Ethical, educated or neither?
- 18 July, 2006 09:51
I recently read about the "Ethical Hacking and Countermeasures" degree being offered by a Scottish university. At first, I thought this was for a master's degree, and then I was really dismayed to see that this was a bachelor's-equivalent program. There are so many things wrong with that prospect, it's hard to know where to begin, but the story does raise some good questions about where degree programs fit into computer-related professions.
The very existence of a degree program officially called "Ethical Hacking and Countermeasures" annoys me, because the name is a marketing ploy. The program could accurately be referred to as computer security, and there are already degree programs with that title. The term ethical hacking simply implies intent -- and intent isn't a skill set one can teach. (Ethics, yes, but that would put this degree program in the Philosophy department.)
The university claims that it conducts background checks before people enter the degree program to weed out anyone who might want to use his skills criminally, in accordance with the Disclosure Scotland standards. But a background check only checks whether or not someone has been previously convicted -- a very rare occurrence even for established "black hats." A background check doesn't read minds, and it is likely that the check for the university is limited to a criminal records check and does not go out and interview their friends, neighbors, co-workers, etc.
It is extremely unlikely that the university will give further tests, such as polygraph exams, in addition to this background check, not least because a thorough check -- for the sort that can even begin to determine the applicant's intent -- costs tens of thousands of dollars. Also, as in the U.S. juvenile justice system, Disclosure Scotland doesn't disclose many offenses committed by young offenders (though their cutoff is 16 years of age, and serious offenses such as those resulting in a supervision requirement order or disposal in a court of law are not stricken from the record as a matter of course). Minor yet telling offenses might never come to university officials' attention.
Most importantly, "ethical hacking" is a trade, not a program of study. And that leads me to a deeper question: In that case, what are college degrees for? After all, we have trade programs if you want to learn a skill. If you want to learn about hacking skills, you can take courses from the SANS Institute or other programs -- and if you're self-motivated as many young hackers are, much of your learning is ad hoc.
On the other hand, if you look at most computer science and engineering bachelor degrees, only 25 percent of the program of study is actually devoted to the major's core skill sets. The rest of a bachelor's degree involves courses that expand the student's overall body of knowledge and skills. College degrees should represent the acquisition of basic knowledge and abilities across a broad range of subjects. They also represent some devotion and an overall breadth of instruction within each major. Even within the student's major, there's a broad focus rather than a specialization. For example, a computer science major takes a variety of computer courses. Biology students take a variety of biology courses. You don't generally see biology students majoring in molecular biology, nor should they.
In contrast, the course list for the Ethical Hacking and Countermeasures Degree includes just one nontechnical course -- on law -- early in the four-year program. It's neither a well-rounded course of study nor a good trade-school skill foundation, since if somebody just wants to learn a skill, there are plenty of shorter-term courses available that can quickly get students into a genuine business environment, which is, after all, where the real learning takes place.
The first job or serious internship a student holds is infinitely more useful in skill-set acquisition than his whole college career will (or should) be. However, a college curriculum exposes people to a breadth of knowledge to draw from, and a computer science degree is no exception. Foundational computer science courses teach underlying principles that can be applied to any area of computer science. They makes people better practitioners in any specialty that they may choose in the future.
Conversely, a degree program and title that is too specific does a disservice to the student. A degree in ethical hacking and countermeasures, rather than a generic computer science degree, is apt to prove a disadvantage in making lateral movements in the field -- and again, it might also limit students' breadth of knowledge.
While a bachelor's degree might provide much breadth but not much depth, a master's degree generally involves only courses within the specific program of study, though it requires about the same number of semester hours in the chosen major as it takes to get a bachelor's degree. The assumption is that master's-level courses will go into more detail about one specific subject and will involve more in-depth work. Again, though, you are talking about the equivalent of three months of actual business-world experience.
A good master's degree program -- the one I took, for instance -- teaches the student how to expand his thought processes on the subject. My degree program discussed the application of computers to a business environment, which was invaluable -- I admit that it was all theory, but that's in many ways the point of academic study. My classwork broadened my perspective on the hands-on tasks at my job.
While the specialized coursework needed for a master's degree makes it more similar to a trade program, again, skill acquisition shouldn't be the degree's focus. All things being equal, I would prefer to hire a person with a master's in computer science over a person with a master's in computer security, since the computer science major would have a more diverse exposure to the application of computer security. The computer science major might have had two or three fewer courses in computer security than the computer security major -- but I or another co-worker can help him make up for that over a couple of weeks of actual work experience.
No employer should believe that college degree alone makes someone capable to do a job. On-the-job experience more than makes up for a lack of a few courses. And if you look around the industry, the leaders and founders of the computer security field didn't need a degree in computer security. They basically taught themselves -- as do most of the hackers.
Why should the computer security (or information security) field merit its own degree program, when no other disciplines with the computer profession as a whole need such a distinction and when breadth of knowledge and the ability to synthesize thought are so critical to god work? I believe that such an overspecialized course of study cheapens the fundamental purpose of a college education. And having degree titles with marketing buzzwords such as "ethical hacking" is a flat-out embarrassment.