Saturday, August 13, 2022

Cyber Security and CS Education

Way back in time, cybersecurity was all about controlling access to the computer in the locked room with the raised floor. Well, you had to trust the people you did let in of course. I will not say much about the students I went t university with who competed to create the best, most realistic login emulator to steal passwords because, you know, that was all in fun. Later in life I actually had supporting the real login software as part of my job responsibility.

We were more aware of security by then. It was the real world. We spent a lot of design time on our various OS subsystems to make sure that access was verified and that people could only access what they were authorized to access. Dial in lines and then networks made things a bit more risky. I remember one system that required a second password of 16 random characters that changed every 5 or ten minutes (I forget which). Someone broke in anyway. Social engineering not technical engineering. People were and are still the weak link in computer security.

In the early days few people had access to a computer. Fewer still had technical knowledge enough to crack into systems And most of them were (it seems) fairly trust worthy. As more people got access to both computers and knowledge breaking into systems became more common.

Today there is a lot of talk about cybersecurity and the need for more people to be trained in the field. What does that mean for high schools? For one thing, it means a lot of people are saying that high schools should teach it. What teaching cybersecurity means is a question with still developing answers.

Should schools offer a whole course in it or can they cover enough in an existing course? If a full course, a semester? A year? Some part of a year? You’ll get a lot of answers but little in the way of a consensus. A lot of discussion about this on Facebook group for  Cybersecurity Educators. Resources at CYBER.ORG are helpful as well.

For now, individual schools are making their own decisions. These decisions are based on things like teacher knowledge to teach such information, room in the schedule, and resources available. Some school IT departments are not willing to let students experiment on networks in a school. Or even, in some cases, to have students learn about network vulnerabilities! I suspect that career technical schools are going to be the main source of high school courses in cybersecurity. There is less focus on AP exams and more focus on preparing students for the work force sooner rather than later. Oh yeah, colleges and universities but they are not my focus.

Comprehensive high schools are more likely to add some cyber security information into existing courses. AP CS Principles for example. A few will have longer courses but I suspect most of those will be independent high schools and charters as they have fewer restrictions and their politics is different. (Different does not always mean better or worse to be clear.)

Maybe when (if?) we get to a place where the learning of coding is done well enough and deep enough in middle school we can move away from HS courses that “just” teaching programming and start using that programming to learn about other things in computer science. Like cybersecurity. Like data science (although we are seeing some of that in middle school already (Bootstrap:Data Science ) which is pretty exciting. And like more artificial intelligence.

Programming is cool (to me) and important (to everyone!) but there is more to computer science than programming. Security is an important part of that and high school CS educators have to have it on their radar and give serious thought to bringing it into their curriculum.

No comments: