This Month's Q&A: May 2021
UA Little Rock’s Trojan Cyber Arena
IF THE JOB is to spread the word about cybersecurity—both its personal dangers and its career opportunities—who better to head the mission than a teacher? And not just any teacher, but one whose chosen specialty is middle school. “Middle school is really when they make or break their future career choices,” says Sandra Leiterman, who is completing her first year as Managing Director of UA Little Rock’s Trojan Cyber Arena, formerly known as the Cyber Gym. We sat down with Leiterman to hear her thoughts on this exciting new cybersecurity outreach program to young students all across the state.
First of all, for our readers who know UA Little Rock’s cybersecurity center as the “Cyber Gym,” tell me when and why the name was changed to the Cyber Arena.
We changed it just recently—basically for legal reasons. Someone else had copyrighted the “CyberGym” name.
That makes sense. And what were you doing prior to joining the Cyber Arena?
I’m from Wisconsin, north of Green Bay. I moved to Arkansas in 2006, got my Bachelor’s in Middle School Education from UA Little Rock, and graduated in 2010. Then I taught middle school math and science for five years. During that time, I also wrote a state approved STEM curriculum to kind of change over one of our elective classes that wasn’t very productive. We called it Design and Discovery, and I had the students start with the history of technology. Then we went into patent researches and I taught them the difference between invention and innovation. Then we just did a whole bunch of different STEM projects that were more engineering related.
Where were you teaching?
Fuller Middle School, which is part of the Pulaski County Special School District. I taught there for four years. When I started, we were the lowest-attended middle school in the district with the highest discipline problems. In three short years—with the amazing leadership that we had and a great education team—we were named a STEM school of excellence by the International STEM Education Association. So we really did some awesome things.
I once gave a talk to a middle school class, an excruciating experience. That age strikes me as notoriously difficult, so tell me, what attracted you to them?
They are notoriously difficult, and dealing with them requires a perfect balance of guidance and sarcasm. But they’re in that moldable age, and there’s tons of research out there that shows that middle school is really when they make or break their future career choices, their study habits, all of that. For me, I remembered my middle school years and how spirited I was, and I wished I’d had somebody who believed in me and encouraged me.
I love those kids at that age. They come in as these little shy sixth graders and that whole year is when they really mold into their personalities. It’s just really fun to watch their confidence come up—or not. Then seventh grade is kind of that awkward middle year where they’re like, “Oh, maybe I made some bad decisions in sixth grade. Maybe I want to go this other way.” Then in eighth grade they’re on top of the world again. “We own this place!” Overall, I think they want guidance. They want somebody to believe in them. They want structure, but they’ll never admit that they want it.
On the UA Little Rock website, you say that teaching middle school was your first brush with cybersecurity.
Yes. In my class I went paperless. I had a little Mac lab with 25 MacBook computers. I actually did Google Classroom before it was a thing. I just used Google Drive and I made all my assignments on there, all my folders. I did all the work that today is done for you. It was pretty amazing.
But before I would let any of my kids get their school email address and log on to the Google Drive, they had to go through the Common Sense Media online safety and security program and earn their Digital Citizen Certificate. They had to do that before I would let them participate in the online learning.
Why was that? Were they just being loose and wild and not paying attention to what needs to be paid attention to?
Yep, pretty much. And the thing is, I feel like parents are far too trusting today. They want to be their kids’ friend, so they give them a phone at 12 years old and then pay no attention to what they’re doing with it.
But these kids need to know the dangers that lurk in sharing their location or posting things where they are, who they’re with, what they’re doing—that’s one piece of it. The other piece is when they post things to their Facebook or Twitter, even if they delete it, it gets screen shot and it can be shared and can come back to haunt them forever. So we talk about the digital footprint and how important that can be even in sixth grade. It’s those kinds of things that nobody’s teaching these kids, and they need to know it.
How do they respond to that? “Oh, you’re so uptight”?
There’s a little of that, but it’s also eye opening for many of them. I shared with them a couple of different FBI and police stories where they were able to track down a girl and gain her trust by giving her all of the secret family information. And then they kidnapped her.
They were able to do that because of everything she’d posted online. They knew where she played softball, what her number was, who her friends were, who her family was. I mean, they scared the heck out of the girl, but her parents knew what was happening.
It was a strong way to teach some important lessons: You don’t know who’s out there, who’s lurking, and even if you keep your stuff private, who else is watching? So it was a lot of the Internet safety that didn’t necessarily apply to working on the assignments that I had online, but I felt strongly that they needed to know this stuff. And when I say that parents aren’t teaching their kids about Internet safety, it’s not that I think they’re just not doing their job. Parents don’t know all the dangers either.
So your take on cybersecurity in your classroom was more of a “personal cybersecurity” as opposed to the “nation-state” kinds of threats.
Right—let’s just keep these kids safe.
Sounds to me like you’re the perfect person to be doing this student outreach for the Cyber Arena. How did you become involved with it?
Well, in 2015 I got my Master’s in Digital Teaching and Online Learning from UA Little Rock, and I was working as a Math Education Specialist in the STEM Center. I spent 50 percent of my time on Arkansas Department of Education math initiatives. I was doing professional development for teachers throughout the school year and over the summer. The other 50 percent of the time I could do pretty much whatever I wanted in STEM education, and I did a lot with Girls in STEM and robotics. Those are my other two passions.
I officially started this position in June of 2020, but I started interacting with Philip Huff, Director of Research with the Trojan Cyber Arena, and his people in 2019. That’s when they got the PROMISE Grant, which is what started what was then the Cyber Gym. Their mission was to train teachers in cybersecurity.
