Michael Thomas thinks the country’s first line of defense against future cyberattacks could be sitting in a sixth-grade classroom on Chicago’s West Side.
Thomas, an assistant professor of educational psychology at the University of Illinois at Chicago, received nearly $300,000 in federal grant funding last year to create a collectible card game aimed at teaching cybersecurity skills to middle school students in several of the city’s minority communities.
The project is part of a government-wide effort to recruit the next generation of cybersecurity experts and make up for a shortage of cybersecurity professionals that U.S. officials say poses a threat to national security and potentially even to the nation’s sovereignty.
Since September, Thomas and a small research team have been working to develop the game. Modeled on other battle-card games like “Magic: The Gathering” and “Pokémon,” Thomas said his card game will appeal to younger students and help them learn mental habits needed to operate in the fast-paced, high-risk domain of cybersecurity. Those skills include multitasking, making sense of complex and choatic situations and adapting to frequent and sudden changes in workflow, Thomas said.
Thomas also hopes to help students adopt safe cybersecurity habits, such as creating strong passwords and detecting emails used to steal private information.
Although most cybersecurity education programs in the U.S. have targeted high school and college students, Thomas said research indicates that students often begin losing interest in computer science and related fields during middle school. He said capturing the attention of students at a young age is critical to helping the U.S. catch up to countries that produce more cybersecurity talent, such as Russia, China and India.
The project, funded by the National Science Foundation, aims to recruit 50-60 students to an after-school club that will meet for 90 minutes twice a week to play the card game. Students will also be exposed to “the world of hacking” through cybersecurity magazines, “replicas of materials used while developing real hacks and defenses” and visits to cybersecurity offices and “places where hackers and cybersecurity professionals gather,” according to a 15-page project description obtained from the NSF through a public records request.
The goal of the card game, which Thomas is for now calling CySec, is to get students excited about computer science and interested in cybersecurity careers, which are both in high demand and high-paying. The project also targets African-American and Hispanic students, groups that comprise less than 11 percent of the U.S. cybersecurity workforce.
Thomas plans to introduce his card game at two schools on Chicago’s West Side with large percentages of students from minority and low-income families: STEM Magnet Academy (34 percent African-American, 28 percent Hispanic; 57 percent reduced-price lunch) and Morton School of Excellence (94 percent African-American, 5 percent Hispanic; 99.8 percent free or reduced-price lunch).
Both schools provided Thomas with letters of support for his grant application, but the project must be approved by Chicago Public Schools’ Research Review Board before Thomas can introduce the game to students. CPS said the board is currently evaluating the project.
Although the threat of cyberattacks against the U.S. appears to be increasing – the number of information security incidents reported by federal agencies increased from about 5,500 in 2006 to more than 67,000 in 2014 – there are significant concerns about efforts to establish the “pipeline” of cybersecurity experts that Thomas and others imagine.
For some, including a fellow professor who sits down the hall from Thomas, showing teenagers how to crack a weak password or break through a firewall raises a host of questions related to privacy, safety and ethics.
Critics of teaching cybersecurity in schools fear that it is another example of the military’s influence on the country’s education system, and that cybersecurity education programs will cement the country’s role in the future of cyberwarfare without a public debate over its implications.
They also wonder whether parents – let alone the students themselves – know what they are consenting to when they allow their children to participate in cybersecurity programs.
But perhaps the most urgent question is whether 12-to-14-year-olds can be taught and trusted to use skills such as hacking and encryption responsibly.
“A lot of people ask me, ‘Are you going to teach kids how to hack?’” Thomas said. “And the answer is, ‘Yes.’ Not in an unethical way, right, but you can’t teach someone karate just teaching them how to block things. You have to also show them how to punch and throw. You have to understand how somebody is thinking. You have to be thinking about what could happen.”
Thomas’ lesson plan starts with a deck of 100-plus cards that reveal a world of virtual punches and counters, from brute force attacks to spear-phishing.
Hacking for beginners
Seated at a small table in his office at UIC’s Education Department building in the shadows of the Eisenhower Expressway, Thomas holds a stack of cards made using different colors of construction paper, each card in a protective plastic sleeve. He thumbs through the deck until he finds a yellow one.
“So these are hacker cards,” he said. “And here are the different characteristics.”
Each card has point values assigned for a handful of categories, such as infamy (a measure of evilness) and talk ability (such as how well the hacker can craft a spoofing email).
“Like if I’m going to trick you into clicking on something in an email that’s going to install malicious software on your computer – which seems to be pretty effective recently,” Thomas said, referring to recent high-profile phishing attacks such as the one against the Democratic National Committee during the 2016 presidential election.
Diane Murphy was teaching students how to hack several years before Thomas began developing his card game. A professor of information technology at Marymount University in Virginia, Murphy runs a yearly cybersecurity summer camp for high school and middle school students called GenCyber. Similar versions of the camp, which is funded by the National Security Agency, are held throughout the country, reaching more than 1,000 students each summer.
Despite her role at the forefront of cybersecurity education, Murphy worries that students, especially younger ones, might not be ready to grasp the seriousness of hacking and cybersecurity.
“When do they have enough common sense to know how to use it properly?” Murphy said. “I’m always concerned [about] how you build in parental control. I’m not too sure that they know what is right and wrong at that age.”
Last summer, Murphy had students debate the legal battle between the FBI and Apple over whether the government can force companies to unlock cell phones to access protected data. Murphy also works with students to develop their own ethical guidelines for hacking.
“I'm not too sure that they know what is right and wrong at that age.”
–Diane Murphy, professor
But she knows that her efforts to make sure students use their new skills responsibly only go so far.
“I can teach them in class and I can go over good habits and whatever, but what they do when they get home, I’m not sure,” Murphy said.
