In this episode, our guest is Professor Doug Jacobson from the Department of Electrical and Computer Engineering (ECpE) at Iowa State University (ISU). Here, we talk about the new ECpE major program in Cyber Security Engineering, which was proposed and established under Jacobson's leadership. We also learn about his innovative research and outreach activities in cybersecurity and information assurance, such as the ISU Cyber Defense Competitions, ISU Center for Cybersecurity Innovation and Outreach, and the ISU Information Assurance Student group. This episode was conceptualized, recorded, edited, and produced by Santosh Pandey from the ECpE Department of Iowa State University. The transcript was prepared and edited by Santosh Pandey from the ISU ECpE Department. The communications and digital hosting was handled by Kristin Clague from the ISU ECpE Department. The music was provided by Alex_MakeMusic from Pixabay (Track Title: Inspire Me).
Welcome to our ECpE podcast series where we talk about exciting activities within the department. I'm your host, Santosh Pandey. Our guest today is Professor Doug Jacobson from the Department of Electrical and Computer Engineering at Iowa State University. Doug, thank you for joining us today. We want to learn about the new major in cybersecurity engineering in the department, which was proposed and established under your leadership. In addition, we want to chat about your research and outreach activities within cybersecurity and information assurance, in a language that is relatable to our students. To start with, could you please talk about the new cybersecurity engineering major program - the need for it, what is it all about, and the timeline of events? Yeah. Thank you for hosting this. The new cybersecurity undergraduate degree was started back in 2019 and really follows on a long history of cybersecurity at Iowa State. We had our first class in cybersecurity, actually, in 1995. And we've been offering classes ever since. We offered a master's degree in 2000. We offered a minor in 2015. And the major in cybersecurity was the next logical step. As we saw the need for students educated at all levels, from a minor all the way up through a PhD. That is great. So how is the cybersecurity engineering major program related to the existing software engineering and computer engineering majors that we have within the department, especially in terms of the structure, curriculum and course offerings. So again, this is an engineering degree - cybersecurity engineering. So we very purposely took our computer engineering program, and all the strengths around our computer engineering program, and we kept the core. Every required computer engineering course is also required of our cybersecurity engineering students. We then added eight courses in cybersecurity around courses and then minimum of four elective courses. That was very purposeful. The strength of this department is that strength in understanding computing, understanding the breadth of computing, both from a hardware and software standpoint. So our cybersecurity majors come out with a deep understanding of not just cybersecurity, but how computers work, which is critical in this world of IoT, critical infrastructure, etc. You know, it's 35 billion computers on the internet. And so we really felt it was important to ground this in computer engineering. Moving on, do you have any plans to get this new major program accredited by the ABET and what is the value of having ABET accreditation? So, yes. And actually that was one of the emphasis for creating this. ABET just recently created the cybersecurity engineering criteria. And so, that criteria has only been out for two years now. And we just went through an ABET accreditation cycle this Fall. We officially will hear this summer, but all indications are that we will receive ABET accreditation come August, which is when they make the formal announcements. As a follow up question, can you tell what is the strength of the student enrollment within this new program? Yeah, currently, we're about 160 students in the program. We graduated our first set of students two years ago and I think we've graduated 20 students, not counting this recent graduation term. So enrollment has basically met our expectations. That's great. So moving on the next question. In this era of advanced threats to our devices and data, what crucial role does cybersecurity play in addressing the challenges of the 21st century? And more importantly, how do you communicate the need of cybersecurity public in general? You know, the news every day, now we are seeing something about cyber security. So the threats change constantly. The threat actors have figured out - they're motivated, they know how to make money. And just because we figure out a way to stop them in one place, they turn around and find another way to get in. So it's a constant, constant battle. We win in one arena and they'll turn around on, find another arena to fight in. And the cybersecurity education is critical at all levels because technology can't win this battle alone. The general public, the users have to play an active role in their own protection. So it's critical that we offer cybersecurity to everybody. And it's also critical that our cybersecurity engineers, the people we produce that are the frontline warriors in this, understand that too. They have a responsibility not just to build cool technology, but also understanding to help the user community to better protect themselves, because they play a critical role in their own protection. So you have been a proponent and an advocate of information assurance and securing the internet against digital attacks for so many years. How do you think the field of cybersecurity has let's say within research and education? I've been in cyber since the early nineties. So I've been in it forever. And in some ways it's changed, in other ways it hasn't. It's changed in obviously the number of users, the number of things that can be attacked. You know, there's over 35 billion devices on the internet right now, all of which are potential victims. So we've seen the threat landscape, not only in the quantity, but in the way the threat actors are operating. You know, the whole ideas of ransomware and holding data for ransom, using security techniques to disrupt our very lives, to disrupt how our government works. So we're seeing our threat actors use cybersecurity to either get money or to disrupt. And the 'getting money' is actually one of the newer things. You know, 20 years ago, they didn't know how to make money doing this, or at least not much money. The estimates are that ransomware alone in the first half of last year was almost a $600 million business. That's amazing. That's real money. And so that's how we've seen it