Kids make the best social engineers, says Reuben Paul, with a giggle, as he tries to cajole this writer out of her password.

He knows from whence he speaks – and the giggle is totally, and refreshingly, age-appropriate. Reuben, at 8, is not only well-versed in the wily ways of children, the third-grader is already an information security pro of sorts, developing a pair of security apps aimed at kids, heading up a gaming company and keynoting at IT security conferences like the Houston Security Conference. 

OUR EXPERTS:
Start early

Gene Fredriksen, CISO, PSCU 

Jeff Jacoby, program engineering director of cybersecurity and special missions, Raytheon 

Michael Kaiser, executive director, NCSA 

Reuben Paul, CEO, Prudent Games 

Phyllis Schneck, deputy undersecretary for cybersecurity for the National Protection and Program Directorate (NPPD) at the Department of Homeland Security

In fact, when SC Magazine caught up with him to get his thoughts on how to raise IT security awareness among kids – especially when they’re online – and on what the industry and children can do for each other (hint: the industry needs skilled security workers, the cyber generation of children have a facility with technology…you do the math), Reuben was packing his bags to fly to India, where he was slated to keynote at the Ground Zero Summit.

Children, like adults, “need to know that actions in cyberspace have consequences,” he says.

While children, brought up with good security hygiene, represent the industry’s next best hope, they’re also, unfortunately, an obvious point of vulnerability, easy targets of online predators. They are more trustworthy than adults,” says Reuben, explaining their cunning. “And kids are more trusting than adults.”

They routinely expose they’re parents’ personal information and sometimes inadvertently run up outrageous credit card charges. For instance, app store owners like Apple and Google have recently drawn the ire of the Federal Trade Commission (FTC) and were ordered to refund millions of dollars to parents whose children were allowed to make online, and costly, purchases without their consent. 

In other cases, the FTC has fined children’s app-makers like Path and W3 for violating the Children’s Online Privacy Protection Act (COPPA) by collecting and storing personal information about children under 12 years old.

Dual mission

Because children can be both the victim and (often inadvertent) perpetrator, the IT security industry is charged with both protecting the internet from them and protecting them from the internet. The payoff for cybersecurity as a whole: Youngsters can eventually become skilled workers and improve the country’s cyberposture.

One of the best ways to create “cyber resilience” is by educating and training the young, says Phyllis Schneck, deputy undersecretary for cybersecurity for the National Protection and Program Directorate (NPPD) at the Department of Homeland Security.

However, she readily admits that “basic hygiene” is missing from the curricula of computer science programs at universities. Schneck believes in catching young people early, encouraging good hygiene and attracting the brightest to the IT security industry. “We need to raise the encouragement level, especially among young women,” she says. “The industry needs to show girls that it’s cool to be in security.”

Like Reuben, the Homeland Security cyber guru’s interest in computers was influenced by her father and prompted her to get a Ph.d. in computer science from Georgia Tech. Reuben, too, has learned by osmosis, absorbing his father Mano’s security-related conversations with business associates. The young entrepreneur’s interest first came to light when Mano blanked out during one such business dialog and was searching for the word “firewall.” Reuben piped up to fill in the blank, much to the amazement of the adults around him. 

That early interest in computers and security led to the development of a trio of applications designed to, as the company tagline says, help kids “learn while you play.” While one app takes on math, the other two tackle security – Cracker Proof leads children through four simple steps to make their passwords stronger while Crack Me If You Can promises “a fun way to learn about bruteforce attacks.”

Not every kid will have Reuben’s proclivity for all things computing and security, but, by increased exposure to IT security – through school, mentoring and government programs – they can develop the skills that will both protect them and turn them into future security pros.

Those are two goals encouraged by Reuben (left), whose talk in India addressed the need to sharpen his generation’s cyberskills, and whose ultimate dream, he says, inspired by cyberbullying and the suicide of a 12-year-old girl, is that “one day all the world will celebrate Cyberchildren’s Day,” a day for kid safety on the internet.

But first there’s a lot of work to do. 

