OSU has received funding from the National Science Foundation to help boost a cybersecurity workforce.
photo courtesy of Oregon State University
Government agencies are having trouble filling open cybersecurity positions, which can leave them vulnerable to attacks. Oregon State University has received $4.8 million from the National Science Foundation to help boost and train workers to shore up cybersecurity at some of our most vulnerable federal agencies. Dave Nevin is an assistant professor of practice in the School of Electrical Engineering and Computer Science and Rakesh Bobba is an associate professor of computer science at OSU. Cameron McCawley is a student and president of the OSU Security Club. They join us with more on what the funding will do and how OSU is preparing students for jobs in cybersecurity.
Note: The following transcript was created by a computer and edited by a volunteer.
Dave Miller: From the Gert Boyle studio at OPB, this is Think Out Loud. I’m Dave Miller. We turn now to the shortage of cybersecurity workers and a new grant program that aims to help. Oregon State University is one of the recipients. They received nearly $5 million from the National Science Foundation to help boost and train new cybersecurity experts. It comes at a crucial time given that the public and private sectors are scrambling to fill open positions that have left them vulnerable to attacks. Oregon alone has 7,500 openings. David Nevin and Rakesh Bobba are both computer science professors at OSU. Cameron McCawley is a senior there. He is a computer science major and the president of the OSU security club. They all join me now. It’s good to have all three of you on the show.
Dave Nevin: Thank you, Dave.
Rakesh Bobba: Thank you, Dave.
Cameron McCawley: Thank you.
Miller: Rakesh Bobba first, I understand that the money we’re talking about here from this grant is going to be used in two big ways. The first is to give students full scholarships. How is this going to work?
Bobba: This money is coming from the NSF Scholarship For Service program. This is a program that NSF started about 20 years ago with the goal to develop, in their own words, “a superior cybersecurity workforce.” So they want to increase the number of cybersecurity professionals going into the federal government and also to increase the education capacity and research capacity at institutions. So a big chunk of this grant is going to be for cybersecurity, students specializing in cybersecurity and who make a commitment to go serve the federal government, for the same number of years that they received this scholarship for.
Miller: Sort of like if the government pays for you to go to West Point, then you’re required to serve as an officer in the army for some number of years. What kinds of jobs, what kinds of agencies are you assuming graduates would go to after their say four or five years at OSU?
Bobba: These scholarships have a maximum of three years. So for undergraduates, typically two years, junior and senior year. And then if you’re pursuing a Master’s or PhD, you can go up to three years. So then your commitment is also three years. There’s a whole host of agencies that are participating in this program and can hire our graduates in this program. There are the big three letter agencies but they’re also federal agencies like the U.S. Department of Education, Department of Agriculture. This program, although they primarily prefer that graduates go to the federal agencies, they also allow graduates to fulfill their obligations by working for local governments, tribal governments, national labs, so Pacific National, Northwest National Laboratory and DOE National Labs and so on. So these are all options and we were at a job fair organized by this NSF SFS and there were hundreds of agencies looking to hire graduates from this program.
Miller: Dave Nevin, is it your hope that these scholarships will actually encourage people to go into this field who otherwise wouldn’t do it?
Nevin: Maybe. So I hope that it would encourage people. But what we’re finding is that there are a number of cybersecurity students who are seeking to go into public service and that’s their career goal. And so this would be ideal for them.
Miller: Cameron McCawley, what about you? How did you become interested in cybersecurity?
McCawley: I became interested through the security club, itself. And learning about the technical concepts and security, learning how to exploit vulnerabilities, defend against those vulnerabilities. I think it’s all super fascinating. I think it’s really cool work and it’s always changing, there’s constantly new things to learn and I really gravitate towards that.
Miller: When you say “learning how to exploit vulnerabilities,” what I hear is learning how to break into a system, but for the purpose of good, right? So you can tell those folks hey, there’s a hole here and you should patch it. What’s it like, though, when you find that hole?
McCawley: Exactly, it’s really rewarding. It can be a real challenge. It’s like solving a mini brain teaser or puzzle. So when you finally solve it or you finally find that vulnerability and you’re able to exploit it, you can, there’s that big dopamine rush, right? So what the club tries to do [is] give students the hands-on experience needed to learn how to find vulnerabilities, learn how to defend against those vulnerabilities, thinking like an attacker, thinking like a defender, and then also letting students participate in competitions to then apply those skills in a more stressful environment.
