Exploring Careers in Cybersecurity: Protecting Our Infrastructure
Have you considered working in the burgeoning cybersecurity industry? In the first of a two-part Maximum Employment Matters webinar, industry experts discuss some of the threats posed by nation states.
Learn how to get started in a cybersecurity career, from the types of degrees available to the various careers in the field.
Students are introduced to various options for deterring and detecting identity theft. They then play a game about identity protection. Students will learn that 100% identity protection is not possible and ways to defend themselves if identity theft occurs.
Notes from the Vault examines topics surrounding financial stability and innovation, banking and supervision, and international finance. The posts are intended to stimulate discussion of these topics and place them in a context for nonspecialists.
Jean Roark: Hello, and welcome to our Maximum Employment Matters webinar. Today we'll discuss careers in cybersecurity, with a focus on cyberterrorism and protecting our infrastructure. I'm Jean Roark from the Center for Learning Innovation at the St. Louis Fed, and I'll be facilitating today's call.
Before turning it over to our presenters, let me go over our call logistics. And before I talk about our call logistics, you may notice that there is a polling question on the right side of your screen, if you've joined us in that webinar, and you are welcome to answer that question at your leisure. It's going to be up there for the duration of the logistics and the legal language, and then we'll close that pullout when I turn it over to Julie.
For today's Webex, you have three options to listen in. You can have the webinar call you, you can call in, or you can listen via your computer, which is really the preferred option. If you lose audio at any time, click on "quick start" and choose your audio connection.
Like all Maximum Employment Matters calls, this one is being recorded, and everyone's lines are muted. And you don't have the option to share your video.
All right, let's talk about questions. We would love to hear from you. If you have a question during the webinar, you may submit it at any time by typing it into the Q&A panel in Webex. All right. I'm going to move to slide two so you can actually see the logistical information. All right. And let me read our legal information: "The views expressed in this presentation are those of the presenters and not the official opinions of, nor binding on, the Federal Reserve Bank of Atlanta or the Federal Reserve System."
All right, and with that out of the way, I will turn our call over to Julie Kornegay from the Federal Reserve Bank of Atlanta.
Julie Kornegay: Thanks, Jean. Welcome, and thank you for joining us for today's Maximum Employment Matters. Today we are exploring the world of cybersecurity and the important careers within this field. So, I want to take a look at our poll question and, Jean, can you close out our poll question for us?
Roark: Yes. Give us one second and we'll show you those results in one second.
Kornegay: Well, while you're doing that, let me go ahead and talk about our lineup today. We have a fantastic group of presenters, and I'm excited to introduce our first speaker. Darren Mott joined the FBI [Federal Bureau of Investigation] in 1999. He is supervisory special agent with the Counterintelligence Program for the Birmingham division. This program works with U.S. intelligence community partners to detect, deter, and neutralize cyberthreats. Darren, thank you for joining us today. And so we're looking at the results, and it looks like a majority of people said no, that they aren't a victim. But as we mentioned a second ago, I think we may all have been victims of cyber...been cyber victims. So, do you want to speak to that?
Darren Mott: Yes. If you have any kind of credit card or debit card information, you therefore have a mortgage or a car loan, you have an Equifax account. If you're a Lowes shopper or a Target shopper, or you've ever had a Yahoo email address, all of those particular entities have been targets of data breaches. And the information, your information within those companies has been compromised. So, you're likely...you are a victim of a cybercrime.
Kornegay: Well, okay. I'm already scared.
Mott: Do you think they'll let them change their phone...
Kornegay: So, well, go ahead and tell us about the cyberthreats and risks that we have.
Mott: All right, Julie. Thanks for having me. As you mentioned, my name is Darren Mott. I'm a supervisory special agent for the FBI in the Birmingham division. I'm headquartered in the Huntsville resident agency in northern Alabama. And for the entirety of my 19 years with the FBI, I've dealt with the cyberthreat and the counterintelligence threat. And I can go into a lot more detail as to what those threats are, but my time is kind of limited, so I want to focus this particular presentation, at least my part of it, on what the FBI looks at from a cyberthreat perspective, in other words, what are the cyberthreats and, you know, how do we deal with them if we see them.
So, when I talk about this threat, I generally refer to cyber as creates risks for companies and for individuals, because we are all now integrated into the global web, if you will. So, there are inherent risks associated with the cyberthreats. And the risk is threats times vulnerability. So, you have the cyberthreat and the variety of those threats within the cyber realm, and they are trying to focus on those vulnerabilities to allow them access to gather information where they can steal your financial information, steal your personal information, or what have you.
So, this slide just kind of shows the evolution of the cyberthreat. I'm not going to just detail all of these. If you're interested, you can do a quick Google search and get information on the majority of it, but what this particular slide shows is that the cyberthreat over time, especially with the advent of the internet, has evolved from largely being a nuisance-type of threat or a nuisance-type of crime to being a very organized...being run by a very organized set of individuals that have a variety of methodologies and reasons for what it is they're trying to steal. At least for me and what my squad deals with, we're worried about nation state actors, these are other countries that are using cybertrade craft to steal economic and proprietary information, personal information, and a whole host of things.
