ACSC Joins Army National Guard Cybersecurity Seminar, Kicking Off “Exercise Cyber Yankee”
July 16, 2017
The ACSC was honored this month to support the Army National Guard by hosting a cyber seminar as part of Exercise Cyber Yankee at Joint Base Cape Cod, a training exercise designed to simulate a cyber attack. While soldiers trained all week, the June 14 cyber seminar addressed the DoD cyber commanders, CSOs and both public and private sector cyber and intelligence analysts from across New England who came together to share and collaborate with the Army National Guard to explore better methods for securing our national infrastructure and training the next generation of cyber defenders.
Speaking to senior representatives from the National Guard, Army, Air Force, Department of Homeland Security, FBI and more, we opened the day with a panel sharing insights from academia. I moderated a discussion on the challenges of educating and sustaining the next generation of cyber security professionals. The panel featured Larry Wilson (ACSC Member - University of Massachusetts, Chief Information Security Officer, UMASS President's Office), Mike Ahern (ACSC Member - Worcester Polytechnic Institute, Director, Corporate and Professional Education and Instructor, Foisie Business School), and Kevin Powers (Boston College, Program Director, Masters in Cybersecurity Policy and Governance).
The academic panel discussion focused upon how Massachusetts higher education and training programs are developing the future cyber workforce, and the challenges of sustaining our next generation of cyber security professionals. Key takeaways from the panel discussion included:
- There is a huge demand from both industry and government for trained cyber security experts, and a high demand from students seeking degrees;
- Educational programs need to be more innovative and hands-on, more like med school, where students learn in the morning, then practice in the afternoon with practical, hands-on training;
- Schools need to collaborate with industry to make their programs work… produce more practically educated students who require less on-the-job training;
- Schools are looking for ways to fund cyber programs, which may mean that they pay for themselves and generate revenue through service offerings;
- For graduate degree programs and even undergrad, the students are not who you might think they are—many are transferring from other, unrelated careers;
- Graduate programs need to be more certificate-based than degree-oriented.
Next, our industry partners took the stage to share insights from the front lines of corporate cyber security. The panel was assembled to showcase cyber development all the way from early-stage R&D through to startups, and into mainstream implementation and practice. The session featured Chris Lord (ACSC Member - Carbon Black, Director of R&D and Threat Research), Bruce Bakis (ACSC Member - MITRE, Principal Engineer), Gerald Beuchelt (LogMeIn, Chief Information Security Officer), and Jothy Rosenberg (Dover Microsystems, Founder and CEO).
The industry panel discussion explored both innovation and the challenges of deploying and supporting government technology and security practices. Key takeaways from the panel discussion included:
- The security talent crisis makes hiring ridiculously hard. Organizations do not need PhDs. They do need to develop career paths that get young people engaged right out of high school, and keep them involved;
- Because so many computer science graduates have never touched a security system, it takes a long time to teach them practical skills;
- Cloud security is still a big challenge, particularly for organizations with a lot of legacy infrastructure. Available solutions are still at the low end of the maturity scale;
- Security is no longer an individual company issue, but requires collaboration due to supply chain attacks that target one customer or supplier for access to others. One organization can be a gateway for access to many more;
- Security needs to focus on the industrial, not consumer-oriented, Internet of Things (IoT), such as automotive, transportation and the electric grid, which is run by millions and millions of IoT devices;
- IoT detritus is a problem, as IP-connected devices are put in place and then forgotten and left to live on;
- Because critical infrastructure, such as the electrical grid, has already been breached, industrial security is not about keeping attackers out anymore; it’s about maintaining control and securing against attack;
- Industry is capable of creating more resilient systems and better security, but will only do so if there is a financial benefit;
- Perception among innovative, smaller organizations is that working with the government is just not worth it: there is too much inertia, too much red tape;
- Industry needs a flexible program to engage government in a more meaningful and commercial way, without having to invest up front: a more exploratory or test environment for initial justification before spending time and money on government certification;
- The venture capital environment is challenging for early-stage companies. As VC funds have grown, even if the market opportunity is ginormous, they don’t want to make small investments. They are more interested in funding another SnapChat or consumer innovation than in funding security.
The Cyber Seminar continued with afternoon panels that featured discussion of cybersecurity efforts from government partners (state and federal), as well as an exploration of DoD cyber efforts from a panel of Department of Defense leaders.
Read more about the afternoon panels in this article from veteran security journalist Paul Roberts.