The news over the weekend was full of stories about how the youth of the nation was going to be taught cyber skills.
The TES noted that the scheme “is part of a wider drive to attract the cyber experts of the future” following the announcement about a specialized GCHQ program for teenage girls, while the BBC reported that “getting young people involved and getting them taught from a young age will allow them - even in their home environment - to protect themselves”.
The intention is to “support and encourage schoolchildren to develop some of the key skills they would need to work in the growing cybersecurity sector and help defend the nation’s businesses against online threats”. This comes with £20m of government funding to deliver an extracurricular school programme “which will see an army of expert external instructors teaching, testing and training teenagers selected for the programme”.
Named “The Cyber Schools Programme” and led by the Department for Culture, Media and Sport (DCMS), it is aimed at teenagers aged between 14 and 18 and is targeted for launch by 2021.
In the statement, Minister of State for Digital and Culture Matt Hancock said: “This forward-thinking programme will see thousands of the best and brightest young minds given the opportunity to learn cutting-edge cybersecurity skills alongside their secondary school studies. We are determined to prepare Britain for the challenges it faces now and in the future and these extracurricular clubs will help identify and inspire future talent.”
The concept is interesting. As someone who did take “IT” lessons in school, which mostly consisted of learning Windows, the basics of email communication and, later on, the internet via chatrooms, I was one of the early generations to be taught the basics of computing. These days, though, security and privacy are being taught, probably because the current generation of “Snapchatters” is deemed to be so insecure.
Looking at the programme, it will be a four-year process delivered in modules, meaning older students can join at any point providing they meet the right criteria. Students “with the aptitude and enthusiasm for the subject” will be invited, and taught both in classrooms and online for four hours a week. This will initially only be available in England.
Will this make any difference to the skills shortage, or just prepare a tech savvy generation?
Mark James, security specialist at ESET, said that in order to bridge the gap in cybersecurity skills, investment has to be made in youth at an early age. “If the right foundations are laid then the interest will follow.
“The biggest problem currently is getting the right foundation skills as all too often it’s self-taught or code mashing in the gaming world of mods or hacks that may spark the interest,” he said. “Designing the right structure will be a challenge - the interest and goals need to be tailored explicitly with the endgame in mind, which is not an easy task.”
Oliver Pinson-Roxburgh, EMEA director at Alert Logic, told Infosecurity that it will make a difference, though admittedly over time. “My concern would be around the content. I hope they invest in reaching out to industry experts to help drive the correct content and the real world content that will drive success in this project. I would also expect them to drive research and invest in good threat intelligence.”
So who will be responsible for doing the teaching? The official statement said that the provider will have the flexibility to decide the most appropriate way to deliver the programme. Tenders are currently being accepted, with the DCMS specifying “a service provider/consortium of service providers to develop and deliver an ambitious extracurricular programme”. The ‘description of procurement’ requires that the programme “will identify and mobilise expert volunteers from industry and beyond to inspire, teach and expose them to future career options”.
Also, whoever wins the tender will be responsible for developing “an innovative, high quality cybersecurity curriculum and teaching materials” which will keep current with cyber trends, and put in place the infrastructure for expansion and wider geographical roll-out, as well as harnessing and maximizing existing industry and academia resources and expertise. How this would work in practice is up to the tenderer to propose.
Javvad Malik, security advocate at AlienVault, told Infosecurity that, as cybersecurity is an extremely broad subject area, input would be required from experts in various disciplines to encompass a broad range of skills, from security and risk management, audit, assurance, coding, defending and attacking perspectives, amongst others.
“It’s difficult to say whether or not such a drive will greatly impact the skills shortage,” he said. “The reasons being that the skills shortage today won’t be the same in five years, and the needs could increase significantly by then. Secondly, these are similar challenges to STEM education. Whereby, making a subject available doesn’t necessarily translate into students opting to pursue it as a career in the future.”
The selection process to get on to the Cyber Schools Programme will see an incentive to encourage “a geographic and socio-economic spread” and aim for a 50:50 male to female ratio, and also consider individuals with latent cybersecurity talent, “including those who may not necessarily be excelling academically, but have the aptitude to succeed at cyber”.
To get onto the programme, students will need to undergo some sort of selection testing to ensure they have the enthusiasm, motivation and high cyber aptitude (either latent or developed) for the programme. In other words, this is not going to be an easy sell for schools, or those tasked with actually delivering the programme.
Pinson-Roxburgh said that to deliver the curriculum, he would reach out to industry specialist companies and thought leaders, and it would also make sense to have some lessons learnt from hacked companies and forensic investigators.
Could this work? Undoubtedly yes, as there are enough companies out there seeking individuals to present to industry (and be presented to also), so I don’t think that it is going to be a challenge to find someone to run it. Similarly, the students may be more interested in this if it gives them the opportunity to work with devices and code, and bring the Hollywood image of hackers to life.
Attracting a mix of genders and ethnic diversity, and drawing in both those who are interested and those who are more reticent, will also be a challenge for the schools. I’ve seen the great work by the Cyber Security Challenge and (ISC)2’s Safe Secure Online program in how younger people can be engaged in cybersecurity, but any drive to improve the safety of the nation has to be welcomed, no matter how ambitious it is.