And if you look at the most current, recent threats, at least on this slide, the OPM intrusion—OPM is the Office of Personnel Management—it is the government database for all government employees and those people that have top secret and secret clearances, Anthem with health insurance information stolen, and Equifax is your debt information was compromised. So, if you look at those three particular intrusions that the information in there is valuable, not only to criminal actors, which everybody hears about all the time, deals with because you've got someone that's hacking, say, Citibank, to steal personal information, why are they doing that? For the money, it would make sense. But nation states are a much more evolved threat because they're looking to cause damage at the national security level.
WannaCry is in there because of ransomware, and if you have...ransomware is a growing threat, an emerging threat in the sense that it's becoming more complex. If you ask the city of Atlanta how they enjoyed their ransomware experience recently, they would probably not have enjoyed it too much. It was a $19 million cost to them. And we are seeing advances in ransomware all over the place.
So how the FBI looks at the cyberthreat across this particular spectrum, and when the FBI is talking about the cyberthreat, we're talking about unauthorized access to computer networks. That is what we deal with and what we refer to as cyber, if you will. There's really not a distinct definition of cyber. Ask 10 people to define it, you'll get 10 different definitions. But for the FBI, it's unauthorized access to computer networks. So, when we look at this spectrum—I call it the "spectrum of cyber badness," if you will—all the way on the left side, you have hacktivists. These are those individuals that target websites and try to be largely a nuisance. They'll hack the front-end website of a company and, you know, put up a flag that indicates their particular political grievance at the time.
Cyberwarfare on the other end is the more extreme problem, obviously, but the Department of Defense is going to be the one that necessarily deals with that. The FBI is concerned, obviously, with cyberterrorism; however, we currently don't assess if they have the capability to take down the power grid, cause problems with the financial sector, not that they would not if they could, because they would love to do that. They don't have those capabilities. But they do use the internet for recruitment and propaganda. The three other ones, crime, insider, and espionage, are the three big ones we deal with. Criminal cyberthreat makes sense because they're just looking to steal money. They want information that they can use to financially put themselves at a financial advantage. Insiders and espionage are probably the larger threat for all companies. And in some respect, individuals just sitting at home, because of the information they're trying to acquire that they can use to support a nation. So, the insider, the FBI, 58 percent of all intrusions into small companies or into the health care company, anyway, is the data on health care. Fifty-eight percent of all health care data breaches occur because of an insider, someone who had access to the network, they acceded that access or that authorization and they stole information, either to give to someone else, either a competitor or potentially, a nation.
So, when the FBI talks about cybercrime, this is the threat spectrum that we look at. So, some quick stats, at least as far as what the bureau looks at, mostly seen, IoTs, internet of things, that is everything that's not necessarily a computer, but it kind of runs like one and it's on your network. This is going to be your Alexa devices, your smart TVs, your refrigerators that will tell you if you need milk. Anything you connect to and network that is not a computer, but is an internet effect. So, those attacks are up 600 percent since last year, partially because we are all getting more of them. Chances are, we all have an internet of things device within our reach right now.
Most software is designed without security in mind. Internet of things, they are designed basically just to work, not to be secure. And so, there are instances where bad guys attack those particular devices to get access to the network. As an example, approximately two months ago, there was a casino in Las Vegas that had some data files stolen through their network. And the effector of the attack was a thermometer in the fish tank. So, that particular thermometer was networked, because it allowed them to remotely see the water temperature, the pH value. Hackers found a flaw within that software, compromised the net, the thermometer, got access to the network, and stole the data that way.
Ransomware is up 350 percent annually. If you can go a week without seeing news about a ransomware attack, we're having a good week at that point, but they get hurt quite frequently simply because it's easy to encrypt networks, and largely because someone always clicks the link. Most of the computer intrusion cases the FBI deals with, up to 90 percent, begin with a spear-phish email. Someone clicked on a link and it either runs malware or sends you to a website where you accidentally put in or, not accidentally, but you are tricked into putting in your log-in information, and that is what creates the breach.
Microsoft Office products make up 38 percent of malicious file extensions, partially because that's what everybody uses. So the bad guys are designing malware to what folks are using. Microsoft is kind of all over the business world everywhere. Sixty-one percent of breaches with companies with less than a thousand employees...I like to say this because I do speeches all the time about the cyberthreat. And most companies, the first thing they say is, "I don't have anything anyone would want." I argue that every company, regardless of size and what it is you do, has something that some bad guy wants. Either you have financial information, personal information, or you have a network they can use to launch attacks against other networks. So, I say all this to say that regardless of the industry or the sector you're in, your network is being targeted by the threats that I mentioned earlier.
We're going to skip this slide because it's basically saying that counterintelligence and cyber are becoming a blended threat. That might be really beyond the scope of what this presentation is focused on, so I'm going to skip on that right now.
The nation state cyberthreats and why I deal with, talk about this a lot, because what I see, but it's a larger, generally, I would say, a more significant threat than the criminal element because nation state actors are...when I say "nation state actor," what I'm saying is countries like China, Russia, or Iran, who want to do us harm, are taking their intelligence organizations, their versions of the FBI, CIA [Central Intelligence Agency], NSA [National Security Agency], and so on, and focusing those not only on Department of Defense entities but also private companies, because they're looking to steal personal information and economic and proprietary information because they can use that to provide counterfeit U.S. technology. So, 2014 there was a huge intrusion into a health service provider or health insurance provider in Nashville, one of the largest health insurance providers in the Southeast. And they were intruded, we believe by the Chinese, because during that year the Chinese came out with a five-year plan that said they want to be the number one health care provider, or the most advanced health care provider, have the most advanced health care providing system in the world. They didn't go out and develop new methodologies for doing this; they came and they stole it from a U.S.-based health care company. And that was an intrusion in Nashville that was exactly that.
