Security Education: Training 'Ninjas'Prof. Sujeet Shenoi on Cyber Corps Prep for Government Jobs
How do psychology skills make one a better information security pro? Sujeet Shenoi of the University of Tulsa's Cyber Corps program discusses what it takes to be a star in government information security.
In 2012, the U.S. National Security Agency launched a Cyber Operations Program at four select universities. The goal: to produce a larger pool of professionals with deeper technical expertise in interdisciplinary areas of computer science, computer engineering and electrical engineering.
The University of Tulsa in Oklahoma is one of those four select schools, and professor Shenoi oversees that initiative, as well as the school's Cyber Corps program, which offers scholarships in return for students' commitment to government service.
When it comes to training students for jobs in government service, Shenoi makes every effort to raise the bar.
"My mission is to create people who are going to be at the 'tip of the spear' - the kind of students who would potentially build President Obama's Blackberry or check Vice President Cheney's pacemaker," Shenoi says.
To create what he describes as security "ninjas," Shenoi seeks students not just with traditional backgrounds in computer science and information assurance, but also in non-traditional disciplines such as communications and organizational psychology. One example: a student who had a background in Mandarin Chinese and communications, but wanted to work in cyber-operations.
"She's not a world-class programmer, but that's not the point," Shenoi says. "She can work with a whole bunch of world-class programmers, but how many world-class programmers have these other abilities that she has?"
In this excerpt of an interview about what it takes to be among the best and brightest in government information security, Shenoi discusses:
- Today's skills gap;
- The value of a diversified education;
- What it takes to be an information security 'ninja.'
Shenoi is the F.P. Walter professor of computer science and a professor of chemical engineering at the University of Tulsa. An active researcher with specialties in cybersecurity, cyber-operations and digital forensics, Shenoi spearheads the University of Tulsa's elite Cyber Corps Program that trains cyber professionals for U.S. government agencies. He is also the director of the Cyber Security Education Consortium, an NSF ATE Center that is building a high-tech workforce in the Southwestern United States. For his innovative strategies integrating academics, research and service, Shenoi was named the 1998-1999 U.S. Professor of the Year.
Filling the Gap
TOM FIELD: What do you see as the biggest gap between the positions that the government agencies need filled and the talent pool that's available to fill them?
SUJEET SHENOI: Each one of us has a mission. My mission is to create people who are going to be at the tip of the spear - the kind of students who would potentially build President Obama's Blackberry or check Vice President Cheney's pacemaker.
So, if it's only the tips, then the number of positions are not going to be so many. But then if you look at the base of the perimeter, then there are a whole bunch of other jobs that are needed. And these are what the other agencies are looking for.
FIELD: What do you see as the essential skills for someone going into the information assurance and information security fields today?
SHENOI: They've got to be fearless of learning, that's the No. 1 thing. It trumps everything else. The second thing is that you've really got to enjoy your job. Like, I'm 54 years old, and I can't wait to get up in the morning and go to work every day. And my students are the same way, too.
You've [also] got to be detail-oriented. I tell my students: 'I'm not training [you] to go and work for Walmart.' No, I train them maybe to work at the White House or the NSA or the CIA. And, you know, you can't screw up because people can potentially die, or you might give the administration bad advice, which is equally bad.
The Need for Diverse Skills
FIELD: You strive to diversify the skill set that your students bring to bear. What are some of the disciplines that you're drawing from outside of information security and technology?
SHENOI: Some of my colleagues give me a lot of trouble because they know computer science and engineering; they ... want a cookie-cutter. Now, I do not want a cookie-cutter mold. Let me give you an example:
I've got this one student who went to a university in Ohio and majored in Mandarin and communication, and she came over with her master's in computer science. She was willing to jump off a cliff, and that's why I really respected her. And of course now she's combining her Mandarin Chinese, computer science and communication skills. She's not a world-class programmer, but that's not the point. She can work with a whole bunch of world-class programmers, but how many world-class programmers have these other abilities that she has?
Increasingly, I've begun to take people like that. I took a student who was in organizational psychology from Cornell University, and ... she was going to join Symantec and look into the psychology of malware writers.
You know, Wayne Gretzky scored a lot of goals because he skated to where the puck will be, not where the puck is. The idea is if you can look at what the psychology of malware writers is and what are the trends, then maybe we can start being more proactive with cyberdefenses.
So, I said, "Why don't you come here, and you can work for the intelligence community," which is what she did. And this August she's going to be joining Harvard.
FIELD: So you actively encourage your students to go off into some of these diverse areas?
SHENOI: Exactly correct. And that's the point. As a mechanical engineer/nuclear engineer and a computer scientist, I can tell you: It's very easy to teach one of those people computer science, but it's really hard for them to understand the fundamentals of all these other fields. So I do have my tip-of-the-spear guys who are ninjas. These people have what I call certificates in cyber-operations. They do a whole bunch of courses in reverse engineering and offense, defense and malware writing, malware analysis, all those kinds of things. They can pick locks. They can escape from handcuffs behind the back. But I also have about 20, 30 percent other people who come from other backgrounds.
One of the courses that every student of mine takes is a course in hardware reverse engineering. We give them a TV remote, and they've got to deconstruct it, and then they've got to program the thick microcontroller to behave like a TV remote and actually control a light bulb. So, imagine the challenge. They're looking at hardware, which of course a lot of people are allergic to and fear greatly. But they're learning to use low-level programming, and then they're doing something with it. It's really quite marvelous. That's what we want. That's what the special forces do, and I like to think that that's what we try to do here in the field.