Podcast
“On the Mark” podcast transcript with Blair Taylor
[Music]
[00:00:00]
Voiceover: You're listening to a Towson University podcast.
[Music]
[00:00:08]
Mark Ginsberg: Welcome to On the Mark, where we have candid conversations about meaningful and consequential work happening here at Towson University. I'm Mark Ginsberg. It's my honor to serve as president of Towson University, located, of course, in Towson, Maryland. And on this podcast, we're introducing you to members of our university community who are engaged in high-impact teaching, research, and student success practices. Today, I'm pleased to welcome a guest who is truly shaping the future of cybersecurity education, my colleague, Dr. Blair Taylor. Dr. Taylor is a nationally recognized leader in cybersecurity education and workforce development, and she serves as the director of Towson University's Center for Interdisciplinary and Innovative Cybersecurity, known as Cyber4All. She is also a pioneer in our Department of Computer and Information Sciences. Dr. Taylor has received over $14 million in federal funding and leads two national initiatives that are helping to build the next generation of cybersecurity professionals – the National Cybersecurity Curriculum Task Force and the Cyber AI Project for the National Science Foundation and the National Security Agency.
Dr. Taylor is also co-executive director and co-founder of SecureEd, a nonprofit organization that grew from Towson University with the mission of securing the nation through education. SecureEd operates CLARK, the largest open-source platform for free cybersecurity curricula. She holds a bachelor's degree in mathematical science and a master's degree in computer science from Johns Hopkins, and a doctorate in applied information technology right here from Towson University. Blair, thank you for joining me and welcome.
[00:01:55]
Blair Taylor: Thanks for having me.
[00:01:56]
Mark Ginsberg: Yeah, great to have you here. I know that you're doing terrific work in cyber and cybersecurity. And cyber threat is one of the most significant issues and one of the most significant challenges I know we face in our modern day society. So, maybe we can start off by just talking a little bit about what that is, what cybersecurity is, and a little bit about the threat that cyber threats pose.
[00:02:17]
Blair Taylor: The current landscape?
[00:02:18]
Mark Ginsberg: Yeah, the current landscape, right.
[00:02:19]
Blair Taylor: Right. So, cybersecurity has been a problem really since we started to become interconnected. Now that people can access critical infrastructure remotely, that's when cybersecurity became an issue.
[00:02:29]
Mark Ginsberg: Right.
[00:02:31]
Blair Taylor: And interestingly, I've been doing this work for over 20 years and there's a lot of talk that AI is going to solve the problem, and it scares me a lot because I actually think the problem's gotten worse.
[00:02:44]
Mark Ginsberg: Ah-hah. With AI or concurrent with AI?
[00:02:47]
Blair Taylor: AI, first of all, is going to help us with both offense and defense, obviously, right?
[00:02:52]
Mark Ginsberg: Oh, I see. Uh-huh. Uh-huh.
[00:02:53]
Blair Taylor: But I think there's a couple things going on. I think that, first of all, the government is a little weakened at this point in time in terms of the current state of affairs. Also, the job market is so bad that students are veering away from computer science and cyber. So, I have a lot of worries about that because cybersecurity, if you look in the last month, major companies have been attacked, much more visible. I mean, cyber attacks have always been getting larger and more critical, but within the last month, a lot of very visible attacks on Land Rover, for example, and there was an AWS interruption of power. Again, I always think to myself, "Was that cyber related?" It's just that the current situation, I'm just afraid that people are turning their focus too much to AI, and the cyber is considered solved, and that is by far the case. I think one of the other – I just lectured today about my favorite subject, which is software security.
[00:03:54]
Mark Ginsberg: Mmm.
[00:03:55]
Blair Taylor: And that is a huge aspect of cyber because most cyber attacks happen because of vulnerabilities, and a lot of... You know we're so reliant on software.
[00:04:03]
Mark Ginsberg: System vulnerabilities, hardware kind of things.
[00:04:06]
Blair Taylor: Correct. Any kind of vulnerability.
[00:04:08]
Mark Ginsberg: Uh-huh.
[00:04:08]
Blair Taylor: Most attacks are, you know, you don't drive through a perfectly good brick wall. You look for a way around it, right?
[00:04:14]
Mark Ginsberg: Right. Or the cracks.
[00:04:15]
Blair Taylor: Or the cracks, exactly. So, software, which is so ubiquitous and used in everything from critical infrastructure, financial structures, hospitals, is inherently not secure.
[00:04:27]
Mark Ginsberg: It really fuels the economy.
