Dr. Terence Soule is a professor and Chair of the Computer Science Department at the University of Idaho. Faculty profile.
Listen to the full episode:
Here are the key points
- AI and machine learning: Soule explains the difference between artificial intelligence (AI) and machine learning. AI is about making computers behave intelligently, while machine learning is a subset of AI where computers learn patterns and make decisions based on data.
- Current research: His current research involves evolutionary computation, using models of evolution as a learning tool in AI and machine learning, with applications in cybersecurity.
- Educational opportunities at University of Idaho: The university offers a range of cybersecurity programs, including bachelor’s degrees, minors, certificates, master’s programs, and a PhD in computer science with a cybersecurity emphasis. The focus is on fundamental cybersecurity principles and hands-on experience.
- Student demographics: About half of the students entering cybersecurity programs at the University of Idaho come with a specific interest in the field, while the rest develop an interest during their computer science studies.
- Industry collaboration: The university maintains an industrial advisory board to align its curriculum with industry needs and trends.
- Future of cybersecurity and AI: Soule anticipates gradual but significant changes in both fields, with quantum computing potentially impacting cryptography and the need for more secure computing systems.
The following is a transcript of the interview:
Steve Bowcut:
Welcome to the Cybersecurity Guide podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. Thank you for joining us today. We appreciate you listening. Today our guest is Dr. Terence Soule.
Dr. Soule is a professor and the Chair of the Computer Science Department at the University of Idaho, and I’m excited to get to know him a little bit better and find out what’s going on at the University of Idaho, and that’ll be their topic today. So, the primary topic that we’re going to cover is educational opportunities for cybersecurity students at the University of Idaho.
So welcome Dr. Soule. Thank you for joining me today.
Terence Soule:
Thank you very much for the opportunity.
All right. So I’m looking forward to this. This is going to be fun. So let’s help our audience understand you and your background a little bit. And as we’ve discussed before the recording, cybersecurity is not probably best described as your primary interest or interest area, so I’ll let you just talk about that. But how did you first become interested in cybersecurity, and how did that fit into your progression?
Terence Soule:
Good. Yeah. So my primary area is machine learning and artificial intelligence, but I do some work with cybersecurity, especially a lot of the faculty here. And I was thinking about it where I first became interested in cybersecurity, even though it’s not a main focus, certainly have a lot of interest in it. A book called The Cuckoo’s Egg by Clifford Stall.
Steve Bowcut:
Okay.
Terence Soule:
One of the very first high profile cybersecurity events, if you will. And I read that probably a couple of decades ago, and it always has remained a thread of interest in my work.
Steve Bowcut:
Oh, interesting. Okay. We will put a link to that in the show notes. Cuckoo’s Egg by Clifford Stall, is that what you said?
Terence Soule:
Yes. Cuckoo’s Egg.
Okay. So we’ll put a link to that in our show notes so that the audience can look that up if they’re interested in learning more about that. Okay. So as you mentioned, your primary area of expertise is machine learning and artificial intelligence. And this is self-indulgent for me, but do you have a elevator speeches, a very quick and concise way of describing the difference between those two? How does artificial intelligence and machine learning relate to each other and the differences between them?
Terence Soule:
Sure. So artificial intelligence is the broader field of trying to get computers to behave more intelligently. Machine learning generally fits within that broader field as techniques that’s in which the computer specifically learns on its own. So what’s currently very popular is big databases for say, image recognition.
You have lots of labeled images and software that looks through those images and tries on its own to find patterns to be able to recognize this is what a phish is or this is what a bird is. And so software that you give it training data and it learns on its own, makes it machine learning.
Artificial intelligence includes that, but lots of other areas, so for example, expert systems where you talk to experts and hand code their rules would be considered a form of artificial intelligence, but not machine learning because a programmer is putting in all of the rules.
Oh, okay. All right. I heard artificial, I appreciate that. That was very helpful for me. And I heard artificial intelligence one time described as anything that our perception is that it would require a human to do, but a machine can do it. And then the example, the extreme example that’s typically given when people describe it that way is the answering machine.
So if you go back 50 years, an answering machine was something people, it was hard for them to conceive that a machine could answer your phone and take a message and then play that message back for you. And so that would be an example of artificial intelligence. And I’m not sure how applicable that is, but would that fit? Yeah, I guess the idea there, does artificial intelligence change, but as people accept it and get used to it and understand how it works, we realize it’s really not artificial at all. Is that fair?
Terence Soule:
Or not intelligence at all? Absolutely.
Steve Bowcut:
Or not intelligent at all. Okay.
Terence Soule:
If you go back, I’ll say 50 years maybe, people said, well, chess is this extremely complicated program or problem. And for anybody to play chess well they have to be intelligent. And now we have expert chess playing programs that nobody could possibly beat, but they don’t feel very intelligent because all they can do is play chess.