If you have to spend 15 years to develop something, that takes a long time, it's a lot of money. If you can just go steal it and develop it in two years, that is why nation states are becoming a much larger threat, because of their rapid capability to target individuals, they have an unlimited budget, for the most part, they have plenty of people to do the attacks, and they're very good at what they do. We have certain names for these particular actors. You may have seen news where they're called the "advanced persistent threat." Basically, that means two things: they stay in your networks for a long period of time, and they are very good at what they do, and it's unlikely you will detect their presence. Most of the cases that the FBI works is because a third-party identified some kind of data breach and we went and told the people that had the breach that they had been intruded.
This is just the anatomy of an intrusion, at least as far as we see it. Again, most begin with an email. Every corporate network allows email into their system. Bad guys recognize that. They create malware or use social engineering to get people to click on links within the email. And as a result, that...(phone ringing). Is that my phone? Oh, yes, I'm sorry. That's my phone. I apologize. I'm sorry. My phone was going off.
So, anyway, so they send an email, someone clicks the link, someone goes to the website in the link, and that allows access to the network. And there's a multitude of ways this could happen. I'm not going to spend a lot of time on that. And once they're in, they will pivot from the initial computer they targeted and go around the network, if they're given administrative privileges, and steal information, and then next they'll trade it out. Again, in most cases most companies don't recognize their data's been infiltrated until the FBI knocks on their door and says, "We'd like to talk to you about your network." That's generally a bad day for most of those companies.
So, where is all this going? Well, a couple things we need to be aware of is that critical infrastructure, when I say "critical infrastructure," what I mean by that, it's those national entities that if they were to no longer work would be a problem for the country. Think of the banking industry. If the Federal Reserve network went down, that would be problematic, is that correct, Julie?
Kornegay: Yes, that would be a big problem.
Mott: If the energy, power grid went down, I would say that would be certainly problematic. If people couldn't get into their bank accounts, if the water system stopped working, all those critical infrastructure components, our adversaries recognize the importance of those because they use them, and they're all connected. They're all networked. Even the nuclear power plants at this point have some network connection. So, I mean, to be able to access those remotely and to be able to turn them off or cause additional problems in the event of some kind of larger conflict is something that we think nation states would be privy to do. And it's already been shown in 2007 in Estonia, 2008 in Georgia, 2014 in the Ukraine, Russian intelligence services or Russian actors targeted those countries when they were going through disputes with Russia. So, this has already been proven to work and we're just going to see more of it as we go further.
If you think about the 2016 election, and we heard all the news about the Russians hacking the election. They didn't necessarily hack the election, they hacked aspects of the election, the email server for the Democratic National Committee, the attempted intrusion into the Republican National Committee, and there were some voting networks that were compromised, although there was no evidence anything was ever done on those networks to change the votes or anything, but they did get into those network voting machines. All of this is saying that nation states are becoming a much larger threat than the criminal hackers, which are still a huge threat in themselves, but I would think both need to be...companies need to be aware of both of those particular threats.
Employee education and counterintelligence securities policies should be developed to go alongside their IT [information technology] security policy; that will help to reduce the threat level from the cyberthreat in your company, if they're in corporate. I mean, as I've been saying this particular bullet for eight years, and I'll be honest, I'm not sure if any company's taken me up on it, but I keep saying it because I feel like I have to.
Some risks for all sectors, again, I've said some of this, Cozy Bear and Fancy Bear, if you ever go out and you want to do a good parlor trick, Cozy Bear and Fancy Bear were the Russian intrusions that hacked into the 2016 election. So, very few people know that. So, you know, win a bet if you want to. Most intrusions still begin with a spear-phish email because someone always clicks the link. That is the one thing; it's always the human component. We are finding now you do not see a lot of computer intrusions that occur because they use some kind of software attack. The OPM breach I talked about earlier and Equifax were both committed because of insignificant figured software, for lack of a better way to say it. So those were traditional intrusions. Other things like the intrusion into Sarah Palin's email in 2008, and then several others were, someone clicked the link and they got access to go there.
There are some risk vector awareness to be...just so you understand where the risks are evolving to, we all have little computers with us with our mobile phones. Those things are being targeted by hackers and bad guys because that's where the data is and that's information they want to get into. I've talked about internet of things, I'm not going to discuss that again, but the big threat area, I'm not saying don't use Alexa, don't use smart TVs, just be aware of the additional vulnerability you're creating onto your network that will allow those threats in.
And my last line there, the lack of advance in human nature is probably the most important thing, because someone's going to always click the link. A lot of companies do phish testing where they send out an email to see who clicks the link, and almost no company I've ever talked to has had 100 percent compliance where no one clicked the link. One company here in Birmingham I spoke to did the test. They had an 8 percent failure rate, except for one person who clicked the link 44 straight times.
All right. Some points to know, data breaches are not slowing down, nor is the spending on cybersecurity. A lot of companies spend a lot of money on widgets and things to try to fix their network. Chances are, those only have a limited effect, if they don't...if they're not configured and attached to the network in addition to employee education. No one expects to be a victim. If you call us, it's too late. If we call you, that's very bad. That's not a call you necessarily want.
