Reinvigorated Center for Cyber Defenders taking shape at Sandia/California site
By Mike Janes
Sandia’s well-known Center for Cyber Defenders (CCD) initiative, which has enjoyed a long track record of success in Albuquerque and California, has seen its impact as an employment pipeline and developer of qualified cybersecurity professionals decrease in the Golden State in recent years.
But things are about to change.
Bob Hutchinson (8960), manager of the computer sciences and information operations group, has set a robust goal for Sandia/California’s new CCD effort: 50 students in the summer of 2011, with a long-term objective of 100 or more students in the summer and perhaps as many as 50 students year-round. Bob and director Len Napolitano (8900) envision a CCD in California that is grounded in science and engineering, with a solid understanding of cyber vulnerabilities.
Though the CCD started at Sandia/California in the 1990s and enjoyed a good deal of accolades and success, the number of interns began to slow when the academic world “caught up” with the Labs’ original vision, says Bob.
“The original CCD concept was born out of necessity,” he says. “It was quite simple: We needed to develop employees who could work in computer security, and no one else was doing this sort of thing at the time. We exposed them to projects and research and concepts in information security so that they could get a sense for whether it was the right career for them.
“It was a tremendous success,” Bob continues. “But then universities started developing coursework in computer security, cryptography, the fundamentals of information assurance, and even digital forensics. So once there was no longer a need for us to inform the students of what it would be like to work in this field — a need that was suddenly being met by the universities — the CCD program in California became less of a factor.”
The CCD program in New Mexico, says Bob, has continued to thrive with a project-based framework, one in which students can help Work for Others (WFO) sponsors with specific information security challenges.
But a strictly project-based format may not continue to work as well into the future, says Bob, since the attractiveness of having student interns versus regular staff executing a project will naturally diminish as “digital natives” become the norm in the workplace and replace their “digital convert” predecessors.
(Generally speaking, a digital native is someone who was born after the emergence of digital technology and, as a result, has a lifetime of familiarity with computers, the Internet, mobile smart phones, and other digital devices.)
The appeal of bringing in new students will eventually fade, Bob says, since the expertise they now offer will become routine.
Instead, Bob says, a more suitable role for Sandia is to transition the CCD from what is today an art and a practice of cybersecurity into one that is more based in engineering and science principles. This would include fundamental issues associated with the security of systems and the vulnerabilities inherent in computer systems.
“Ultimately, it is people who attack computer systems,” says Bob. “So we need individuals who are trained to understand the cognitive and social science aspects of computer security.” Bob muses that the CCD might even be able to publish a book one day on the theory of vulnerabilities that serves as the basis for producing more robust computer systems.
The revamped CCD in California also want students who are more proof-and-reason based, Bob says, individuals who want to take on the hard task of structuring and developing experimental science around cybersecurity and information technology.
The driving force behind the CCD continues to be the federal government’s need to have a hiring pool of cybersecurity professionals to draw upon. “We need to help the government acquire a supply of high-quality labor,” Bob asserts. “They need to be threat-informed, and they need to have the skills and tools that can wipe out classes of vulnerabilities, as opposed to today’s model, which is very much a ‘find-a-vulnerability, fix-a-vulnerability’ model,” he says.
In addition to project work and ongoing access to a pool of cybertalent, a key part of the CCD’s value in California will be to deliver positive publicity for sponsors. “A sponsor’s involvement in the CCD demonstrates that they’re investing in people, in the development of a workforce, and that they’re committed to making the US stronger through its educational programs. It shows that they’re forward-thinking,” Bob says.
In developing the program, Sandia is exploring a variety of funding sources and potential partners, including universities. “We may even need to create relationships with schools that are willing to assign course credit for coming here and working,” Bob says.
He acknowledges that he’s less familiar with industry models for talent acquisition yet is still optimistic that valuable relationships can be forged. “Maybe we can provide value by saying, ‘You want to develop this type of a software security product, and through our internship program, we can mentor students to help develop the concepts and the product,’” Bob says. “Or an industry partner might be persuaded to send its new employees to our program to quickly develop an elevated threat awareness and build a peer network.”
For now, Bob says he and his colleagues are developing a compelling value statement for government and industry sponsorship and identifying the many tasks and activities that need to be completed prior to the CCD’s doors being thrown open next summer.
“The biggest problem with cybersecurity today is that it’s been over-admired,” Bob concludes. “Go online and look at cybersecurity, and what you’ll find is a wealth of analysis and papers out there, and every one of them describes the problem a little better than the previous one.
“But where are the solutions going to come from? They’re going to come from people conducting experiments and reasoning, developing a theory of vulnerabilities, then taking that theory and moving it into real applications. Sandia’s CCD is here to provide those solutions.” — Mike Janes