After a thirty-year career in cyber security and with a desire to share my passion for it, I entered the classroom as a lecturer at the South Central Institute of Technology. Now in my third year as a full-time educator, I have been on a professional journey that has taught me a great deal, including a very different way of operating compared to my experience in industry.
I’m a very practical person by nature. I learn by doing; in reality, trying, failing, trying again, etc., until I succeed. Theory only gets us so far and I know from my own personal experience that unless I anchor my knowledge in something tangible, new information can erode quickly. I also believe deeply that difficult conversations and debate are essential to understanding a topic well.
My classroom activities have a strong practical element – cracking passwords, hiding data with steganography, performing a forensic analysis with autopsy software and, among many other things – a class outing to the dark web. This is a very well-attended lesson which, while billed in something of a controversial way to drive excitement, addresses some very serious points.
It is important to point out that all of my students are aged 18 or over, and some of them will have been using the dark web for several years with information they’ve personally researched on the internet. The quality of this information ranges from the good to the downright dangerous.
The lesson is conducted using just-in-time Azure Cloud Virtual Machines, which the students have learnt to build in an earlier lesson. The Virtual Machine (VM) is both an enabling tool and a protective layer; if it gets infected with malware, then you just delete it and start again. Using an Azure VM – as opposed to a constrained dedicated educational VM – has a reinforcing action on prior learning as well as instilling essential, work-ready cloud skills and knowledge.
The students will then download and install anti-virus tools and the TOR Browser to their Virtual Machine and at this point we stop to discuss what we are about to do. First, we debate the dark web. What is it? How does it work? What are secure routes? Are you really anonymous there? What are the risks? Many learners don’t know there is more law enforcement on the dark web than anywhere else on the internet; in fact, one of our destinations is the CIA dark web homepage.
We debate online marketplaces; the places where you can buy literally anything. We talk about how users can know they are not law enforcement sting operations (there are many); and what happens if the site is raided and customer details are seized (yours will be too, and then they will be routinely shared with law enforcement agencies around the world).
We also debate the dark web as a force for good, which it certainly can be. It offers freedom of speech not permitted by oppressive regimes and the ability to research and self-solve Ransomware attacks. These essential topics balance conversations around more lurid areas such as drugs, firearms and fake passports
When I explained this lesson at the Education and Training Foundation’s ‘Big Data, Cyber Security and the Future of Learning’ conference earlier this year, a small number of people in the audience expressed a valid safeguarding concern: that such a lesson could expose learners to information that would put them at risk.
In response, I think we need to ask whether there is a better environment in which these learners could be informed and guided on this subject. A significant percentage are already exploring the dark web, guided by information from forums. Many aren’t insulating themselves well from malware attacks, and many are registering on websites and online marketplaces that lead to guilt by association.
The answer I gave then and by which I stand now is that we have a duty as educators to explore the difficult, debate wisely and drive safety through better knowledge. If we don’t teach the right way of doing things, it will be taught by others – and almost certainly not how we’d want.