Educause Security Discussion mailing list archives

Re: Cybersecurity Students


From: Bob Mahoney <bobmah () MIT EDU>
Date: Fri, 5 Apr 2019 15:21:33 +0000

[Disclaimer: I am no longer at MIT, and am only here as a guest associate, which I appreciate.]

Some time back now, I started and ran MIT’s first Network Security Team.  Through need and an appreciation of the 
untapped resource, we employed a number of student staff.

This worked out fabulously.  “Win-win” doesn’t begin to do it justice.

The relevance to this discussion is that using students served to seed some security awareness out into the student 
community, where they naturally came to advise their friends with security problems, and interrupted any number of “clever 
ideas” in the dorms, where random student curiosity might have gone on to become a problem, all happening below my 
radar.

They were a back-channel to communicate security information, and they helped the team and IS&T have real credibility 
among the students.  They were our secret weapons out in the community.

We *never* had a breach of trust or confidentiality involving the student staff, and we only very rarely saw any 
serious misbehavior in the student population.  Once or twice we did have a computer science class do something very 
unwise.  (like pinging all the NTP servers they could find on planet Earth, and doing unannounced & unauthorized 
performance testing...  my phone rang angrily for days afterwards)  But generally Computer Science classes kept their 
experiments to their own local networks, and we had good relations.

Student security staff were intimately involved in doing campus vulnerability scanning, and maintaining/extending that 
capability.

I’d just like to suggest that interested students can be given a productive outlet for their curiosity, that can 
greatly aid your security effectiveness.  They became critical to our success.  They were a whole lot of fun to work 
with, and they helped us do so much more than we could have otherwise ever done.

(of course, I may have just lucked-out in employing the kids most likely to have caused problems if left to their own 
curiosities...  :-)

The bug-bounty program suggestions here sound like a great innovation in this direction.

Many of our students came back expressing real appreciation for the experience, and said it gave them a unique, 
real-world resume item that helped them really stand out to their early employers.  Quite a few work in security now, 
and at least one is a CS professor of some note.

It might be useful to consider students as a potential opportunity, rather than simply a threat.

-Bob
