Listening to Christopher Long describe teaching his subject makes parts of it sound like a breezy outdoor summer camp, not training for one of the most highly sought after, yet undertaught, skillsets in the country.
Capture the flag competitions and scavenger hunts are examples of what the fourth-year teacher of the course Cybersecurity Fundamentals calls “gamification” of his subject. But Mr. Long, a former network administrator who switched to teaching at South County High School in Lorton, Virginia, six years ago, knows that cybersecurity itself is no game.
“The tasks that they have to accomplish are things that if they get a job in cybersecurity, they’ll do all the time,” he says.
His district in Fairfax County, Virginia, outside of Washington, D.C., was the target last year of a cyberattack, one of 50 ransomware incidents against public K-12 schools reported across the United States in 2020 – up from 11 in 2018. Mr. Long suggests that cybersecurity courses may become academic requirements in the years ahead and says this type of education is “desperately needed.” Some school districts are starting to agree, both for their defense and for their students’ futures.
“The ransomware attacks that were happening in the K-12 systems were absolutely that light bulb moment for districts and, even state departments of education, to open their eyes up” to teaching cybersecurity to students, says Kevin Nolten, director of academic outreach for CYBER.ORG, a Department of Homeland Security-backed organization, whose mission is to bolster K-12 cyber education.
The urgency is being felt across the country. Districts like Haverhill Public Schools, north of Boston, and Baltimore County Public Schools in Maryland, have had to cancel classes due to cyber attacks in recent years.
The Government Accountability Office called on the U.S. Department of Education this fall to take additional steps to help protect K-12 schools from cyber threats, but its recommendations were not pedagogical. They were geared toward getting the department’s leadership to prepare for the years ahead.
“This is a really hard challenge from a federal level because the federal government has very little role in education,” says Laura Bate, a senior director of the Cyberspace Solarium Commission, a group tasked by Congress to devise a strategy to defend the United States in cyberspace.
Ms. Bate calls education a “long-term solution” to cybersecurity problems. “We need to be able to teach this [subject] to our kids,” she says.
The number of high schools offering computer science has gone from 35% in 2018 to more than half of America’s high schools (51%) in 2021. But only 4.7% of high school students are enrolled in a foundational computer science course, a subject to which cybersecurity is a subfield, according to a recent report from Code.org.
In Florida, Broward County Public Schools, the target of a ransomware attack earlier this year, worked with CYBER.ORG to create K-12 cybersecurity standards for students and plans to offer specific training to teachers tied to these standards later this school year. Other states and localities will have the option to incorporate the new standards into their curricula.
Monika Moorman, a fourth grade teacher at Broward County’s Central Park Elementary in Plantation, Florida, who worked on the national team of educators to craft the standards, understands their importance for the students in her classroom.
“Students who are exposed to cybersecurity learning standards become better versed at navigating the online realm,” the district’s 2021 teacher of the year says, in an email to the Monitor. “They learn to understand the ramifications of their digital footprint which guides them in a responsible online behavior.”
Taking steps in Virginia
In Fairfax County, only about 2% of the district’s nearly 60,000 high schoolers take the elective class that Mr. Long teaches, where students learn both the ethics of the emerging area and the technical knowledge, such as how to run a command line on a Linux operating system.
“People hear a lot of things about ‘you shouldn’t do this, you should do that,’ but don’t really know why,” says Mr. Long, in an interview last month, sitting at his desk after a full day of teaching. “And honestly, a lot of the kids don’t care too much until they actually see the why.”
The students’ training doesn’t start with how to stop a ransomware attack. It starts with how to be a good digital citizen. One of the first lessons that Mr. Long teaches is cybersecurity ethics. The class explores, for example, intellectual property issues and the bootlegging or downloading of materials illegally.
The students are “growing up in a generation where [bootlegging] is so mainstream that they’ve never even considered the ethical issues,” Mr. Long says. “There’s a lot of people whose livelihoods depend on some of these services being paid and if you’re hacking to get free service, you’re potentially threatening the very service that you want to use.”
For the digital-native students – some of whom have been online since they were toddlers – these lessons are eye-opening, their teacher says.
The eye-opener for the district was last year’s ransomware attack. Fairfax County Public Schools hired its first director of cybersecurity after the incident, which resulted in employees’ personal information and student disciplinary records being pilfered by the hackers and held for ransom. Even so, classes continued, and Mr. Long says the attack did not have as much influence on his students as the more publicized Colonial Pipeline cyber incident, which caused gas prices to rise in the area earlier this year.
Whitney Ketchledge, Fairfax County Public Schools’ coordinator for career and technical education, says the class helps equip students for the world they’ll engage in as consumers, but also she emphasizes the preparation that the class provides for a potential career.
In addition to ethics, students in the class learn how a network operates, the perils of phishing attacks, and the basics of software programming.
“Our students are looking for ways to make things better,” says Dr. Ketchledge, in a Zoom interview. Separately, a handful of students from the district are gaining hands-on experience by interning with its department of information technology.
There are about a half a million cybersecurity job openings in the United States, President Biden said from the White House in August. He called the vacancies a “challenge” but also “a real opportunity.” Much of that opportunity though – both for cyber defense and cybersecurity education – lies in the hands of decision-makers outside of Washington.
As with personal finance classes, which started as electives and became required courses, a similar trend may be occurring with cybersecurity, Mr. Long says. “There’s a good chance that there will be at least some version of cybersecurity that will start to fall into that category,” he says. “It’s going to become required knowledge.”