How to protect yourself: one of the three big takeaways you should take from all of this is you want to protect yourself and reduce risk, you can't eliminate it; you can only reduce it. Use multifactor authentication anywhere you can. Every company should have multifactor authentication for their email, for any kind of remote access, particularly if they use Microsoft 365 or 360, whatever, the 365, or any kind of shared resource, there should be multifactor authentication. You should use a VPN [virtual private network] when you're traveling; that will encrypt your data and make it safer if you're using a free Wi-Fi network. And companies should invest in risk management frameworks, threat intelligence, and employee education is a must.
Most of this I've talked about. Again, think before you click. You should have good password management in addition to multifactor authentication. In the Yahoo email breach, three billion records were stolen. That included email addresses and passwords. My guess is that those three billion people, not everyone changed all their passwords, nor did they change the passwords on the other devices that have the same passwords. So, bad guys have those passwords. You are just asking to be a victim if you don't change your password and have good password management. That's it for me. Thank you.
Kornegay: All right. Well, I have a question for you.
Kornegay: You were going to your slides and you were talking a lot about the internet of things and Alexa, and that whole idea of Alexa scares me to death. I wonder, is legislation keeping up with what law enforcement needs to access these types of...
Mott: No. The main Computer Fraud and Abuse Act was passed in 1988, I believe. It was, I may have that date wrong, but a long time ago.
Kornegay: And I'm sorry, I'm putting you on the spot.
Mott: It might have been '86, from what I remember, but it's been a long time, and that's the existing statute for computer intrusion hasn't changed in over 30 years. I would say no, they're not keeping up.
Kornegay: And to add a benchmark, I believe, and again, I'm kind of making this up as I go, well, not making it up, but the iPhone is what, 11 years old?
Kornegay: So, if you put that into perspective that we really need to think about how technology has progressed. Well, we've taken a little different turn with this Maximum Employment Matters episode because I felt like it was really important to level set the importance of these types of jobs and the work that is going on. And now we're going to transition to our next speaker. And thank you so much. That was excellent information.
I'm excited to welcome our next speaker, Dr. David Umphress. He directs the Auburn Cyber Research Center and is the CLOSA Professor of Cybersecurity in Auburn University's Department of Computer Science and Software Engineering. He's worked there for over 40 years in various software and system engineering capacities in military, industry, and academic studies. David, we're delighted to have you with us today. Thank you so much.
David Umphress: Well, thank you, Julie. It's a pleasure to be here. And thanks, Darren, for talking to us about some of the threats that are facing us. What I'd like to do is spend a few minutes talking about how we can prepare for a career in cybersecurity, if that's what you so desire.
So, what I'd like to touch on in the next few minutes is first, to paint a portrait for you as to what cybersecurity means; second, point out the diversity of options within cybersecurity; third, discuss what's required in the way of training and education in order to succeed; and lastly, to mention some of the challenges that face folks in the cybersecurity workforce.
Now, Darren has been talking about a number of terms. And at this point, if I were to play the association game with you, you know, the game where I say one word and you say the next word that comes to your mind, if I were to say cybersecurity, what would be the first thing that comes to your mind? You might reply with maybe hack or virus, malware, breach, or maybe a number of these other terms. These are terms that I came up and thinking for just about five minutes or so. There are plenty of others. Perhaps you might come up with other terms that might seem simultaneously terrifying and strangely intriguing to you. But if you look at these terms, though, you see that they all represent a number of different aspects of cybersecurity.
If we were to look at those aspects, if we were to boil everything down into a single concept, you could see that cybersecurity fundamentally is about protecting computer systems from unauthorized access or use. You know, if we were to put it even more simply, it's about understanding that there's certain information that we want to protect and we want to ensure that, first of all, that we can depend on the integrity of that information, meaning it hasn't been altered without our knowledge; that the information is available to us when we need it; that only we can access the information; that only those that have been specifically designated can access that information; and lastly, the last one there is that any changes to the information can be traced back to who made the change. And we can be reasonably assured of that.
What I've got here is a schematic of someone who's accessing some information over the internet. It could be somebody just working in a browser trying to get a web page or something along those lines. And remember, different points where the simple request could be vulnerable to some malicious behavior. Now, if you were a cybersecurity expert, a cybersecurity professional, you might ask in going from left to right, you might ask, "What am I doing?", "Am I doing anything as a user to reveal confidential information?" such as clicking on a link from my favorite Nigerian prince, or, you know, providing my bank account information. It might be, we might ask the question, "Is the hardware I'm using reliable?" It could be that I plugged in a device that unknowing to me is transmitting whatever I type to somebody across the globe.
We might look at, is the software I'm using safe and secure, or does it have bugs in it that are revealing information unknowingly? We might look at, is the data being affected by the method by which it's being transmitted? For instance, could someone jam or listen to my wireless signal, or perhaps they could listen in on my cable communication or even cut my communication. If we look at the next one over, we might be asking, "How is our data protected as it's being sent from one part of the network to another?" We might consider as we're, as any request is going to the internet itself, we might be asking, "Who can look at my data as it's being transmitted through the collection of nodes that make up the network?" This is a tough one because internet distance isn't the same as geographical distance. If I'm sending some information from, say, Washington, DC, to San Francisco, if I'm in the middle of a normal day in the U.S., then chances are that information is going to be going around the world the long way, because there's less traffic that way. But if I'm doing it at night, it might be going the shorter distance, from Washington to San Francisco. So, we have, we don't know in advance always how, where our data's going.
