cybersecurity

Viktoria Popovska: For New England higher education, cybersecurity signals new threats and opportunities

— Graphic by Michel Bakni


From The New England Journal of Higher Education, a service of The New England Board of Higher Education (nebhe.org)

BOSTON

Some of the most common cybersecurity threats are malware, ransomware, phishing and spam. For their victims, including higher education institutions (HEIs), cybercrimes range from inconveniences to data breaches to grand heists like the one that struck Cape Cod Community College (CCCC) four years ago.

In 2018, CCCC, in West Barnstable, experienced a cybersecurity attack resulting in $800,000 stolen from school bank accounts. CCCC was ultimately able to recover more than 80% of the money stolen by the hackers, but impacts of the attack still affect the college.

The cyberattack prompted CCCC, known as the 4Cs, to work with an independent consulting firm to learn best practices related to the institution’s cybersafety. These included, for example, installing endpoint protection software applications that protect servers and PCs from malware campuswide.

President John Cox of Cape Cod Community College spoke about the school’s cyberattack and what he has learned from the situation.

“One of the major takeaways from that is when you are looking at a website or anything electronic and you are being asked to open something up or go to a certain website or scan a QR code, unless you are 99% sure that it’s the real deal, then you shouldn’t hesitate to call the people who sent it to verify it.”

The CCCC attack also prompted the community college to reevaluate its degree programs. In the 2020-21 academic year, CCCC began offering a degree and certification in Information Technology: Cybersecurity. Previously, this pathway had been Information Technology: Security Penetration Testing, and though the course requirements haven’t changed much, the new name and reframing of the program are a sign that the 4Cs and other HEIs are realizing the importance of offering cybersecurity programs, and prospective students are taking notice.

Will Markow, the vice president of applied research at LightCast, estimated that his labor market analytics company has seen at least a 40% increase in cybersecurity graduates in the last few years. Despite the rise in people completing cybersecurity degrees, the growth rate of cybersecurity job positions is still double the graduation rate, meaning a cybersecurity skills gap continues to persist.

NEBHE and cybersecurity

NEBHE, with its longtime interest in changing skilled labor demands, has been covering the need for cybersecurity talent for several years. In a 2014 piece in The New England Journal of Higher Education, Yves Salomon-Fernandez, then a vice president at MassBay Community College, wrote about the cybergap and the demand for cybersecurity talent along with New England’s response to the need. Salomon-Fernandez discussed the creation of the New England Cyber Security research consortium, a collaboration between Mass Insight and the Advanced Cyber Security Center. The consortium has evolved into the Cybersecurity Education and Training Consortium, which aims to improve the cybersecurity talent pool. The consortium holds an annual conference where new research is shared and cybersecurity experts lead various workshops.

In 2015, NEBHE announced that cybersecurity was among new academic subject areas to be offered under Tuition Break, NEBHE’s initiative to help students and institutions share high-demand programs. These offerings included associate degree programs in specialized fields such as cybersecurity infrastructure, cybersecurity and healthcare IT, and cybersecurity-digital forensics.

In July 2022, NEBHE, in collaboration with the Business-Higher Education Forum (BHEF), awarded tech talent grants to seven business-higher education partnerships in Connecticut. The grants are a part of an initiative to target growth in tech skills like cybersecurity. Quinnipiac University, the University of Bridgeport and Mitchell College were awarded tech talent grants focused on cybersecurity.

The skills gap

The cybersecurity skills shortage continues to persist and organizations of all types face cybersecurity challenges.

In its 2022 Cybersecurity Skills Gap Global Research Report, Fortinet found that “worldwide, 80% of organizations suffered one or more breaches that they could attribute to a lack of cybersecurity skills and/or awareness.”

The Fortinet report also found that recruiting and retaining cybersecurity talent was a key issue. 60% of organizations have difficulty recruiting cybersecurity professionals and 52% have a difficult time retaining those professionals.

