"It's not usually car chases and Angelina Jolie and people dying and that sort of thing,” says Anthony Chavis, an assistant professor in cyber threat intelligence and defense.
“The movies overstate those aspects of the job, but that doesn’t mean it’s not exciting. You’re doing some really cool stuff on a daily basis.”
Chavis would know. Before coming to Johnson & Wales as the first hire the school made when the cybersecurity degree launched in 2015, he spent more than a decade doing military intelligence, serving in Iraq, Afghanistan and various U.S. posts, and later working as a contractor. He and his colleagues produced electronic warfare analysis and worked to assess and neutralize risks, decrypt communications from adversaries, disrupt technology, support tactical operations and more. “I can’t tell you exactly what we were doing,” he says, unconsciously lending himself a touch of the 007 mystique that hovers around the field.
The more sedate detective work depicted in movies, at least, is not far off, and more people will soon be able to get a taste of it through a federal grant that will allow JWU’s cybersecurity team to train high school teachers and local police. In addition to strengthening the relationship between JWU and the surrounding community, the federal funds will help train local law enforcement in cyber forensics and may provide a pathway to internships for JWU students. Additional capital is being sought to construct a Faraday room, which will block outside electromagnetic interference so that seized devices can be checked safely — because “if signals can go out of a phone they can also go in,” says Kyle Leupold ’23, “and the bad guy can remotely wipe the evidence.”
Cybersecurity’s spy-vs.-spy element makes it a never-ending game of catch-up, of constant sleuthing and quick and decisive action when the “black hats,” or malicious hackers, make their move which is constantly. The trade publication Security Magazine estimates there’s a cyberattack every 39 seconds, and Cybercrime Magazine predicts the cost of successful strikes will reach $10.5 trillion by 2025. From 2021 to 2022 alone, the number of cyberattacks worldwide rose by almost 40%, according to Check Point Research, which warns that the increased use of artificial intelligence, notably from ChatGPT, will continue to accelerate that trend, as will the ever-expanding Internet of Things, or physical objects like wearables, smart appliances and driverless cars that are embedded with software, sensors and other technology. “Everything that’s connected can be hacked,” says Frank Tweedie, dean of JWU’s College of Engineering & Design, which oversees the Cybersecurity Center. “And that can be a portal to get into something else.”
All of which means that those employed in the field will never go hungry. “There’s a huge need for talent,” Tweedie says. “It’s one of the fastest-growing areas in the marketplace today, and it goes across every industry, from governments to banks to retail and other private-sector companies. Even mom-and-pop shops need to have a cybersecurity plan in place.” The ethical hacking site cobalt.io says about 3.5 million cyber-security jobs will need to be filled in 2023 at wages of up to $166,000 a year, and the U.S. Bureau of Labor Statistics expects the field to surge 35% by 2031. That’s 30 percentage points higher than overall job growth.
Angel Labelle Johnson ’19 foresaw the explosion of need for cybersecurity five years ago, when she applied for the online MBA program. “I had seen stats about the high rate of employment in the field,” she says, “and from my perspective it was the next big thing.” After graduating she took a job as head of cybersecurity at a large e-commerce company, and she recently applied to a doctorate of technology program.
“Most of the students in my classes already have job offers or are working for big companies,” says Douglas Tondreau, an assistant professor in the cybersecurity program and director of JWU’s Cybersecurity Center. “There’s so much out there that part of my challenge is convincing students to finish school rather than just start working right away.”
The Origin Story
The first antivirus software, called Reaper, was written in 1973, to counteract the original computer “worm,” a somewhat lighthearted warning from a Cambridge, Massachusetts, engineer to his techie colleagues that self-replicating code could be made to jump from one machine to another.
“Creeper” crawled across the Pentagon’s ARPANET network, a forerunner of public internet, taunting users to “catch me if you can.” By the late 1980s malware was becoming widespread enough that former President Ronald Reagan signed the Computer Security Act, which helped establish standards and guidelines for federal information systems. From there, every year has seen more and more attacks, because even though cybersecurity has grown exponentially stronger, it will never conquer all its foes.
“As a cybersecurity professional you are always at least one step behind,” says Chavis, “because hackers have the advantage that you don’t know what they’re going to do. It’s like being a homeowner who’s about to get robbed. The thieves know all the ways into your house, they know when you’re leaving, they know things you don’t even think about. You don’t even know you’re being watched.”
