In 2002, Golden Richard III started a cutting-edge information assurance program at UNO that drew national attention. Ten years later, standout graduates have worked at the Massachusetts Institute of Technology’s Lincoln Laboratories, found holes in the Android system, earned $150K salaries and attained top national security clearances. Under Richard’s direction, UNO founded the Greater New Orleans Center for Information Assurance, a Board of Regents sponsored center with two state-of-the-art computer labs, where researchers have obtained several million dollars in federal research grants and gained certifications from the National Security Agency and the Department of Homeland Security.
What is information assurance? Information assurance is basically computer security. Inside the umbrella is basically anything related to securing or investigating digital information. This would include things like: defensive security measures; the design and deployment of antivirus and firewalls; digital investigation, which is basically digital forensics; reverse engineering, which is analysis of malware — computer viruses and worms and stuff like that; and network penetration testing, which is an offensive technique that essentially looks like malicious hacking — only it’s done in an authorized way to measure the security posture of an organization. And then there’s cryptography, which is encryption and breaking an encryption — encrypted data — and seeing if it can be decrypted.
And why is it appealing for UNO to have an information assurance program? One, it’s a financial issue. I mean, students want to get a job, right? There aren’t really enough people, particularly smart people, who actually know what they’re doing, in computer security. People are desperate for good people. And if you’re a good person, you know, then close to six figures right out of school is not out of the question at all. You can just walk and collect, essentially.
The other thing is that IA students are just inquisitive students — you know, hacker types, and I mean that benevolently, not maliciously — people that like to tinker and figure out how computers work and how software works and stuff. That’s essentially a fundamental skill that’s necessary in computer security, so they see a way to sort of formalize their tinkering. It’s just interesting, right?
So some people it’s for money; some people it’s for interest. Most people that are studying, it’s for both because they do something fun and they know that they’re going to get paid a lot and can be eccentric or weird or whatever. Whatever they are is going to be tolerated if they’re smart because their services are invaluable — and everyone wants a job like that, right, where you don’t have to wear the tasseled shoes every day and stuff.
What are the uses for this kind of study? Increasingly, every corporation of any size, and state and local and federal government, everyone, needs an IT security person of some sort. Bigger organizations have internal teams that can do digital investigation. They have internal penetration testing and network security experts. They may still be required to get an external person to verify. And there are the people that are going to go do cyberstuff for the FBI and local and state police and other federal agencies. Everybody who is hiring wants computer security — it’s just like a big vacuum cleaner that’s hungry for computer security people and that will vacuum up anybody that’s good enough to try.
What kinds of students gravitate to information assurance? It tends not to be people that have casual interest in computer science. It tends not to be the person that’s just interested, for example, in a 9 to 5 job or a 9 to 5 study, where they come do the classwork and then go do something else. These students tend to be sort of rabid about computer science. It’s a lifestyle, essentially.
I’m not saying they don’t go have a beer with friends or have girlfriends or whatever — they do — but it’s a significant portion of their existence — their work on stuff and their own projects and everything all the time. They are working in the lab, late. And they tend to tweet about it. There’s some bragging rights: “Oh, look what I did.” It’s taken very seriously.
No one with a basic casual interest is going to be a superstar anyway because the field changes so quickly. If you’re like “Get me out of here, I’ve got to be out of here, I can’t do this for a month,” or something, good luck, because everything’s changed since you stopped. It’s changed since yesterday.
What are the challenges inherent to teaching this kind of a program? The challenge for the student is similar to the challenge for the instructor, which is to stay up to date, because this stuff changes constantly. You don’t look for one day then a student who is paying attention to every tweet on computer security that comes out constantly will tell you “Hey! Did you hear that LinkedIn was hacked five minutes ago?”
The students that are really interested in this stuff, or the really good ones, are really a notch below the instructor in capability. You may have more experience and ability to adapt to some unique situation, but these guys are reading and working too, so if you start reading and flipping some lame slides that are like three years old, then you’re a joke, essentially, and you’d be found out immediately.
Also to do it properly, you need realistic lab work. Digital investigation, you need to do digital investigation, not just read about it, because it’s hard. For reverse engineering malware, you need to see real viruses, and that means you have to pull a virus out. They get a sample of the executable code of the virus and what I want is a completely documented printout. I want every single line commented. It’s not English. It’s just bits and bytes. And the next step is to extract computer code from the file. By the end, you have human language flowing down the right side of the paper that completely describes what it’s doing.
Wow, is there a huge attrition rate with this? That sounds scary. No, there’s not a lot of attrition, actually, and believe it or not, there’s not a lot of failure rate either, because it does take a certain sort of person to be interested in it in the first place. And there are some people that come in that just clearly have innate skill in this — it’s not going to kill them.
The rest of the people by and large don’t have the necessary low-level computer programming skills to do this because this is de-emphasized, because now everything is Web. Now everything is apps and stuff, so the really low-level nitty gritty is really not needed for most people. They come in thinking that they’re programmers and then it’s just like, “Man, I am just a complete weakling.” They’re just, like, vibrating.
So I scare them by giving them a virus the very first day and saying: “Here it is,” but then encouraging them every day to please not drop (the class) and give it some time and give them bits and pieces and, you know, help them through the first few, while really scaring them into thinking that they’re really sort of on their own and I’ll disclose information at my leisure. There’s a definite dawning of “I can actually do this, I’m not good at it yet, but I’m making progress and I’ve figured this piece out.” By the end, every single person in the class can do it.
So what do you think are the greatest accomplishments of the program in the last 10 years? Two things: teaching things in computer security that really need to be taught, regardless of how hard it is, because there’s a huge need for it, and putting UNO on the map in terms of federal funding.