change. And because there's so much money on the table, we've seen our threat actors willing to spend more time interacting with their victims, crafting much more sophisticated attacks against the victims because the payoff is so large. Do you think with the rise of cryptocurrency and Bitcoin, the threats have increased? Yes, because now they have an anonymous way to pay each other. You can't get $4 million worth of gift cards, but you can transfer 4 million of Bitcoin without getting caught. So yes, Bitcoin has really enabled them to extort much larger quantities of money because it's so easy to move that. So when you talk to students, do you think it is easier to communicate these concerns about cyber attacks? Do students relate to these things because they're more aware of cryptocurrency, they're more aware of ransomware? The awareness is there. I don't need to go in and talk about why security might be important. It is important. But on the other standpoint, there's a lot of misconceptions out there. So it is getting people to understand the complexity of the problem, understanding their role in that problem and understanding again the breadth of that problem, both the technical side and on the social side of things. And so there's still a lot of education to do to understand that entire threat landscape. You know, when I gave talks 20 years ago, I'd have to stand up and spend 15 minutes explaining why somebody would do this. I don't need to do that anymore. So moving on, could you talk about your Center for Cybersecurity Innovation and Outreach? What was its mission and how can students get access to some of the research and education facilities offered by the center? Yeah, so the Cybersecurity Innovation and Outreach is a new created back in 2000, the Information Assurance Center. And from the very beginning, that center has, like many centers, has a focus on research, education and outreach. And so the center is a rallying point for the research faculty and there's a large number of faculty members, some around 20 or so who do research either fully in cyber or some aspect of cyber and lots of opportunities for students to get members through undergraduate research projects. A lot of senior design projects are cyber security focused. So our faculty are always looking for ways to work with the undergrad on various research type projects. So could you talk about the information assurance student group? When was it started and what opportunities does it offer for students? Yeah, so that group was actually started back in 2003, so it's actually fairly old. And we started that group to really provide an opportunity for students to explore cybersecurity. They'll bring in speakers, have internal speakers and they'll bring in speakers from around the country to talk about cool things in cyber security. They also run some formal sessions where they'll teach you about, for example, what's SQL injection attacks. So they'll pick on a particular topic and talk about that. So it's really an opportunity. It's all student-run, student-led to bring students together to talk about various aspects of cybersecurity. Is this geared towards undergraduate students, graduate students or students in general students? The students in general. It tends to be more heavily populated by the undergrads and it's targeted at a broad set of students. So there's students from MIS and computer science and software engineering and other disciplines who have an interest in security, along with students who are fully focused on security. Right. That's great. So could you talk about the cyber defense competition that you have been holding for so many years? When was it started, what was its mission, and the impact that it has had so far? So, yes, we held our first cyber defense competition in 2005, one of the first ones in the country. And from the very beginning, we chose to build our cyber defense competitions Ours are really focused around learning and so the students are given a scenario and they build out the defensive environment around that scenario. So there's actually a build phase. Then there's a defense phase where they face off against some very good adversaries. So they got this whole design build, defend aspect to it. And these competitions today they're back in person, they're an eight hour event. The setup takes a month, but the actual competition happens during an eight hour window where the red team comes in and tries to attack. And usually successfully attacks the, the blue team. Our employers are extremely excited about the cyber defense competitions. They look for that on students resumes. They're not as interested as much in who actually wins. What they're excited about is these students are experiencing in real time, a live exercise, and they have to detect and kick out the red team and write action reports about it. That's the kind of thing they do in real life. That's the kind of thing I can't teach in the classroom. Great. That's a very unique thing that we have at Iowa state. So what is the impact that it has had on students and student education or retaining our best students? So yeah, several ways to measure impact. We've I think we've held over 60 or close to 70 cyber defense competitions over the years. And probably close to 10,000 students have gone through the various competitions, I think. The impact, obviously on our students, is that these provide real live exercises. And so they lead to great job opportunities and we run a high school competition. So we use it as a recruiting tool. We work with community colleges on a competition. We have one where we bring in students from other schools to come in and compete against our students. So it's a recruiting tool. It's a way to show off Iowa state. It has a fairly broad impact besides just giving our students some really cool experience that gets them really cool jobs. What. Do you think is the response from companies and industry these cybersecurity education platforms you have created at Iowa state? Could you name some companies that hire the students and what kind of jobs do they offer our students? Yeah. So responses from our companies has been great. The actual degree, the new bachelor's degree was created with input from our advisory board. So we have a cybersecurity advisory board made up of national labs, made up of companies, government officials, et cetera. They help create this degree. So they're very invested in this. They're very invested in our cyber defense competitions. They give money for us to help host these competitions. They're also speakers for the security club. So our companies are very invested in working with our students, building that pipeline, getting the interns. Some of the companies - they kind of range all over the place. Some of our students go work