[00:04:28]
Blair Taylor: It fuels the economy. And the people who wrote it, first of all, it's very hard to measure cybersecurity because there's no profit. [Laughter] You only know if it worked if nothing happened, right? So, it doesn't fit into the functionality requirements. Many of the people who develop software were not taught secure coding techniques, so this has been a huge worry and a huge source of vulnerability. Now, AI can help. I don't mean to say that it cannot, but AI is still very new in these areas. There's this thing called vibe coding, which is AI-created code.
[00:05:03]
Mark Ginsberg: Uh-huh, created by the AI software itself.
[00:05:06]
Blair Taylor: You use AI systems to just, you talk to it and create code that runs. Not only is that code not efficient, the code is inherently not secure.
[00:05:14]
Mark Ginsberg: And how accurate is it if you start with that?
[00:05:17]
Blair Taylor: Same as any AI, yeah.
[00:05:18]
Mark Ginsberg: That's what people have been critical of AI.
[00:05:19]
Blair Taylor: That's... Right.
[00:05:19]
Mark Ginsberg: That it provides a context, but oftentimes, even though the context may be correct, the specifics may be incorrect.
[00:05:25]
Blair Taylor: These things will evolve.
[00:05:27]
Mark Ginsberg: Sure. Sure.
[00:05:29]
Blair Taylor: And they will all be domain-specific, and they all get better, but right now, it's not pretty.
[00:05:33]
Mark Ginsberg: Sure. Sure. It's been said by some, in fact, as I was preparing to talk with you today, that cybersecurity is, in effect, a national crisis.
[00:05:42]
Blair Taylor: International. Or global.
[00:05:44]
Mark Ginsberg: International crisis.
[00:05:45]
Blair Taylor: Global.
[00:05:46]
Mark Ginsberg: Yeah. In fact, globally, I've read recently, too, that it's estimated there's something like 600 million attacks each day worldwide. That's almost unbelievable to think about. It's like thinking about infinity. What does that really mean? And how do you grab hold of that kind of enormity of problem?
[00:06:03]
Blair Taylor: Well, I mean, it's a tough problem.
[00:06:05]
Mark Ginsberg: It's a very tough problem.
[00:06:06]
Blair Taylor: Let's look at the war in Ukraine. I mean, most wars now today are hybrid, so there's usually a cyber attack prior to a kinetic attack. So, they may bring the power grid down and then attack a bridge. It has a tremendous effect, both... Critical infrastructure is the big worry. I always say... People say, "What do you worry about at night?" Our water systems are incredibly vulnerable, partially because they're physically weak. They're distributed. And the other thing...
[00:06:39]
Mark Ginsberg: Things that make a difference in a big-scale way.
[00:06:41]
Blair Taylor: Yes.
[00:06:41]
Mark Ginsberg: Big, big issues that affect big parts of the population, maybe the entire population.
[00:06:45]
Blair Taylor: Well, the power grid is the most...
[00:06:47]
Mark Ginsberg: The power grid's a good example of that.
[00:06:47]
Blair Taylor: Is absolutely. There's no other system that does not depend on the power grid.
[00:06:50]
Mark Ginsberg: Right.
[00:06:51]
Blair Taylor: We have known presence from nation states in the power grid, known for 10 years, and they're there now.
[00:06:59]
Mark Ginsberg: So, if there's vulnerability with the power grid, that suggests that there could be enormous complications.
[00:07:05]
Blair Taylor: Outages.
[00:07:07]
Mark Ginsberg: So I think what you're inferring, I don't want to put words in your mouth, but that there absolutely are vulnerabilities with things like the power grid.
[00:07:11]
Blair Taylor: Absolutely. Absolutely. And another area, which is one of the ways the power grid, they don't necessarily attack an actual power station. They use the supply chain.
[00:07:23]
Mark Ginsberg: Right.
[00:07:24]
Blair Taylor: A vendor that they're using, that many people are using, and it could be a patch or something like that.
[00:07:29]
Mark Ginsberg: And that's a route into the...
[00:07:30]
Blair Taylor: Yes.
[00:07:30]
Mark Ginsberg: ...creating greater vulnerabilities through the third parties that are related to the whole.
[00:07:30]
Blair Taylor: Yes. Yes, exactly. Software supply chain is considered a huge vulnerability. It's really hard to know what you're using.
[00:07:36]
Mark Ginsberg: Yeah. It doesn't take much. It's like a mouse getting into a house. Probably takes a small little crack that you can get through.
[00:07:42]
Blair Taylor: Well, actually, and it's generally, most attacks are multi-tiered.
[00:07:45]
Mark Ginsberg: Ah. What does that really mean? What's a multi-tiered attack?
