With cyber issues among the most complex facing society, educating young minds to tackle future problems has never been more important. Current approaches, however, are not good enough, Lesley Seebeck writes.
Each time a new cybersecurity strategy or initiative is released, there is a section reserved for people and training – the upcoming Australian cybersecurity strategy is almost certainly going to be no exception.
Just as each agrees more people should be doing cybersecurity, each will also agree that part of the solution will be more education. Not simply for people to staff cybersecurity operations centres. Education for boards, education for seniors, education for companies’ supply chains, and education for kids in schools are also needed.
In this debate, education is at risk of becoming a MacGuffin – a story device that drives a plot but is not important in and of itself – for many of the intractable problems that accompany digital disruption.
Worryingly, at times the language used in these policies implies that when educating, knowledge is to be transmitted, one-way, to others. One could infer that there is a singular ‘truth’ that must be told to the ‘security illiterate’. This cannot be how Australia educates its people on cyber issues. The difficulty for traditional approaches to cyber education is twofold.
Because of rapid change, the shelf-life of top-down, specific educational material can be fleeting. Information technologies, including digital and cyber, have been democratised in recent years. They are general-purpose, relatively easy to learn, and lightweight. With readily available data and computation power, anyone can access global-spanning networks, enabling their applications or malware to scale fast.
Cybersecurity is deep, broad, and far-reaching. It touches all aspects of the economy and society. Vulnerabilities may be hidden deep in systems and may lie dormant for years. Trust can be swept away by a single data breach or eroded over time by loose language or carelessness over personal rights. The reality is that building and managing complex systems is really hard, especially when they are intangible, dynamic, and localised, and it almost always involves failures and shortcomings.
The complexity and changing needs of cyber are not simply amenable to a standardised degree, where a student has a single, if years long, exposure to education. Things move too quickly for a one-off awareness campaign to be a success either. Education for cyber has to be something rather different. It must account for four specific things: needs, change, aptitude, and foundations.
First are needs. Cybersecurity needs may be complex to solve, like ‘I need experienced threat hunters and cyber forensics staff for this breach’, or simple, like ‘what is the one thing I need to know now’. Similarly, long-term needs may demand profound levels of knowledge, such as building foundational research programs and an industrial base.
On the other hand, someone may require only enough understanding to satisfy basic needs, such as being able to make informed decisions on whether to fund a system’s development or basic reporting to a board on the liabilities of such a decision.
Second, cyber education must deal with constant change. Whether short or long-term, it must allow for adaptability. Cyber is an ever-changing field, in terms of exposure, the nature of attacks, and preventative behaviours.
Organisations respond to constantly changing competitive pressures, regulatory requirements, and customer needs, and technological change requires constant updating and adaptation. Education has to reflect this too.
Third is general aptitude. A number of roles within cyber often need aptitude more than skills. For example, good threat hunters need to be able to look at problems in a virtual environment differently and apply creativity. Skills can be taught and practised, but aptitude is much more difficult to instil.
Aptitudes for imagination, curiosity, persistence, and teamwork are all desirable in cybersecurity, but these may be hard to articulate and even impossible to find in traditional skills frameworks. Aptitude can be encouraged, mentored, or coached, and may be found in fields far removed from defence and national security. It must be part of any successful cyber education framework.
Finally are foundations. While nobody can know what technology will look like in 10 years – when today’s year seven students will finish their degrees – let alone 20 years, there’s a fair chance it will substantially involve data and artificial intelligence in a way that affects our daily lives.
Understanding computation, statistics, and algorithms requires overall mathematical ability, logic, and good problem-solving. It demands a broader base for understanding than, say, knowing the basic commands of a programming language.
To build a smarter future, we need students to have a solid grounding in mathematics, reversing the trend of the last 20 years. That needs to be rounded out with critical thinking and civics, asking students what it means to live in and support liberal democracies.
If these elements come together and materialise in policy, cyber education could start to look rather different.
Cyber education for younger students should encompass both cyber awareness – what you need to do to stay safe, and good cyber hygiene for instance – and an ongoing grounding in these critical foundations.
That means a focus on mathematics and critical thinking, though it is clear educators will need to improve how mathematics is taught and acknowledge that it requires readiness on the part of the student. Aptitude, too, must be nurtured. This can be done through a variety of means that suit the setting and student, as a one-size-fits-all approach is unlikely to succeed.
Last, without the development of a deep well of knowledge and understanding that only sustained, long-term research programs can deliver, Australia will always be on the back foot – defensive, suspicious of systems and people, and tentative about the future.
If education for the cyber age is to be taken seriously, it needs a rethink. This is not a problem that will be solved by government funding one-off programs on ‘cyber skills’. It needs a more holistic approach. One that encompasses a deeper understanding of people, a better grasp of the multi-dimensional nature of cyber issues, and a willingness to sustain the development of deep knowledge along with meeting immediate needs.