A Faculty Perspective: Preparing to Study Cyber at SIPA

Admissions note: Jason Healey is a Senior Research Scholar at SIPA specializing in cyber conflict, competition, and cooperation. He directs the SIPA Cyber program and teaches two courses: Foundations of Cyber Power and Conflict and Cybersecurity: Technology, Policy, and Law.

Over my decade here, SIPA has been committed to bringing all things cyber and digital to the school. We’ve developed a robust program of research, events, and coursework that have made us a hub for the study of cybersecurity and technology policy. 

The most common question my fellow faculty and I get are “how can I possibly have a career in cybersecurity (and technology risk more broadly) … I don’t have a technical background?” Our alumni are now off changing the field, at the White House, Federal Reserve, JPMorgan, amazing think tanks, and teaching students to pass on their own experience and perspectives. They were almost all in the same place as you are now, coming to SIPA from some other set of non-technical experience, and made it in the field. The one message I hear from them when they mentor students is don’t feel discouraged, you can do it!

But it does take work. In this post, I’ll provide some recommendations from faculty on resources students can use for self-study whether you want to get a head start before SIPA or help prepare yourself for one of the main cyber career tracks for SIPA alumni.

Reading

There are different learning styles. For me, I prefer reading. Whenever I’ve re-directed my career (into cyber in 1998, working for the finance sector in 2001 and the White House in 2003, expanding into risk and business continuity in 2005, and so on) I’ve read as much as I can get my hands on starting with general topics then diving more deeply.

If you want to switch into a cyber career, or wondering if it’s for you, start your reading early. First, there's general cyber reading. Start with everything cyber-related on the Lawfare and War on the Rocks blogs. For many of us writing on cyber policy, these are the most important websites to stay current with the current discussions. I have perhaps 30 articles across the two and still consider myself honored to have another one accepted. 

For books, check out The Cuckoo's Egg (Cliff Stoll), a very readable classic. The Hacked World Order (Adam Segal) and The Darkening Web (Alexander Klimberg) on general cyber international relations. Both are good, but Adam Segal is adjunct faculty at SIPA and directs the Digital and Cyberspace Policy Program at the Council on Foreign Relations. Current for former journalists wrote compelling accounts; check out David Sanger's The Perfect Weapon, Kim Zetter's Countdown to Zero Day, Andy Greenberg's Sandworm, and Nicole Perlroth’s They Tell Me This Is How the World Ends. Anything written by these journalists will always be good, either these books or their articles in the New York Times, Washington Post, Wired, and Wall Street Journal

Singer and Friedman's Cybersecurity and Cyberwar is a bit out of date but very readable -- as is my cyber military history, A Fierce Domainand Fred Kaplan’s Dark Territory (which quotes several SIPA faculty who were involved in important historical events). There's also a lot of academic works like Ben Buchanan's The Cybersecurity Dilemma, which is excellent, but probably a better third or fourth book as is Josephine Wolff’s excellent You'll See This Message When It Is Too Late and SIPA professor Erica Lonegan’s Escalation Dynamics in Cyberspace.

Faculty members Beth Cartier and Neal Pollard also recommend magazine articles, especially Wired, as well as the Economist, which only infrequently covers cyber but when it does, it is always solid.

Faculty member Camille Francois recommended several newsletters, especially Zach Whittaker’s This Week in Security and Kim Zetter’s Zero Day. The once-a-week Politico Cyber newsletter is a must-read for us in policy and of course don’t miss SIPA’s own Cyber Regulation Watch newsletter, edited by students! Be sure to also sign up for the weekly Global Frequency newsletter from faculty member Matt Devost, which covers cyber and tech.  

Our faculty also recommend the second category, cyber fiction! Recently, I’ve enjoyed the Phoenix Project and the Unicorn Project (Kim, et al) along with Project Zero Trust (Finney), which are novelized accounts of the troubles of managing large-scale, modern IT initiatives. They are far more interesting than you’d imagine (“wow, I hope they get through this next change-management meeting so they can ship on time!”) but more importantly they give a very readable perspective of the actual problems deploying and maintaining enterprise technology.