[00:07:48]
Blair Taylor: So, they try on many, many facets, and they try many... There's countries that literally spend, you know, invest a lot of infrastructure, a lot of money, and a lot of time just attacking a particular... Our water supply, for example. There's probably a building in some country that just is working on doing that. So, they do reconnaissance. What are the weak parts? They try contractors.
[00:08:10]
Mark Ginsberg: Mm-hmm. Mm-hmm.
[00:08:12]
Blair Taylor: There's multiple tiers toward it. But what's funny, I told you today was Cyber Day at the Cyber Center.
[00:08:17]
Mark Ginsberg: Yes, right, right.
[00:08:19]
Blair Taylor: And OTS came over, and they...
[00:08:21]
Mark Ginsberg: OTS is our Office of Technology Services.
[00:08:22]
Blair Taylor: That's correct, and they said their number one problem remains phishing. So, sometimes it's the same old problem that can...
[00:08:29]
Mark Ginsberg: And that's really the human element you're talking about, right?
[00:08:31]
Blair Taylor: That's the human element, but that's the way in.
[00:08:33]
Mark Ginsberg: So, describe for us, people that may not understand or know what phishing is. What does phishing in the cyber world mean, and how is it actually executed?
[00:08:40]
Blair Taylor: Well, so phishing, most people know that phishing is an email sent that used to be, in the good old days, was poorly spelled, and you could spot it, and it looked suspicious. Well, guess what? AI makes phishing look brilliant, but Office of Technology Services has something called the Phish Tank. And even though they have filters on suspicious phish, I'm sure that there's many phishing emails that are being sent that we don't even see. But some still get through, and they have something called the Phish Tank, and they showed me one that was about a student, homework that was graded, and then the student was supposed to click on a form, and they ask them for their password and their email, and then they get their creds, and they do identity theft, and that type of thing.
[00:09:23]
Mark Ginsberg: So, I've often been told don't click on things if you get an attachment.
[00:09:26]
Blair Taylor: That's true. That's true.
[00:09:28]
Mark Ginsberg: What about if you just get an email, and you open the email, does that pose...?
[00:09:30]
Blair Taylor: That should be okay. It's clicking.
[00:09:32]
Mark Ginsberg: That should be okay.
[00:09:32]
Blair Taylor: Yes.
[00:09:32]
Mark Ginsberg: It's clicking on an attachment?
[00:09:34]
Blair Taylor: An attachment or a link.
[00:09:35]
Mark Ginsberg: And then the attacker, the person who's doing the phishing [Inaudible 00:09:39]...
[00:09:39]
Blair Taylor: Right.
[00:09:39]
Mark Ginsberg: ...would be able to get into the systems that you're working with. Is that right?
[00:09:44]
Blair Taylor: Well, it depends. It could be spyware they're planting.
[00:09:46]
Mark Ginsberg: They could.
[00:09:46]
Blair Taylor: It could be malware they're planting.
[00:09:48]
Mark Ginsberg: And tell us what those things mean, too – spyware and malware.
[00:09:51]
Blair Taylor: They're both types of malware, but spyware is a software program that would be planted on your computer to perhaps catch your keystrokes, to try to grab your passwords, to try to grab your credentials. It's a very lucrative practice now to do cybercrime, so as long as there's money, it's going to continue. It's also very hard, the other thing with a hack, or somebody who attacks you, it's very hard to give attribution. You don't know where it came from. You don't know who it came from. Ransomware attacks are very prevalent in schools, hospitals. Education's a huge target, and hospitals are a huge target.
[00:10:24]
Mark Ginsberg: So, you would think, just statistically, with about estimated 600 million attacks each day, that there's a certain proportion that are going to hit ground. They're going to get through.
[00:10:33]
Blair Taylor: It's not a question of if. It's a question of when.
[00:10:37]
Mark Ginsberg: Not a question of, that's really prophetic. It's not a question of if. It's a question of when. So, what that infers, if I'm hearing you right, that we're all very vulnerable.
[00:10:46]
Blair Taylor: The educational institutions are very vulnerable. I attended a conference last week in Tampa called CyberBay, which kind of scared me, which I guess is part of the reason for these conferences, but one of the things that they said is, you know, we have incident response plans, right? That's part of what you're supposed to do. You talked about getting hacked, so if a hospital gets hacked, or a business gets hacked, you have an incident response plan in place.
[00:11:09]
Mark Ginsberg: Right, right.
