Developments in both the 2011 and 2016 UK National Cyber Security Strategies shifted the Government’s position from being advisor to industry, education and society to that of interventionist, reflecting the realisation that most end users are not sufficiently cyber aware to redress the issues involved without significant assistance. Simon Marsden addresses the challenges of cyber security education in schools and why they must be overcome sooner rather than later.
Back in October 2015, many of us awoke to Dido Harding, CEO of TalkTalk, informing the world that the business had been the victim of a “sequential attack”. My first thought was: “We have a problem on our hands”. Our education system of the last 40 years has enabled a situation whereby the majority of the workforce – at all levels – are not cyber aware, while self-taught teenagers commit a large proportion of cyber crimes. The TalkTalk episode was, in fact, an SQL injection attack, a method known about for almost two decades.
My interest in cyber security stems from an educational perspective by dint of working as a university lecturer in initial teacher training for computing, and previously as head of computing in a secondary school. My focus is very much on what we need to do in the UK to educate children, not only to be safe and informed cyber users, but also to be in a position to foster skills such that they can be useful – and not damaging – to today’s society.
Michael Gove’s 2012 speech at the BETT education trade show heralded a major change to the new national curriculum, making it statutory to teach computing to students from age five upwards as of 2014 onwards.
While the UK’s National Cyber Security Strategy documents indicated the need to include cyber security within computer science teaching, and promoted extracurricular initiatives such as the Cyber Security Challenge, there was no indication that the low number of students studying computing beyond the age of 14 would be addressed.
The extracurricular activities for “talented” 14-to-18 year-olds appeared to be the preferred route to developing the nation’s desperately-needed cyber specialists, including the latest £20 million initiative which was again targeted at elite children. If cyber knowledge really is – as stated in the 2016 UK Cyber Security Strategy – “no longer an issue just for the IT Department, but for the whole workforce”, are these interventions enough, or will the skills gap continue to leave us vulnerable?
Introduction of cyber
The May 2015 update to the ‘2010-2015 Government Policy: Cyber Security’ Policy Paper announced that cyber security had been introduced at every level of the education system from age 11 to post-graduate, claiming that: “This ensures everyone who leaves education has at least a basic understanding of cyber security before employment.” However, at best this can only be partially true.
The new GCSE qualification in computer science provided by the OCR Examinations Board was promoted as having a “focus on cyber security… which students will study for the first time” and accredited for first teaching from 2016, thus indicating a mismatch between Government statements and school implementation. Additionally, only 28.5% of schools entered pupils for the GCSE in 2015, so are students of all subjects at university really privy to cyber education?
Numbers vary depending on which Government spreadsheet you open, but the GCSE entries from 2016-2017 show 589,096 pupils with 61,040 taking information communication technology (ICT) and 69,061 studying computer science. If we generously afford the same weight to the ICT GCSE as the computer science GCSE, it still means that only 25% of pupils left secondary school with some applicable knowledge. Removing ICT, we’re then down to 12% (ICT is no longer in the curriculum). Very few of these students will go on to A-Level (8,299) or future courses where they’ll be taught to be ‘cyber aware’.
Positively, 11% of the children interviewed by The Royal Society for its ‘After The Reboot: Computing Education in UK Schools’ Report expressed interest in a career in computer science, but children are receiving a mixed experience, with some even having to teach themselves how to code.
Despite the excellent work of Computing at School, a BCS initiative, many of the teachers are not qualified in the subject, only around 50% have any knowledge of (or qualifications in) computing and many harbour a very limited understanding. This is in part due to a history of putting ‘the last man standing’ in the ICT classroom. In my last teaching post, my department comprised one business studies teacher, two PE teachers and myself.
Statutory subject matter
The question is often asked as to why so few children, and especially girls, want to take this subject. This is a statutory subject in England and should be taught to all children from age 5 to age 16 (optional at GCSE level), but with a lack of qualified staff and other pressures placed on head teachers, this isn’t happening.
Academies and free schools can opt out of the National Curriculum, while others avoid the problem by not teaching computer science to every year or in every week. Often, lessons are still based on digital literacy, as this may be all that the teacher has the knowledge to provide.
While some children receive excellent provision, most miss out on the exciting wealth of experiences (ie graphics, robotics, programming, cyber, physical computing, games, etc) that could maintain their interest in computing and STEM-based subjects.
John Hattie, author of ‘Visible Learning for Teachers’, ranks teacher credibility as the fourth most important area in a list of influences on learner achievement. Since the 1980s, children’s cyber role models have been found in fictional representations such as The Matrix, so do teachers have credibility?
My trainees do some of the Cyber Security Challenges and are expected to encourage their pupils to do likewise. One trainee was told: “You’re not doing that with these children in this school”, the teacher fearing the children would use the knowledge for deviant purposes, when the challenge was to gain a basic understanding of steganography.
Another trainee used a wireless router to show how easy it was to see connected devices as a first step in an attack. The pupils were interested and excited, but just as quickly lost interest – while their teacher lost credibility – when both trainees and teacher avoided questions about their own hacking abilities.
Children are desperately inquisitive about hacking and I feel that we’re doing them a disservice if we don’t teach them about this matter. Curiosity is what we want to fuel, not stifle. If we do stifle this, we do so at our peril. If a child’s interested – as was the TalkTalk incident’s perpetrator – in SQL injection, a simple search yields over five million hits.
Putting our heads in the sand while children have access to information and time on their hands without any guidance is counter-productive. It reminds me of Nancy Reagan’s simplistic and ineffective ‘Just Say No’ anti-drugs campaign, in comparison with the more nuanced approach employed in the UK’s current ‘Talk to Frank’ initiative, whereby accurate information is given alongside the risks.
The reticence of schools towards teaching about hacking isn’t surprising when considered alongside their Duty of Care and safeguarding responsibilities. They’re risk averse. Imagine the headlines if a hacker said: “I learned how to do this at school”. However, not teaching hacking overlooks the value in it, the need for children to satisfy their curiosity and the opportunities to teach both the ethics and consequences of the deed itself. After all, how can you counter a cyber attack if you don’t know the first thing about how they work?
Looking for white hats
We’re desperate for future white hats, so let us not allow our children to stumble into becoming black hats. When we teach children about drugs we bring in professionals in order to give the children and the teachers the best information that we can. I suggest that we do the same when the talk turns to cyber.
I also suggest that we need to show children how known exploits actually work, teaching them how to enact an SQL injection and other misdeeds and, at the same time, highlight how to prevent such occurrences from taking place.
We need to create courses at universities – similar to the excellent elective CS50 (Introduction to Computer Science) module at Harvard University – whereby students gain a core understanding about the subject as part of their degrees. Hopefully, we’ll then have a knowledgeable workforce capable of understanding (and perhaps even countering) the threats present now and into the future.
Simon Marsden BSc Cert Ed MSc FHEA MBCS: Senior Lecturer for Initial Teacher Training in Computer Science at the University of Portsmouth’s School of Education and Childhood Studies
*Subsequent to this article being completed, it was announced in the Conservative Government’s Autumn Budget that the number of computer science teachers will triple to 12,000 and that there will be a new National Centre for Computing. Although the fine details are yet to be clarified, this is to be welcomed as it appears that the much-needed training for existing teachers to retrain as computer science teachers will now be available. The question as to how new trainee computer science teachers will be recruited still needs to be urgently addressed, with most teacher training providers currently struggling to recruit even a handful of trainees yearly