Steve Bowcut:
Is play chess. Interesting. Okay. Very good. I like that.
Terence Soule:
So definitely that line for if a computer could do this, it must be intelligent, keeps moving ahead.
Okay. All right. So tell us a little bit about any research that you’re currently working on either in AI or cybersecurity, but is there research that you’re currently working on and at the same time, is there a thread or a through line of research that’s guided your career?
Terence Soule:
So yeah, in terms of, my career, what’s guided it is been curiosity. So I find a question like, ah, it piques my interest and then I get to go and tackle it, which is one of the nice things about being an academic is you can go off on tangents if they interest you. A lot of what I do these days in AI machine learning is what’s called evolutionary computation, which is actually using models of evolution as a learning tool.
So if you think of a population of say, rabbits evolving over time to escape predators, you can do the same thing with computer programs. You can create a population of computer programs and have them evolve over time to get better at solving some problem.
Steve Bowcut:
Interesting. Okay.
Terence Soule:
And there are some applications within security to that. So you can imagine a program and its job is to identify attackers and you can have a set of these programs and let them evolve. The ones that do the best job you copy and mutate and try variations of
Steve Bowcut:
Perfect. That’s exactly what I was thinking when you said that, because if you had a series of computers and they were programmed to look for anomalous behavior that is threatening, that over time they could learn that easier and improve on that. Oh, interesting. Okay.
Terence Soule:
Exactly.
All right. So let’s get to the meat of the conversation and let’s talk about the University of Idaho specifically and tell our audience if you can, what cybersecurity educational opportunities a student might find there.
Terence Soule:
Okay, excellent. So I like to characterize our educational two pillars that guide us. One is the fundamentals of cybersecurity. So it’s a rapidly changing field and we want to make sure that students are prepared for what might be coming down the road in 10, 20, 30 years. So we put a lot of focus on fundamentals.
And then the other one is hands-on opportunities. So the opportunity to really apply those skills. We have a number of different programs. So we have a bachelor’s program, we have minors in cybersecurity, a couple of different certificate programs, a master’s program, and currently only a PhD in computer science, but with a cybersecurity emphasis. And we’re probably in the next year or two, we’ll have a PhD specifically in cybersecurity.
Steve Bowcut:
Really good.
Terence Soule:
One of the things we offer is training at a whole bunch of different levels. Come in with an interest in a different area and do a minor in cybersecurity, or you can start with a bachelor’s and work all the way through a PhD.
Interesting. And this thought, this question just occurred to me and so I’m not sure what the answer would be, but do you have any insight as to the students coming into the University of Idaho? Most of them, the ones that end up with a degree in cybersecurity, are they coming in with that in mind or are they computer science students who just, their interest evolves to be more security-centric and therefore they decide to go that direction? Do you have any insight to that at all?
Terence Soule:
I would say it’s about 50/50. So we certainly get students to come in and they know about cybersecurity and they’re excited and that’s what they want to do. But then quite a few who are interested in computer science in general and find that to be their focus.
We’ve actually set up the program to take that into account. So the first two years for the bachelor’s of the cybersecurity in the computer science were almost identical. So students can be in the program for two years before they decide I definitely want to do computer science or I want to do cybersecurity.
Steve Bowcut:
Oh, good. I love that.
Terence Soule:
And even then we get some overlap. So I’ll have students who will do the computer science degree but get a certificate, for example, in cybersecurity.
Steve Bowcut:
Very good. I love that. I know it was my experience and my children have had the same experience. It takes a while to figure out what you really want to do, where your passion is at, and you may think it’s computer science, but changing to cybersecurity may be a decision that people might want to make. So it’s nice that they’ve got a couple of years or they don’t have to backtrack much to change course. So that’s very cool.
Terence Soule:
Yep, very intentional.
Are there any cybersecurity projects or programs like extracurriculars? Sometimes there are teams that do hacking and compete or programs as part of a study, of a course that they have to get involved in or have the opportunity to be involved in, or any of that kind of thing?
Terence Soule:
Oh, absolutely. The major one is all engineering students, so we’re in the College of Engineering, are required to take a year-long capstone design course.
Steve Bowcut:
Okay.
Terence Soule:
So it’s a team-based project course. So it’s a team of students working on a particular project for a year. We have what are called clients, which are often people from industry. They may be faculty members with a particular research question. And so our cybersecurity students also have to go through the capstone project course. And so they get at least a year of working on some project either sponsored by industry or sponsored by a faculty member’s research.
Steve Bowcut:
Oh wow. Very cool. That would be interesting.