[00:11:10]
Blair Taylor: Well, they're all digital. So, they suggested that all these incident response plans be printed in hard copy, so in the event that we have a ransomware attack, or we have a denial of service attack, or we're shut down, that we have the ability to access our incident response plan in some type of paper format. So, that's kind of a throwback.
[00:11:30]
Mark Ginsberg: So, they're not inaccessible, they become accessible for you.
[00:11:33]
Blair Taylor: Yes.
[00:11:33]
Mark Ginsberg: So, what you're really suggesting, and it's another question I've had for you, is that we hear a lot about the evolution of technology, about how not just our computer systems, but our ability to use technology and the technology themselves are evolving so fast, very, very quickly. So, my question is how has the landscape, or what about the landscape has changed for the cybersecurity world as the evolution of our technologies continue to grow?
[00:12:00]
Blair Taylor: Well, there's things that have happened. There's things that are in the process of happening. There's also quantum down the road, which is going to make cryptography easier to hack, easier to...
[00:12:12]
Mark Ginsberg: Quantum's a word that people are using, throwing around a lot. Help us to understand what that actually means. What is quantum in this world?
[00:12:18]
Blair Taylor: Essentially, it means very, very fast computers working at speeds that we can't even imagine, and processing at speeds that we can't imagine. Whereas, for example, the big worry, which they're a little ahead of, encryption. Encryption takes time to try to break the code. Well, with quantum, it can be done like that.
[00:12:41]
Mark Ginsberg: So, it really is that what quantum is yielding is speed.
[00:12:44]
Blair Taylor: Is speed, primarily speed.
[00:12:46]
Mark Ginsberg: And greater power, too?
[00:12:47]
Blair Taylor: And greater power.
[00:12:47]
Mark Ginsberg: Uh-huh.
[00:12:48]
Blair Taylor: And greater power. So, anyway, the landscape has changed just in terms of more dependence on software. Like critical infrastructure used to be somebody in a room, and they had to go in person. Even think about COVID. I mean, people who were even traditionally in person, like a financial institution, they spent a lot of time getting everybody to work remotely. Well, guess what that did to the attack surface?
[00:13:14]
Mark Ginsberg: Boy, that really increased the opportunity.
[00:13:15]
Blair Taylor: Yes. So, just a lot of different changes, I think, as far as the landscape. I talked about hybrid wars, warfare. They call cyber the fifth domain. There's been some talk about even making cyber academies that now AI will probably feature in. You don't use cyber without AI anymore. Which is great, but guess what? AI has to be secure.
[00:13:40]
Mark Ginsberg: Well, you've been studying AI. Let's talk about it. I got lots, this is just fascinating to me. More than fascinating, it's pretty scary. I keep thinking as you're talking about the implications of this, and the vulnerabilities on one hand are scary enough, but the implications of those vulnerabilities are even scarier. So, you study AI. You're a researcher that's looking at AI and its implications for cyber.
[00:14:04]
Blair Taylor: You can't not study AI today, especially in a technology field, but I would like to talk about a specific project that Towson has led.
[00:14:11]
Mark Ginsberg: Sure. Yeah, please. Great.
[00:14:13]
Blair Taylor: Towson does a lot of work with NSA.
[00:14:15]
Mark Ginsberg: Yes.
[00:14:16]
Blair Taylor: And as you know, we're a Center of Academic Excellence in Cyber Defense.
[00:14:18]
Mark Ginsberg: Yes.
[00:14:19]
Blair Taylor: Which there's about 430, approximately, schools.
[00:14:22]
Mark Ginsberg: And that's a big deal for Towson to be recognized and a part of that NSA recognition.
[00:14:26]
Blair Taylor: Well, the second designation we have is Cyber Operations, and there's only 20 or 21 in the country, so that's a huge deal.
[00:14:32]
Mark Ginsberg: So, what you're saying, and I want to point this out for listeners, is that Towson is not just a place where cyber is taking place. It's a national leader. It's a national leader in the world of cybersecurity education and practice.
[00:14:45]
Blair Taylor: Right. And we're 1 of 20 or 21, depending on the day.
[00:14:49]
Mark Ginsberg: Yeah.
[00:14:49]
Blair Taylor: Twenty schools that has this Cyber Operations designation, and that is to prepare students to become cyber operators. Part of our advantage is how close we are to the three-letter agencies that do this important work. But a year ago, last March, as I said, they have the current designation, Cyber Defense, Cyber Operations, and it's a very active community that does a decent amount of funding, and we meet several times a year and that type of thing. We were asked, Towson was asked to lead a new designation in cyber AI. We are pretty much the only place in the country that is doing any curriculum guidelines in AI, cyber AI specifically. We had a very short timeline, this was last March. NSF funded it, NSA asked us to do it as well.
