DeVos should make cybersecurity a priority for the Department of Education
Before they can even walk, toddlers today are interfacing with computers. They use iPads to play games and watch Netflix. By the time they enter preschool and kindergarten, computers are already a major part of their lives.
Similarly, teenagers today grew up with constant access to computers and as a result, they rely on them for information, education, and social connectivity more than I ever did growing up. However, despite all the technology classes and coursework they take as part of their curriculum, basic cybersecurity best practices are far too often left out of the equation. From earlier and earlier ages, they are learning to type, learning to code, and learning the ins and outs of office, design, and editing software, but not how to protect themselves in an increasingly interconnected world.
Most kids have a digital record that is started minutes after they are born, when proud parents snap that first picture and share it on social media for friends and loved ones to swoon over. This digital footprint follows them over the course of their lives, which are now lived in public. As in The Truman Show, we can share first words, first steps, first days of school, and major achievements for adoring eyes to see. As our kids are born into this technology, we have a responsibility as a society to teach them how to secure that same technology, because their entire lives move through it.
In the cybersecurity chain, all of the protection in the world cannot account for the fact that users are almost always the weakest link. Training adults to learn about and, more importantly, care about cybersecurity is difficult at best and next to useless at worst. Teaching basic cybersecurity practices starting very early in schools is one way we can start to address this structural weakness.
STEM education programs are an excellent step towards teaching younger generations about science, technology, engineering, and math and how they can use this knowledge in real world situations, but there remains a need to inform younger generations on the issues they face when using technology every day.
We see this all too often with older generations. Those of us who are technologically savvy can easily spot even a well-crafted phishing operation, and many of my professional colleagues know all too well the experience of having an elderly family member forward an email that looks suspicious, asking them to “check if it is legitimate.” At advanced ages, they don’t understand the mechanics of checking links, but they understand the need to be cautious and know they need to do so. When school systems do not equip teenagers to recognize these threats and check them out, they are failing to prepare our next generation with a skill that they desperately need.
Thirty years ago, teachers who taught computer and technology focused courses had an excuse to learn the material simultaneously while they were teaching it—it was brand new, and they didn’t grow up with it. However, this isn’t acceptable anymore. We need to be more aggressive in teaching children good cybersecurity practices on an equal par with teaching them about “stranger danger” and at the same starting age.
The incoming administration needs to realize that we can only stop the cybersecurity problems of the future by training the children of the present in good cybersecurity hygiene practices. We’re not doing it, we’re waiting too late to even start having the conversation, and today’s youth don’t understand the ramifications of dropping their guard. Some companies might train the technical staff on being “secure,” but then they fail to train the receptionist not to pick up a thumb drive he or she found in the parking lot and put it into his or her computer at work.
We make sure kids learn how to add, subtract, multiply, and write, but we don’t teach them anything relevant about the actual devices they’re doing those tasks on: computers, smartphones, and tablets. Kids are given Google Classroom accounts, which also serve as an email account, and are given a standardized password that a) they’re not allowed to change, and b) is easily guessable by other students. This does not ingrain the need to create complex passwords, secure their data, or prepare them for securing their employers’ data in the future.
At best, we’re telling them to be careful on social media, but at the same time, we’re not telling them about the dangers of the data those platforms collect. We’re not helping them draw lines between what they post in the virtual world and the real world consequences, and they don’t understand why they shouldn’t use the same password for everything in a way that makes it meaningful. Teaching these concepts younger in life is not only necessary to protect current generations, it’s important to pass onto future generations.
While the Department of Homeland Security partners with non-profits aiming to educate and incorporate cybersecurity concepts in our nation’s classrooms, such as the National Integrated Cyber Education Research Center (NICERC), a not-for-profit academic development center that provides K-12 cybersecurity curricula and hands-on professional development for teachers at no cost, more can, and quite frankly should, be done.
Much will be made this week of the confirmation hearings for Betsy DeVos as secretary of Education, but I fear it will focus heavily on marquee topics designed to generate headlines: her views on Common Core, her support of charter schools and school vouchers, and her financial disclosures.
But in her role leading the Department of Education, Secretary-designate DeVos should also acknowledge that we can only stop the cybersecurity problems of the future by training the children of the present in good cybersecurity hygiene practices. We aren’t currently doing it and we are waiting too late to even start having the conversation.
By making this conversation a priority among the various other topics she will be charged with, we can start to ensure that we are reinforcing best practices on the front lines, rather than continuing to drop our guard.
Ben Cotton is the CEO and founder of CyTech Services, a service-disabled veteran-owned small business located in Manassas, Va. CyTech is an industry-leading computer forensics and incident response firm serving both public and private industry. Mr. Cotton was a 21-year veteran of the U.S. Army, Special Operations Command, and has served in both unclassified and classified units fighting the global war on terrorism, specializing in sensitive site and digital device exploitation, Computer Network Attack and Computer Network Defense. He is a plank holder for the SOCOM capabilities that now exist within these technical areas. He holds a master of science in information technology management.
The views expressed by contributors are their own and are not the views of The Hill.