In 2018, The New York Times reported on a prediction from CyberSecurity Ventures that estimated 3.5 million cybersecurity positions will be available but unfilled by 2021. CyberSecurity Ventures has since updated its prediction for 2025, but continues to project vacancies at 3.5 million. “Despite industry-wide efforts to reduce the skills gap, the world’s open cybersecurity position in 2021 is enough to fill 50 NFL stadiums,” according to CyberSecurity Ventures.

Clearly, there is a need for more cybersecurity professionals, but why have efforts to reduce the skills gap not worked?

One reason is that people simply aren’t getting the right credentials to secure a cybersecurity position. Many top cybersecurity jobs require not just a bachelor’s degree, but also a master’s and may also require credentials such as a CISSP certification. CISSP stands for Certified Information Systems Security Professional and is independently granted by the International Information System Security Certification Consortium.

Despite the demand for cybersecurity positions to be filled, the industry is slow to soften the credentials or education requirements. But some companies, such as Deloitte, have begun creating a talent pipeline where they train candidates in skills they would not have previously been qualified for.

Cybersecurity and higher education

Cape Cod Community College is far from alone in facing cybersecurity threats.

The threat that cyberattacks pose for HEIs is extremely costly and increasingly frequent, according to April 2022 coverage in Forbes. Ransomware attacks are the most frequent problem for HEIs, with each attack costing on average $112,000 in ransom payments. Forbes writes that HEIs are prime targets for cyberattacks because of their historically underfunded cybersecurity efforts and the way that information sharing and computer systems work in the institutions.

Austin Berglas, global head of professional services and founding member of the cybersecurity firm BlueVoyant, told Forbes that his company had seen a large increase in ransomware attacks in 2020 and 2021 since everyone went remote.

In 2022, a handful of U.S. HEIs have publicly disclosed cyberattacks, according to Hackmageddon, a security breach tracker. Still, most cyberattacks on institutions go unreported unless disclosure is forced by law.

Universities have begun upgrading their cyberdefense systems, partially as a result of nudging from the insurance industry.

With the understanding of the threat of cyberattacks, HEIs are working on pumping out cybersecurity professionals.

Consider the University of Bridgeport (Conn.), one of the universities that received a tech talent grant from NEBHE and BHEF. The university announced that it will use the grant money to launch a 12-week course in cybersecurity and information security geared toward the finance and tech sectors. The university plans to offer a certificate to course participants that will allow students to be workforce ready in the cybersecurity field.

Other New England HEIs are also looking to impact the cybersecurity world. Yale University is partnering with other institutions to support the Secure and Trustworthy Cyberspace Program, a research program supported by the National Science Foundation. That program is working on initiatives like the creation of a confidential computing center, making a secure software supply chain and working to improve computing in marginalized communities.

In addition to the programs offered through NEBHE’s Tuition Break, five Massachusetts universities offer bachelor’s degrees in a cybersecurity-related field as well as two in Connecticut, two in Vermont, three in Maine, three in Rhode Island and one in New Hampshire, according to Cybersecurity Guide. Various other associate, master’s and doctoral degrees in cybersecurity fields are also available at New England HEIs.

Cox, of CCCC, also spoke about the school’s partnership with Bridgewater State University, which is developing a cyber range to simulate and test cybersecurity networks. This cyber range will allow students and professionals to perform mock cybercrime investigations to better prepare for any situation.

This is unlikely to be the last you’ll read on the complex challenges of cybersecurity in The New England Journal of Higher Education.

Viktoria Popovska is a NEBHE journalism intern and a junior at Boston University.

 

 

Llewellyn King: Internet is a cesspool of crime, war and mischief


Via Inside Sources

The big news coming out of the G7 meeting in Japan will not be about establishing international norms for cybersecurity. That will only get an honorable mention at best. But maybe it should get greater attention: The threat is real and growing.

Consider just these four events of the recent past:

The electric grid in Ukraine was brought down last Dec. 23 by, it is believed, the Russians. Because of its older design, operators were able to restore power with manual overrides of the computer-controlled system.

The Hollywood Presbyterian Medical Center in Los Angeles was ransomed. This crime takes place when a hacker encrypts your data and demands a ransom, often in untraceable bitcoin, to unlock it. The hospital paid $17,000 rather than risk patients and its ability to operate.

