
[Applause] So I'm going to talk about CyberPDX. This is a camp for broadening participation in cybersecurity that we run every summer, or we're trying to run every summer. I start the camp with a quote from Barack Obama at a cybersecurity summit, and it's one of the great paradoxes: the technologies that empower us can also be used to undermine us and inflict great harm. To paraphrase him, it's more tech, more problems. And so how do we begin to solve these problems as a society? So I'm an academic, I teach, so we learn and then we try and teach it to the next generation, and so that's what we do, and so
this is the point of GenCyber, which is a collaboration between NSF and the NSA to build the next generation of cybersecurity professionals. This is targeting high schools, middle schools, to try and impart some of this knowledge earlier on in the pipeline, so that people are aware of that as they go and pursue perhaps an undergraduate degree. Okay, so these are camps to develop this next generation, but what does a cybersecurity person look like? My daughter is in eighth grade, and the very first thing the science teacher had her do was draw a picture of what a scientist looks like, just to expose the kind of stereotyping they might have, to try and sort of defeat that. And so
I thought about what does it look like. Like, if I ask a kid what does a cybersecurity professional look like, they might give me this, which is, I mean, if we have a diversity problem, that's probably got to be a large part of this problem. And so this really is a bit of an enigma, because I look around this room and nobody here looks like that, which is a problem, right? So what we try and do is we try to expose them to all the different roles you could play in this discipline. So you could be the cryptographer, so you could be like Goldwasser and Micali. You could be the politician, so Ron Wyden gave the keynote
two years ago here at BSides; you could be at that level influencing cybersecurity issues. You could be the research director, so Deborah Frincke runs the research programs at PNNL. You could be the journalist, Brian Krebs, Glenn Greenwald, impacting cybersecurity through their writing. You could be the bug hunter, so Natalie Silvanovich, Tavis Ormandy; you could be finding those deep vulnerabilities that nobody else can even see. You could be the filmmaker, so Alex Gibney did the Zero Days film, which is a highly influential documentary on the Stuxnet worm, or virus, or whatever, malware. You could be the systems developer, so this is Jessie Frazelle, who has worked a lot on Docker, which is being used in a lot of
enterprises today. You could be a television producer. How many of you know that Mr. Robot is on for another season? It's a highly... into a fourth season, I think, this is last week. You could be the professor, so Lorrie Cranor, professor at CMU, went to the FTC, developing all sorts of interesting ideas on password security. Or you could be the cartoonist; it's Randall Munroe, influencing technical ideas using cartoons like this one down here on the bottom right. This is what I teach in my web security class. It's like, yeah, here's some entropy right here, and the bottom right, just read this cartoon and you'll get what I'm trying to teach you. Oh yeah,
there's the Heartbleed cartoon that also is an interesting explanation for that. You could be a cryptanalyst, so this is a book that just got released two years ago on the most successful code breaker in World War I and World War II, Elizebeth Friedman. You could be the comedian, so we play the job clips from John Oliver, especially when he's interviewing Edward Snowden, you know, getting to the heart of the fact that, yeah, maybe some of the things you did, you know, helped, but maybe some of the things you disclosed might not have been appropriate to disclose. You could be the podcaster, and I know Joe is not in the room, but he just gave an interview
two weeks ago on Risky Business, so you could be Patrick Gray or Adam Boileau. You could be the lawyer, Susan Hennessey, who works on all different kinds of governmental policies and legal policies dealing with cyberspace. You could be the ethical hacker, Joanna Rutkowska of Qubes and Blue Pill. You could be Tsutomu Shimomura, catching hackers like Kevin Mitnick. Or you could be an author, so this is a picture of Veronica Roth. She wrote this short story on penetration testing based on the fictional Divergent storyline. How many of you know about Divergent? If you have a kid, they'll know about it. And this is what we used for one of our threads in this camp,
because we thought it was an interesting way of weaving the arts into cybersecurity. So with this in mind, how do you offer a camp that speaks to all of these diverse roles, right? What do you teach and how do you teach it? So this is what I'm going to talk about. CyberPDX: it's a one-week residential camp for introducing cybersecurity to high school students and teachers. It's really important for us to get at the teachers, because that's where your leverage point is, because they can bring that curriculum back to their schools, and then you get this sort of beneficial effect that you can't get just by teaching students directly. So what's our approach? We have a
