Training the Defenders of the Digital Age
The digital age has ushered in no shortage of wonders. Grandparents can talk face-to-face with their grandchildren who live thousands of miles away. A patient can meet with a doctor, get a diagnosis and get their medication without leaving their home. A student living in a remote area can practice building circuits with at-home kits and online how-to videos.
With those wonders, however, the digital age has also ushered in cybercrime. Cybercrime encompasses any illegal activity that involves a computer, digital device or network. It could be a ransomware attack on software, a phishing scam or online fraud, or theft of personal data.
And it’s growing. In 2024, the FBI’s Internet Crime Complaint Center received over 850,000 complaints, which resulted in $16 billion in reported losses, a 33% increase from 2023. The current estimated cost of cybercrime is $10.5 trillion per year and is expected to reach $16 trillion by 2029.
As companies ramp up their cybersecurity to combat these crimes, the need for trained cybersecurity professionals who can effectively secure data against such breaches is increasing. Yet, the growth in the cybersecurity workforce is struggling to keep pace.
Seeing this gap, Matt Bishop, a professor of computer science at the University of California, Davis, has championed a collaborative effort to create a curriculum that teaches computer programmers the necessary skills to develop secure software as a way to chart an optimistic course forward in the uncertain future of cybersecurity.
The Secure Coding Playbook
Strengthen Workforce Education for Excellence in Programming Securely, or SWEEPS, was initially funded by a $2.5 million grant from the National Security Agency, or NSA, through the National Centers of Academic Excellence in Cybersecurity program. UC Davis leads the initiative in collaboration with the University of Maryland, Baltimore County, Worcester Polytechnic Institute, Dark Enterprises (a cybersecurity education nonprofit) and tech firm StrongKey.
The coalition developed a curriculum to provide intensive, hands-on training in secure software development, equipping developers with the knowledge and tools to enhance code security without compromising efficiency.
“The software that runs our country’s infrastructure and computer systems is vulnerable to attack,” Bishop said. “We’re trying to change that.”
SWEEPS offers several options for students and career developers, including one-day workshops, online courses, week-long bootcamps and a certificate program. The curriculum covers subjects like common security misconceptions and proactive security practices, compliance and legal requirements in secure programming and cybersecurity, and exploits and defense mechanisms.
“We want to make these materials available to schools and continuing professional education programs to teach programmers how to do it right from the beginning,” Bishop said. “Industry wants people who can program securely.”
The High Price of Weak Software
Currently, SWEEPS is at a standstill. It was a casualty of the widespread cancellation of federal funding, with about $1 million left to spend.
Without funding for programs like SWEEPS and without investments into educating software developers in cybersecurity, Bishop fears that the trajectory of software quality will continue as it is now: poor and rife with issues and vulnerabilities.
These vulnerabilities expose software to more cyberattacks. Pinprick attacks, such as people breaking into point-of-sale systems or stealing credit card information, are the most common. However, something as big as a cybersecurity disaster is not out of the realm of possibility.
“Think of all of Amazon’s clouds disappearing,” Bishop said. “Recently, we saw what a brief outage can do. What would happen if it could not recover for a month or longer? Imagine the power grid or water grid suddenly ceasing to function.”
If future developers understand what is needed and build it right from the outset, that can lead to a stronger cybersecurity infrastructure. With tools gained from educational platforms like SWEEPS, they will be equipped with the necessary resources to withstand cyberattacks when they occur.
“Getting it right from the beginning is much slower, much harder and much more expensive,” Bishop said. “But if software isn’t developed carefully, there are ways for attackers to use it to get into systems and do nasty things. What we’re doing now is putting Band-Aids on poor software, and we can’t do that anymore. We have to start building things that don’t need Band-Aids.”
With cyberattacks continuously on the rise, the future of cybercrimes may look bleak. Bishop offers some expert tips on how to keep your information secure and become your own best digital defender — boot camp not necessary.
- If something asks for a birthday, make one up.
- Don’t click on links from an unknown source. Hover the mouse over the link to reveal the real link underlying it.
- Monitor for abnormalities in your credit report or statements, or in your bank account.
- Use a password manager like Bitwarden to select good passwords, and don’t use the same password everywhere.
- Be alert for strange things. If it seems strange, try to figure out what’s going on, and if it seems too good to be true, it probably is.
Engineering a More Secure Future
If software continues to be poorly written with little thought to what happens when it is attacked, and developers only have enough knowledge to throw on patchwork solutions, systems will continue to become increasingly vulnerable to attack.
The systems and the people who create them will always be one step behind the “bad actors,” as Bishop calls them, susceptible to cyberattacks, both minor — from phishing email scams to small-scale data breaches — and catastrophic, such as ransomware attacks on hospitals or the manipulation of nuclear systems or transportation control.
However, if developers are taught from the outset how to think defensively, creatively and futuristically when building software, in Bishop’s estimation, they can get out in front of those bad actors. Perhaps there will be a day in the not-so-distant future when software will consistently be on offense instead of defense.