And if you look over at the final, right-hand side there, the end point, the idea there is, "What protections exist on the computer that is fulfilling my request for information?" Is it leaking information such as credit card information or doing something along those lines?
In looking at all of this, you're probably thinking that cybersecurity is much more than passwords, it's much more than encryption or, you know, waiting for your virus checker to finally finish checking all your files on your machine. The prevalence of network computers and the rise of computer-related crime has led to considering cybersecurity as a distinct profession. While there are a number of skill inventories that apply to cybersecurity, the one that is referenced the most today is NICE, which stands for National Initiative for Cybersecurity Education. And because it's managed by the National Institute for Standards in Technology, it's in wide use both in industry and across government.
Now, what NICE does is it gives us a nice view of cybersecurity. If you take cybersecurity as a profession consisting of seven special areas, and I'm showing them here on the screen for you. The one at the top that says Investigate, that's a specialty area which focuses on reverse-engineering malware, performing postmortems on data breaches, conducting forensics, and so forth. The Securely Provision area has to do with developing and installing secure software, assembling and constructing hardware that we know is secure, and designing secure networks. The Collect and Operate area, emphasis is taken into account the actions that are most likely to present a threat to us at any particular point in time. In the special area named Protect and Defend, addresses put in place the hardware and software and network protections that support security at an acceptable cost. And that acceptable cost might be in dollars or it might be in performance, in delays, and things like that.
Those in the Operating and Maintaining area are doing system administration type of duties. And if you're a cyber analyst, you're collecting information on groups, organizations, or countries, much like what Darren mentioned to us earlier, and identifying what they're up to, what they're capable of, and how they might try to circumvent security. And if you are working in the Oversee and Govern area, then you're dealing with managing large systems, in making and enforcing policies, dealing with regulations perhaps, or even dealing with laws.
Now, although these areas collectively overlap on cybersecurity fundamentals, they each have a set of unique skill requirements. For example, to enter the Investigate skill area, you need to have some fairly substantial and sophisticated skills in systems engineering, computer science, software engineering, computer engineering, and information technology. That doesn't mean that you can't do it right out of high school, for instance, but what it has to do with is how effective can you be. You need to know a lot of things in order to do this effectively because it involves tracing down problems.
Similarly, the Securely Provision area places demands on producing secure products. It's quite one thing to write software, quite another thing to make sure that you engineer the software so that it protects this data. If you're working in the Collect and Operate area, and essentially the...excuse me, Collect and Operate and Protect and Defend area, then you're working using the skills that are required of, say, a two-year degree or a four-year degree. That's the level of sophistication at which is needed in order to succeed.
If you're working in the Operate and Maintain specialty area, that requires a lesser degree of technical skills. This requires skills that typically come about by training and certifications in the beginning, and then later move up into more the sophisticated skills later on in your career. Analyze is an interesting one because it can be done early in someone's career. Essentially, everybody is used to noodling around on the internet and finding things. You know, you stalk people through Facebook and things like that. That can be done with a fairly minimal amount of training, but to actually understand what's happening in a political context typically takes, you know, a substantial educational background. This is a very interesting area in that it isn't always just specifically relegated to technical people. Analyze is often done with people from political science or psychology or criminal justice backgrounds work very heavily in this area.
And again, the last one, Oversee and Governing, the idea there is that it requires experience, it requires a knowledge of things from a larger perspective, from the IT and management information systems background in order to identify policies and regulations that make sense and don't adversely affect organizations.
Now, if you look across this, you might think, "Golly, this cybersecurity stuff is all just, you know, technical geeky stuff," but really, we can flip it on its side and say, you can be a cybersecurity professional that's working strictly on, you know, cybersecurity stuff or you can fold cybersecurity into other areas as well. For instance, if you're working in an aeronautics area, you still have to be aware of cybersecurity. You still have to be able to trace down issues. You need to make sure that you're using hardware from a trusted supply chain, that you're operating your networks within an aeronautical system, for instance, effectively. The same with automobiles, the education arena, manufacturing, and so forth. So, all these areas entail some degree of, require some knowledge of cybersecurity.
Now, the challenges that face the workforce at this point, and as Darren mentioned, it's education. Cybersecurity is more than just noodling around on networks and maybe writing a little bit of python or things like that or doing some encryption. It's much, much more than that. Sure, it involves those things, but it involves understanding hardware systems, software systems, network systems, and so forth. And really when you look at it, it employs a wide, wide range of skills, ranging from the very technical to the more mundane, like running a network to, you know, the exotic, like being able to look at a group of people or an organization, determine if they're going to pose some type of threat. And in that way, it's really interdisciplinary and multidisciplinary. It embraces a number of different areas. And all of them can fold together to contribute to it. It's in high demand.
I get calls, at least four or five calls a week from people that are asking for students that are graduating from our program at the undergraduate program, master's degree, and even at the PhD level asking if I'll give them names of the students so they can hire them. So, it's in tremendously high demand. So, the students that come out of our programs with a cybersecurity background, we've got 100 percent employment at this point. And we could easily fulfill many more jobs than that.
And lastly, it's just not for nerds. Sure, you can do the nerdy stuff if you want to, and you can really get deeply down into the nerdy stuff, but it's for the normal people as well. You know, speaking as a nerd, I enjoy doing the nerdy stuff, but there's room for everybody in this area.
So, with that in mind, I've got my email address down at the bottom. If you'd like to shoot me a question after this presentation, I'd be happy to answer it. Thank you, Julie.