Terence Soule:
Yeah, it covers all sorts of different areas. One of the projects that comes to mind, I think it’s cool, we have a lot of faculty who do research on securing the power grid. So a particularly important area of cybersecurity is infrastructure.
Steve Bowcut:
For sure.
Terence Soule:
And so one of the teams recently did basically a mod for Minecraft, if you’re familiar with Minecraft.
Steve Bowcut:
Well, I know what it is.
Terence Soule:
Yep.
Steve Bowcut:
I don’t play it, but I know what it is.
Terence Soule:
Which basically simulates a power grid so that it can turn it into a test bed for doing research in.
Steve Bowcut:
Oh, okay. Very good.
Terence Soule:
So that’s one example. But we also have faculty who are very interested in internet of things security. So as you get more intelligent devices, internet connected refrigerators and ring doorbells and smart homes, it comes along with a lot of increased security, potential security vulnerabilities. And so that’s a pretty big area of research. And we have students who, for their capstone design, work on those sorts of projects.
Interesting. Very good. And you mentioned industry, and I’m always interested in exploring this idea that, so in industry right now, there seems to be a very significant shortage of skilled cybersecurity professionals. And you read about it all the time. I’ve written several articles about it and I’m always interested to explore how does education, how does academia respond to that? So are you, at University of Idaho, are you doing things to fill that gap as quickly as possible, or are you listening to industry and teaching certain courses or going certain directions? Or what is that relationship like?
Terence Soule:
So what we have is an industrial advisory board. So we have people from industry, it’s actually a mix, industry and also national labs like the Idaho National Lab. And we meet at least yearly. We actually communicate via email quite a bit more often than that.
But we have a yearly meeting. We go over the curriculum, they meet with students, and so they interview the students and say, what have you learned and what’s been good? And then they give us feedback and that absolutely influences the direction of our curriculum. So we try to be very responsive to industry’s needs.
And are you getting the sense that what industry wants, are people with just the basic level of education so they can come into the workforce and be an analyst and a SOC, or are they really more interested in people with that working on an upper degree, graduate degree, and maybe they’re going to do some threat intelligence research, that kind of thing for their organization, or is a combination of both, I presume?
Terence Soule:
I would say all of the above.
Steve Bowcut:
Okay.
Terence Soule:
For sure. So one of the things we have in part, well in large part to meet industrial’s needs, our master’s programs are available remotely online.
Steve Bowcut:
Okay.
Terence Soule:
So we have a whole, it’s not self-paced.
Steve Bowcut:
Yeah.
Terence Soule:
Students who are remote follow along with the class on campus. Usually it’s recorded lectures, so they’ll watch the lecture in the evening on their own time. And that’s one of the things that industry has really requested is that ongoing education opportunities for their employees.
Steve Bowcut:
Okay. Very good. All right. So let’s-.
Terence Soule:
… At the master’s level, we’ve got some certificates as well at the undergrad level that can be done similarly.
Very good. So let’s focus back on the undergrad level. So if you were a, picture in your mind, a young student, maybe they’ve already gone through the first year, the first couple years of computer science or cybersecurity, but cybersecurity is something they’re thinking about, they would like to focus on, what would be your top picks for a reading list or research that they could do on their own, or learning they could do on their own, books or papers or lectures or websites or conferences to go to that kind of thing?
Terence Soule:
And I apologize, but it depends a lot on what their interest is.
Steve Bowcut:
Okay.
Terence Soule:
I mentioned the Cuckoo’s Egg, let me see if I can find the title. There is another book that I quite liked, Countdown to Zero Day.
Steve Bowcut:
Oh, yeah.
Terence Soule:
Which is about the Stuxnet virus.
Steve Bowcut:
Yeah, I’ve read that one. Yep.
Terence Soule:
Okay. Yep. So in many ways that is my recommendation for students, is that more general what’s going on in the real world. I find it very motivating. And then in terms of learning the material, that’s a good chance to focus on courses.
Steve Bowcut:
Yeah, interesting. I find that interesting because both of those books have been out for a number of years. And I know there’s one school of thought that says that this technology is changing so fast that, and I know that students feel this way sometimes, they feel like, well maybe I’m wasting my time to be reading these books that are 10 or 15 or 20 years old.
Stuxnet was ancient history. But the principles that are taught there I think are still so relevant that in my opinion, it’s still worthwhile to read those kinds of things and understand how we got to where we are. And that’s, history always does that for us. If we can see how we got to where we are, then we can avoid some of the same mistakes and move forward. I find that interesting.
Terence Soule:
No, I would agree. I guess along those lines, and I don’t have one off the top of my head, social engineering is still a huge part of cybersecurity and vulnerabilities and always has been and probably always will be.