curriculum that integrates technology and the liberal arts. We think that they go hand in hand, and if you were at the keynote you'll understand some of these problems have to involve the liberal arts. Focus on collaborative, cooperative and peer learning exercises and not on competition, because competition does drive out a lot of people from this discipline. We have exercises that allow each student to practice different roles in cybersecurity, so they're role-playing different aspects of cybersecurity just to try them out; who knows what's going to stick. Problems: we focus on problem-based learning, that we have exercises that are intrinsically motivating for them to want to complete, and this is something I talked about two
years ago: the design of the crypto thread in fact was based on a bunch of puzzles, and who doesn't like to solve puzzles? We have multimodal instruction, so to engage like the physical learner, the visual learner, different styles of learning and teaching, to engage students wherever they are, wherever they're best at learning. Scaffolded exercises, and the real important thing here is that we want these kids to feel like they're both competent and have confidence in anything that they do in the camp. The goal is to have every single camper be able to complete every single exercise in the camp, so that's where the design is really, I think, important. We inclusively target
students who are underrepresented not only in cybersecurity but in college, so we're looking at socioeconomic diversity, we're looking at ethnic diversity, we're looking at gender diversity, and we're telling the teachers who are doing the recruiting for us: find the students who you would never think would go into cybersecurity or computer science, or even better, none of those two, or to college. Those are the people that we want in the camp. And then finally, we run alongside of this a teacher camp, and we have these teachers develop curriculum projects of their own based on the concepts that have been presented to them at camp, and this allows them to own a curriculum that
they can then go back to their high schools to actually teach to their students. So just to get a little bit more detail about what we teach in this camp: we have four threads. We have a cryptography and security thread, we have a programming thread, a filmmaking thread and a cyber policy thread. So the cryptography and security thread: we're talking about how ciphers work, how they can eventually be broken; we talk about different security tools that are used in industry and how they work. And this was something I described a couple years ago at BSides. We base this... we have this Divergent-themed capture the flag and urban race, and basically the content modules, there are five
of them. We start with the historical impact, so we're always focusing on motivation: why would you be interested in cryptography and security? So we do some history; we cover different ciphers in World War I and World War II and how they really shifted the course of those two wars. And then we go into basic encoding, because cryptography is done in the digital domain, so we have to teach them what binary is and these sorts of things, and ASCII, and all the different ways you can encode digital information. We go to simple ciphers that can be broken fairly easily, and they sort of analyze these things and reverse engineer their encoding. We talk about modern ciphers and how, for example,
public key cryptography works and how it can be used to secure transactions over the Internet. And then we talk about man-in-the-middle attacks, so that even if you do have public key cryptography, if you can't get someone's public key appropriately, and if you're in the middle, so basically the NSA program, by the Flying Pig program, we talk about how that whole thing can be subverted. And in this thread they can now see, from the beginning, sort of the initial forms of cryptography all the way to modern programs that are trying to hijack the security of people, so they actually feel like they have a pretty good understanding of these
concepts. So this is all built into a scaffolded CTF activity that leads to an urban race, where the whole thing is role-playing inside of the Divergent plot, which is from the short story, which is a ripoff of that short story. And then right at the end they're dropped into the plot live: they're messaging this Twitter bot that's basically cyber 4, and they're trying to help this character out to save the city, so save Portland, because Portland is about to get blown up. And then the idea is that every team should be able to save the city, and so far every team has, more or less, but they're running all over campus, like
some of the things they have to decode and solve, they're running all over the Portland State campus and having a grand old time. All that content is available, so this is actually being run in like Lewis and Clark, at Lincoln High School, Village Home resources. So we actually have this curriculum, the instructor material is there, and people can just run this anywhere you'd like. All the material that you need to run this curriculum is public. The other thread is the programming thread, and the idea here is a lot of them haven't seen, haven't been... so a lot of these schools don't have computer science at all, so we try and teach them sort of the ideas of
programming, and what we really want to impart is the idea that computer programming is fraught with errors, right? And you can't start to rely on code without understanding that a lot of code doesn't work, so that's one of the things we try and talk to them about. So we start them out with Blockly, and then we go into Python programming with turtle graphics. We talked to them about, you know, encapsulation and abstraction and sort of these software methods for managing complexity, and then they do a final project with that, that includes a code walkthrough at a showcase. The third thread is the film thread, so we talked about the influence of movies
