One of the strongest cybersecurity programs in the country has been percolating within the depths of City College of San Francisco. The brainchild of instructor Sam Bowne, the program has placed highly in two recent collegiate cybersecurity competitions and garnered national recognition from the National Security Agency and the U.S. Department of Homeland Security, despite having fewer resources than many of the colleges and universities it competes against.
To get to this point, the program has adopted unorthodox teaching styles, leaned on former students, and created continuity despite a state of constant flux at the school. The result has been a popular set of classes in a growing industry: Nearly every projection of the cybersecurity job market over the next few decades shows a shortage of workers.
The program has been so popular that instructors say they’ve been forced to turn away students because classes were full. Despite this, instructors have had difficulty getting more funding from the college to pay for additional teachers and classes.
Through the difficulty, Bowne and his cohorts — including part-time faculty member and team coach Elizabeth Biddlecome — have crafted a curriculum that’s both effective and appealing to prospective students.
Bowne has taught at City College of San Francisco (CCSF) for 20 years. A former database administrator, he first took a night class and then decided teaching looked like fun. He started teaching in Marin, and eventually made the switch to CCSF, teaching various computer classes. He had an abiding interest in cybersecurity and finally went to the most infamous convention in hacking, Defcon.
The convention, which started in the early 1990s, has ballooned to tens of thousands of attendees every year in Las Vegas. When Bowne went in 2007, it was abnormal for a college instructor to attend.
“At the time, Defcon had a bad reputation with academics,” he tells SF Weekly. “It was considered disgraceful to teach attack techniques.”
Bowne found a wealth of knowledge that wasn’t included in any of the classes he was teaching as a result.
“There was a guy from a European company that had made a malicious toaster,” he says. “He would connect it by a USB port and it would take over all the Windows machines in an office. Another guy would get ATM machines to pay out money. At the time, it was pretty exciting stuff. The hackers knew how to do this in the ’80s and ’90s but academics didn’t know about it.”
Bowne opted not only to incorporate the attacking techniques into his curriculum, but to teach students how to do hacking — how to go on the offensive. Conventional wisdom at the time was to teach only defense. Doing so was a calculated risk.
“Had my students turned out to be bad guys, I would have been fired,” Bowne says. “But it worked out.”
Bowne’s early strategy of teaching attack methods for cybersecurity paid off. Since the mid-aughts, the program has grown to an estimated 500 students and offers three different certificates, says Richard Wu, the other full-time cybersecurity instructor at CCSF. Wu, who started teaching at CCSF in 2014, has more experience in defensive methods.
“[Sam and I] actually complement each other because together we can see the bigger picture,” Wu says.
While the program proved popular, the team struggled at cybersecurity competitions. City College has some factors working against it in this arena. It’s a two-year program, unlike many other cybersecurity programs it competes against on the West Coast. Stanford University and the various University of California schools are all four-year programs, which means students on the cybersecurity teams have had more time to learn and prepare for challenges.
Cybersecurity competitions usually consist of scenarios created by experienced industry professionals. The exact format varies by competition, but generally students have no idea what they’re heading into and need to solve problems in a matter of hours. The best way to prepare for the scenarios is just to try and know as much as possible — a format that favors those who have had more time to learn and absorb information.
In addition to a more accelerated learning curve, it’s harder for a two-year program to maintain its team from year to year as students graduate. Community college students are also more likely to have full-time jobs or other commitments that prevent them from participating in time-consuming extracurricular activities like cybersecurity competitions.
Despite these factors, CCSF has performed well in recent competitions, a second place finish at the Western Regional Collegiate Cyber Defense Competition (WRCCDC) in March, and an outright win of the California Mayors Cyber Cup in February.
Joe Needleman is one of the event organizers for WRCCDC, helping to both run it and build the scenarios that competitors face.