While these ransom attacks are fairly common, this is the first one believed to have been launched against a hospital. Previously, hospitals had thought patient records and payment details were what hackers would want, not control of the operating systems. Some of the ransoms are as low as $3,000, with the criminals clearly betting that the victims would lose much more by not settling immediately, as did the medical center. The extortionists first asked for $3.6 million.

In a blockbuster heist on the Internet, the Bangladesh central bank was robbed of $81 million. The crooks were able to authorize the Federal Reserve of New York to release the money held in an account there. They would have got away with another $860 million, if it were not for a typing mistake. In this case, the money was wired to fraudulent accounts in the Philippines and Sri Lanka.

Target, the giant retailer, lost millions of customer records, including credit-card details, to an attack in February 2014. Since then, these attacks on retailers to get data have become common. Hackers sell credit card details on what is known as the “black web” to other criminals for big money.

Often the finger is pointed at China, which will not be at the G7. While it may be a perpetrator, it also has victim concerns. There is no reason to think that Chinese commerce is not as vulnerable as that in the West.

China, with the help of the Red Army, is blamed in many attacks, particularly on U.S. government departments. But little is known of attacks Chinese institutions sustain.

Governments want to police the Internet and protect their commerce and citizens, but they are also interested in using it in cyberwar. Additionally, they freely use it in the collection of intelligence and as a tool of war or persuasion. Witness U.S. attempts to impede the operation of the centrifuges in Iran and its acknowledged attacks on the computers of ISIS.

As the Net’s guerilla war intensifies, the U.S. electric utility industry, and those of other countries, is a major source of concern, especially since the Ukraine attack. Scott Aaronson, who heads up the cybersecurity efforts of the Edison Electric Institute, the trade group for private utilities, says the government’s role is essential and the electric companies work closely with the government in bracing their own cyber defenses.

Still, opinions differ dramatically about the vulnerability of the electric grid.

These contrasting opinions were on view at a meeting in Boston last month, when two of the top experts on cybersecurity took opposing views of utility vulnerability. Juliette Kayyem, a former assistant secretary for intergovernmental affairs at the Department of Homeland Security who now teaches emergency management at Harvard’s Kennedy School of Government, said she believed the threat to the electric grid was not severe. But Mourad Debbabi, a professor at Concordia University in Montreal, who also has had a career in private industry, thinks the grid is vulnerable -- and that vulnerability goes all the way down to new "smart meters."

The fact is that the grid is the battleground for what Aaronson calls “asymmetrical war” where the enemy is varied in skill, purpose and location, while the victims are the equivalent of a standing army, vigilant and vulnerable. No amount of government collaboration will stop criminals and rogue non-state players from hacking out of greed, or malice, or just plain hacker adventurism.

Governments have double standards, exempting themselves when it suits from the norms they are trying to institutionalize. Cyber mischief and defending against it are both big businesses, and the existential threat is always there. 

Llewellyn King is a longtime publisher, columnist and international business consultant. He is host and executive producer of White House Chronicle, on PBS.

Editor's note: See bostonglobalforum.org for coverage of international cybersecurity issues.

 

Yves Salomon-Fernandez: Cyber-security: Big N.E. jobs-growth potential

 

Editor's note: This piece was written before the most recent huge cyber-security breach -- at Sony.

Within the information-technology sector, cyber-security is considered its own super sector. As information becomes increasingly digitized and a growing array of transactions can be completed in the cloud, individuals, governments and enterprises become increasingly vulnerable.

 

This vulnerability is capitalized upon by hackers and other cybercriminals, as evidenced in the high-profile breaches at the U.S. Postal Service, Target/TJX, JP Morgan Chase, American Express, Home Depot, Neiman Marcus, the Internal Revenue Service—to name a few. Others not reported in the media range from insurance and retirement companies to higher education institutions and government agencies.

While computer users are much easier and more lucrative targets, the increasing ease of conducting transactions via mobile devices has also led to a proliferation of mobile-based attacks.

