So goes the official industry stance. But it’s a messy world out there, and it doesn’t like being inconvenienced
Cybersecurity is the hottest of hot tech fields, the one that most young people interested in a tech career aspire to today. There’s an aura of the dramatic about it, a definite whiff of intrigue, and, with its “red teams” and “blue teams” and “purple teams,” probably no small relationship to video gaming.
And Arkansas, perhaps surprisingly, happens to be a great place to study cybersecurity. “Arkansas is in a unique position because Governor Hutchinson used to serve as the co-chair for cybersecurity for the National Governors Association,” says Lee Watson, CEO of Forge Institute, which partners with ACDS to conduct cybersecurity apprenticeship programs in both Little Rock and Northwest Arkansas. “Because of his leadership in that area, Arkansas was not only well positioned to learn what other states are doing in cyber, but also to maybe take a step forward.”
Does the fact that Governor Hutchinson also once held the title Undersecretary of Homeland Security contribute to making Arkansas a “natural” at cybersecurity? It couldn’t hurt. “Arkansas has a pretty strong cybercommunity,” Watson says. “If you look at the professionals that work in regulated industries, like the electric grid sector, the banking sector, or just the large enterprises including the telco sector, they’ve got some good expertise. Arkansas is also blessed with some pretty interesting military missions. They bring in some really smart people from around the country for that.”
Scott Anderson is one of them, having earned his big-time cybersecurity spurs during eight years of active duty at Little Rock Air Force Base in Jacksonville, and then 16 more years in the Air National Guard. Discharged in April of 2020, Anderson is now executive director of Forge Institute’s American Cyber Alliance, which is dedicated to reducing cybersecurity risks through training and collaboration with stakeholders in business and government. “People need to be thinking about everything that’s going on,” says Anderson. “Cybersecurity, like physical security, is everyone’s responsibility, not just the responsibility of IT or cybersecurity professionals.”
In academia, Dr. Philip Huff and his team at UA Little Rock have developed an elite cybersecurity degree program, the centerpiece of which is its Cloud-based Trojan Cyber Arena, which students from all over the state use to experience various attack scenarios—more about that in a minute. Before Huff joined UA Little Rock to develop its cybersecurity program, he worked in the power industry for 15 years, starting as a programmer right out of college. “Pretty quickly I moved over to cybersecurity,” he says, “and was director of cybersecurity and critical infrastructure, which covered generation facilities, substations, and control centers.”
The University of Central Arkansas in Conway graduated its first cybersecurity-degree students in 2021. “Cybersecurity is vitally important,” says Dr. Stephen Addison, dean of the College of Natural Sciences and Mathematics at UCA, in which the cybersecurity program falls. “I became chair of physics at UCA in 2002, and at that time I sat down and figured out what I wanted to see happen in the college that would make the university prosper into the future. I made a list of things, and cybersecurity—or what we call cybersecurity today—was one of the things on that list. That’s why I pushed for a cyber range here on campus. Our cyber range runs hundreds of virtual machines and duplicates the entire Internet. Our students learn how traffic moves around the Internet, where weaknesses are, how to harness systems, how to use different tools. And the great thing is, we can inject viruses and launch attacks within the range without them getting out into the wild. It allows people to develop skills without putting the outside networks at risk.”
“And then,” says Christopher Wright, himself another Air Force cybersecurity veteran who’s now a principal in the Little Rock cybersecurity consulting firm Sullivan Wright Technologies, “you’ve got my alma mater, U of A, which has a longstanding cybersecurity program in the College of Engineering. Then there’s UA Little Rock, which not only has a program for university students, but also develops training and education for other industries around the state. We’ve also got a hidden gem in south Arkansas—Southern Arkansas University Magnolia has an outstanding cybersecurity program in its computer science department. Arkansas Tech has a program. And these Arkansas universities are all building, or have built, cybersecurity programs that are kind of the “second-generation” cybersecurity programs, ones that really build off of true computer knowledge instead of just offering a paper-pushing degree like the first-gen cyber programs were.”
There are also grassroots community cyber groups throughout the state. “There’s one in Northwest Arkansas called ArkanSec,” says Wright. “In Fort Smith, there’s one called FS2600. In Little Rock, we’ve got one called Central Arkansas Hackers. These aren’t super-formal things, just people coming together to mentor, to be mentored, to learn, to share jobs, to help people grow.”