“We don’t block community colleges [from competing], but because they usually don’t have as much experience and it’s harder for them to get teams together, they don’t participate as much,” he says. “City College is strong every year. They hold up with the 4-year schools that have double the amount of training. They’re very impressive. They have a good school that puts together some very good students.”
Former CCSF student and current part-time instructor Biddlecome has a lot to do with that.
Bowne had been the previous coach of the teams, but wanted to step aside for a few reasons. In addition to, in his opinion, being a bad organizer, Bowne wanted more women to join the cybersecurity program. A coworker told him that it wasn’t enough to say it: Women needed a role model to follow.
After Biddlecome took over as coach, there was an almost immediate increase in gender diversity in the program and the competition team.
“At my first competition, there were 10 teams of six,” Biddlecome says. “Out of those 60 competitors, two were women, myself and one girl from Cal Poly. The second year, there were three women, myself and two girls from Stanford. The first year I came in as coach, not only did we have parity on the team — three women and three men — we had a female co-captain and I’m pretty sure the first African American woman team member.
“As far as I know, I’m the only female coach in the country.”
Skills to pay the bills
In addition to winning competitions — one of the best learning tools in the business, according to Bowne — cybersecurity students at CCSF have been able to convert their newfound knowledge into jobs in the field.
Kerrie Lu started taking classes at CCSF in the spring of 2018, officially. Unofficially, she had been shadowing Bowne’s classes for awhile because she wasn’t sure she could do the program. While she was interested in learning more about cybersecurity for her job as a paralegal with the District Attorney’s office, she didn’t have a background in coding.
“I couldn’t find any programs that were small enough that I could manage,” she says. “Many of them were master’s programs or Ph.D. programs. Those were very advanced for me and they asked for prior computer science or coding experience. Someone pointed me to courses at CCSF. That’s what I wanted.”
Lu excelled and got recruited onto the competition team. Despite her lack of coding experience, she found her niche in compliance and policy. By attending both competitions and cybersecurity conventions, she made connections which eventually translated into a job as a security analyst. The new gig is a significant pay upgrade over her previous job with the District Attorney — and she hasn’t even completed her certificate program yet.
Lu’s success isn’t surprising. Employers are desperate to hire more cybersecurity professionals.
“Saying there’s a shortage is an understatement,” Bowne says. “It’s ridiculous. Everybody gets hacked. No matter what you buy or who you are or where you are, you’re gonna get hacked. It’s getting worse every year by a large amount.”
Bowne says this in a calm, matter of fact tone — he’s not worried about it, just presenting the facts as he sees them.
“There’s never any perfect safety in the cyber world or the real world,” he says. “You can either be clueless and take random risks by not protecting yourself, or you can educate yourself and take calculated risks.”
Still, it underscores the desire employers have for more cybersecurity experts. Which makes it more frustrating for the instructors at CCSF that they haven’t been able to get more funding.
Wu, Bowne and Biddlecome all say that they’ve had to turn away students because there’s not enough room in the classes. City College has been under pressure in terms of both budget and accreditation for the past several years and has had to cut classes and positions to make ends meet. Still, faculty are frustrated that more resources — even if it’s just making part-timers like Biddlecome full-time — haven’t been made available to help satisfy demand.
“CCSF takes accolades off the backs of some of our very best part-time faculty. This is unacceptable and an embarrassment to take the accolades on their backs, from their work, and not open up full-time positions for them,” said Abigail Bornstein, a computer networking and IT (CNIT) faculty member at CCSF, at an Oct. 24 meeting with the school’s Board of Trustees.
Thomas Boegel, vice chancellor of academic affairs at CCSF, says the CNIT budget has been constant from Fall 2019 to Spring 2020, and that every department’s budget is smaller than in 2018.
“The number of cybersecurity-related classes has been slightly growing from Spring 2019 through Spring 2020,” he wrote in an email to SF Weekly. “Over 500 seats in cybersecurity-related classes are currently planned for Spring 2020.”