hacked. It’s not just the big companies that people are after. In fact, my husband loves to use the bear in the woods analogy where you don’t have to outrun the bear — you just have to outrun the people that you’re with.
That’s what it’s become now, and so a lot of the really big companies and the big databases that were hit all the time, it was like, “Oh, too bad for them, but I’m never going to get hit.” Well, it’s not the case anymore. Now every little penny counts. So if they hit a lot of regular people for small amounts, that still adds up.
I mean the law took a long time to catch up. They weren’t even prosecuting people correctly for a really long time. And even to this day it’s difficult to get folks like the FBI or anybody interested if it’s not tens of thousands of dollars that’s been stolen.
There are a lot of statistics out there that say that everybody is listening to the cybersecurity message because the hackers are going after small to medium businesses. The last article I read said that small and medium businesses have become the hardest hit because they are the slower bears. Let’s get real here, they don’t have a huge IT department and cybersecurity folks. When shut down by hackers, one in four will go out of business because of that exploit. That makes it real, right. If you’re going to have to close the doors because you got hit, or couldn’t pay a ransomware so you were down for a couple of days and you lost business, and you can’t recoup, it makes a big difference and it makes it real.
Romance scams are hitting our seniors like crazy. So the most vulnerable populations right now are our young people and older people. The young people because they’re making themselves vulnerable by oversharing, and they don’t really know who they’re talking to online and all of that awful stuff that could happen there. Then the same thing is happening to seniors. Seniors are trying to stay connected, and so they’re embracing this technology, yet they don’t completely understand it. They also don’t understand about the oversharing either.
The bad guys are really persistent and dedicated. They could spend six months to a year grooming someone before they ask them for money. Again, they’re working with hundreds of people at the same time and they’re getting money from them all at a different time. That’s enough for them to make a living.
If you were to create a cybersecurity reading list or a resource, what would you add? What things would you recommend for people to read to get up to speed on some of the things we’ve been talking about?
I want to put in a shameless plug for my husband’s book series because I’m just really proud of the stuff that they’ve worked on. He’s got this really great book series where he takes these things that are important and makes them more understandable. That’s why I said his book series. And it’s not just textbooks that he wrote. They’re written so that anybody in business could pick this book up and understand how cybersecurity fits in the grand scheme of things.
From your perspective what do you see as the future of cybersecurity? Or when you’re looking forward 5 to 10 years, what kinds of things are you thinking about or maybe the students you’re working with, what are they talking about or thinking about?
I’m truly inspired by the kids now. My generation was really worried about how much money they would make. But the thing that’s really cool about the generation right now that I’ve been working with is they want to do service. They want to know what they’re doing is important, which this definitely is. So I’m encouraged by that spirit of wanting to give back, wanting to be involved in something that’s important.
I’m encouraged because I feel like so far it’s been a really big, hard part that we’ve had to snap security on at the end and add it to things, and like I said, this culture change really needs to happen. I truly think that these kids, because they’ve been enabled with the technology from the beginning and hopefully they’re going to be getting the message in the schools about securing themselves and being safe, that they’ll bring that forward. So when they’re developing the new innovations, they’ll already have been thinking about all cybersecurity repercussions.
So I’m very encouraged about the way forward.