While this disparate network of cybersecurity experts operates independently of one another, they also band together in strategic ways. For example, Chris Wright is a frequent instructor in the cybersecurity apprenticeship boot camps that Forge Institute organizes on behalf of ACDS, and Forge uses the UA Little Rock Cyber Arena in its training classes. “The folks that are taking our training programs are already employed by Arkansas employers,” says Lee Watson, “and the companies range from managed service providers that are assisting doctor’s offices and clinics and law firms, all the way up to Fortune 500 companies within the state.”
Perhaps most strategically of all, many members of this Arkansas cybercommunity came together to serve on Governor Hutchinson’s State Computer Science and Cybersecurity Task Force. Formed in December 2019 and composed of leaders in education, industry, and government, the Task Force’s mission was to assess the state’s computer science and cybersecurity education programs and make recommendations for continuing and enhancing the progress made since Governor Hutchinson’s 2015 mandate that all Arkansas schools provide a computer science curriculum in grades K through 12.
On October 1, 2020, the Task Force presented its final report. There were 21 recommendations, one of which was to Increase Cybersecurity Knowledge and Awareness. “The Task Force stressed an ongoing and growing concern for the economy of Arkansas is lack of cybersecurity awareness and knowledge across multiple sectors and populations [my Italics].”
YOU MIGHT THINK, with all this cybersecurity training and energy and expertise bubbling up throughout the state, and with today’s businesses relying more and more on data, that cyber-readiness would be an easy sell.
Yet if you talk with any of these cybersecurity experts long enough, they’re likely to tell you that whenever they move out of their self-reinforcing cyber-bubble and into the sprawling 21st century world of e-commerce and online banking and social media and mobile devices that are the electronic equivalent of the Swiss Army Knife, it’s as though they’re preaching into the wind. “What I’ve seen in a lot of businesses is that they say they want security,” says Chris Wright, “but they want it only as long as it doesn’t inconvenience them. When it starts to inconvenience them, the cybersecurity becomes the villain instead of the attackers. So they’ll start to fight against that.”
Another problem, Wright says, is the near-constant bombardment of apocalyptic statistics about cybersecurity that seem designed to shock like a Hollywood horror movie trailer: “A cyberattack happens every 39 seconds!” “Nearly $3 million is lost to cybercrime every minute!” “Global cybercrime inflicted a total of $6 trillion USD in damages in 2021!” “Between 2019 and 2020, malware increased by 358 percent and ransomware by 435 percent!”
“People hear things like that and they say, ‘Yes, that’s bad, but it’s not my problem. It’s the problem of Bank of America. It’s the problem of the U.S. federal government. It’s the problem of Microsoft or Google or something like that, but it’s not the problem of XYZ cardiologist or some specialty clinic in the middle of nowhere in Arkansas.’ But we’re seeing it trickle down. In reality, it is the problem of these small clients. And, by the way, those kinds of statistics aren’t terribly accurate. The standard deviation for any of them is so large that it’s kind of hard to take them seriously.”
To an outside observer, this disconnect looks like the age-old standoff between risk and reward, perhaps thrown into overdrive in this era of heightened suspicion of “experts” and strident demands for “personal freedom.” Eric Wall has spent the past 24 years protecting the data of such major entities as Baptist Memorial Health Care, Arkansas Blue Cross Blue Shield, and, currently, the University of Arkansas for Medical Sciences. “There’s a saying, and I didn’t come up with it,” Wall says, “that the network or website that’s best for business is one that’s worst for security, and the network that’s best for security is the one that’s worst for business. So the most secure network or website would be one that nobody could get to—but then you couldn’t sell your product. It hasn’t always been good for my career to be the one who says to the businesspeople, ‘We need to block this.’”
Scott Anderson is disturbed by what he sees happening. “I’m not a fearful person,” he says, “but I hate that we have all of this knowledge and ability as a country, as a society, and yet there’s not enough getting done. Coming from the military, I would say that what we call ‘the attack surface’ is growing, with everybody using and integrating technology into everything. It was growing before COVID, but it’s growing exponentially now because of the pandemic. Think about how many more people are working from home, and how many are using technology they’ve never used before.”
“There are always trade-offs,” Philip Huff says. “Nobody has enough resources to fully solve the problem. It is deemed an organizational risk.”
