Once again, the kids show their mettle in cybersecurity

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

For more than a decade, the Air Force Association and Northrop Grumman have conducted the CyberPatriot national youth cyber defense competition, matching teams of middle and high school students who find and fix cybersecurity flaws. Winners were announced last month. For more about the program, CyberPatriot Commissioner and Ret. Air Force Brig. Gen. Bernie Skoch joined Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Bernie, good to have you back.

Bernard Skoch: Thanks, Tom, it’s always good to be on Federal News Network. It’s great to be here.

Tom Temin: Tell us about this program generally, refresh our memories on how this works every year, because it’s really exciting, I think, for the associations and the companies and the kids involved.

Bernard Skoch: Well, it’s trying to address a national need, Tom. And if you look at the history of the Air Force Association since 1946, we’ve been advocates of strong national security, and that takes many forms. Certainly national defense is part of it. But there are other elements of national security, including technological superiority, including a strong economy and an educated public. So the Air Force Association started this initiative really as a national program in 2010 – pilot program – because we want to attract young women and young men to STEM, to science, technology, engineering, math. And at its core, that’s the purpose of the program.

Tom Temin: And in recruiting, the teams that compete give us a sense of how many people are involved, how many students are involved and how you recruit them and get them involved.

Bernard Skoch: While the program has evolved significantly, since it started. With our pilot program, we had eight teams – about six kids apiece – in the state of Florida in 2009-2010. This past year, we had nearly 5,000 teams in all 50 States, Canada, overseas locations of Department of Defense schools and other friendly nations to the U.S. The teams form up in a school, they learn the basics of cybersecurity from online training that we provide. And then with the cooperation of a lot of partners, we ship them problems to solve and they see who can find and fix what’s wrong with networks. We estimate from that modest beginning in 2009 of eight teams, that we’ve now reached about a quarter-million students and they’re excited about the program. Northrop Grumman and Northrop Grumman Foundation has supported the program since its inception of giving out about a quarter-million dollars in scholarships in the program, as has Cisco.

Tom Temin: 5,000 teams! And that means just in this year, well, how many are on a team, then?

Bernard Skoch: About six kids on a team. What we’re thrilled with, of course Tom, now is we’ve been around long enough, we’re starting to see the results. And we’ve got hard data that shows that because students participate in this program, they actually are attracted more to STEM careers and education, and career tracks. And that’s important for the nation. You know, right now, and you can find any number you want. But the most accepted number is that there are about 3.5 million unfilled cybersecurity jobs. And we’re feeding that workforce. And there’s been a lot of studies that suggested that if you want to shape a student’s interest in a particular career track, you’ve got to reach them about the ninth grade. You can’t wait till they’re a college graduate, you can’t wait till they’re ready to go into the workforce. You’ve got to stimulate that interest in STEM early. And that’s what the Air Force Association’s CyberPatriot program is all about.

Tom Temin: It sounds like a major thing to administer, just having 30,000 students online and competing. I guess 30,000 people online, it’s not that big a number in this day and age. But how does it all work mechanically, because they can’t all gather in a convention center, at least not this past year?

Bernard Skoch: Yeah, what a great question Tom. And we’ve adapted remarkably to the COVID pandemic. But it starts with online training. And they go through 12 modules of learning what a network is, what a firewall is, what a router is, and all those basic things. And you, Tom, we’re dealing with middle school students in many cases. So we’ve got middle schoolers that are learning about cyber vulnerabilities. We only teach them defensive skills. We’re smart enough to know that a student learns to be a good defender may learn some offensive techniques. But that’s why we infuse cyber ethics in everything that we do with them. After they go through these online modules of instruction. we encrypt these gigundous files, and they pretend to be a network administrator. And they get to work and find, “Well, this password is expired. These firewalls are open, these routers have all the default settings. The user that shouldn’t have been on the system six months ago is still on the system.” And then we’ve got automatic software that we developed with the University of Texas at San Antonio, that scores them. And they get immediate feedback, they fix the vulnerabilities, they get scored. And then in a typical year, which we hope to return to next season, they are flown all expenses paid to the National Championship where the 28 teams compete in person to see who’s best at this. But now they’ve got a red team penetrating their networks. And they’ve got to fend off these red teams while they’re keeping critical services up. And Tom, there’s no more humorous sight than a middle schooler sitting there fending off red teams. We’re having to bring in booster seats in some cases for these kids that are defending networks.

Tom Temin: Wow. Sounds like a lot of fun actually, too. We’re speaking with Ret. Air Force Brig. Gen. Bernie Skoch, now commissioner of the CyberPatriot national youth cyber defense competition. And I imagine there’s a technical upkeep that you have to do to keep the problems current because, what is a solved, understood issue in cyber one year gives way to something exotic and new the next year or the next week, even.

Bernard Skoch: You are spot on. And there’s a couple of factors at work here. One is just what you described – that the sophistication of the attacks, the complexity of the systems increases every year. But what we’re finding is that the students are getting better, too, because we have a lot of repeat offenders, if you will, these kids that come back year after year. We designate cyber all-Americans for students that reach the National Finals all four years of their high school career. We’ve only had about a dozen of those since the program began. But think about it – it’s about twice as difficult from the field of 5,000 or 6,000 teams to be one of the top 28 that reaches the national finals competition. It’s about twice as tough as a basketball team in the NCAA women or men reaching the Final Four. These students have distinguished themselves remarkably.

Tom Temin: And this is a program of the Air Force Association, though. Do you find that the Air Force itself is kind of interested in says, hey, Bernie, what’s going on? Any any good possible recruits coming out of this?

Bernard Skoch: Oh, what a great question. You bet! Because not only the Air Force, but all the military departments, all the federal sector. Right now there’s about 31,000 open jobs in the public sector, meaning government in the military for cybersecurity professionals. They want this talent, but so does Northrop Grumman. So does Boeing. So does AT&T. So does Cisco. And that’s why, in many respects, why they have become such avid supporters of the program. We’ve got a wonderful cadre of sponsors, and they see the value to the nation of developing this group of students into the cyber defenders of tomorrow.

Tom Temin: All right, and are you aware of any students that have gone on to the armed services specifically?

Bernard Skoch: We have a litany of these people. We have Rhodes scholars that have gone through our program. We’ve got full ride scholarship, we got Academy graduates, we’ve got professionals in industry, we’ve got students that have arisen from the ghettos of urban blight to become cybersecurity engineers because this program caught their eye. And that’s why we’re so grateful for the support that we get from industry and from government.

Tom Temin: Yeah, that was a question I had, what do you see in terms of diversity of the students that participate and are girls there as much as boys?

Bernard Skoch: What a great question again. The typical STEM program in the United States recruits about 12% female participation. We incentivize female participation. A typical team will pay $200 for the year to register. We registered all-female teams for free. And so we’ve driven female participation up to about 27%, or double the national average. Our minority participation, underrepresented populations is about 42%. So we’re working very hard, because we want this to be an opportunity for everyone. And we need everyone pitching in – we can’t have populations declare, “Well, that’s not for me.” We want everyone to see this as a career track. And it’s not just about the white collar, computer science PhD track. We need people in the careers that are blue collar, if you will, that are doing the system administration work in corporate America and in the public sector.

Tom Temin: Sure, in many ways that level of work, say what we call the blue collar, for lack of a better term, is very different from say factory-type of work, which also takes skill. But the difference is that every night you’re on the cyber job, or every day, you’re on the cyber job, there’s a different challenge coming in. So even though the processes might be similar, you’re using your brain as much as your typing fingers.

Bernard Skoch: Well, you’re onto two points, I think, Tom. One is we don’t know what stimulates interest in cybersecurity. We don’t know what background attracts people to that or software development, is it an artistic talent, is it a technical talent, is it an analytical talent? And the other element that you’ve raised is about compensation. Cybersecurity jobs pay very well. But as you point out, the compensation isn’t all financial, it’s emotional, it’s psychological compensation. You’re not putting hubcaps on a car. You’re doing something that’s stimulating, something that requires an element of creativity, and something in which you have a good deal of intellectual freedom to pursue ideas where they take you.

Tom Temin: And just briefly, what do we know about the winning teams this year?

Bernard Skoch: Well, you know, it’s it’s kind of like the NCAA Final Four. And you see on the women’s side, you’ll see the Tennessee’s of the year, year in and year out, and you’ll see a few others. And on the men’s side, you’ll see North Carolina and Duke so we get our repeat people who consistently do well. But we’re thrilled that we have teams that came to the National Finals from all over the country this year, so it’s about half regulars and half new blood, and we think that’s healthy for the program. It’s growing like crazy, course COVID took a toll on us because a lot of schools weren’t meeting in session in person. But our growth curve is phenomenal. And we expect to get back to full program participation this coming season.

Tom Temin: Ret. Air Force Brig. Gen. Bernie Skoch is commissioner of the CyberPatriot national youth cyber defense competition. Thanks so much for joining me.

Bernard Skoch: Tom, it’s always a pleasure. Stay in touch.

Tom Temin: We’ll post this interview along with a link to more information at FederalNewsNetwork.com/FederalDrive. Here the Federal Drive on your schedule, subscribe at Podcastone or wherever you get your shows.

Related Stories

    These white hat hackers keep finding new ways to help out the armed services

    Read more

    SBA hackathon developers leverage AI, agency data sets for disaster recovery tools

    Read more


Sign up for breaking news alerts