Photo by @russfillerup

Should Every Computer Science Degree Require a Course in Cyber Security?

Let us discuss priorities in the education of computer scientists

I am of course not a dominant voice or should perhaps not speak overtly about the education of computer scientists. Although I am doing a few computer science courses at the faculty of Informatics in Norway I have not attended these long enough to heavily criticise which direction a degree in computer science should go in. However I saw the article written by Jack Cable called Every Computer Science Degree Should Require a Course in Cybersecurity in Harvard Business Review and it made me think. I can at least ask a few questions in this regard so I will attempt to have a quick look at this article and its arguments. What else is a computer science degree not teaching that could be relevant for computer scientists? Let us look at the article in question.

First I must say I enjoyed the article written by Jack Cable and he has some compelling points as well as impressive writing. Jack Cable is according to his Twitter a: “Coder turned white hat hacker, acknowledged by Google, Facebook, Uber, and the US Department of Defense.”

He is currently studying at Stanford University the class of 2022. In 2018, Jack became the youngest person to receive security clearance from the Department of Defense through his work on government cybersecurity programs.

Although I thoroughly enjoyed reading the article I would like to think through a few of its points.

Everything related to computer science seems to be ‘eating the world’. Such is the case for this article in the Harvard Business Region too:

Cybersecurity is eating the software world.

I think quite a few writers within technology likes the comparison within the idea of evolution or development — superior in some sense. The Russian interference is mentioned alongside the Facebook breach and increases in data breaches. “What’s worse, nothing seems to be getting better.” This is apparently partly due to lack of punishment. Companies additionally ‘sacrifice security’ for other benefits since investing in this area yields no immediate financial benefits. Alike governments does not invest enough in computer science education towards this end.

“In almost all cases, they stem not from sophisticated hackers’ exploiting novel vulnerabilities, but rather from simple errors that any well-trained eye could spot.” He mentions Equifax that was due to the error of a single employee.

As a side note Equifax confirmed at least 209,000 consumers’ credit card credentials were taken in an attack on March 1, 2018, Equifax announced that 2.4 million additional U.S. customers were affected by the breach. The company claims to have discovered evidence of the cybercrime event on July 29, 2017. This was according to Jack Cable due to the misconfiguration of server storage.

An important point that Jack mentions is that security is brought in as an afterthought or that some people do not consider it at all. Jack asks why software engineers should not be responsible for security in software given that the majority of breaches can be readily prevented. Just one of the top 24 undergraduate programs in the US has a security course as a requirement. He mentions the priority of machine learning as opposed to security and questions what should be electives.

Given that Stanford, among other universities, is producing computer scientists who will inevitably be responsible for the impact technology has on our world in the coming decades, it is the duty of colleges to ensure students can not only get a job but also code with the attention and precision that security necessitates.

Dare I mention the recent Amazon forest fires? This may seem a moot point, however ‘we’ and perhaps also software is eating the world. The cleared areas have been used to give place for mainly raising cattle, and as such it is interesting to ask whether the climate crisis or sustainability should feature as a core subject for software engineers or computer scientists prior to a course in cyber security.

At the University of Oslo security is already part of the core modules of the progression, so it is surprising to hear that there is a lack of focus on this in the US. Samantha Breslin mentions that in making computer scientists we are making some truly significant moves towards a continued gender imbalance. There is plenty to suggest that fairness is a topic that should feature more prominently in the education of computer scientists. Poorly designed systems with a lack of diversity are often enormously unsafe.

Perhaps in talking of safety we have to include the broader perspective of how unsafe energy usage can be detrimental long-term as much as the rush for short-term security. Of course from a realist perspective, if we talk political science and state actors, in this security perspective one could argue that I am not realistic.

On the other hand I think it is equally unrealistic to believe that we can maintain and security in all systems across the world without adverse consequences. This insecurity is problematic both because you can be hacked — and because protection is not only financially expensive it is taxing for the planet.

Building walls is something the US seem to be quite concerned with nowadays. If hosting is done on Amazon Inc (not to be confused with the forest) servers then building digital walls and maintaining them certainly requires a large amount of burning coal or other fossil fuels. This has to be brought more prominently into the debate of security.

I applaud Jack Cable for his excellent article and hope we can see a focus on security in computer science that is appropriate to modern considerations beyond building and maintaining walls.

This is day 86 of #500daysofAI. I am currently writing about AI Safety.

AI Policy and Ethics at www.nora.ai. Student at University of Copenhagen MSc in Social Data Science. All views are my own. twitter.com/AlexMoltzau