Huff suspects there’s still a lot of confusion about cybersecurity. “One of the confusing things is, there’s cyber safety and there’s cybersecurity,” he says. “And especially in October, Cybersecurity Awareness Month, you always hear about privacy, be aware of social media, change your passwords, and so on—which is great. Everybody needs to do that. But cyber safety and cybersecurity are two different things. Cyber safety is sometimes called cyber hygiene, which basically means keeping your network clean and up to date.
“But cybersecurity is a profession. It’s work, organizations have to invest in it, they have to pay for it. If we want to develop a workforce here in Arkansas, we can’t just take cyber safety and teach more of it. It requires actual professionals that study and get really good at this cybersecurity task. We’re not going to get out of this mess from good safety and hygiene alone.”
In 2019, when Huff arrived at UA Little Rock, the existing program to address what we now call cybersecurity issues was called “information assurance.” “That’s more of a federal agency term,” Huff says. “It kind of originated out of the NSA [National Security Agency], which, along with the Department of Homeland Security, had started what they called ‘centers of academic excellence’ across the country to create a community of schools developing workforce talent for cybersecurity. And UA Little Rock was one of those schools. For the longest time, it had offered a minor in information assurance. But by the time I came here, a lot of schools were looking at the job market and seeing a need for a more focused study. Because the world had gotten to the point that cybersecurity was more than a minor. It has become a very prominent position having a seat at the executive table and emerging as its own unit within an organization.”
Huff was brought in to make that transition at UA Little Rock, and he arrived with an ambitious goal in mind. “My vision was for us to be the top cybersecurity-degree institution in the U.S. I mean, what else?”
His mandate was not only to develop a degree program in cybersecurity, but also to establish, within the school’s Emerging Analytics Center, a research arm in cybersecurity. In order to accomplish all of that, he knew they needed to start with a blank page. “I had seen a lot of schools kind of hopping on the bandwagon, if you will,” he says, “just taking some of their computer science and criminal investigation degrees and merging them together into this multidisciplinary cybersecurity degree. We wanted to do something more holistic with UA Little Rock, and I think we’ve done that. I think we’ve set ourselves apart as a ground-up cybersecurity program instead of piecing together lots of different courses.”
He began by “improving the operations,” which meant automating—via Artificial Intelligence—a lot of the big data problems the profession was facing. “It’s gotten to the point that no single human can get their hands around it. We don’t even have enough humans. It has to be automated.”
He also focused on training. “It really goes hand in hand, because building a cybersecurity community here brings industry to the table. If we’re not providing a workforce, then there’s no reason for industry to be at the table with us, as our partners. And to do innovation in cybersecurity, we really need that close partnership. So it’s all about developing the ecosystem. I’ve been working with Lee Watson, Scott Anderson, and others at Forge Institute from even before I got into academia, trying to lay the groundwork. And it’s not just me. The people at the Emerging Analytics Center and the leadership at UA Little Rock have been very forward thinking.”
Part of the UA Little Rock vision was to continue building the ecosystem by teaching teachers to teach cybersecurity, as well as to bring high school students across Arkansas into the cyber loop. To that end, in 2017 UA Little Rock was awarded a PROMISE Grant from the National Science Foundation. “Dr. Mengjun Xie received money to develop our free Cloud-based cybersecurity lab—what we now call our Trojan Cyber Arena,” says Huff. “That was a key component of our success, because getting that off the ground allowed us to solve the problem of all these high schools across the state wanting to offer a cybersecurity course, but you really need these labs, and you need not just one computer but several computers to simulate different scenarios in cybersecurity. Buying that many computers was prohibitive for many of these school districts, so this was a real game changer. With metered use of our Cloud-based lab, the cost is significantly reduced.”
A happy offshoot of the PROMISE Grant was the addition of veteran teacher Sandra Leiterman as Managing Director of the Cyber Arena. “In 2015 I got my master’s in Digital Teaching and Online Learning from UA Little Rock, and I was working here as a Math Education Specialist in the STEM Center,” Leiterman says. “I spent a lot of my time on Arkansas Department of Education math initiatives and was doing professional development for teachers throughout the school year and over the summer. Philip and his team had all this amazing content, but they didn’t have the connection to the schools. And Dr. Carolina Cruz-Neira, who was head of the Computer Science department and director of the Emerging Analytics Center at the time, recommended that they bring me in. ‘She’ll get you hooked up,’ Carolina said, so I worked with them in getting the teachers into the training. And then I spent the teaching week with them basically just learning and watching, and it was mind-blowing.
