The investment the State of Maryland makes in its cybersecurity defense is “paltry” considering the value of the information assets it should be defending from cyberattack, a former NSA official and UMUC graduate adjunct professor in cybersecurity told the Maryland Cybersecurity Council Jan. 25.
“Now the state spends about $3.8 million on its cybersecurity function,” said Debora Plunkett, whose 32-year career with the NSA included serving as director of information assurance. “My personal view is that [that amount] is paltry, considering the state budget and considering what the state has to lose if those assets are put at risk.”
She called for a one-time surge in investment and then a sustained stream of resources every year.
“You have to trust the hardware, the software, the systems, the users,” Plunkett said. “That’s a lot of trust where bad things can happen. The best way to demonstrate commitment is with action, investment, legislation and changes for training and development—all very necessary.”
The Maryland Cybersecurity Council, chaired by Maryland Attorney General Brian Frosh, consists of state legislators, government security, technology and commerce officials and is staffed by the University of Maryland University College (UMUC). Its mission is to investigate vulnerabilities in cybersecurity and recommend legislation to fix them.
Plunkett told the Council that more students need to be prepared for cybersecurity jobs. But while the trend line for positions in the field is rising, she said, the trend line for those prepared to fill those jobs is declining.
“It’s actually getting worse instead of better,” she said.
Yet young people live and breathe computers, she said. So why is interest in cybersecurity declining?
To these young people, she said, it looks like a cybersecurity professional’s role is to limit access to the internet—access that they believe should be free and open.
“We need a different message,” Plunkett said. “We need to speak about the threats and risks, but we should tell our kids that they should be able to operate freely. But just as they have to follow some rules to get their driver’s licenses, just as they have to wear their seatbelts, they have to follow some rules in cyber space.”
Our youth need to know about the grave dangers that reside in the “dark world,” she said, and that “the potential for bad things to happen is real.”
And then, she said, young people need to be enticed with “the excitement of developing new breakthroughs in cybersecurity tools, technologies and techniques” that will protect the system they love.
The education needed in building cybersecurity must begin as early as kindergarten, she said, and continue throughout school.
In a recent report, the Council questioned the likelihood of qualified cybersecurity specialists teaching in the public schools when the pay is so much better in the private sector. But Plunkett said that misses the point.
“Teachers don’t need to be cybersecurity experts,” she said. “They just need to know how to weave cybersecurity concepts into their curriculum.”
Every teacher can be trained to talk about cybersecurity in their classes, she said. English teachers can advocate safe internet use while teaching students about how to do research for term papers, and math teachers can talk about the importance of security when teaching algorithm development. Learning how to do that should be part of teacher education, Plunkett said, and money should be made available to teach existing teachers.
And teachers, themselves, who handle immense amounts of sensitive data about students, must be trained in how to protect it, she said.
Every state is a target, Plunkett said, and protecting everything is daunting. But states have been working on this problem for a while and, instead of reinventing strategies, Maryland can leverage those that have already been developed elsewhere.
“You have to know what is important to defend and then apply well-known measures that already exist,” she said.
Also, security measures must extend to the companies that do business with the state, Plunkett said, because attackers can gain access to state data through unprotected vendors that have plugged into state agencies. That, she said, “is a recipe for disaster.”
With so many attacks on the American election system, teaching election workers and campaign staff members how to protect their information is essential, she said.
“There are bad guys, including nation-states like Russia, who are interested in getting into our election process and systems and—most scary—maybe even into the minds and hearts of Americans and make us distrust our election system . . . to destroy democracy by destroying our confidence in our system.”