While many focus on scare stories or coming threats of external hackers and the risks to our society from cyber terrorists, I would like to outline a threat which has been personally observed over the past few years: the lack of fundamental theory from some computer security graduates from both undergraduate and postgraduate programmes – I note that these are not Edinburgh Napier University graduates as we build cryptography in our BEng, BEng (Hons) and MSc modules – and I teach on a few of these, so hopefully it goes in.
Over the past few years, I have been involved in job interview panels for academics, researchers and PhD students, and have observed that many lack the skills to be able to explain public key encryption. Along with this quite a few cannot even get to the point of explaining the keys involved, while others will take a guess and define that we might encrypt with the sender’s public key, and then this is decrypted on the other side with the senders private key – a worrying situation for all. A follow-up question on how a private key is used to prove someones identity, is often not reached, as the candidate has struggled to explain simple public key encryption.
This lack of knowledge is evident within recent graduates, experienced professionals, and even PhDs in Computer Security. The threat that I would like to highlight is that we may be training the next generation of information professionals who have a limited background in core fundamentals. Coming from a background in electrical engineering then moving into computer science, I personally equate this to an electrician who has no knowledge of the basics of Ohm’s Law, or not being able to wire a plug.
Why does this exist?
As with any relatively new subject area, there is often a gap in providing professionals to support a new industry. This happened with electronics in the 1970s, and with the computing industry in the 1980s, where other disciplines, such as Physicians and Mathematicians, filled the gap while universities scaled-up their undergraduate courses. The same thing is possibly happening now within computer and information security, where many of the current professionals are not formally educated within their area of work. Often, though, they fill the gaps by studying towards professional or postgraduate studies, and then work towards gaining some credibility in the area. While it is understandable that professionals moving into new discipline have gaps which get plugged the longer they work in the industry, what is more worrying is that some of our graduates seem to lack the basics of their discipline.
A major concern is that in any new area, colleges and universities will quickly create new programmes to attract students, of which there can be a range of standards applied, especially in a discipline which ranges from cryptography to social informatics. While there are some initiatives to set standards across the industry, there is still no real consensus as to what should be taught. This may thus confuse industry in to the standards that they might expect from graduates.
Why is it a risk?
Unfortunately, as we move towards an information society that is built on upon security, there are two major risks: a lack of depth covering key principles within professional certification, and the lack of in-depth knowledge within undergraduate and postgraduate programmes. This there is thus a need to set a high standard of educational achievement when it comes to defining the key tools of the trade. As an Electrical Engineer would know Ohm’s Law from their apprenticeship, so should security professionals understand the key principles around encryption, authentication and information assurance.
So what … we have professional certification?
From the perspective of having taught within professional certification, in particular, the Cisco Academy, I believe that there are strengths to professional certification, especially in undertaking a range of practical assignments that are well matched to the requirements of industry. The understanding of fundamentals, though, are often weak, and typically either far too simplistic, or too complicated that it is difficult to distil the key principles. There are many occasions too in the exams where the knowledge gained of the general principles require superficial knowledge of the area. The flow of the material often struggles to provide the foundation work that is required to build a solid foundation, and there are many examples of key principles being buried within more generalised material. A review of professional certification exams is often enough to show that students basically need to learn the right answer, without actually knowing how they would apply their knowledge, use it within higher levels of learning, such as with synthesis and analysis. Professional Certification, though, for many does allow them to study a wide range of subject, often ones in which they have gaps, so the opportunity to learn some depth is there, but often the focus is on passing an exam, as the time frames and the pressures of employment often reduce this scope.
So what can I learn?
As you may know, I Iove code and crytopgraphy, so here’s a page I’ve created which implements a wide range of encryption methods … from AES to Blowfish:
As an industry we are still evolving, however, we must provide a strong foundation in the key fundamentals of computer security, especially in encryption and authentication. Without this, we are building our digital infrastructures of sand, which others will easily knock-down. It is often within a face-to-face interview situation, whether it be in an oral exam, or within a job interview, that you can often tell whether someone truly has a deep understanding of their area. As computer security evolves as a discipline, there must be a worry that academia follow the professional certification focus of breadth rather than depth. This can be highlighted in a requirement not to scare students with some difficult maths, but any reading Bruce Schneier’s book on Secrets and Lies: Digital Security in a Networked World, will quickly realise that the maths of the algorithms are less important than understanding the core principles of security.
If you are interested in Computer Security, Codes and Encryption, here’s an outline presentation: