Carnegie Mellon University, with support from the National Security Agency, is helping to make cybersecurity education more accessible to high school teachers and their students. The NSA GenCyber grant(opens in new window) offers CMU faculty and staff the chance to help expand the field by making cybersecurity curriculum and materials available to 10th- through 12th-grade educators, and the effort comes as the industry sees increased demand for qualified professionals.

Hanan Hibshi(opens in new window), assistant teaching professor at the Information Networking Institute(opens in new window), and Megan Kearns(opens in new window), a project manager for picoCTF, led this year’s picoCTF for GenCyber boot camp. Both spoke at the 2024 awards ceremony for the picoCTF hacking competition, which brought together three teams of students from high schools around the country to be recognized for their success after outranking thousands of other participants.

The picoCTF for GenCyber boot camp, however, is geared toward teachers. It teaches fundamental cybersecurity principles, Python programming and digital forensics while using picoCTF as a supplementary platform, which teachers can pass on to their students. Knowing that there is no standardized curriculum for cybersecurity in the U.S. has motivated those leading the GenCyber boot camp to connect with as many teachers as possible.

Helping them find the right resources not only for their own understanding, but for that of their students, can alleviate the burden of uncertainty and expense, Hibshi explained. 

“There's an abundance of information available on cybersecurity. We’ve reached a point where if you do a Google search, you will find multiple courses, multiple certifications, too many books. You sit there as a beginner not knowing where to start. Should I read this or should I read that? How would I weigh which one is better?” Hibshi said. “In one week, we give them all of the information they need so they don't have to spend a semester or a whole year trying to learn cybersecurity in their free time.”

Improving cybersecurity career preparation is a top priority for CMU’s CyLab Security and Privacy Institute(opens in new window). The picoCTF for GenCyber boot camp offers teachers a stipend to attend meetings and lectures on cybersecurity, and to network with other educators and experts in the field.

This year’s picoCTF for GenCyber boot camp is only the second to be hosted by Carnegie Mellon, with the first taking place in 2023(opens in new window). It is intended to share cybersecurity concepts typically taught at the college level, with the goal of helping teachers integrate these topics into preexisting curriculum for students who may be interested in a cybersecurity career. While high school students typically do not have this level of exposure to this kind of material, the increased global need for cybersecurity expertise has motivated both teachers and those at CyLab to help open these resources to younger generations.

“One of the things we've noticed through interactions with teachers is that lots of them don't have a computer science background,” Hibshi said. “Some of them come from math, some come from economics, some from business, and they decide to teach computer science. Eventually, somebody asks them, ‘Hey, can you teach cybersecurity?’”

The goal of their efforts is to ensure that students who may otherwise not have access to a cybersecurity career due to their background, grades or level of professional experience now have the opportunity. This work is in line with recent initiatives by the U.S. government(opens in new window) to minimize degree requirements in the sector in favor of skills-based hiring.

“With something like picoCTF, you can integrate the challenges into an existing curriculum. It’s somewhat packaged for them,” Kearns said. “It gives teachers a place to point their students to and say, ‘Okay, now that you've learned the theory, apply it to these challenges to test your aptitude and build a skill set.’”

The boot camp serves as a networking opportunity as well, the organizers explained. In addition to meeting other teachers, participants had the chance to speak with CMU faculty members like CyLab director Lorrie Cranor(opens in new window) and industry experts from organizations like the NSA.

“picoCTF is not just, ‘Hey, we want to teach you something in a camp and have you leave.’ Instead, we want to build a community. We want them to continue using picoCTF, and to continue supporting our efforts,” Hibshi said.

Steve Phelps is a computer science and mathematics teacher for Ohio’s Mariemont City School District and a participant in this year’s program. “I attended two different GenCyber programs last year,” Phelps said. “The CMU GenCyber was by far the best experience of the three I have attended.”

He said that changes to classes offered by his school — a fourfold increase in enrollment in AP Computer Science Principles (APCSP) and a discontinuation of cybersecurity classes — informed his decision to learn more and incorporate picoCTF challenges into the work.

“My goal for attending, and one of the selling points for this GenCyber camp, was to learn different ways to incorporate cybersecurity concepts into APCSP lessons. The picoCTF challenges and the secure programming principles shared on the first day will help me to embed cyber concepts into APCSP without sacrificing content,” Phelps said.

With additional financial support from sponsors(opens in new window), Hibshi and Kearns said, picoCTF aims to continue offering the program to future cohorts, and to allow teachers to pursue their passion for opening up career paths to their students.

“What these teachers are able to do in a short period of time is amazing. They do not get enough credit for what we've seen in that room. They all have a unique plan for their students and they've deepened their understanding of cybersecurity,” Kearns said. “We have a unique opportunity of reaching teachers who can then reach 20 to 40 students year after year, and really start to see a positive change in the cybersecurity workforce.”