[00:15:37]
Mark Ginsberg: Right.
[00:15:38]
Blair Taylor: We got a grant, and within a month, we had 200 people in the Cyber Center from all over the country coming up with what a program in cyber AI would look like. So, we had 200 faculty. We spent two days that first time, we literally with sticky notes, whiteboards, blah, blah, blah. We ended up coming up with two programs of study.
[00:15:59]
Mark Ginsberg: Uh-huh.
[00:16:00]
Blair Taylor: Now, this is tricky, so I have to say this slowly. We came to the conclusion that we needed two programs of study. One was called SecureAI. Now, that means that the AI systems themselves have to be secure, right? Because if they're not, then we have a huge problem.
[00:16:19]
Mark Ginsberg: Then by definition, you're really in trouble.
[00:16:20]
Blair Taylor: Right. And that is a very technical program, SecureAI is a very technical program. The second program of study that we came up with was AI for Cyber, and that is using AI to do cyber. So, that would be more tools oriented, a little less technical, more schools. It was an easier bar to reach per se. But after the first workshop, we came up with the two programs. We came up with about 30 knowledge units, which defined what that program should look like.
[00:16:48]
Mark Ginsberg: Uh-huh.
[00:16:49]
Blair Taylor: And then we met three and four times, and by September, we had a stone man draft, and we now have five schools that have been approved as pilots in Cyber AI in the country and another 5 to 10 in the pipeline. Yes.
[00:17:02]
Mark Ginsberg: And now the question is how do we best integrate it within our models.
[00:17:04]
Blair Taylor: Now we need to figure out how to integrate in.
[00:17:06]
Mark Ginsberg: I see.
[00:17:06]
Blair Taylor: We have several majors where we could put it in, but we're trying to figure out where to put AI also.
[00:17:11]
Mark Ginsberg: But it does sound like, back to the cutting edge concept, that this integration of cyber practice and the application and integration of AI is where the field is evolving. It's an area of not only potential, but of really absolute need.
[00:17:26]
Blair Taylor: Absolutely. I mean, I'm teaching into a cyber class, and I haven't taught it in a year and a half, and as I'm updating, literally every question is, "And how does AI affect this? And how does AI affect...?" And also, the fundamental idea that these AI systems themselves have to be secure. It's sort of like having a security tool, like having an antivirus, and that itself has vulnerabilities. I mean, this is a big problem.
[00:17:48]
Mark Ginsberg: Yeah. Now, as long as you're talking about education, let's talk a little bit about not just our training programs here, which are, I think most people would say, world class in their essence. But what are some of the... Well, two things, I guess. We have a growing number of students who are interested in cyber. We provide a great number of people into the workforce in cyber. What are some of the things that they're learning and what are some of the approaches that you take to training people to become cybersecurity professionals?
[00:18:17]
Blair Taylor: Well, I mean, we have about six different programs that include cyber at different capacities. The one that has the Cyber Operations designation is CS with a Cyber Operations track. So, that is a very technical track. Again, that would train students to become...
[00:18:32]
Mark Ginsberg: And these are at the undergraduate level too.
[00:18:34]
Blair Taylor: That's in undergraduate. What we do have, we also, our MS in CS has this Cybersecurity track and our AIT MS also has a Security track.
[00:18:43]
Mark Ginsberg: And the MS are master's programs for those...
[Crosstalk 00:18:45]
[00:18:45]
Blair Taylor: Master's. We also have a master's in Homeland Security.
[00:18:48]
Mark Ginsberg: Right.
[00:18:49]
Blair Taylor: And then we have a Network Security track in IT. So, we have a variety of different ways of teaching cyber, and students can study cyber.
[00:18:59]
Mark Ginsberg: And as the students come through your programs, they come out of Towson, they finish four years or however long it takes them to achieve their bachelor's degrees, what are some of the roles that they're taking on?
[00:19:09]
Blair Taylor: Well, so we do heavily staff federal agencies. I mean, we have a couple scholarship programs that have been very successful at Towson where federal agencies either choose our students – they're very competitive, very competitive for the students to get into – and then we have another one where students find a federal or state job. The scholarships, there's two of them, CyberCorps and CSA, and they both pay full tuition and additionally they pay a stipend. It's like a scholarship for service. The student has to, each year they get the scholarship, they have to work a year of service in a federal or state agency. So, those, we have a lot of that. We also have students go to security companies, local companies. There's a lot of security, there's a lot of tech around Baltimore, Towson, Columbia, Washington. We have students going to many, many different... Like having cyber, I think, even if you don't do strictly cyber, makes you stand out, right? Everybody wants a software engineer who knows cyber. I mean, that's just...