The Identity Theft Resource Center (ITRC) reports nearly 5,000 breaches between 2005 and 2014, more than a quarter of which were caused by hacking, that is, unauthorized individuals penetrating a computer network generally with the intent of obtaining information or disrupting the network.

________________________________________

Breaches by Sector, 2005-14

Total breaches 4,794
Total number of records breached 641,037,690
Business 55.6%
Banking/Credit/Financial 36.1%
Medical/Healthcare 24.8%
Educational 15.9%
Government/Military 15.6%

Source: Taking a Strategic Approach to Closing the Cyber Gap

________________________________________

Data breaches are very costly for businesses. Citing the security firm Symantec, a recent article in The Economist estimated the annual global cost of cybercrimes to be $113 billion, with the number of victims standing at 378 million. Not surprisingly, the U.S. ranks first in the cost of data breaches around the world.

Locally, New England’s economic reliance on the financial services, high-technology, education and health-services sectors—and its significant array of businesses engaged in research and development involving intellectual property and personally identifiable information—make cyber-security a field that warrants a strategic and coordinated approach to close the middle-skills gap.

 

The available pool of qualified cyber-security professionals is insufficient to meet current workforce demand. With an expected reduction in the New England labor force by 2020, this talent shortage is a prime candidate for a supply-chain approach.

Closing the gap in cybersecurity should be conceptualized through a continuum that includes advancement from certificates, associate and bachelor’s degrees, and moving onto graduate school credentials. It should also engage employers in identifying the technical competencies, soft skills, as well as industry-specific knowledge and continuing education that potential cyber-security employees need to succeed in entry-level jobs and beyond.

 

Engagement of high school students—digital natives—while still in high school would also help provide early exposure and garner interest in the field. TripWire’s Cybersecurity LifeJourney Experience provides a good “test drive” of cybersecurity careers.

Quantifying the demand for cybersecurity talent

The U.S. Bureau of Labor Statistics estimates that cyber-related jobs will grow by 37 percent through 2020. According to a report released earlier this month by Burning Glass, a company that tracks job postings among other services, between 2007 and 2013, cyber-security jobs grew by 74 percent—a growth rate that is more than twice that of all information-technology jobs. According to the “Job Market Intelligence: Report on the Growth of Cyber Security Jobs,” demand for cyber-security talent by far outpaces supply. On average, it took 24 percent more time to fill cybersecurity-specific jobs compared with other IT positions and 36 percent more time compared with all other jobs.

With 7,107 openings in 2013, Massachusetts ranks ninth in terms of total cyber-security jobs. Between 2007 and 2013, Boston had an 87 percent job growth rate in cyber-security, based on data published in the report. The Greater Boston area ranks seventh in total number of job postings (6,336). Washington, D.C., and New York lead the country as the top two cities for jobs in cyber-security.

New England’s call to action

Earlier this month, Mass Insight and its Advanced Cyber Security Center announced the creation of the New England Cyber-Security Research Consortium. While few details have been released on the consortium, its focus will be on research and collaboration among higher education institutions with research capacity and industry.

 

Although research and the innovation economy are critical to the region, in this instance, filling the middle-skills gap in cyber-security is equally critical to the region’s economic vitality and continued competitiveness of the key sectors that underpin the New England economy. In the public higher-education sector, we see MassBay Community College, Middlesex Community College, and the University of Massachusetts taking the lead in developing academic programs that can train people for these jobs and begin to close the labor gap.

Cybersecurity jobs provide a ladder for workers going from entry-level security analysts to engineers, auditors, testers, administrators and architects. Filling this range of positions calls for collaboration among community colleges, four-year colleges and universities, industry and policymakers. These jobs have the potential to financially sustain digital natives as well as the short- and long-term unemployed looking to acquire the skills to help them rejoin the job market.

 

Cyber-security is a prime area for public- and private-sector collaborations with higher education because those jobs hold high value to businesses. For the workforce, they hold a high career lifetime value and provide ladders for advancement.

Yves Salomon-Fernandez is vice president for strategic planning, institutional effectiveness and grants development at MassBay Community College and executive officer of MassBay’s Framingham Campus. This originated at The New England Journal of Higher Education, a service of the New England Board of Higher Education.