Steve Weber
Industry experts project that several million cybersecurity jobs will be available across the nation by 2020, and individuals qualified to fill those jobs will be in great demand. Drexel University’s College of Engineering and the College of Computing & Informatics are answering that need with new programs and courses to prepare our students—undergrads and grads—for leadership in the field. We sat down with Steven Weber, professor and interim department head of the Department of Electrical and Computer Engineering, to find out how.
WHY ARE CYBERSECURITY PROFESSIONALS IN SUCH DEMAND?
There is a concern in all segments of our society that we are now subject to threat and attack in regard to cybersecurity. It just permeates everything. And the big thing everyone talks about is pipeline and talent. There’s a disconnect in supply and demand on the order of a million jobs or more that’s acutely felt in the United States. It’s an epidemic, to use an alarmist word, but one that aptly describes the discrepancy between the positions that need to be filled and the anticipated number of individuals qualified to fill them.
Pursuing cybersecurity is perhaps one of the very best things you as a Drexel student can do with your time – taking a cybersecurity course, considering a cybersecurity degree program, joining a cybersecurity student group. Not enough students are aware of this career. Any investment in effort is going to pay enormous dividends because it’s very much in demand, it’s financially lucrative, it’s an intrinsic component of the constantly changing technology landscape, and it’s just a really fun career.
WHY ARE THERE SO FEW STUDENTS IN THIS PIPELINE?
What I hear when I talk to students is that there is this perception that cybersecurity is only for “wizards.” They say, ‘I can do engineering or math or science, but I certainly couldn’t do cybersecurity.’ It’s perceived as being on this other level. I think, as with any technical field, there’s a whole spectrum of ability. But this “fear” of cybersecurity as a discipline or focus area for technologically minded students is unjustified. So, I’m hoping to dispel that.
HOW IS DREXEL PREPARING STUDENTS TO FILL THESE JOBS?
What we have at Drexel in terms of infrastructure is, first, the Isaac L. Auerbach Cybersecurity Institute. That sits within the office of research, as do many of the institutes at Drexel. I credit our university leadership with seeing four or five years ago that there was a need to start a cybersecurity institute.
As for our degree programs, at the undergraduate level we have the Computer Security Technology (CST) degree program, “housed” in the College of Computing & Informatics (CCI). We also have the Computer Security concentration option as part of the B.S. in Computer Science degree, also in CCI.
In my opinion, all engineering students should consider taking one or more cybersecurity courses as a technical elective. These courses are offered in the College of Engineering (CoE), specifically the Department of Electrical and Computer Engineering (ECE), as well as in the College of Computing.
WHAT ABOUT AT THE GRADUATE LEVEL?
We have a Master’s of Science in Cybersecurity, offered both online and on campus. This degree program is co-owned by ECE and CCI. We are currently widening the degree program to meet the needs of a larger segment of potential students. Why? Because as it stands now, the degree program is tailored for students who have a bachelor’s degree in computer science, in computer engineering, in EE, or in math.
What we’ve found over the last five years is that if you have that degree credential and are already working in a cybersecurity-related area, then you may not need a master’s degree in cybersecurity. If you don’t have an undergraduate degree in one of those fields, then the Master’s of Science in Cybersecurity will be a much more appealing degree program for you. The evidence for that comes from the applicants we’ve seen in the last five years. We have to turn some away because they don’t have that specified undergraduate degree. That’s why we want to widen the pipe, so to speak.
So, we’ve subdivided the existing master’s degree into three different tracks: a track for students who want an information systems focus, a track for students who want a computer science focus, and a track for students who want an ECE focus. We have different touch points within cybersecurity, so you can look at that and say, this is the track that best fits my coursework.
WOULD YOU TALK ABOUT ECE’S NEW CYBERSECURITY COURSES?
Certainly. We have a grant this year from the National Security Agency that’s called a Cybersecurity Curricular Capacity Building grant. The focus is to develop courses that explicitly integrate into our curriculum what I would call security-oriented design.
Engineers design things. What design means at its heart is that you take a problem, you have some constraints on what you can do that define the design space, you have some performance objectives that allow you to assess how well your design performs, and then you get it to work and you get it to market. Historically, we have not done design with security in mind because we’ve not lived in an era where everything you do is subject to attack.
Engineers designing systems—whether a chemical process, a transportation system, a circuit, or a communications protocol—have to be brought up in their education with that security mindset. When I say security-oriented design, I mean explicitly building into our courses a marriage of the threat model and the design space. The threat model has to inform the design space, and your assessment of the success of the design has to incorporate an assessment of how you will meet the threats. We’re trying to change the engineering-design mindset to be more security conscious.
HOW IS THIS SHOWING UP IN OUR COURSES?
There are five courses in the ECE senior-year curriculum that were funded by this grant. First, Professor Kapil Dandekar developed a new wireless security course based in his new laboratory that included experiments using software-defined radios. Students were able to integrate communications theory, network protocols, and security principles. Second, Professor Matthew Stamm offered a media forensics laboratory-based course in which students sought to detect manipulation of images using signal processing principles. Third, Professor Ioannis Savidis offered a course on hardware security, where one of the topics was to protect the intellectual property in circuit design through obfuscation techniques. Fourth, a security professional who works for the U.S. government taught a two-course sequence on security “offense and defense” techniques, focused on how to attack and defend various aspects of the network protocol stack. Fifth, an expert in cryptocurrencies will offer a laboratory-based course on cryptocurrencies and blockchain next quarter.
WHAT SKILLS ARE STUDENTS GOING TO NEED?
Technical knowledge is not enough. This is true for all engineers, not just cybersecurity experts. You really have to understand that the purpose of a business is to sell a product or offer a service. You have to understand how to talk with people outside of engineering, and you have to understand the policy landscape. This is something engineers don’t often think about. But regulation and compliance with policy is at the heart of the financial and health industries, and these are two massive industries in Philadelphia that have great need for cybersecurity expertise.
When we talk with industry, that’s what we hear: if you really want to help us out, you would give us not necessarily students with a deeper technical education but with an education that includes technical expertise along with an awareness of policy, the law, compliance, and how to communicate and work in a business. Moving forward, I would like to arrange for our students to be able to take courses in the law school, and for CoE and CCI to offer cybersecurity courses designed for law students wishing to obtain technical cyberliteracy.
This issue of cyberliteracy is something that a lot of people talk about because, ultimately, to be a citizen of the 21st century is to be a digital citizen. Cyberliteracy is a vital component of digital literacy.
TELL US ABOUT THE CYBERDRAGONS
It’s one of the coolest things we have here at Drexel. I’m the faculty mentor, but I’m not the coach. The coach is Charles Ludwig, the chief information security officer at Susquehanna International Group here in Philadelphia. He and his security team (many of them alums) come to campus twice a week to train the students. It’s like a course except, A, it’s more fun, and B, there’s no credit. You show up when you can. It’s knowledge training and skill refinement.
The CyberDragons are meant to be open to a wide spectrum of students, from beginners to experts. If you just have an open mind and are curious, you are going to be welcome. Many colleges and universities around the country have cybersecurity teams like our CyberDragons. There are competitions in which these teams compete, just like any other intercollegiate sport. Two of the competitions are the offensive side, often called “Capture the Flag,” and the defensive side, often called “Inherit and Defend.” One of the most popular is the Collegiate Cyber Defense Competition. Drexel made it to the mid-Atlantic regional finals last year.
FOR STUDENTS INTERESTED IN CYBERSECURITY, WHAT IS THE BEST POINT OF ENTRY?
There are three different levels. Level one is if you’re just an enthusiast and you want to learn more. The easiest thing you can do in this case is join the CyberDragons. Just look up the CyberDragons student group page.
Level two is taking some courses. The ECE department is always looking at developing and offering courses that are cyber-related. Talk to your academic advisors about suitable cybersecurity technical electives. As an engineering student, you probably already have the prerequisites that you need to get into them, and any knowledge you gain in the classroom is going to be helpful in your career.
And level three is for those who are considering a degree. There is the CST program in the College of Computing for undergraduate students, and the Master’s of Science in Cybersecurity for graduate students. And beyond that, we do research. You can talk with any of the various faculty. No matter what you do, you need to be literate in cyber. And if you want to move beyond literacy and to develop expertise, Drexel offers a path.
WHERE DO STUDENTS GET MORE INFORMATION?
Visit the Institute's website. There, you will find information about faculty affiliates, publications, research projects, and engagements with the cybersecurity community. You may also always write to me at spw26@drexel.edu.