Thomas said he takes seriously the ethical and developmental concerns of teaching cybersecurity to middle school students. He said his card game will include an ethical component that penalizes a player’s score for exploiting opponents in certain ways, for example.
“What we’re trying to do is talk about ourselves as being white-hat hackers,” he said, referring to a term used by cybersecurity experts. “A white-hat hacker is somebody who uses their skills so as to make the world more safe, more friendly for everyone. A black-hat hacker is somebody who’s trying to maliciously steal resources, or they might be interested in stealing data for the purpose of stealing money or something else.”
Thomas’ team plans to work with teachers to address ethical concerns. The team includes Rigel Gjomemo, associate director of UIC’s Integrative Graduate Education and Research Traineeship in Electronic Security and Privacy, and UIC education graduate student Skip Kumm.
“We intend for schools and teachers to be the conduit of this information,” Kumm said. “We want this to be used in a classroom, in an after-school activity where there’s a teacher there teaching security, teaching ethics. Kids can play it on their own time, but it really should be introduced at school.”
Whether students apply hacking skills at school or at home, UIC assistant professor of education Nicole Nguyen said they are being groomed for a job that goes beyond defending the country from cyberattacks. Nguyen, whose office is down the hall from Thomas’, said that while it is important to train people to protect the country's digital infrastructure, the U.S. has carried out a number of its own cyberattacks, such as unleashing a malicious computer worm called Stuxnet that caused substantial damage to Iran’s nuclear program.
Nguyen, who studies the intersection of national security and education, said educators need to question whether preparing students for cybersecurity professions is leading them closer to war.
“When we say cybersecurity, do we actually mean cyberwarfare?” she said.
Diversifying the pipeline
Over the past three years, the National Science Foundation has awarded grants totaling more than $9 million for 40-plus projects focused on cybersecurity education. But Thomas said he thinks his project is one of the first to focus on minority students.
After receiving the NSF grant last year, Thomas said he attended a meeting in Washington, D.C., with other recipients of cybersecurity grants. The gathering also included representatives from the FBI, Department of Homeland Security and other agencies involved in cybersecurity.
Thomas, who is black, said he could not find one other black person there.
“We’re in Chicago, so part of my pitch was we want this to work in schools that are 90-percent black, for example,” he said. “This is a community with great need – and that’s true for science and math and other kinds of subjects – and I want those kids at this age to think, ‘You know what, this computer stuff is kinda cool,’ and, ‘I could see myself getting into cybersecurity.’”
In his project description, Thomas wrote that efforts to establish a “pipeline” of students toward cybersecurity careers have failed because too many “fall down the drain into a school to prison pipeline of misery and societal burden.”
Although she supports efforts to diversify the technology workforce, Nguyen said recruiting students from impoverished backgrounds could have unwanted effects.
“In my own research, there’s been a concerted effort to extend what they call the ‘pipeline,’” said Nguyen, adding that until recently, those efforts targeted students in high school and older. “This idea of, ‘I’ll have a job after graduation’ is why parents consent to these types of programs. How much is this willful consent, and how much is you’ve put so many carrots in front of a young person and they’re not able to make a willful choice? Especially if you live in a high-poverty area, this is a booming industry.”
Like Nguyen, Corey Mead questions the influence of the U.S. national security apparatus on the country’s education system, including the military’s use of video games for training and recruitment, which he wrote a book about. But that’s why Mead actually supports efforts like Thomas’ card game that teach cybersecurity outside of the military.
“It’s a great idea,” said Mead, an associate professor of English at New York’s Baruch College. “It’s something that ideally would be happening on a much broader level.”
Struggle for CPS approval
Thomas and his team have until September 2018 to test their card game with students and produce a final version that will be shared publicly, with the possibility of introducing the game in middle schools across the country.
The NSF grant also requires Thomas to administer two multiple-choice tests evaluating students’ cybersecurity knowledge and enthusiasm for the field.
Thomas also wanted to videotape students playing the game but has yet to receive approval from CPS to visit schools. He said the district has raised concerns about what students will learn from the card game.
“We’ve been sort of struggling with CPS,” he said, despite the two West Side schools that signed on for the project. “But frankly, if it doesn’t work in CPS for whatever reason, then we go to the suburbs and we do what we have to do.”
The principal of one of the CPS schools, Maria J. McManus of STEM Magnet Academy, said some of her students already play similar battle-card games.
“We have some kids that are really, really into this stuff,” she said. “They’re like little junior hackers already.”
Despite the district’s concerns, McManus said she views Thomas’ project as a way to promote positive internet usage and provide students with new career opportunities.
Studies show that the demand for cybersecurity professionals is growing 12 times faster than the average U.S. job market. And according to the Bureau of Labor Statistics, the average annual wage for information security analysts – the occupational category for cybersecurity experts – was more than $96,000 as of May 2016.
“Who thinks about being a hacker or being in cybersecurity?” McManus said. “Nobody thinks about those jobs, but they’re out there. And they’re very lucrative.”
CPS did not grant a request to speak with a member of the district’s Research Review Board about the project but provided the following statement from spokesperson Michael Passman:
“CPS led the nation in making computer science a core high school requirement, and we continue to seek out opportunities and resources that will help us provide Chicago students with a 21st Century education. CPS is reviewing this program to determine if it has potential to effectively supplement the District’s existing computer literacy instruction.”
Follow Alex Ruppenthal on Twitter: @arupp
March 29: How Hardik Bhatt wants to protect state agencies from hackers.
Oct. 31: A massive cyberattack temporarily takes down major websites. Find out how hackers use household devices to wreak havoc online.
Sept. 15: Whether fictional or real, stories of hacking appear to be everywhere. We discuss online security and the public’s fascination with hackers with two local experts.