Miller: Rakesh Bobba, so as you noted, the lion’s share of this federal grant is going to go towards scholarships, but another part is going to go towards a kind of clinic that you’re setting up. What’s the idea there?
Bobba: This is called cyber clinic and the idea here, I think, Cameron described how the OSU Security Club is giving students an opportunity to take the skills they learned, the concepts they learned in the classroom and test them out. The concept of the cyber clinic can be thought of as a teaching hospital for cybersecurity. So this provides an environment for students where they’re actually defending real organizations against threats and at the same time, serving organizations that are typically underserved or are unable to afford security services or higher security experts into their organizations. So this is basically a teaching hospital, is a good analogy for this.
Miller: Cameron McCawley, just from the work you’ve done, either at the clinic like this or in competitions, how would you rate the level of cyber security that you regularly see now? How are we doing?
McCawley: I think there’s a lot of great areas, there’s a lot of areas that need improvement. With the competitions, it is very hands on keyboard where . . . so if there’s like a cyber defense competition, where players are trying to defend a simulated corporate environment from an ongoing cyber attack in real time, they get to learn skills such as system hardening and monitoring, responding to incidents. And what we find is that a lot of the vulnerabilities, or the gaps in defense, have to do with either unpatched software or it has to do with the person between the seat and the keyboard. Social engineering. So not downloading malicious attachments, all those things go into having a good security practice at a company or, in this case, a simulated company for competition.
Miller: Dave Nevin, the number that I mentioned just in Oregon is shocking: 7,500 cybersecurity openings right now in the public and private sectors put together. Nationwide, it’s something like three quarters of a million openings. What does that add up to? I mean, what are the biggest vulnerabilities that you see?
Nevin: Well, it is really a huge vulnerability, not having enough people to protect environments. And so the result of that, though, is a boon for our students. There’s high demand for these positions and that results in high salaries. And for the Scholarship for Service program, the government found it’s difficult for them to compete on a salary level and other levels against the private sector. And so this scholarship program helps them to fill these vital roles.
Miller: At least for a couple of years. But is it possible that around the country people would do this scholarship for two or three years, work in the public sector, say for a federal agency or for local or state government, and then after those two or three years are up, then they switch to the private sector to double their salary?
Nevin: That does indeed happen. But what they’re finding through this program is that a large number of students find value in public service and remain in public service. And they might switch between agencies, in advance in their careers and earn more money in the federal government or other government agencies. But it is surprising that money isn’t everything to the folks that go into this.
Miller: Rakesh Bobba, I think people in, in every mid to certainly larger size organization now are required to take at least annual cybersecurity trainings, where you learn things like if you find a flash drive in your parking lot, don’t just go straight to your computer and stick it in. Do these trainings actually help?
Bobba: I think it’s a mixed bag when it comes to these trainings and a lot depends on how the training is done. So I think they do help in raising awareness about these issues, as you mentioned, don’t stick the USB stick in the parking lot, don’t click on any link that comes to your email and so on. But I think there is some kind of debate going on right now, the value of these training, so if we can improve them further. They definitely help in raising awareness among the employees, so that it overall improves. I think Cameron mentioned the person at the keyboard, defending against social engineering attacks, but I think there is more work going on on how to improve this.
Miller: Cameron McCawley, we heard about the huge need in the public and private sector for more cybersecurity, but also no surprise, the public sector in general does not pay as well. What are you thinking about in terms of where you’re going to end up for your career?
McCawley: I kind of fall into the niche of intelligence, so cybercrime, looking at attackers, what they’re doing and then predicting what they’re going to do, so that way companies can better protect themselves from emerging threats. There is, both federal agencies that need that kind of work and there’s also a lot of private companies as well, doing enterprise intelligence. So I think any role that involves those skills or that kind of work would be really cool.
Miller: Cameron McCawley, Rakesh Bobba and Dave Nevin, thanks very much.
Nevin: Thank you.
McCawley: Thank you.
Bobba: Thank you for having us.
Miller: Cameron McCawley is a senior at OSU. He is a computer science major with an applied focus on cybersecurity. He’s also the president of the OSU Security Club. Rakesh Bobba and Dave Nevin are both computer science professors at Oregon State University.
Contact “Think Out Loud®”
If you’d like to comment on any of the topics in this show, or suggest a topic of your own, please get in touch with us on Facebook or Twitter, send an email to thinkoutloud@opb.org, or you can leave a voicemail for us at 503-293-1983. The call-in phone number during the noon hour is 888-665-5865.