Millenials are well-known for their tech prowess. But, for their security acumen, not so much. In its second annual millennial study, Raytheon found that the demographic was indeed becoming more security conscious but were “still engaging in risky behavior,” according to Jeff Jacoby, program engineering director of cybersecurity and special missions at Raytheon.

In the three months prior to the survey, 72 percent connected to public Wi-Fi without a password and 52 percent plugged into a USB device, such as a memory stick given to them by someone else. That they have sloppy security hygiene is not that surprising (have you seen their dorm rooms?), nor is their keen interest in cybersecurity jobs.

According to the survey, the group was more likely to be interested in a career in computer science rather than in medicine, politics or Wall Street. More than a third (35 percent) cited app developer as a desired career while cybersecurity drew the interest of 25 percent. Nearly 40 percent had a greater interest in a career that would make the internet safer than was measured 12 months ago. But they don’t have any real understanding of what that type of job might entail.

That interest is a plus for the IT security industry, whose job market, according to Ponemon Institute research, will show a 40 percent vacancy starting this year.

Coupled with significant growth – the Bureau of Labor Statistics predicted a 22 percent growth in employment for cybersecurity by 2020 – the IT security industry needs a greater pool to draw from.

But until they’re trained up, young workers pose challenges for CISOs. Gene Fredriksen, CISO at PSCU, notes that, by and large, millennials believe that security problems “are not going to happen to them.” As a result, when they enter the workforce, “you have to do basic security awareness training,” he says.

That’s a task made easier if colleges, high schools and industry up their game.

DHS cyberchief Schneck calls for computer science programs at universities to “teach basic hygiene.” And Raytheon’s Jacoby points out that 64 percent of the milennials surveyed didn’t have access to computer classes, including computer science, in high school.

That’s “not to fault schools,” says Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA). Educational institutions are preoccupied with other aspects of education and “don’t have the knowledge about this sector,” he says.

Jacoby concurs, noting that awareness training and education should begin in K-12…or even before.

After all, it was innovative school and afterschool programs that helped propel Reuben down the tech path. “I was put in a program at school and the assignment for class was to make a game,” he says, explaining how he created his first video game as a first-grader. He also attended robotics camp in his hometown of Austin, Texas.

While weaving computer and security classes into the curriculum or creating robust tech offerings in afterschool programs are clearly critical to the education of the future generation of security pros, there is real “opportunity for cybersecurity businesses and community members to collaborate with educators on cybersecurity awareness programs, including cybersecurity as a career,” says Kaiser.

Government, industry and educational groups have certainly begun to step up. Groups like the Executive Women’s Forum (EWF) offer scholarship dollars for young women pursuing security careers. And an initiative just launched by the Information Systems Security Association (ISSA) to close the workforce gap and provide education for IT security includes offerings for “pre-professonals” – students or young adults.

To raise cybersecurity awareness among elementary school children, Intel Security and Discovery Education has unveiled the “Intel Security Digital Safety Program,” a three-year national effort offering a sweepstakes competition for teachers and parents to earn grant funding for the elementary schools. The program initially will target children aged eight through 11 who will receive a cybersecurity certificate once they complete the program.

Future IT security pros

The earlier children are introduced to an activity, the science proves again and again, the more likely they are to master it. Proof of concept requires only a single trip to Starbucks where the tech-savvy, under-two set are adeptly moving from app to app on iPads and smartphones while their parents sip lattes.

The trick with kids is to make them “play without realizing they’re learning at the same time,” says Reuben, who took iPads to school and encouraged classmates to try his apps.

While some child experts warn, rightfully so, against too much screen time for the smallest users, introducing good online hygiene early can have a rippling effect, building good habits and cyber resilience as those children grow to adulthood and enter the workforce. “What we do as individuals has ramifications on national security,” says Jacoby, who advocates for training and raising awareness so that all digital citizens are safer online. 

Could a Safe Internet Day for kids be just around the corner? Reuben is committed to making it happen – every January 20 (his birthday). And, he says, kids should get the day off from school, of course.