[00:20:12]
Mark Ginsberg: Well, everybody needs it.
[00:20:13]
Blair Taylor: Yes.
[00:20:14]
Mark Ginsberg: I recently read Barack Obama, of course, our former president, who was recently quoted in a talk he gave that cybersecurity is the most – what he said – cybersecurity is the most serious economic and national security challenge we face as a nation. Former President Obama. It really suggests not just the importance of the issue, the criticality of it, but the need for well-trained professionals to be able to counteract these threats.
[00:20:37]
Blair Taylor: And there's a huge shortage still, a huge workforce shortage.
[00:20:40]
Mark Ginsberg: Right.
[00:20:41]
Blair Taylor: Unfortunately, the job market is very tight right now. So, students are struggling to find internships, and that's across tech.
[00:20:50]
Mark Ginsberg: So, Maryland is considered to be a national leader in cybersecurity here in our state, and we're training a number of cybersecurity professionals from Towson who are going into positions of great importance, not just in our state and our region, but throughout the nation, and literally throughout the world. And these are people who are doing very, very important work protecting our systems, our infrastructure, protecting our national security, and our national economy as Obama suggested.
[00:21:15]
Blair Taylor: I think that one of the advantages that we have is that…our location.
[00:21:20]
Mark Ginsberg: Yeah.
[00:21:20]
Blair Taylor: You know, being so close to the nation's capital, and many of our students have parents or relatives who worked for the government. So, some of them buy into that mission work, which I actually am a big believer. That's a large part of why I believe the work I do is important. But it's not a hard sell, right? I mean, the students, they want to work...
[00:21:42]
Mark Ginsberg: Yeah, yeah, yeah.
[00:21:43]
Blair Taylor: ...to help defend the nation.
[00:21:45]
Mark Ginsberg: As you're educating our students, you're probably thinking about a range of vulnerabilities. I wonder if, for those people who are leading organizations who are listening to this now, what you consider to be some of the most effective cybersecurity strategies could be and are for an organization that they might look to particularly as they try to protect themselves?
[00:22:04]
Blair Taylor: Well, one of the things, if we talk software again because that's... I think that anytime I talk to any company and they hear, we start talking to our students. One of the work I did, I've been doing for over 20 years, is introducing cyber very early in the curriculum because it tends to be, and especially secure coding, think about the fact that you're writing a program and you're learning programming, and then when you're a senior, you learn about secure coding. That's not right.
[00:22:33]
Mark Ginsberg: It's too late in the game.
[00:22:34]
Blair Taylor: Too late in the game. So, we believe in teaching security early and often, and we have a project called Security Injections, which is used nationally. And we start in the very CS0 and start talking to them about... If you're ever in a group of people, then you talk about how to solve the cyber problem, they always say, create a security mindset. Some of the technical things will not stick with people, but if they're aware and they think like an adversary and they code defensively, code responsibly, that goes a long way. So, for companies, any company that I talk to, they're very surprised about what a good job we're doing with coding and talking about coding securely very soon. We call it code responsibly.
[00:23:16]
Mark Ginsberg: Yeah, yeah. So, we have programs in cyber, we have general programs in computer science too, in CS for short.
[00:23:21]
Blair Taylor: Yes, mm-hmm.
[00:23:21]
Mark Ginsberg: I think what you're suggesting is these kinds of concepts need to be integrated...
[00:23:27]
Blair Taylor: Everywhere.
[00:23:27]
Mark Ginsberg: ...everywhere, including in non-computer science studies programs as well.
[00:23:32]
Blair Taylor: Right.
[00:23:33]
Mark Ginsberg: I'm a psychologist. I need to know not as much as your students need, but I need to know enough to be able to protect myself.
[00:23:39]
Blair Taylor: Cyber4All, Mark, Cyber4All.
[00:23:41]
Mark Ginsberg: Cyber4All. Well, you've called it that for a reason.
[00:23:44]
Blair Taylor: We called it that for a reason because you cannot solve the cybersecurity problem with just technical solutions.
[00:23:50]
Mark Ginsberg: Yeah.
[00:23:52]
Blair Taylor: I mean, the user, you mentioned the human interface as being the weakest link, and everybody needs to be educated. Everybody needs to understand about protecting their data. Everybody needs to be cautious of phishing and other types of things.
[00:24:07]
Mark Ginsberg: Yeah.
[00:24:07]
Blair Taylor: So, it is incredibly important. That security mindset needs to be across the entire organization.
