Gender, GDPR and tooling up for the cyber-wars - thought leadership from Barbara Endicott-Popovsky

By Madeline Bennett, December 25, 2018
Summary:
IT security guru Barbara Endicott-Popovsky on the major hurdles the West faces in the cyber-war - and why she loves GDPR.

If I allowed my students to do those things, I’d go to jail and so would they.

If anything is going to inspire a young kid into a STEM career, space travel could be it. And Barbara Endicott-Popovsky was fortunate to grow up during the ideal time for inspiration - the era of the space race, the Apollo missions, man on the moon:

That just got me started. As a kid I built my own telescope. I would go to the observatory, we would have moon watches. I loved looking at the stars through the telescope, so it was set at a very young age.

From her initial role as IT manager at Boeing – where she uncovered the firm’s first ‘man in the middle’ attack just as the organisation was moving from mainframe to distributed computing - to her current position as Executive Director at the University of Washington’s Center for Information Assurance and Cybersecurity, Endicott-Popovsky has built up her own human database of IT security knowledge. She’s now applying this to train up the next generation of cyber-security experts, but is frank about her concerns over the limitations of educating students in the West coupled with a skills shortage she doesn’t see ending any time soon:

I'm shocked that North Korea at one time was putting out 200 cyber-security experts a month. North Korea - a little tiny country. The Russians are masterful, the Chinese are amazing, the University of Tsinghua is well known. Now the difference there, they allow their students to do things that if I allowed my students to do them, I’d go to jail and so would my students.

Tsinghua University, for example, assigned a case study to hack the Israeli Knesset [parliament]. It was so bad that the people, the members of the Knesset, would know when there was a graduating class because all of a sudden they were pummelled by all these attacks.

Conversely, the West has directed its technology focus to making money, according to Endicott-Popovsky – and other nations are beginning to realise that and seize on any weaknesses:

I’m not knocking it, it’s what makes the world go round. But what we've done is the equivalent of putting our wallets on the kitchen table and leaving the back door unlocked.

Skills needs

While the potential risk of state-sponsored attacks is likely to grow as nations like Russia and China continue to hone their cyber credentials, here in the West one of the key battles is attracting and developing enough trained security experts. There were one million cyber-security job openings in the US alone in 2016, and more than 200,000 of those positions went unfilled. In May 2018, a much-cited report from Cybersecurity Ventures predicted that by 2021 there will be 3.5 million vacancies in the IT security field.

Endicott-Popovsky is far from optimistic about the potential for all these vacancies to be filled:

I think we're going to have this deficit for some time because it starts in K12. We're not educating people at the very beginning of the pipeline what cyber security is all about, we’re not giving them a sense of cyber hygiene. We're not talking about behavior online, cyber-bullying and things like that. You still have people in elementary schools that come from the old world. So I think this is going to be with us for a while.

Despite the millions of vacancies for cyber-security roles (an area of work with a zero percent unemployment rate, according to the University of Washington, Bothell), the sector has yet to see a broad shift in the number of women attracted to IT careers, which stands at around 20%.

Endicott-Popovsky has managed to improve on these numbers: a third of the students currently enrolled in her course are women, something she attributes partly to having a female course leader. But this is still a lower proportion than in the late 1970s, when Endicott-Popovsky started her first IT job at Boeing and 40 percent of people in the field were women. Perhaps as a result, she never felt she was being treated a certain way because of her gender, even when her [male] boss was intimating she might be crazy:

I was involved with one of the first data breaches at the company. I had IT operations responsibilities and we were moving over from mainframe computing to distributed processing. We experienced what I would call a ‘man in the middle’ breach and when I reported it to management, they thought I'd lost my marbles and more or less told me that. So I just was flabbergasted at the response and became extremely curious about cyber security. It stayed with me, and I began to read and study it.

But I think they would have responded the same way with anyone, it was just simply the time, it was something brand new and people hadn't thought of it. My boss was quite a supporter of mine, so I think he thought he was doing me a favor by telling me that - if you have these ideas, it's okay to tell me but I wouldn't share these with just anybody. I think he felt he was coaching me.

Due to her experiences in the workplace, and the more balanced gender split when she started out, Endicott-Popovsky is surprised about the decline in women at universities and across the industry:

I never really dwell on the issue of gender discrimination. I've had a couple of issues when I was younger, but I just ignored it and let it go right past me because I was goal-driven always, no matter what I did. What I would really recommend women do is set their sails and don't look back.

Endicott-Popovsky pointed to the 33 separate cyber-security career pathways on offer in the National Initiative for Cybersecurity Education framework, which she hoped would encourage more women to consider entering the field:

There’s something for everybody, from purely managerial to the deeply technical. What I would suggest is that they go through the framework and find what sparks their interest. If they're fascinated by cyber-security or even slightly curious, find something that sparks your interest, and follow the skills and abilities that are recommended for each of those career pathways. I've found that if you do what you're passionate about and really interested in, regardless of who you are or what you look like, and if you have goals, the rest of this just rolls right off your back.

As well as her ongoing fascination with all things cyber security, privacy is a new aspect to the courses that Endicott-Popovsky teaches, and one that is perhaps at odds with the traditional US mentality. The geography of the US and the nation’s history have conspired to give it a somewhat strange disadvantage when it comes to privacy, compared to its European counterparts:

In the US, we didn't have the advantage - and I use that word advisedly - of having had a world war on our shores. We have two oceans and a couple of friendly neighbors on either side, and it just means that we're blind to certain things. We've been able to be blind because we've only had our soil breached a couple of times in our history.

While organisations across the European Union might have been cursing the General Data Protection Regulation, which they have been obliged to adhere to since May this year, for the extra data management burden it brings, Endicott-Popovsky is a huge fan. She has recently added privacy as a core component of the Certificate In Information Security & Risk Management course she teaches at the University of Washington, and is a firm believer in the need to protect the right of individuals to own their data:

I really appreciate the European GDPR. You guys had your antenna out a mile, so I think culturally you were far more sceptical and aware of the privacy issues for the individual. What's happened to companies is that they’ve had to follow suit. Microsoft is a US company, but it's international and they can't have corporate privacy regimes for this country and that, the internet doesn't work that way. So you have to build the systems to the most stringent standards, and you guys raised the bar.