Is there a connection between lack of STEM education in America and data breaches like Target or digital security vulnerabilities like the one that recently undermined encryption in Apple products? In my opinion: Yes. In this article I argue that cybersecurity in America, including the trustworthiness of American products and services, is suffering from the current under-production of students qualified in Science, Technology, Engineering, and Mathematics, or STEM. (My first title for this article was “STEM the tide of data breaches” but I decided that was too glib.)
My basic premise is that creating secure information systems, and maintaining their security, requires people who are conversant with Science, Technology, Engineering, and Mathematics. Those disciplines come together in Computer Science, often referred to as CompSci, or just CS.
My second premise is that America's schools are not teaching enough computer science to enough students. When my colleague, Lysa Myers, wrote about this in January, several of us found it hard to believe how dire things were. But Lysa was right, as confirmed by several shocking data points I recently obtained on a trip to Washington, D.C. For example, in the 2012-2013 school year, computer science counted toward a student’s high school graduation requirements in only nine states. In 2012, just under 3,000 of the country’s 40,000 high schools, less than one in 10, offered the Advanced Placement Computer Science exam. Let me put that a different way: too many kids in too many schools get the impression that Computer Science doesn’t matter.
My third premise is this: if we are not inspiring and enabling our young people to study the science and technology on which much of our economy is based, we cannot hope to achieve and sustain the levels of security that our information systems need in order to retain the trust on which their continued use depends.
Some scary numbers
We already have indications that large numbers of IT jobs in America are going unfilled. For example, throughout the course of 2013, there were anywhere from 300,000 to 600,000 open IT and IT-related jobs in the U.S. (that's according to Burning Glass Technologies Labor Insights). Couldn't we just import people to fill them? Not likely, given the current Congressional deadlock over immigration reform. Besides, there are plenty of other countries seeking the same talent. According to the Global Information Security Workforce Study by Frost and Sullivan, global demand for people with cyber security skills is forecast to grow at about 13.2% annually from 2012 to 2017.
As for cybersecurity jobs going unfilled, the evidence is everywhere, starting with a huge number in the Cisco 2014 Annual Security Report: "It’s estimated that by 2014, the industry will still be short more than a million security professionals across the globe." In the last six months I have heard estimates of the shortfall of qualified cybersecurity workers in the U.S. alone ranging from 50,000 people well into six figures.
For a different perspective, consider the number of U.S. openings listed for "information security" at Indeed.com, a job listing aggregator: 11,669. The site lists 7,867 jobs requiring or preferring CISSP. Given that many of these jobs are well-paid, earning more than many other IT-related jobs, that's a lot of jobs open. How about a specific case study? Consider the U.S. government's Department of Homeland Security, where more than one in five mission-critical cybersecurity-related jobs at a key unit could not be filled, according to the Government Accountability Office. Scratch below the surface and you see a phenomenon that could mean things get worse before they get better: the greying of the cybersecurity workforce. Some 32% of DHS cybersecurity employees are eligible for retirement now or within the next three years, and 80% of those currently working in cybersecurity are 40 or older, with barely more than 5% being 30 or younger.
In broader terms, last year's (ISC)2 Global Information Security Workforce Study (PDF) found that 56% of organizations surveyed said they don't have enough security staff to handle their current demands. Some 52% of respondents said the shortage of skilled staff is contributing to the incidence of breaches in their organizations.
Target and Apple and more
Which brings us to the Target data breach and the Apple SSL vulnerability. The full details of how these things happened have not yet been confirmed, but many of those who live security think they can see gaps in Target’s defenses and weakness in Apple's code review and testing. I think it is reasonable to argue that those gaps might not have existed if the companies' cyber security IQ were higher. When companies make decisions about technology that are not fully informed by accurate knowledge of the computer security threatscape, one has to ask if a lack of skills and education in this field is to blame.
I’m certainly not suggesting we throw Comp-Sci grads into the breach until the attacks stop and the holes are plugged (that just wouldn’t work). For a start, not all Comp-Sci grads are required to take security courses before they can graduate (which is wrong and needs to be fixed, but that’s a different article). What I am suggesting is that we cannot hope to sustain a rapid rate of digital technology development in America while at the same time defending that technology against abuse, without more people having more knowledge in the realm of science, technology, engineering, and mathematics. And a bunch of those people need to understand the core concepts of computer science and computer security.
Here's how the big picture is painted by Chicago-based CompTIA, the world's largest computing industry trade association, which recently lobbied Washington for greater support of STEM education:
The U.S. is rapidly falling behind in the Science, Technology, Engineering, and Math (STEM) race on multiple fronts. The World Economic Forum ranks the U.S. 52nd in the quality of mathematics and science education and 5th in overall competitiveness. Over two-thirds of the engineers who receive their PhDs from U.S. universities are foreign born. The key to improving our standing is by focusing on STEM at the elementary and secondary education levels. As a nation, we have a responsibility to help to drive domestic students into these fields and to provide them with the necessary tools they will need for success at a global level.
On the bright side
As part of that lobbying effort, CompTIA presented a panel that featured two innovative approaches to improving STEM education. The first was Project Lead the Way, represented by David Dimmett, the organization's Senior Vice President and Chief Engagement Officer. According to Dimmett, Project Lead The Way (PLTW) is the nation’s leading provider of STEM programs. On its website, PLTW states:
"Our world-class curriculum and high-quality teacher professional development model, combined with an engaged network of educators and corporate and community partners, help students develop the skills necessary to succeed in our global economy....As a 501(c)(3) nonprofit organization, we deliver PLTW programs to more than 5,000 elementary, middle, and high schools in all 50 states and the District of Columbia."
I found a tour of the website to be quite inspiring, and there are plenty of opportunities for professionals and businesses to get involved.
The other private sector initiative represented on the panel was LifeJourney LLC, which describes itself as "an online career simulation experience that empowers students and individuals to test-drive future career opportunities relating to STEM and gain exposure to the skills they'll need to achieve the future they want." Founded by Rick Geritz, who is now its CEO, LifeJourney is developing some impressive corporate partnerships and using some very cool technology to make a career in technology more broadly appealing.
One more ray of hope for STEM improvement is specific to Comp-Sci, and it comes from within our government: bipartisan legislation known as the Computer Science Education Act. This bill has no costs associated with it because it simply amends the definition of “core academic subjects” in the Elementary and Secondary Education Act (ESEA) to add computer science. This simple act would clarify that existing and currently funded federal programs could support computer science and local and state educators who want to put more computer science curriculum and teachers in schools. (Big hat tip to Lumay Wang from Rep. Scott Peters' office for sending me details of the bill.)
The Computer Science Education Act (HR 2536) makes a lot of sense to me because it would unleash the enthusiasm of American students and teachers for computer science that is currently constrained by the fact that it is not considered core curriculum. Fortunately, the bill has widespread support from some serious organizations, notably code.org and Computing in the Core. The latter has a lot more info on CSEA, and its members include: Anita Borg Institute for Women and Technology, Association for Computing Machinery, College Board, Computer Science Teachers Association, Computing Research Association, Google, IEEE Computer Society, Microsoft, National Center for Women and Information Technology, National Council of Teachers of Mathematics, National Science Teachers Association, Oracle and SAS.
So, there are efforts underway to improve the STEM and Comp-Sci situation, from broad grassroots initiatives like Securing Our eCity, through focused efforts like PLTW and LifeJourney, to legislation that could be passed this year. All positive signs and I hope they all succeed, because the threats show no sign of abating and the skills gap is real.