Free Cybersecurity Lessons from Hacker High School
Data breaches make headlines on a nearly daily basis, and the internet is littered with the tattered remains of reputations and relationships blown apart by misjudging or misunderstanding the broader implications of sharing information online. In this dizzying digital revolution, cybersecurity is more important than ever.
Security professionals are in high demand, making security skills a hot commodity. And I’ve written before about local programs like CyberHui, CyberPatriot, and GenCyber, all focused on inspiring the next generation of geeks to make security a priority, and putting students on a solid, knowledge-based career path.
There is another computer security program for high school students out there, but while it has a huge global following, only a fraction of its participants are in the United States. And there’s one volunteer in Hawaii hoping to help it find some local roots.
“It is vital that we teach the next generation about the profession of digital security,” Bob Monroe, a Honolulu-based volunteer with Hacker High School, said in an email. “It is more vital that we teach them to think for themselves and not rely on marketing ploys and fancy flashing lights.”
What Hacker High School offers is a full cybersecurity education curriculum. It’s built on the principles of open source, and similarly offered for free to educators, and has so far been translated into 22 different languages. In fact, the program has been around for 15 years, so I felt bad that I hadn’t heard of it.
But Monroe wasn’t surprised. We had him on Bytemarks Cafe to talk a little more about the program.
“We have six million students in Hacker High School right now, but of the six million students that we currently have, only two percent of them are from the U.S.,” he said in tonight’s interview. “China gets it, Asia gets it, Europe understands it, but somehow the United States doesn’t understand that cybersecurity is important.”
To be sure, there is actually a fair amount of national emphasis on cybersecurity in the U.S., but there are still good reasons why Hacker High School might not yet have taken off in America.
Firstly, there are a lot of other alternative programs out there, and U.S. schools and students have a lot to choose from. Hacker High School, Monroe notes, is embraced strongest in places that can’t afford or attract commercial training programs.
Secondly, a lot of the programs in the U.S. are driven by very specific interests, from businesses to the military, and focus on the use of specific tools. Cyberpatriot, for example, places a lot of emphasis on Microsoft software. While Microsoft is dominant in the marketplace, teaching Microsoft-centric security can be limiting.
“We teach teens to think critically about their environment,” Monroe told me. “We teach them to not trust any tool, software or product unless they have tested it for themselves.”
Key to the Hacker High School approach to security is the Open Source Security Testing Methodology Manual, or OSSTMM. It’s published by ISECOM, or the Institute for Security and Open Methodologies.
“The OSSTMM is the only security testing framework recommended by the NSA,” Monroe said. “This in not based on any vendor or marketing jargon… this is a purely scientific and mathematical testing process that is free for anyone to use.”
Hacker High School gets pretty deep into computer systems, in fact.
“We teach our students to use the command line interface instead of relying on software or hardware that they didn’t build themselves,” he said. “So when our students enter the workforce, they look at all the security products and ask why they are being used, and ask how anyone can trust any product unless it has been tested against the operational security controls.”
“This makes for big headaches for those in the industry and are used to having some black box with blinking lights and calling that security,” he adds. “That isn’t security.”
Monroe did admit that cybersecurity education can be boring. That was why he volunteered, and he was able to help bring a little more color to the material.
“In our lessons I’ve created a special persona named Jace, a female hacker who is about 16 years old [and] the characters in Jace’s world are complex and not always what they appear to be,” he explained. “She takes the reader through real world events based on the topic of the lesson… she learns through hacking, through creating things and gaining knowledge about the technology around her.”
Again, the ten-lesson Hacker High School curriculum can be downloaded for free, meaning any teacher or educator can fold it into their own classroom plan. There’s also a Security Awareness Instructor certification, and you can get a license if you want to teach Hacker High School commercially.
Monroe says he is only just beginning to gauge local interest in Hacker High School, while also trying to find a way to enroll in the University of Hawaii’s new cybersecurity PhD program. Beginning with his radio interview, which you can listen to below, here’s hoping he continues to engage the local tech community and starts to make connections with like-minded cybersecurity professionals and educators.