Kornegay: Well, thank you. That was fantastic. And I do have a question for you, if you don't mind. And I don't want to put you on the spot, but I'm curious, are there scholarships available for students that are interested in this area or any type of...I mean, I see on your slide prior to this one looking at aeronautics, agriculture, if there was a student that was interested in cybersecurity and they wanted to come to Auburn, where would they go to look for possible scholarships? And this is a plug for Auburn, so...
Umphress: Hey, we're “War Eagle,” thanks. The scholarships, there are scholarships that are available for students. Many universities have named scholarships, people that contribute money to the university for a particular cause and things like that. Those are probably the most prevalent ones. There are some scholarships that are a little more organized. For instance, I have a scholarship that's known as the Cyber Corps Scholarship for Service scholarship, and it's a scholarship that pays tuition, books, and a living allowance. But for the scholarship that I work with, it's at the junior and senior year. The biggest thing that we see for students coming right first into college, is they think they want to know what they want to do, and then they end up switching majors two or three or four times before they really fall into what they feel comfortable with.
And so, oftentimes scholarships obligate you for, you know, a certain period of time. And so, that's the reason why you don't see a lot of scholarships in the earlier years with regard to cybersecurity, but there are some around, even at the community college level.
Kornegay: Okay, great. Well, thank you so much. I appreciate it. So, we're going to transition. And if you guys can load the next poll question for me and I'm going to try this down here. So, what is the—if you guys want to participate—what is the forecasted growth of jobs in cybersecurity? Is it, A, less than 10 percent; B, between 10 and 15 percent; C, 15 to 20 percent; or D, 20 percent or more? And I'll give you guys a second to respond to that. And if you guys have questions, when you're done answering the poll question, go ahead and start typing those in the chat box, and we will get to those in just a moment.
All right. And so now I'm going to go on to, let's see. If you could close up that poll? And let's see what the responses were. I'm not seeing the answers.
Roark: Yeah, I'm sorry, Julie. It's just taking a second to load those results. And that will be in just a second or two.
Kornegay: Okay, sure. Well, I'm going to transition to our next slide. And then, let's see. I don't want anyone to give away the answer. So, 28 percent is the forecasted growth for information security analysts in this area. And, let's see. Yeah, so most of the folks got that right. Good job.
So, I thought before we got too far into the questions, I'd take a minute and talk about the money, because that's really what people want to know, right? So, let's look at, we looked at the forecasted growth. And then, according to the Bureau of Labor Statistics, employment in this field is projected to grow 28 percent between 2016 and 2026, which is much faster than all occupations. And you see that at the bottom the total of all occupations is 7 percent. So, what does this mean for teachers and counselors and students that are listening today? You need to take some computer classes, definitely. As our speakers mentioned today, cyberattacks have grown in frequency and analysts are needed to come up with innovative solutions to prevent hackers from stealing critical information or creating problems from computer networks.
Banks and financial institutions as well as other types of corporations need to increase their information security capabilities in the face of growing cybersecurity threats. Another area, health care industry, expands its use of electronic medical records. Ensuring patients' privacy and protecting personal data are becoming more important. It seems like nowadays when you go to the doctor's office, they don't hand you a clipboard anymore, they hand you an iPad. And so, you're putting all of your important information right out there.
All right. So, I'm on my last slide here. To give you a better idea of what the work looks like and the income potential in these fields, I put together this slide and it illustrates the salary band within the information and security analyst job family. So, most of the positions require a bachelor's degree in a computer-related field. And experience is definitely a plus. The median annual wage for information security analysts was $95,510 in May of 2017. The median wage is the wage in which half of the workers in an occupation earned more than the amount and half earned less. So, in this field, the lowest 10 percent earned less than $55,560, and the highest 10 percent earned more than $153,090. And then you'll see the orange trend line. That line represents the 2017 annual median income for all workers. And that was $30,533. So, as you can see, all of the jobs in this area would be considered high-paying jobs.
Computer support specialists and web developers typically require a minimum certification or associate's degree, but like I mentioned a moment ago, all the other positions require a bachelor's degree or higher. Some of the important qualities the candidates in this job should have: analytical skills, detail oriented, ingenuity, problem-solving skills, communication, and teamwork.
So, with that being said, I'm going to transition to our Q&A section. And as we kind of get some of these questions that have come in consolidated and we look at some of this, I think I'm going to ask the first question; that's my prerogative as the host. And so, I'm going to ask this to both of our speakers today. Of the important qualities I just mentioned, the analytical skills, the detail-oriented skills, ingenuity, problem solving, communication, and teamwork, which would you say is the most important? And I'm going to lead off with Darren, because he's right here and I can give you a second to respond to that and then I'm going to ask David. So, David, you get the advantage here of being able to put some thoughts together.
Mott: I would say probably the analysis and problem solving, partially because the threats are continually going to change, so you're going to have to be able to develop solutions to risk problems as they come in, and you may have to make those changes on the fly as the threat changes, if it's something no one's ever seen before as to how you're going to address this. As new things are developed, there are technologies that have not even been developed yet that are going to become cyberthreats that we're not aware of. So, when those come out, the one thing, again, that will never be created with any software-based product is security. So, you're going to have to figure out how to deal with that particular security violation. Being able to quickly solve that problem, perhaps come up a unique methodology to do that are probably the key areas.
