The Security Institute’s View

Posted On 15 Dec 2017
Developments in both the 2011 and 2016 UK National Cyber Security Strategies shifted the Government’s position from being advisor to industry, education and society to that of interventionist, reflecting the realisation that most end users are not sufficiently cyber aware to redress the issues involved without significant assistance. Simon Marsden addresses the challenges of cyber security education in schools and why they must be overcome sooner rather than later.

Back in October 2015, many of us awoke to Dido Harding, CEO of TalkTalk, informing the world that the business had been the victim of a “sequential attack”. My first thought was: “We have a problem on our hands”. Our education system of the last 40 years has enabled a situation whereby the majority of the workforce – at all levels – are not cyber aware, while self-taught teenagers commit a large proportion of cyber crimes. The TalkTalk episode was, in fact, an SQL injection attack, a method known about for almost two decades.

My interest in cyber security stems from an educational perspective by dint of working as a university lecturer in initial teacher training for computing, and previously as head of computing in a secondary school. My focus is very much on what we need to do in the UK to educate children, not only to be safe and informed cyber users, but also to be in a position to foster skills such that they can be useful – and not damaging – to today’s society.

Michael Gove’s 2012 speech at the BETT education trade show heralded a major change to the new national curriculum, making it statutory to teach computing to students from age five upwards as of 2014.

While the UK’s National Cyber Security Strategy documents indicated the need to include cyber security within computer science teaching, and promoted extracurricular initiatives such as the Cyber Security Challenge, there was no indication that the low number of students studying computing beyond the age of 14 would be addressed.
The extracurricular activities for “talented” 14-to-18 year-olds appeared to be the preferred route to developing the nation’s desperately-needed cyber specialists, including the latest £20 million initiative which was again targeted at elite children. If cyber knowledge really is – as stated in the 2016 UK Cyber Security Strategy – “no longer an issue just for the IT Department, but for the whole workforce”, are these interventions enough, or will the skills gap continue to leave us vulnerable?

Introduction of cyber

The May 2015 update to the ‘2010-2015 Government Policy: Cyber Security’ Policy Paper announced that cyber security had been introduced at every level of the education system from age 11 to post-graduate, claiming that: “This ensures everyone who leaves education has at least a basic understanding of cyber security before employment.” However, at best this can only be partially true.

The new GCSE qualification in computer science provided by the OCR Examinations Board was promoted as having a “focus on cyber security… which students will study for the first time” and accredited for first teaching from 2016, thus indicating a mismatch between Government statements and school implementation. Additionally, only 28.5% of schools entered pupils for the GCSE in 2015, so are students of all subjects at university really privy to cyber education?

Numbers vary depending on which Government spreadsheet you open, but the GCSE entries from 2016-2017 show 589,096 pupils with 61,040 taking information communication technology (ICT) and 69,061 studying computer science. If we generously afford the same weight to the ICT GCSE as the computer science GCSE, it still means that only 25% of pupils left secondary school with some applicable knowledge. Removing ICT, we’re then down to 12% (ICT is no longer in the curriculum). Very few of these students will go on to A-Level (8,299) or future courses where they’ll be taught to be ‘cyber aware’.

Positively, 11% of the children interviewed by The Royal Society for its ‘After The Reboot: Computing Education in UK Schools’ Report expressed interest in a career in computer science, but children are receiving a mixed experience, with some even having to teach themselves how to code.

Despite the excellent work of Computing at School, a BCS initiative, many of the teachers are not qualified in the subject: only around 50% have any knowledge of (or qualifications in) computing, and many harbour a very limited understanding. This is in part due to a history of putting ‘the last man standing’ in the ICT classroom. In my last teaching post, my department comprised one business studies teacher, two PE teachers and myself.

Statutory subject matter

The question is often asked as to why so few children, and especially girls, want to take this subject. This is a statutory subject in England and should be taught to all children from age 5 to age 16 (optional at GCSE level), but with a lack of qualified staff and other pressures placed on head teachers, this isn’t happening.

Academies and free schools can opt out of the National Curriculum, while others avoid the problem by not teaching computer science to every year or in every week. Often, lessons are still based on digital literacy, as this may be all that the teacher has the knowledge to provide.

While some children receive excellent provision, most miss out on the exciting wealth of experiences (ie graphics, robotics, programming, cyber, physical computing, games, etc) that could maintain their interest in computing and STEM-based subjects.

John Hattie, author of ‘Visible Learning for Teachers’, ranks teacher credibility as the fourth most important area in a list of influences on learner achievement. Since the 1980s, children’s cyber role models have been found in fictional representations such as The Matrix, so do teachers have credibility?

My trainees do some of the Cyber Security Challenges and are expected to encourage their pupils to do likewise. One trainee was told: “You’re not doing that with these children in this school”, the teacher fearing the children would use the knowledge for deviant purposes, when the challenge was to gain a basic understanding of steganography.

Another trainee used a wireless router to show how easy it was to see connected devices as a first step in an attack. The pupils were interested and excited, but just as quickly lost interest – while their teacher lost credibility – when both trainees and teacher avoided questions about their own hacking abilities.

Children are desperately inquisitive about hacking and I feel that we’re doing them a disservice if we don’t teach them about this matter. Curiosity is what we want to fuel, not stifle. If we do stifle this, we do so at our peril. If a child’s interested – as was the TalkTalk incident’s perpetrator – in SQL injection, a simple search yields over five million hits.

Putting our heads in the sand while children have access to information and time on their hands without any guidance is counter-productive. It reminds me of Nancy Reagan’s simplistic and ineffective ‘Just Say No’ anti-drugs campaign, in comparison with the more nuanced approach employed in the UK’s current ‘Talk to Frank’ initiative, whereby accurate information is given alongside the risks.

The reticence of schools towards teaching about hacking isn’t surprising when considered alongside their Duty of Care and safeguarding responsibilities. They’re risk averse. Imagine the headlines if a hacker said: “I learned how to do this at school”. However, not teaching hacking overlooks the value in it, the need for children to satisfy their curiosity and the opportunities to teach both the ethics and consequences of the deed itself. After all, how can you counter a cyber attack if you don’t know the first thing about how it works?

Looking for white hats

We’re desperate for future white hats, so let us not allow our children to stumble into becoming black hats. When we teach children about drugs we bring in professionals in order to give the children and the teachers the best information that we can. I suggest that we do the same when the talk turns to cyber.

I also suggest that we need to show children how known exploits actually work, teaching them how to enact an SQL injection and other misdeeds and, at the same time, highlight how to prevent such occurrences from taking place.

We need to create courses at universities – similar to the excellent elective CS50 (Introduction to Computer Science) module at Harvard University – whereby students gain a core understanding about the subject as part of their degrees. Hopefully, we’ll then have a knowledgeable workforce capable of understanding (and perhaps even countering) the threats present now and into the future.

Simon Marsden BSc Cert Ed MSc FHEA MBCS: Senior Lecturer for Initial Teacher Training in Computer Science at the University of Portsmouth’s School of Education and Childhood Studies

*Subsequent to this article being completed, it was announced in the Conservative Government’s Autumn Budget that the number of computer science teachers will triple to 12,000 and that there will be a new National Centre for Computing. Although the fine details are yet to be clarified, this is to be welcomed as it appears that the much-needed training for existing teachers to retrain as computer science teachers will now be available. The question as to how new trainee computer science teachers will be recruited still needs to be urgently addressed, with most teacher training providers currently struggling to recruit even a handful of trainees yearly.

 

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.