Written by Shannon Vavra
Not everyone in the cybersecurity community is entirely optimistic about a new U.S. military program meant to extend educational resources to historically Black colleges and universities.
For years, the Department of Defense has worked to extend cybersecurity resources to historically Black colleges and universities (HBCUs). A new initiative meant to improve access to cybersecurity resources at HBCUs and Minority Serving Institutions, though, is being met with some skepticism among prominent cyber practitioners and educational advocates.
Backed by the National Security Agency and the Pentagon’s Office of Small Business Programs, the goal is to connect Black and minority universities with other colleges that already meet NSA cybersecurity curriculum standards. The aim is to share resources, such as labs and range time, and advice on curriculum development. The effort, known as the Cybersecurity Education Diversity Initiative (CEDI), also allocates $300,000 available for internships, the Pentagon said.
“A lot of these programs almost end up being lip service,” said Camille Stewart, who is leading the #ShareTheMicInCyber campaign, which is meant to amplify and support Black cybersecurity practitioners.
The Pentagon is proffering the program as a way to establish equitable access to cybersecurity resources for a diverse set of students. But if the program creates a pipeline of HBCUs that are dependent on other organizations for cybersecurity resources, rather than building out their own capacity, the result could be a missed opportunity that exacerbates existing inequities, experts say.
“Because of the investments, it means the institution is always reliant on another institution, and they’re not actually building out the capability themselves and integrating it more broadly,” said Stewart, who also is the head of security policy for Google Play and Android. “Learning from an institution that is doing it well is a good opportunity — organizational mentorship can be great [but] it would seem that by hinging this on a collaborative effort, it’s limiting.”
The president of the National HBCU Alumni Association Foundation, Ty Couey, says the announcement sounds like a great idea — he just wants to know more about how the Pentagon plans to dole out the $300,000 in funds. (The Defense Department declined to share those details for this story.)
“There’s always a possibility it may make a real difference. It may work,” he said. “But there needs to be some teeth. We need to simply set it up at HBCUs. Period. Not sharing, or anything like that. Just set it up.”
The government’s announcement coincides with months of protests against racism and police brutality across the country, which has prompted some efforts in the cybersecurity community to reckon with systemic racism and disparities in access to cybersecurity resources, such as #ShareTheMicInCyber. Cisco, The Craig Newmark Foundation, Dropbox, FireEye, Google, HackerOne, Microsoft, Netflix, Tenable and Verizon Media, and several other companies, have announced they will be funding #ShareTheMicInCyber initiatives.
Others have suggested the Pentagon’s CEDI program could be a step in the right direction for efforts to address longstanding inequities, particularly at a time when organizations say they are committed to diversity efforts.
Lodrina Cherne, a principal security advocate at Cybereason, said the CEDI shows some long-term promise in that it doesn’t appear to focus only on injecting HBCUs with capital, and has the potential to help solve networking and mentorship issues.
“We need more teachers, we need so many other support resources to make these initiatives a success,” Cherne said. “You’re going to need support through institutions, through facilities, through internships and job placements, you’re going to need support to give students access to companies.”
The paid internship component is such an important part of launching minority or Black students’ careers in the information security field, Cherne says, because of what she calls the industry’s “snake eating its tail problem.” It’s a term that applies to entry level jobs requiring applicants to have years of experience.
For students who are traditionally underrepresented or Black, or who may not be plugged in to networks of support in the information security field, paid internships can be one small step in the right direction, Cherne says.
The fact that the CEDI will offer some paid internships means it will likely help more minority and Black students get a foot in the door, Stewart agreed.
“Many minority students will not and do not have the financial support to be able to sustain themselves while taking on an internship that doesn’t pay,” Stewart said. “They are immediately selected out because they don’t have the luxury of having someone supporting them while they dedicate themselves to that kind of internship.”
Leroy Terrelonge, a cyber-risk analyst at Moody’s, says that participating in a similar program, but which focused on minority high school students, called the Stokes Educational Scholarship Program, helped him set his cybersecurity career in motion.
“It was a great launch to my career. They paid for my college, paid me a salary while I was in college, and gave me incredible work experience,” Terrelonge said. “That scholarship, which I got as a senior in high school, has opened so many doors for me. I hope the students in this program will have a similar positive outcome.”