for three letter agencies over in the DC area and r ight, do some really cool things. Most of the time, they can't talk about it. We have a set of students who then will go work for companies where security's not what the company does, but what they do needs to be protected. And they need architect systems around that protection. So companies like Principal, John Deere Financial. And then we have students who go work in companies where security is part of what they're producing. Either solely, so they go work for FireEye or other companies that sell security. They either sell products or they sell services. You know, PWC, Ernst & Young are employers of our students. Or they'll go work for companies where security is important to what they're embedding in. So take John Deere again, for example. Tractors are autonomous. Our students go in and help build secure tractor systems, et cetera. So there, they're working about how do I put security into a product so that it doesn't fall victim to an adversary. What is your vision for cybersecurity education at Iowa state? Where do you think all your efforts so far, they are heading towards in the next five years or 10 years? So I think, I mean, obviously we, we will keep working on the degree. You know, we have various technical electives that we have on the roadmap. So that's a little more tactical to kinda keep building the degree. The new initiatives that we're trying to do here is twofold. One is looking at how to - there's kind of a gap out there in the employment market. What's produced in Iowa? We produce students at a bachelor's level, community college produces them at a two year level. There's a gap. And so we're actually developing a certificate for degree. And so that's an effort to upscale, usually a current existing workforce. The other effort we're doing is trying to bring cybersecurity into other disciplines. So we're creating a minor in applications of cybersecurity for non-computer people. So how do I give cybersecurity to somebody an Agriculture business? How do I give cyber security to somebody in mechanical engineering or economics. And so what can I do to give those students, not to make them into cyber security warriors, but to put them in a position at their jobs that they think about cybersecurity, the impact of cybersecurity as they're doing their regular jobs. So at a higher level, how do you think the research and the education activities within industry compare with those happening within universities? Is there a fair degree of collaboration between universities or industry or industry is leading the way? So it comes in two parts. When it comes to creating just plain old technology, industry obviously drives that. The collaboration comes in the research behind that technology - research into new algorithms, you know, research into AI and other mechanisms. That's where industry and the university partner. And we have faculty that partner with various industries. Again looking at more of that - how do we take cutting edge research and apply that into cybersecurity? So what are some of the courses that new student can take, who want to build a background within cybersecurity? So our students in the cybersecurity engineering program, of course, they take the four, you know, there's four required courses, which really sort of build the foundation of cybersecurity. One of the things we often say in cybersecurity is - I need to teach you everything before I can teach you anything. So our first three courses really build that breadth foundation and then our technical electives go into depth and theory behind what you have already been sort of played with in our first three courses. And so that's really kind of our focus behind that. We have other opportunities, however, for students who are in software engineering, computer engineering or other computing disciplines to take the minor, for example. That's a minors program at Iowa state that has 15 credits. And so they take, of which six can be double counted. So it's nine unique credits. And that gives them a background where they may not be frontline defense, but they could take in, you know, companies like Deere and others who are hiring a computer engineer or software engineer to develop products. Having somebody with a minor allows them to then develop those products with a deep knowledge of security behind it. They're still primarily focused on their product development, but they now understand cyber security. And then we have electives. So students can just, you know, computer engineering students can take a couple security electives, same with software engineering. And there, that just gives them a little more breadth. And again, they're not gonna be potentially developing a lot of security, but that gives them some breadth to allow them be part of a multidisciplinary team where there may be security people on that team. They'll be able to speak to the language and interact with them. So what are some of the teaching labs that go with these courses? So we have a lab, we call it the ICE lab, and it is a set of large virtual environments. And so the first two courses that are foundational background courses, Computer Engineering 230 and 231, use this ICE lab, which is a simulated internet. So they're playing in a virtual environment on a address space. They're using real tools. They're defending real systems, setting up real firewalls, real intrusion detection, using the state of the art tools, both from attacking and defending standpoint. So everything we do is in this virtual environment, obviously to keep - you know, we don't, you don't want people playing with tools on the real internet. Yeah. But it is as realistic as we can make it. Okay. So we have a dedicated lab environment for our classes. So on a last note, do you have any final advice for our students who want to succeed in cyber security engineering? Well, it's all about curiosity. You know, cyber security is a fun field. It's an ever evolving field. And my recommendation to these students is to do what you can to stay on top of it and play. Set up your own little virtual environments. It's really all about just kind of having that fun and getting immersed in that, you know. Get involved with the club. And it's a fun field. Every morning you wake up and there's some new news article about something bad that happened the night before that you need to now worry about. Well, that's all the questions I had so far. I think we had a very informative discussion today. I hope our students learned a lot through these discussions. We thank you for your leadership efforts within the department that has positively impacted so many of our students in so many Yep. Thank you for doing this. And, hopefully we'll see some of you in some of our classes we have. Thank. You.