Do not compute: As cyber attacks grow, Sac State readies next generation of data defenders

The computer lab was filled with the staccato tap, tap, tap of fingers dancing on keyboards. The students’ faces were illuminated by their computer screens as they worked silently, scanning lines of code to see if their simulated cyberattacks would be successful.

Last month, 29 high school students from around California participated in Sacramento State University’s Cyber Security Summer Academy. The weeklong course instructed students about common online security threats and how to prevent data breaches, which have increased in both frequency and severity in recent years.

However, one expert says that just introducing these concepts isn’t enough, and that data security has failed to evolve as quickly as the tactics used to hack private information on a global scale.

“The availability of these courses suggests increasing concern and interest,” said Mark Heckman, president of the Sacramento Valley Chapter of the Information Systems Security Association and a professor in graduate cybersecurity programs at the University of San Diego.

But, Heckman added, these courses don’t necessarily point to “a fundamental shift in tools and techniques for protecting computer systems.”

The Cyber Security Academy is one of a dozen summer academies that are offered to high school students each summer at Sacramento State. Along with the Coding Academy, it was added to the roster before registration opened this May.

Jun Dai, an assistant professor in Sac State’s Department of Computer Sciences and the instructor for the Academy, said that his goal for the class was to teach students the fundamentals of cybersecurity.

“Many people are unaware of how important this is,” Dai said. “People don’t see the dark side, but here we show the students the simulated attacks and sometimes you have to see it.”

In Dai’s approach, a good offense informs a good defense, so the professor had students trying to break into a program called Metasploitable, which is designed with security vulnerabilities to exploit if students know where to look.

Sacramento State isn’t the only university that has recognized the importance of grooming the next generation of cyber warriors before they graduate from high school. The National Security Agency sponsors a weeklong cybersecurity camp for high school students at the University of San Diego over the summer.

Heckman, who has worked in cybersecurity for more than three decades, says it’s a real possibility that the techniques being taught in these courses may be all but obsolete by the time these cybersecurity hopefuls are old enough to enter the industry.

Data breaches are growing in sophistication at the same time that the world becomes increasingly dependent on computer-based systems, creating what Heckman describes as an arms race between cyber attackers and defenders. And yet, Heckman said he has seen data security trends come and go “with few significant advances.”

In 2015, the U.S. Office of Personnel Management was subjected to what was one of the largest data breaches in government history, surrendering the personal records of more than 21 million people and leading to the resignation of the office’s director.

Fast forward to May of this year, a continent-hopping ransomware attack invaded British hospitals, the Russian government and swept across Asia, Australia and South America. That same month, the WannaCry ransomware attack targeted computers running the Microsoft Windows operating system, Dai pointed out.

May was also the month that the state of California fooled some employees with the Department of Housing and Community Development with a fake phishing scam that arrived in the form of an email asking them to “validate their employment status” to receive their bonuses. The email, which was doctored to look like it originated from the Golden 1 Credit Union, rankled a state employees’ union.

Fortune 500 companies like Yahoo, which experienced three breaches in 2016 alone, as well as Sony and Target, have also faced significant cybersecurity threats in recent years.

Heckman pointed to a lack of penalties for companies selling vulnerable systems that put “consumers and the entire country … at high risk” as the root of the problem. While he recognizes the need for individuals to be cyber-literate, he says the true responsibility for data security should rest with the public.

“It puts the blame on the victim, not the developers of unsecured systems,” Heckman said.