[00:24:12]
Mark Ginsberg: Yeah, and that's been talked about quite a bit. Kevin Mitnick, a well-known security consultant, was quoted recently as saying the weakest link in the security chain is the human element.
[00:24:21]
Blair Taylor: Absolutely.
[00:24:22]
Mark Ginsberg: Absolute weakest link, right? So, people can hack into our systems, but those users in the systems become, I guess, on a personal level, a real point of vulnerability.
[00:24:33]
Blair Taylor: Right, and I think not only does it need to be across majors, but it needs to start early.
[00:24:37]
Mark Ginsberg: It needs to start early.
[00:24:39]
Blair Taylor: So, students, we're doing an event.
[00:24:39]
Mark Ginsberg: Before they get to the university.
[00:24:41]
Blair Taylor: Before they get to the university. And high schools are starting to do that. Middle schools, we have an event we call Junior Cyber where we bring third to fifth graders, and we just start to talk to them about cyber and do fun events for them to get in the mindset, to get that mindset.
[00:24:55]
Mark Ginsberg: Yeah.
[00:24:55]
Blair Taylor: It's just being careful. It's really, you know what it is? It's being a digital citizen, and that'll come...
[00:25:00]
Mark Ginsberg: And digitally responsible.
[00:25:01]
Blair Taylor: Digitally responsible, and AI will fit into that as well. So, we need to continue to push technology responsibly into the... Which is difficult.
[00:25:11]
Mark Ginsberg: Right.
[00:25:12]
Blair Taylor: Towson is a great school for this. We teach our educators. We do such a good job with education. So, you make sure that cyber's a part of that, technology's a part of that, responsible use of technology, and then AI will be closely on its heels.
[00:25:27]
Mark Ginsberg: Yeah. Well, AI is going to be an important part of this formula for success.
[00:25:28]
Blair Taylor: Yes. Yes.
[00:25:31]
Mark Ginsberg: Let me ask you one more theme of questions, and I'd really like to hear a little bit about this because you're on the cutting edge of training professionals who are entering the cybersecurity field. Tell us a little bit about how it is you go about training people. What are the kinds of things that you do, the kinds of experiences you like them to have, the kinds of knowledge, skills, and abilities you try to impart as you're training the next generation, and actually the soon-to-be generation of cybersecurity professionals in our communities?
[00:25:58]
Blair Taylor: Towson is very much cutting edge with cyber. We've been doing cyber for many years. Generally, we follow curriculum guidelines. We're ABET accredited in cybersecurity. I was actually, you know, on the doc, created some of these original documents myself. We'd follow the NSA designations, which is a way to kind of know what is... And I'm also on part of the organization that updates these, and then I would think we'd move into the cyber AI. But the other thing that we do, and Towson is very specifically involved in this, is we have a grant, I think you mentioned in the beginning, that looks at emerging trends.
[00:26:38]
Mark Ginsberg: Yes. Right.
[00:26:38]
Blair Taylor: The grant is called the Cyber Security Curriculum Task Force. We work with about six other organizations. This is our second grant. Our first grant was a couple million dollars, and this is close to a couple million dollars. And the money goes to faculty to build curriculum in emerging areas from quantum. For example, we just funded the building of a lot of curriculum in quantum. The last grant, we did a lot in autonomous vehicles.
[00:27:01]
Mark Ginsberg: Uh-huh.
[00:27:02]
Blair Taylor: So, just different, just to give you an idea of some quantum-resistant cryptography. So, we find faculty...
[00:27:06]
Mark Ginsberg: Wide range.
[00:27:07]
Blair Taylor: Yes. We do a reconnaissance and a gap analysis, which is the cyber terms, and we look to see what we need more, what's emerging, what we need curriculum on, and we created a product called CLARK, which is an eight-year-old product.
[00:27:25]
Mark Ginsberg: Yes, I've heard about this. Talk a little more about it.
[00:27:27]
Blair Taylor: So, it's very unique, and I'm very proud of it. About 2016, I worked at NSA as a contractor for three years, took a leave of absence and worked there, and we had money to build curriculum, and it was close to $20 million. So, we gave funds to schools all across the country to build curriculum in cyber because there's a huge cyber workforce shortage, there's a huge cyber faculty shortage.
[00:27:57]
Mark Ginsberg: Mm-hmm.
[00:27:57]
Blair Taylor: So, we can't build a cyber faculty tomorrow. [Laughter]
[00:28:00]
Mark Ginsberg: Right.