“They’ve created all these different modules, from password security to phishing to ransomware. And what’s cool about this program is that in the workouts that Philip and his people designed, you get to see them from both the attacker’s side and the victim’s side. I mean, after watching some of these courses, I was like, ‘I don’t know if I want to be online again. Maybe I should delete all my social media. Maybe I don’t want my cell phone.’”
Another pivotal moment arrived in December 2019. “We got a big grant from the Arkansas Department of Education to take our teaching global,” says Leiterman. “So we, in collaboration with Virtual Arkansas, designed an online cybersecurity course—levels I, II, III, and IV—that’s being deployed free of charge to every high school student in the state of Arkansas through the Virtual Arkansas platform. I eventually got our team to buy into the need to also go into middle schools. That’s when these kids are making their decisions about what they want to do, where they want to go. So now we go down to seventh grade.”
Huff says “We now have hundreds of students across the state accessing our labs through Virtual Arkansas. We’ll have more than a thousand servers up and running in the Cloud on any given day.”
“My role,” Leiterman says, “is to keep this up, so we’re doing summer camps. We’re doing events. Of course, I officially started in the middle of the pandemic, so nobody would let me in the schools. But I did a Women in Cybersecurity virtual event partnered with the Women’s Foundation of Arkansas. In October 2020, we did that on International Day of the Girl. I had an FBI mobile forensics agent, a female Certified Systems Security Officer who is the manager of the Secure Operations Center at Simmons Bank, a security analyst from Arvest Bank, plus female security experts from Acxiom and Edafio. So all these wonderful women in leadership positions in cybersecurity were my panelists, and we had 60 girls log on on a Sunday afternoon to hear all about it and participate in the cyber workouts.
“Then a couple of weeks later we did another very similar event, but this was for Cybersecurity Awareness Month. So we had another summit where I invited speakers. And we organized a summer camp in about three weeks’ time. We had almost 100 kids come through. We had four different sessions over a two-week period and again, it’s pretty amazing the speakers that we had. A lot of them chose a different path first or they didn’t know this is where they were going. Or it kind of fell into their laps, so their stories are really essential to hear, especially in Arkansas where we have a lot of students of color. We have a lot of students who fall into a low socioeconomic bracket.
“And for both, we need to make them aware of the career opportunities that are available to them. The second thing is, so many of these kids think they can’t do it because to get one of these big, glamorous jobs, they’ll have to leave home. And our low-income students, they especially don’t want to leave home. They don’t want to leave their small hometowns. So they can get a degree online, and a lot of times they can work from home in their hometowns. So it gives them something to strive for.”
The most recent accomplishment for the UA Little Rock cybersecurity program came in October 2021, when it received a $750,000 grant from the National Centers of Academic Excellence in Cybersecurity, located within the National Security Agency. UA Little Rock will be one of the first universities in the country to offer a graduate certificate in cybersecurity education through the National Cybersecurity Teaching Academy, a collaborative of 10 institutions in nine states that will offer the first credentialing program for high school cybersecurity education in the country. The inaugural program will prepare 90 high school teachers to teach an advanced cybersecurity course.
“Providing these educational resources to our partners at the secondary level strengthens our fight against cyber crime, while attracting more students into a reliable and exciting career pipeline,” UA Little Rock Chancellor Christina Drale says. “The demand for cybersecurity professionals shows no sign of slowing down as more businesses become increasingly dependent on technology.”
AT THE END of the day, it appears that UA Little Rock has figured out a way to “package” messages of cyber safety in the service of the deeper message of cybersecurity, and that would seem to be a good thing. After all, to quote another of those statistics, “The number of Internet-connected devices is expected to increase from 35 billion in 2021 to 75 billion in 2025.” And as American Cyber Alliance’s Scott Anderson so deftly puts it, “We used to tell our kids not to talk to strangers. Now they talk to strangers all day long.”
“I think we have a role to play in educating the general public about cyber safety,” Philip Huff says. “There is a part of that—the hey, what do I do and not do with my phone, my password, social media, privacy, all of that. That gets kids interested, and it makes people aware. But our main focus is on developing the workforce, on developing them as professionals.”