Many of us were tempted into the field because of cultural depictions and these books can be an easy introduction. Neal Pollard recommended the classic novels of William Gibson, especially Neuromancer which first introduced the word cyberspace, as are those from Bruce Sterling and Neal Stephenson, especially Snowcrash, which first discussed cyberspace as a vivid place you (or well, your avatar) could visit. Many of us prefer Cryptonomicon, but that’s a big, nerdy (though action-packed) read. 

Matt Devost also recommends Local Heavens, a cyberpunk retelling of Gatsby, updating and extending the genre in more diverse directions. Our colleagues Peter Singer and August Cole write “useful fiction” to explore how future conflict might unfold, with many cool but realistic cyber themes, with books like Ghost Fleet and Burn In, along with a monthly column.

Third are reports from think tanks like the Atlantic Council, Center for a New American Security, Council on Foreign Relations, and the Center for Strategic and International Studies, These organizations are also holding a lot of virtual events during the quarantine that are open to the general public. 

Fourth, the Internet threat reports from major cybersecurity companies will give you a unique and up-to-date perspective. FireEye’s APT1 report made history, a private sector company calling out espionage – with in-depth analysis backed by evidence – by another country. CrowdStrike’s Global Threat Report is quite readable and there are now dozens of such reports focusing on adversary groups, that is, criminal hacking groups or state-backed espionage teams. The Verizon Data Breach Investigations Report and reports from Ponemon are on cybersecurity more generally and the costs of cyber crime.

Last, there is the more technical literature, especially tied to hacking skills and certifications. Over 20 years ago I started with Hacking Exposedand faculty member Charles Carmakal said it “was my go-to book when I started my career.” The authors have kept the book updated so it is now on its seventh edition. Study guides for Security+ and Certified Ethical Hacker are also useful. Only dive into these if you care about such things and can deal with sometimes daunting technical material right out of the gate. They're important but you might start with the other material first.

Social Media, Movies, and Podcasts

Beth Cartier called out the Darknet Diaries podcast for special attention, as “a fantastic bridge between storytelling and the technical concepts” of cybersecurity. Many of us also rely on the CyberWire Daily for news updates while Click Here has more in-depth reporting. In long-form podcasts, BBC’s Lazarus Heist and the Economist’s Scam Inc are excellent.

Neal Pollard also wanted to highlight how many SIPA faculty and our colleagues got into the field because of depictions we saw in film. Check out this SIPA-produced short film discussing the impact of classic movies like Sneakers, Wargames, and, of course, the Matrix.

Unfortunately the community has somewhat fragmented in social media, as many of us now avoid posting to X. LinkedIn is picking up some of those posts, but imperfectly so.

Getting a Basic Technical Background

If you want a job in cybersecurity, then you must have some understand of what happens on the other side of your screen. If it still seems like magic, then your analyses won’t have enough foundation. Fortunately, even a modicum of basic computer science or programming can be enough for you dispel the fog of magic and learn key concepts and terms. The deeper you can go, the more job options open up for you.

Any of the basic computer science classes available on the various MOOC platforms (EdX, Coursera, Udemy, etc.) will be a great start. Maryland’s Cybersecurity for Everyone and Harvard’s CS50L are popular options. And get as much Python as you can, not just for cyber but to help you at SIPA and any job afterwards. If you can handle the quant, consider pairing cyber classes with the concentration in Data Analytics and Quantitative Analysis.

Once you feel a little more confident with technical skills, Charles Carmakal has some advice: “when I speak to students who want to get into the field, I ask them to download VMware Workstation, install test systems, and play around with the tools in Hacking Exposed.”

Within the cybersecurity fields, a certificate is a routine credential to demonstrate you have special knowledge or skills. Once you get to SIPA, we strongly recommend getting a Google Cybersecurity Certificate, which we offer to you for free, thanks to Google’s generosity. Students tell me it is about as much work as a three-credit SIPA course and is packed with solid technical knowledge and practical skills. The higher-end certifications, such as those from SANS, are often highly specialized and more expensive (often paid for by companies to train their staff).

This brief list of recommendations will get you off to a great start in studying cybersecurity policy, and you’ll be well prepared for cyber-related classes at SIPA. More importantly, you’ll be on your way to an exciting career in a field which has difficult and interesting challenges and is well paid and chronically understaffed. I look forward to your joining cybersecurity as a colleague!