[00:28:00]
Blair Taylor: But we can help them. So, we built all this curriculum, and then we also wanted to put in one place, okay? So, Towson built a product called CLARK, and that product was awarded. There were three other schools that bid for this, and that is cybersecurity labs and resource knowledge base. CLARK now hosts about 2,000 pieces of cyber curriculum.
[00:28:24]
Mark Ginsberg: Wow. Huge.
[00:28:24]
Blair Taylor: Anything that NSA produces must be hosted on CLARK.
[00:28:28]
Mark Ginsberg: Wow.
[00:28:29]
Blair Taylor: It's one stop, totally free.
[00:28:31]
Mark Ginsberg: Yeah. It's really a clearinghouse.
[00:28:34]
Blair Taylor: It's a total. There's nothing like it. And the cool thing about it, we can say it's built by faculty, for faculty. So, when I teach, I'm sure you probably feel the same way, I can't use PowerPoint slides just given to me. I have to change them, and I have to...
[00:28:48]
Mark Ginsberg: Sure, sure.
[00:28:48]
Blair Taylor: So, with CLARK, you download it, you can do whatever you want to it, and it's totally Creative Commons, non-commercial, and they can use it in their classrooms.
[00:28:55]
Mark Ginsberg: What a great resource.
[00:28:57]
Blair Taylor: And it's all mapped to Bloom's Taxonomy with learning outcomes.
[00:29:00]
Mark Ginsberg: Fabulous resource.
[00:29:00]
Blair Taylor: So, we ended up starting a nonprofit. A nonprofit came out of Towson called SecureEd, and we probably employ, between SecureEd Inc. and SecureEd Lab, over 80 Towson students to build both the platform...
[00:29:14]
Mark Ginsberg: That's fabulous.
[00:29:14]
Blair Taylor: ...and to review the curriculum.
[00:29:16]
Mark Ginsberg: Fabulous.
[00:29:17]
Blair Taylor: So, it's just, to me, it's like I'm proud of it, not only because literally, there's no hoax with CLARK. I mean, we continue to seek funding to build the curriculum, update the curriculum. But for the faculty, we have faculty come up to us, say, "I can just use it?" Especially high school teachers. They're like, "It's free? I can just use it?" So, yes. But what I love is that it helps the Towson infrastructure because we have undergrads who get development experience, who stay and get their master's, who continue to work for SecureEd. And so, like I said, it's just been a really unique platform and opportunity.
[00:29:50]
Mark Ginsberg: What a great resource. And as I often like to say, there are many great universities in Maryland, and at Towson, we also seek to be a great university for Maryland, not only one of the great universities in Maryland, and certainly that work contributes to that.
[Music]
[00:30:03]
Mark Ginsberg: Well, let me thank you for being with me on this episode.
[00:30:05]
Blair Taylor: Thank you.
[00:30:07]
Mark Ginsberg: Dr. Blair Taylor, the director of Towson University's Cyber4All, our Center for Interdisciplinary and Innovative Cybersecurity, and a professor in our Department of Computer and Information Sciences. Fascinating conversation about an issue that is more than important. It's really critical.
[00:30:22]
Blair Taylor: Critical.
[00:30:23]
Mark Ginsberg: Absolutely critical. And I hope our listeners have had a chance to hear some of the wide-ranging issues that are involved in cyber because it's not a narrow little field.
[00:30:32]
Blair Taylor: No.
[00:30:32]
Mark Ginsberg: There's a lot, a lot of elements to this and a lot of pieces. It's almost like a jigsaw puzzle with the pieces fitting together. I'm very grateful that you're one of the people helping to make those pieces fit.
[00:30:42]
Blair Taylor: Thank you.
[00:30:43]
Mark Ginsberg: Once again, thanks very much to Dr. Blair Taylor for joining me today in On the Mark. We look forward to having you join us again for another episode of On the Mark here at Towson University. Thanks very much.
[00:30:53]
Blair Taylor: Thank you.
[Music]
[00:30:58]
Mark Ginsberg: Thank you for listening to On the Mark. If you like what you've heard, please give us a follow or leave a review. It helps to ensure that we can keep bringing you more candid conversations about the consequential work of higher education. If you have feedback about our podcast, I'd welcome hearing from you. Please feel free to send me a message at onthemark@towson.edu.
[Music]
[00:31:27]
Voiceover: Founded in 1866, Towson University is a top-ranked, comprehensive public research university recognized as Maryland's number one public institution by the Wall Street Journal. As greater Baltimore's largest university, TU proudly serves as an engine of opportunity for nearly 20,000 students, the state of Maryland and beyond. Explore more than 190 top-ranked undergraduate and graduate degree programs and make our momentum yours at towson.edu.