Yeah, no, I agree. In fact, I think, and this is my own perception, that it’s becoming more and more relevant because as we get technologically better at defending against attacks, the threat actors have to rely more and more on social engineering. There’s almost always a significant social engineering aspect of every major attack or breach that we hear about. And so I find that interesting. All right, so we like to end with this kind of a fun question.
So this is where we ask you to dust off your crystal ball and look down the road five or 10 years and tell us what you think the future looks like. And because you’ve got such expertise in artificial intelligence, I’d like you to include that. So what do you see coming down the road in the field of cybersecurity, but maybe also in the field of artificial intelligence? What could we expect?
Terence Soule:
Okay. Yeah. So a few things come to mind. One that we haven’t touched on yet is quantum computing.
Steve Bowcut:
That’s true.
Terence Soule:
That’s quite likely, at least on the side of cryptography, to have a pretty significant impact on the future of cybersecurity.
And just your estimate, I’m not asking you to tell me anything concrete, but when do you expect that breakthrough is going to come? I get the sense we’re waiting for a breakthrough. We understand the idea, it can be done, but it’s really not practical and our encryption is still good for now, but it won’t be when the bad guys learn how to do this. So what’s the timeframe there?
Terence Soule:
So it’s an interesting question and I hate to go off track too much, but I’m not a hundred percent convinced that we aren’t there already.
Steve Bowcut:
Oh, no. Okay.
Terence Soule:
It wouldn’t surprise me at all if, at least at the level of large government agencies, they can’t do some decryption that isn’t available to everybody else yet-.
Steve Bowcut:
Which is disheartening because eventually it will be, if they can do it eventually the threat actors, if the nation states can do it, then the hacking groups eventually will do it.
Terence Soule:
But a lot of that is, I think going to be fairly gradual, just updating what forms of encryption we use, updating how information is being transmitted. So if you can use quantum techniques to transmit information that makes things like eavesdropping, at least theoretically impossible. And I suspect that that will happen very gradually. It’s expensive, it’s difficult to get right, and so it’ll be done first in the highest threat areas.
Okay. Interesting. Anything else in the way of artificial intelligence we should be expecting the future to bring?
Terence Soule:
So certainly I think we’re going to see similarly, a lot of incremental changes that each one of which seems pretty extreme but maybe isn’t so much. So right now we’re seeing a lot with AI generated art.
Steve Bowcut:
Yeah.
Terence Soule:
For people who’ve been paying attention, and not a huge number of people, but I’m amongst them, in some ways seems like a very big step, but it’s been coming for quite some time. I think we’ll see a lot of the same thing in cybersecurity. Machine learning and other AI techniques have been used in the past and they’ll be increasingly used in the future, but in incremental changes.
The other big change that I’m looking forward to, I don’t know if it’ll happen, but it’s one of the areas that we have a lot of faculty interested in, is just the underlying theory, and to some extent the hardware for computing in general. It was designed in a sense not to be secure. It was designed with goals of how easily can we communicate, how fast can we compute without a lot of concern about are we doing it securely.
So if you look at the fundamentals of computer science, things like the definition of a computer retaining machine doesn’t talk about security at all, it only talks about computation. And so I’m interested in part because I have faculty who are interested in it, but going back to those fundamentals and saying, well let’s, instead of just having a definition of a computing machine, let’s try and come up with a definition of a secure computing machine.
Steve Bowcut:
Oh, interesting. And that is a challenge, I would presume maybe primarily because people, although we all want to be secure, we’re really not willing to give up much convenience for that security. If you came out with hardware today that is really secure, but it’s not convenient, it takes forever to boot up and all of those things, it’s not going to be adopted well, I wouldn’t think. So it has to at least offer the same level of convenience that the public or researchers that are used to today and be more secure, I would think.
Terence Soule:
Yeah. I would say absolutely. At least close to the same level of convenience. We’re willing to… We’ve gotten training-.
Steve Bowcut:
That’s true.
Terence Soule:
… with a little bit of, you have to put in a password and oh, now it’s got to be 30 characters long and-.
Steve Bowcut:
That’s true. We have adopted to that technology. Okay.
Terence Soule:
But you’re absolutely right, it’s got to be a balance between security and convenience. Yeah.
Steve Bowcut:
Yeah. And security always is. All right. Well, thank you for your time today. This has been a lot of fun. Very interesting. I think our audience will find this interesting and more importantly, I think our audience will find it helpful. Anyone who’s thinking about the beautiful state of Idaho and going to school there, hopefully they’ll listen to this and take a look at some of the resources that we’ll put in the show notes.
So thank you and a big thanks to our listeners for being with us today. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide podcast.
Additional info
- The University of Idaho has an active Cyber Defense Club.
- The University of Idaho also offers a dual-credit program which enables high school students to start working towards college credits.