So they had all this amazing content, but they didn’t have the connection to the schools. And Dr. Carolina Cruz-Neira, who was head of the Computer Science department and director of the Emerging Analytics Center at the time, recommended that they bring me in. “She’ll get you hooked up,” Carolina said, so I worked with them in getting the teachers into the training. And then I spent the week with them basically just learning and watching, and it was mind blowing.
There were just all the different modules, from password security to phishing to ransomware. And what’s cool about this program is that in the workouts that Philip and his people designed, you get to see them from both the attacker’s side and the victim’s side. I mean, after watching some of these courses, I was like, “I don’t know if I want to be online again. Maybe I should delete all my social media. Maybe I don’t want my cell phone.”
One of the modules we do is about mobile forensics, and it’s probably one of the most eye opening to students about online safety and security. They go through a supposedly deleted cellphone image, and they’re able to recreate everything. We have another module where George kidnaps a monkey, but you’re still able to find out where he went, who he traveled with, where he’s from, where this monkey is.
Another great module is a kidnapped dog—Belle the dog. That one appeals to kids a little bit more, but you know it’s the setup, the drop off, where they are, the whole location. And the students are like, “Wait, these are deleted files?” Yes they are, and from the “deleted” files we can create this entire case. And the students are just like, “Oh my god.”
Is it fair to say that your arrival marks a new phase of the Cyber Arena?
Yes. We started in 2019 training the teachers. Then in December 2019 we actually got a big grant from the Arkansas Department of Education to make it go global. So we, in collaboration with Virtual Arkansas, designed an online cybersecurity course—levels I, II, III, and IV—that’s being deployed free of charge to every high school student in the state of Arkansas through the Virtual Arkansas platform.
My role is to keep this up, so we’re doing summer camps. We’re doing events. Of course, I officially started in the middle of the pandemic, so nobody would let me in the schools. But I did a Women in Cybersecurity virtual event partnered with the Women’s Foundation of Arkansas. Last October, we did that on International Day of the Girl. I had an FBI mobile forensics agent, a female Certified Systems Security Officer who is the manager of the Secure Operations Center at Simmons Bank, a security analyst from Arvest Bank, plus female security experts from Acxiom and Edafio. So all these wonderful women in leadership positions in cybersecurity were my panelists, and we had 60 girls log on on a Sunday afternoon to hear all about it and participate in the cyber workouts.
Then a couple of weeks later we did another very similar event, but this was for Cybersecurity Awareness Month. So we had another summit where I invited speakers. And last summer we organized a summer camp in about three weeks’ time. We had almost a hundred kids come through. We had four different sessions over a two-week period and again, it’s pretty amazing the speakers that we had. A lot of them chose a different path first or they didn’t know this is where they were going. Or it kind of fell into their laps, so their stories are really essential to hear, especially in Arkansas where we have a lot of students of color. We have a lot of students who fall into a low socioeconomic bracket.
And for both, we need to make them aware of the career opportunities that are available to them. The second thing is, so many of these kids think they can’t do it because to get one of these big glamorous jobs, they’ll have to leave home. And our low-income students, they especially don’t want to leave home. They don’t want to leave their small hometowns. So they can get a degree online, and a lot of times they can work from home in their hometowns. So it gives them something to strive for.
Initially, all of the outreach was to high school students. But I got our team to buy into the need to also go into middle schools. That’s when these kids are making their decisions about what they want to do, where they want to go. There’s one research study showing that by eighth grade many have pretty much decided on their career path. So we go down to seventh grade now, rising seventh graders.
We had probably about 10 or 15 middle school students in our camp last summer. And we’re doing another one this July — the dates are July 12-16 and 19-23.
Is the camp virtual?
Last year it was virtual. This year we were awarded a GenCyber Grant, which is a prestigious nationwide program sponsored by the NSA. We had submitted a grant proposal, basically outlining what we wanted to do and who our target audience would be. We’re the first in Arkansas to be awarded the GenCyber grant, and we’ll have capacity for up to a hundred students face-to-face or virtual. Our face-to-face part will be limited to just 25 students, but a majority of our applicants are wanting to do virtual anyway.
What’s your biggest challenge in getting the word out?
One of the biggest challenges is that I can’t be everywhere. But hopefully this fall things will open back up, and we have plans to do outreach all across the state. We’re developing a cybersecurity concept escape room that we’ll take on the road and set up events and just invite people to come see us. We’ll put the word out through schools, local education co-ops, or statewide email lists, as well as on social media.
It'll be both fun and educational. We’ll have five different rooms that the participants have to get out of, and each room will have a specific task that they must accomplish in order to get the information and move on to the next room. They’re all going to be different cybersecurity concepts. So we’ll have one on lock picking, where they’ll have to learn how to pick a lock and get into the file cabinet to get the credentials to log in. And, of course, lock picking relates to password security.
Which reminds me, another big challenge we have is that so many people think, Oh, that’s not going to happen to me. But a lot of the attackers are moving from big business to smaller targets, because they’re easier to hack.
So I can’t say it enough: When Google says to update Google Chrome, do it. It’s not to make your life difficult. It’s because there’s a security breach somewhere and they want you to be protected. When Apple sends out an update on your iPhone, do it. Protect yourself, do these updates. If something says change your password, change your password. Don’t use the same password on every account. Use a password manager. Use an authenticator app. There are so many easy ways to protect yourself.
It’s a scary world, and there are a lot of bad people out there. The best way to defend against those types of people is knowledge. You’ve got to beat them at their own game. And you can’t do that sitting idle. You have to know what they do and what they look for.
Is it easy? No. I have two-factor authentication on everything, and sometimes it really frustrates me. But, then, about a month ago, I woke up to a message that somebody in Taiwan was trying to get into my Apple account. And I had the option of allowing it or not. Right there in that moment, all my caution proved to be well worth the effort.