historically on policy, and how it changes public perception, that leads to things like laws changing. And then we talk about the techniques that are used within each of these films to get that emotional impact, because if you develop an impactful film using all these different techniques, then that's where your highest lever of change can be as a cybersecurity professional. And so some of the movies that we have shown: we show The Imitation Game, we show WarGames, just for the impact that these particular films have had on perception, and then we show Hidden Figures as well. So we also teach them the film methods, right, so a lot of
them have never done any sort of filmmaking. They're shooting a lot of videos on their cell phones, but they're not really composing them the way that you would want to, to influence perception. So we talked about camera angles, camera movement, camera shot size and its effects, and then they get a daily film assignment that they're forced to incorporate themes of the camp, themes of security, themes of cryptography perhaps, in a film that speaks about those topics. They edit, load these things, and then we watch them and give them feedback. And then the last one is the cyber policy thread, so we talk about social and legal problems brought about by technology and the
importance of having policymakers who know something about technology. I think we're lucky to have Ron Wyden as our senator, but not everybody is like that, not every senator is like that, and they're voting on these things that might actually make things a lot worse. So we also focus on collaborative problem solving to address these policy issues, and so this speaks to the soft skills: we have to have students in this next generation be able to go face-to-face with someone they completely disagree with and still find common ground. So we completely lost that in, you know, today's fragmented filter bubble sort of makeup. And so with the cyber policy thread we talked about
constitutional law, surveillance programs, security versus privacy, spear phishing and fake news, and how we need policies to manage all of this stuff, but we need policies that have all the stakeholders agree on what that policy is. And so what we do is we give them role dossiers of all the stakeholders in a debate. So for example, controlling fake news: well, you have like the head of the NSA, the lawyer, the ACLU lawyer, the journalist; you have all these people with different views and different stakes in this problem. And then we have them learn their own dossier really well, and then they network with each other to find all of the information about all the other
dossiers, so they have a good understanding of all the different stakeholders using this student mixer. And then we have this cyber summit, which is modeled after Barack Obama's cyber summit from 2014, where they do nine rounds of alternating discussions to try and formulate policy, right? And so they go back and forth between caucusing with other students who have their same role, to get more depth for what they need to be advocating, and then they go back to the negotiating table. And so we have ten tables trying to develop ten different policies to address a problem like fake news, and then we go through them after and talk about them. This leads to a pivot, so
this is sort of the climax of the cyber policy / film thread, where it's a crisis situation modeled after the Cyber 9/12 competitions, which are undergraduate competitions sort of like the Model UN is. And so they synthesize what they've learned into a five-minute film that addresses the crisis, that addresses the policy concerns, in a video that we end up showing at the final showcase. So in the past, when Pokémon Go was the thing, two summers ago or three summers ago, we had the zero-day exploit that the NSA was using to track terrorists and criminal activity. And so, what, is that good policy, or, you know, what is sort of the trade-off between the privacy of
a legitimate user versus trying to, you know, fight crime? So that was one of the pivots. Last year we did a nation-state attack on the 2018 election, which hopefully isn't going to be replayed this election, I don't know. Okay, so evaluation. We've been doing this for a while: 2014 and 2015 it was a Cyber Discovery camp; the last three years it's been a GenCyber camp. It's offered to rising 10th grade students, and this is to give them time to take this content, go back to their high schools and be able to sort of spread that, right, to those folks. These are the ten schools from last July. If you have a freshman in
any of these high schools, get them... these are likely going to be similar to the high schools that will be participating this coming year. Get them on the CyberPDX team, and we hope to see them in the summer, if the end of GenCyber gives us money for it. This is our results, so we have the 2016 and 2017 student survey results: 60 plus percent female, around 40-ish percent ethnic minorities, and then 20 teachers each, so about 60 students every year do this. If you look at the ratings, they're above 4 in terms of they had fun, they learned a lot, they feel... the other one, they were glad they attended the camp.