Chavis himself has been hacked several times. “More often than not when retailers or vendors are attacked, they don’t even know it occurred until the victims start telling them about it,” says Nicholas Tella, JWU’s director of information security. Tella recently had a week of workdays hijacked by hackers who got into the Audience View platform (formerly University Tickets) that students use to buy admission to events. “We discovered it when a student reported a suspicious charge to her credit card after she got tickets to the SnoBall,” he says. “We went to talk to her in the commuter lounge, and other students overheard and started saying, ‘That happened to me too!’ We found like eight victims just in the commuter lounge that day, but the platform wouldn’t admit there was a data breach. Of course, now we know we were far from the only school affected, but I spent the entire week trying to deal with it. You can never predict how your day will go with this job.”
Cybersecurity’s enigmatic nature is one of the things that appealed to Leupold, a recent graduate, when he was applying to colleges. “Cyberspace in general isn’t something you can really see,” he says, “so I thought it was cool that so much is happening even though it isn’t happening blatantly in front of you.” Last October, Leupold won the candidate division (for anyone seeking to get on employers’ radar) of the inaugural Colorado Cyber Games, a monthlong competition sponsored by the National Cybersecurity Association that presents contenders with weekly offensive and defensive challenges.
“Our hacking team has always done well in competitions where they’re looking to build the best mousetrap,” says Tweedie. “We’ve been up against much bigger schools — including MIT, Harvard and Yale universities — in hackathons and we still win. Before COVID-19 slowed the pace of competitions, we were top of the game in the official student league.”
That kind of authentic learning — being presented with a problem and having to fix it in real-time — is at the heart of JWU’s ethos, and the cybersecurity program is no exception. When Chavis, Tweedie and Assistant Dean Nick LaManna were putting the program together, they traveled to the Naval Academy in Annapolis, Maryland, to make sure they were doing things right from the start. “I think we were the only school that had that kind of access,” says Tweedie. “We had a connection who worked at JWU and was also a commander there. From the beginning we wanted to make sure we’d have the right credentials to align with the federal requirements to become a National Center of Academic Excellence.” That prestigious designation, from the National Security Agency, came last summer, and JWU is one of only about 300 colleges and universities nationwide that has it.
That kind of authentic learning — being presented with a problem and having to fix it in real-time — is at the heart of JWU’s ethos, and the cybersecurity program is no exception.
The White Hats
The certification must be revisited every five years, but cybersecurity faculty and students are used to working on the fly. “Things I taught a few years ago are no longer valid because technology is updated so fast,” says Chavis. “Every time something new comes out we have to adjust. Textbooks can’t keep up, so we do labs using real-life examples.”
That allows students to look at cases both past and present, and analyze how police “blew it,” as Tella puts it, in a few famous national investigations. “When things were missed though it hasn’t been entirely the cops’ fault,” he adds. “Until the past decade or so they just didn’t know how to check browsing histories. The crimes were moving faster than the police training and the laws to address them.”
That’s one reason JWU views working with local law enforcement as a priority. “We think we can help the police departments get better at picking up on social media red flags, processing evidence faster, closing cases quicker and just becoming better equipped to take on challenges they might not have seen before that relate to technology,” says Tondreau. “We envision new cadets going through training with us as a matter of course. It will become a recruitment tool for the police and for us that will help people see the good work the police do at a time where they’re sort of under fire.”
Training local teachers, too, is a two-way street; it helps schools beef up their cybersecurity while creating a pipeline of students for JWU to take to the next level. “We looked into needs in the area and number-one is awareness training for secondary schools, which get hit a lot,” he says. One reason educational institutions are targeted, he adds, is that they have a lot of personal information on faculty, staff and students, and can’t fully regulate the use of devices. “Sometimes they’re hacked by students playing around,” Tweedie says. “We’d like to harness the interests of students like that and build a model where they and their teachers can get JWU credit through trainings.”
Of course, there’s always a risk that students could go to the dark side instead. As one former professor pointed out, the skills they’re learning in some classes can either get them a job or “land them in jail.” “With digital forensics tools we teach students how to recover deleted files,” says Tondreau. “But by learning that, they’re also learning how to destroy digital evidence if they’re ever accused of a crime.” It’s important to Tondreau, Chavis and their colleagues to touch upon ethics in every class so that “our students will contribute to society in a positive manner,” Tondreau says. “We like to think our students will come out using what they’re learning for good. It’s much more interesting that way.” JWU