To help close the cyber talent and workforce gap, the infosec community may want to think younger, by more meaningfully exposing school-aged children to concepts that might encourage them to pursue a future career in digital security. To that end, cyber education organization Cyber.org announced Wednesday what it is calling the first-ever set of cybersecurity learning standards designed for K-12 schools across the U.S.
Funded through the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Cyber.org is encouraging states to adopt its K-12 Cybersecurity Learning Standards ahead of the 2022 school year, though the organization anticipates that a few forward-thinking districts that contributed to the standards document may be ready to implement them in time for this coming school year.
The idea is to teach cyber concepts in a manner that is consistent across school districts, regardless of socioeconomic status and access to technology — such that the program over time develops a diverse and cyber-literate pool of talent for universities and businesses to recruit. And according to Dr. Chuck Gardner, director of curriculum at Cyber.org, there’s every reason for businesses and the cyber community to support this initiative.
“There are over 500,000 career opportunities right now across the country in the area of… cybersecurity. Businesses across the country are looking for talent to support their cybersecurity needs. CISA recognizes this as a national security problem,” Gardner said in an interview. With that in mind, “we’ve taken it upon ourselves to identify K-12 as the pipeline for supplying that national talent.”
“By creating a set of national cybersecurity standards, we want to make sure that students who are going to be graduating high school now [and] in the future have not only a foundational understanding of cybersecurity, but also skills and knowledge to pursue cybersecurity as a career,” Gardner continued.
Cyber.org’s standards document doesn’t recommend a particular curriculum or set of activities to help teach these topics, though that is expected to come later. Instead, it recommends core concepts and topics of discussion, built around three pillars of study — Computer Systems, Digital Citizenship and Security.
Computer Systems covers such subtopics as network communication, network hardware and software components, cloud computing, protocols, data loss, internet of things, operating systems, software updates, programming and scripting, and apps. “We're looking to have discussions about hardware and software that are working together to achieve objectives [of] cybersecurity professionals who are working to prevent adversaries from exploiting weaknesses in computing systems might seek out to disrupt confidentiality, integrity or availability,” said Gardner.
Digital Citizenship encompasses “the responsible and appropriate use of technology within society,” explained Gardner. This area touches on lessons about cyberbullying, digital footprints, public and private information, threat actors, ethical integrity, laws and regulations, intellectual property, and user agreements.
And the Security bucket includes the CIA Triad, access control, data security, threats and vulnerabilities, cryptography, authentication, securing network components, and security controls. “We're characterizing the user's responsibility for protection of access to computer networks,” said Gardner. “We want to make sure that there's secure entry to all physical devices and inherent accountability to protect personal identification information and organizational data.”
The discussion topics are presented in an increasingly sophisticated manner as students mature and graduate to higher grade bands. For instance, Cyber.org advises that grades K-2 can cover the topic of access control by talking about what kinds of information should be considered privileged or private. Next, students in grades 3-5 should be asked to identify examples of authority figures with whom they can share private information. Grades 6-8 can discuss the concept of authorized users and offer examples of why access control is necessary across user platforms. And grades 9-12 should examine “the concepts of identify, authenticate, and authorize as access control principles, as well as MAC, RBAC and DAC as access control modules,” the standards document states.
Though officially announced Wednesday, the standards have actually been in development since September 2020, after Cyber.org formed a task force of stakeholders and K-12 educators to provide input and feedback.
“The K-12 cybersecurity learning standards will help align curriculum in different districts and states to better prepare students for future cybersecurity careers,” said Janet Hartkopf, cyber program director at Basha High School in the Chandler Unified School District in Arizona. “Educators now have a clear rubric to guide cybersecurity curriculum and help address the existing gaps in the talent pipeline,” she continued, in a press release.
According to Gardner, a smattering of U.S. states and local school districts have taken ambitious strides in exposing children to cyber concepts and lesson plans, but much of the country needs to catch up. Cyber.org leadership decided that its own extensive reach placed it in the perfect position to help.
“We have over 20,000 teachers from across the country who are accessing our curriculum at any point,” said Gardner. “With our national presence, we [have] a platform where we could synthesize all the great work that's happening across the country, and produce a document that the states who haven't gotten on board with cybersecurity education in the classroom yet, or even cybersecurity standards… would have some document that they could refer to.”
To encourage rollout to classrooms, Cyber.org plans a coast-to-coast speaking tour that extols the benefits of the standards framework, while presenting a rollout plan for interested stakeholders.
Last week, Kevin Nolten, director of academic outreach at Cyber.org, testified before the U.S. House of Representatives Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection & Innovation to discuss how to bolster the cyber pipeline through education. He also emphasized the importance of supporting and funding the DHS’ Cybersecurity Education Training Assistance Program (CETAP), which provides K-12 teachers with cybersecurity curricula and education tools.
“K-12 cybersecurity education must be viewed as the vehicle in which we can introduce the next generation of cybersecurity professionals to careers in the field. Expanding K-12 cybersecurity education is critical to addressing the cybersecurity workforce shortage,” said Nolten in his testimony.
Nolten made several recommendations to the lawmakers: more funding for education and workforce development, recognition of CETAP as the K-12 feeder program for various federal cyber workforce programs, and advancing initiatives that connect students at varying levels to actual cyber jobs.