This is what you want as a first experience in cybersecurity, and this is why the curriculum and the exercises were done the way they were, to get that first positive experience. In terms of comparison to other GenCyber camps, one of the things we do is we target underrepresented groups, so if you look at that first row, you see that for GenCyber participants the pre-camp intent to pursue a career in cyber is lower than the national average, but we do more for the people: if you look at the change between before camp and after camp, it's quite substantially higher than the national average. So yes, in progress: a longitudinal study of
students is currently in progress. We have someone from the School of Education who is going through IRB approval to do some tracking longer term, just to say yes, this is the approach that we can say, you know, for sure, well, not for sure, but it does seem to work. Okay, so CyberPDX 2019: we're actually looking for sponsors, just in case GenCyber cuts, or cuts the budget. We're also looking for volunteers. We're trying to do an extra day at camp. We're trying to maintain our teacher stipends, where GenCyber is trying to get us to basically cut them in half. The teacher program is essential for us; it's like, we can't wait, like, it makes no
sense if we're just teaching students, like, we have to teach the teachers, otherwise the leverage is gone. We are trying to start up a YubiKey module, 2FA for all, so we're trying to raise money to get a whole bunch of YubiKeys to us and teach a YubiKey module, a two-factor authentication module, in camp, so that we can then send teachers with this curriculum and a whole bunch of YubiKeys back to their high schools to get two-factor for all. And this is something that we're begging for money for, so this is why, and I'm begging on behalf of Ellie Harmon, who's our camp director. She couldn't make it today, but if you are interested in helping out,
that's her email address there; this is a link to the site. And one last thing, I have a marketing slide, sorry, it's a little bit of a sales pitch. I'm at Portland State; we're trying to hire new faculty, so if you know of anyone who's interested in a tenure-track faculty position, that's the link. And then we have adjunct faculty positions available for teaching security courses; this is the list of courses that we have. If you are interested in offering other courses to influence the next generation of students, I'd be happy to talk to you about that. And then I'm also looking for... I'm chairing this USENIX Advances in Security Education; we're looking for submissions, so if you have something that
you want to submit, that is there. And with that, I am done. [Applause]
The programming thread, was it this one? Oh, that one, the curriculum, yeah: crypto cyber PDX org. Hopefully it works; let me know if that's down.
There is this informal learning program that NSF runs, and so we're applying to have this being done as an after-school program at like Reynolds High School. That's the one high school that we're thinking of: sort of people who need an after-school experience, like maybe their parents are working, and they have an after-school program and they want to learn something. This would be a curriculum that we could just drop in place and then have them run over the course of five... yeah, yeah, after school. Middle school and younger, there are, yeah, that's true. Yeah, we had ideas about doing maybe Parks and Rec, they might have programs
that do that, or maybe even a Girl Scout... yes, so the curriculum is pretty portable, that you could, yeah, you could probably run that. Thanks, thanks very much. Sorry to cut off quickly, but we're on schedule. I've got a gift for you.