Cybersecurity training and education programs need to emphasize systems engineering perspectives in order to fully understand system vulnerabilities, said leaders from the National Institute of Standards and Technology (NIST) during an Oct. 10 webinar hosted by the agency’s National Initiative for Cybersecurity Education (NICE).
“One of our key problems goes down to the engineering of how do we build systems we can actually trust,” said Ron Ross, a NIST Fellow who focuses on cybersecurity, systems security engineering, security architecture, privacy, and risk management. “Our systems are literally being pushed to the edge today,” he said.
Ross discussed how computing has become more complex as more applications emerge and systems connect to physical systems. “One of the things we’re trying to deal with is, how do we understand what’s going on, and it could be your computer, your smartphone, your tablet, but in that black box,” he said, adding, “You can never deal with complexity unless you attack it from a systems engineering perspective.”
Ross illustrated the difference between the concepts with an analogy about how bridges and airplanes are built.
“The reason that bridges don’t collapse and airplanes don’t crash very often is because we start with good science and engineering, and then we bring in good materials, and we have good people that know how to put those things together,” he said. “In the world of bridge builders and airplane builders, it’s all about the keywords of equilibrium, static and dynamic loads, vibrations, and resonance. Those are all grounded in physics and mathematics, and we have to be able to do the same thing with our software and our systems.”
But, he added, “We really aren’t doing as much of that as we need to.”
Carol Woody, principal researcher at the Software Engineering Institute and technical manager of the US-CERT Cybersecurity Engineering Team, emphasized the need for software assurance education to improve cybersecurity, and she touted the free course materials developed by her organization on the topic.