Kornegay: Okay. Well, so, I wonder, I mean, if you have a candidate that comes to you, to the FBI, do you have—and if it's top secret and you can't share it, then you just let me know—how do you develop talent like that?
Mott: Well, that's a tough one because the FBI, there's two, you have two career paths in the FBI. You have a special agent career path who are all the investigators carrying guns and badges, we arrest people, do search warrants, do all that stuff. And then you have the professional support, and within that particular realm you have your internet technology specialists, the folks that make the networks run, the folks that bring in new hardware and your new software and do all of that. So, there's two different job tracks. It depends on the track you want to go into.
So, I'm on the agent track and I've worked the cyber track, but I haven't necessarily come in with a, I had a master's degree, but it wasn't in cybersecurity, but I've been dealing with computers since 1977, so I had a more innate capability to deal with cyber and understand what it was, especially 19 years ago when the FBI didn't even have a definition for cyber.
So, we have changed the hiring track range, in that we hire a lot more engineers and folks with a cyber background because we recognize in that track they are more important. So, you don't have to have necessarily any specific degree to be an agent. And, I mean, it's very likely that if you come in with a cyber degree you could be working bank robberies for the first five years. It's hard to tell. This is a funny organization in that respect. But, in most cases, if you come in with a cybersecurity background, you'll probably work the cyberterrorism or some aspect of it.
Kornegay: Very good. Very good. All right. David, you're up. Do you want me to repeat the question for you?
Umphress: No, I've got it, thanks. I agree with Darren, but I think all of those skills are vital. Most of the people that I work with, by the time they finish a degree or by the time they enter the workforce, they've achieved good problem-solving skills and things along those lines. But the hardest thing that I see from the people that I work with is soft skills—being able to communicate effectively. They want to talk in jargon. They want to use words that nobody understands. They get excited and talk about things in a language that, you know, just really baffles people and it's tremendously important to be able to communicate effectively at the level of the people that you're communicating with. And so, I guess I place that at the top.
Kornegay: Darren's agreeing with you and...
Mott: I can revise my answer.
Kornegay: Well, and I was, I wasn't trying to lead, but I did want to go there because I would say that a lot of times in my background and trying to learn more about cybersecurity and cyberthreats and terrorism, that a lot of times people do work in teams and you have to communicate. And, you know, that's not information that you sit on, so how do you disseminate that? And so, yeah, I would love, do you have any feedback or any thought on how you can improve soft skills in the young folks that you're working with?
Umphress: Oh, sure, practice. It has to happen all the time in every particular venue. And whoever's doing it needs to receive feedback on how effectively they're communicating.
Kornegay: All right, that sounds great. Well, so, going to work on their soft skills, everybody listening can work on soft skills next week. So, I wonder, I was reading something in my homework and I came across a scenario or an instance where someone was telling how they got into cybersecurity. And they commented that they just sort of fell into it; that they had moved from another department or had been trained. Do you see this much in your area, or is this something that is more specialized at this point? And I'll let Darren kick it off and then I'll come to you, David.
Mott: I don't think in the companies I've dealt with I've seen that particular instance, but as far as...I can't really address that because how the FBI works is completely different.
Kornegay: All right. David, what do you think?
Umphress: Well, from my perspective, and I've been in the software world for a long time, is that we're...cybersecurity is more of a rebranding of what we've done for a long time than what we've been aware of. So, when you hear somebody moving into cybersecurity and things like that, it's always been there, or it's been there for a long time and there's been a need for it. So, we're just now beginning to see cybersecurity emerge with degree programs and with specific certifications, so somebody can brand themselves with that. But right now, for most of the generation of workers and professionals, they've been around longer than cybersecurity has as a recognized discipline, so they're moving into it.
Kornegay: Okay, well, I've got a question and I think I know the answer, but I'm going to ask it anyway. And it says, "Does the federal government offer scholarships to work for them?" So, I'm wondering if it's like, if you were recruiting at the FBI, is that something where they would have to be hired and that they would pay for additional training?
Mott: Yeah, that's a good...so the FBI does not necessarily offer scholarships saying, "We will pay for your tuition, you'll come work for us." There are federal programs that do that; NICE foundation does that, and I believe—I believe David mentioned cybercrime may not—again, I'm not in that world, so I'm only aware because my son is in cybersecurity at UA, so I've kind of looked at that a little bit. But what we do, like the FBI does do, and they did this for me, is if you are an active employee, the federal government will pay for your master's or for an advanced degree. I got my cybersecurity degree through the FBI. So, yes, we do offer that if you're employed. As far as if you're not employed, there, I believe there are federal scholarships available.
Kornegay: That makes a lot of sense, right?
Umphress: For participants, if you're interested in a scholarship, there are two major ones, and you could just Google them. One's called SMART, S-M-A-R-T Scholarship. It has to do with working with government organizations, specifically the military. The other scholarship, the one I mentioned earlier, is called Cyber Corps, C-Y-B-E-R C-O-R-P-S. And it's also referred to as Scholarship for Service, and you'll hear it referred to as SFS. If you Google Cyber Corps, SFS, you'll get a list of all the Cyber Corps schools or schools that offer that scholarship.
Kornegay: Oh, great, thank you. I've got another question, and we may have to talk about this a little bit. This says, "How do you motivate educators to encourage students to enter this field?" And I think, one, it seems like this program is building awareness of what's going on, because things are moving so quickly in this environment. But I wonder if the broader question, how do we motivate students and parents and educators to get excited about this field? And so, I'm going to start this time with David. He's had the advantage here. So, do you want to share any ideas or thoughts or, you know, how do you have a pep rally for cybersecurity?
Umphress: Well, first of all, it has to do with education. And it's educating not only the students but their parents about what we refer to as cyber hygiene. How do you—there are four questions you need to answer: what information is important enough to protect; how do you go about protecting it; how do you know that it is protected; and what do you do in the event of it being breached in some fashion?
And so, that applies to all of us, you know. How do you protect the information? Like, the length of passwords. And how do you notify if something adverse happens, and so forth. So, I think with a greater awareness of cybersecurity, then that will begin to motivate people. It's not a problem of motivating a lot of young men to get into cybersecurity, but it is an issue in motivating young women, especially disadvantaged minorities, because they're oftentimes discouraged; by the time they reach college, it's really tough to get them motivated. It has to happen in the K through 12, early K through 12 years. And schools have to be equipped to address these issues and get these students excited about the possibility of really cool things that aren't always technical, but a lot of cool things having to do with cybersecurity early in their educational exposure.
Kornegay: All right. That's really good feedback. Now I'm going to turn it over to David.
Mott: No, Darren.
Kornegay: I'm sorry. There's so many Ds, I'm just getting them confused.
Mott: It's an interesting question. Before I joined the FBI, I was an educator. I was a high school teacher in Florida, and I think I've been around computers for 20 years. And I think actually, I motivated myself to enter the field, as opposed to motivate students. But that's a rough question. How do you motivate educators to encourage students into the field? I'm not sure, how do educators motivate students? But I think part of it is, there is a huge, there are lots of job opportunities within this particular world. It's projected by 2021 there will be two million vacant jobs within the cybersecurity realm. So, if you're an educator and you're looking to do something different or even just in addition to what it is you're doing, pick up this field and start doing it yourself, you'd be surprised how many opportunities there are for you to get involved in the field, and then you can translate that to your students as well.
I mean, again, I don't know what the educators in the room are doing, as far as what they're teaching now. So, for an English teacher, it might be different than for a math teacher, but that's the best answer I can come up with.
Kornegay: That's a great answer. Well, quickly, I have two more questions that I want to ask you, so we'll try to be brief. And it's along the same lines of what we just talked about. How can educators prepare students for jobs that haven't been created yet? When you think about...oh, yeah, I certainly threw you under the bus. So, when we think a lot about the kids, the students that are in ninth grade, or even in sixth grade right now, when they're done with school, what is work going to look like for them in this field? Any suggestions or just, if you don't have any, that's fine, too.
Mott: Maybe that's where the problem solving and ingenuity come into play.
Kornegay: Maybe so.
Mott: I don't know. Most students probably say they are going to be YouTube stars so anyway, you know, it's a good question.
Kornegay: Yeah. But I think what is the problem-solving skills that you were saying, that's the skill, these practice soft skills that we mentioned earlier, might be the best way for them to adapt as these changes occur.
Mott: Well, right. But if you think, look at Silicon Valley. I mean, four years ago, was Uber around four or five years ago? I don't know. It may have been, but it wasn't around 10 years ago. So, being able to come up with things that can make people's lives easier is going to give them a lot of different opportunities going forward because if they can come up with an idea of how does this make someone's life easier, and can I then create it, program it, produce it, and then monetize it, there's a lot, I think there's a lot of...
Mott: It's an infinity loop at that point, as far as your options.
Kornegay: David, do you want to hop in?
Umphress: Well, I think that when we look at how we work with students, we need to look at what we're really teaching them. There are some skills that are nonvolatile, that aren't going to change: this is communicating, working with teams, problem solving. Then there are very volatile skills on a total opposite end. And specifically, in the area of technology, that's where you find those type of things. Right now, the half-life of technology is about 18 months, meaning if I were to teach somebody something now in a highly volatile computer science field, in 18 months it would be, will have changed.
A case in point. I teach a course in Android, development for Android mobile devices every year. I teach it once a year. And every year I have to revise the course because, well, in the past year, two versions of Android came out. The previous year, another version of Android came out. So, I'm continually revising it. So, I think the thing to do is to look at a healthy mix of nonvolatile and volatile topics, realizing that, you know, the volatile topics are the ones that are going to excite people and get them going, but those are the ones that are going to fade very quickly. It's the nonvolatile ones that are fundamental, that really are truly the ones that carry over.
Kornegay: Wow, that's really, really good. Thank you so much. I wanted to thank both of our speakers today. You guys have done an amazing job. They didn't laugh at me too hard, with all of my technology challenges. But, so I didn't have time for my last question, but that's all right. And if you guys are interested in more information on cybersecurity, then join us tomorrow. We have another webinar series, and we're going to look at cyberterrorism and protecting our financial systems. We're going to do a deeper dive on that.
And so, with that being said, on behalf of everyone, I'd like to thank you for participating today. If you joined us via the webinar tool, you likely saw a survey link pop up on your screen. Please take a moment to complete that and let us know how we did. You will also receive a survey via email. And you only need to fill this survey out once. So, if you know someone that would find this session valuable, please let them know about tomorrow's program, but also this has been recorded and we will archive this on our Maximum Employment Matters web page in the coming weeks.
With that being said, thank you so much for joining us. I'm going to bring this session to a close. And we hope you enjoy the rest of your day.