June 22, 2017

Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools, and yet they lack a Silicon Valley-like pipeline to help talented IT experts channel their skills into high-paying jobs. This post explores the first part of that assumption by examining a breadth of open-source data.

The supply side of that conventional wisdom seems to be supported by an analysis of educational data from both the U.S. and Russia, which indicates there are several stark and important differences between how American students are taught and tested on IT subjects versus their counterparts in Eastern Europe.

computered

Compared to the United States there are quite a few more high school students in Russia who choose to specialize in information technology subjects. One way to measure this is to look at the number of high school students in the two countries who opt to take the advanced placement exam for computer science.

According to an analysis (PDF) by The College Board, in the ten years between 2005 and 2016 a total of 270,000 high school students in the United States opted to take the national exam in computer science (the “Computer Science Advanced Placement” exam).

Compare that to the numbers from Russia: A 2014 study (PDF) on computer science (called “Informatics” in Russia) by the Perm State National Research University found that roughly 60,000 Russian students register each year to take their nation’s equivalent to the AP exam — known as the “Unified National Examination.” Extrapolating that annual 60,000 number over ten years suggests that more than twice as many people in Russia — 600,000 — have taken the computer science exam at the high school level over the past decade.

In “A National Talent Strategy,” an in-depth analysis from Microsoft Corp. on the outlook for information technology careers, the authors warn that despite its critical and growing importance computer science is taught in only a small minority of U.S. schools. The Microsoft study notes that although there currently are just over 42,000 high schools in the United States, only 2,100 of them were certified to teach the AP computer science course in 2011.

A HEAD START

If more people in Russia than in America decide to take the computer science exam in secondary school, it may be because Russian students are required to study the subject beginning at a much younger age. Russia’s Federal Educational Standards (FES) mandate that informatics be compulsory in middle school, with any school free to choose to include it in their high school curriculum at a basic or advanced level.

“In elementary school, elements of Informatics are taught within the core subjects ‘Mathematics’ and ‘Technology,” the Perm University research paper notes. “Furthermore, each elementary school has the right to make [the] subject “Informatics” part of its curriculum.”

The core components of the FES informatics curriculum for Russian middle schools are the following:

1. Theoretical foundations
2. Principles of computer’s functioning
3. Information technologies
4. Network technologies
5. Algorithmization
6. Languages and methods of programming
7. Modeling
8. Informatics and Society

SECONDARY SCHOOL

There also are stark differences in how computer science/informatics is taught in the two countries, as well as the level of mastery that exam-takers are expected to demonstrate in their respective exams.

Again, drawing from the Perm study on the objectives in Russia’s informatics exam, here’s a rundown of what that exam seeks to test:

Block 1: “Mathematical foundations of Informatics”,
Block 2: “Algorithmization and programming”, and
Block 3: “Information and computer technology.”

The testing materials consist of three parts.

Part 1 is a multiple-choice test with four given options, and it covers all the blocks. Relatively little time is set aside to complete this part.

Part 2 contains a set of tasks of basic, intermediate and advanced levels of complexity. These require brief answers such as a number or a sequence of characteristics.

Part 3 contains a set of tasks of an even higher level of complexity than advanced. These tasks usually involve writing a detailed answer in free form.

According to the Perm study, “in 2012, part 1 contained 13 tasks; Part 2, 15 tasks; and Part 3, 4 tasks. The examination covers the key topics from the Informatics school syllabus. The tasks with detailed answers are the most labor intensive. These include tasks on the analysis of algorithms, drawing up computer programs, among other types. The answers are checked by the experts of regional examination boards based on standard assessment criteria.”

Image: Perm State National Research University, Russia.

Image: Perm State National Research University, Russia.

In the U.S., the content of the AP computer science exam is spelled out in this College Board document (PDF).

US Test Content Areas:

Computational Thinking Practices (P)

P1: Connecting Computing
P2: Creating Computational Artifacts
P3: Abstracting
P4: Analyzing Problems and Artifacts
P5: Communicating
P6: Collaborating

The Concept Outline:

Big Idea 1: Creativity
Big idea 2: Abstraction
Big Idea 3: Data and Information
Big Idea 4: Algorithms
Big idea 5: Programming
Big idea 6: The Internet
Big idea 7: Global Impact

ADMIRING THE PROBLEM

How do these two tests compare? Alan Paller, director of research for the SANS Institute — an information security education and training organization — says topics 2, 3, 4 and 6 in the Russian informatics curriculum above are the “basics” on which cybersecurity skills can be built, and they are present beginning in middle school for all Russian students.

“Very few middle schools teach this in the United States,” Paller said. “We don’t teach these topics in general and we definitely don’t test them. The Russians do and they’ve been doing this for the past 30 years. Which country will produce the most skilled cybersecurity people?”

Paller said the Russian curriculum virtually ensures kids have far more hands-on experience with computer programming and problem solving. For example, in the American AP test no programming language is specified and the learning objectives are:

“How are programs developed to help people and organizations?”
“How are programs used for creative expression?”
“How do computer programs implement algorithms?”
“How does abstraction make the development of computer programs possible?”
“How do people develop and test computer programs?”
“Which mathematical and logical concepts are fundamental to programming?”

“Notice there is almost no need to learn to program — I think they have to write one program (in collaboration with other students),” Paller wrote in an email to KrebsOnSecurity. “It’s like they’re teaching kids to admire it without learning to do it. The main reason that cyber education fails is that much of the time the students come out of school with almost no usable skills.”

THE WAY FORWARD

On the bright side, there are signs that computer science is becoming a more popular focus for U.S. high school students. According to the latest AP Test report (PDF) from the College Board, almost 58,000 Americans took the AP exam in computer science last year — up from 49,000 in 2015.

However, computer science still is far less popular than most other AP test subjects in the United States. More than a half million students opted for the English AP exam in 2016; 405,000 took English literature; almost 283,000 took AP government, while some 159,000 students went for an AP test called “Human Geography.”

A breakdown of subject specialization in the 2016 v. 2015 AP tests in the United States. Source: The College Board.

A breakdown of subject specialization in the 2016 v. 2015 AP tests in the United States. Source: The College Board.

This is not particularly good news given the dearth of qualified cybersecurity professionals available to employers. ISACA, a non-profit information security advocacy group, estimates there will be a global shortage of two million cyber security professionals by 2019. A report from Frost & Sullivan and (ISC)2 prognosticates there will be more than 1.5 million cybersecurity jobs unfilled by 2020.

The IT recruitment problem is especially acute for companies in the United States. Unable to find enough qualified cybersecurity professionals to hire here in the U.S., companies increasingly are counting on hiring foreigners who have the skills they’re seeking. However, the Trump administration in April ordered a full review of the country’s high-skilled immigration visa program, a step that many believe could produce new rules to clamp down on companies that hire foreigners instead of Americans.

Some of Silicon Valley’s biggest players are urging policymakers to adopt a more forward-looking strategy to solving the skills gap crisis domestically. In its National Talent Strategy report (PDF), Microsoft said it spends 83 percent of its worldwide R&D budget in the United States.

“But companies across our industry cannot continue to focus R&D jobs in this country if we cannot fill them here,” reads the Microsoft report. “Unless the situation changes, there is a growing probability that unfilled jobs will migrate over time to countries that graduate larger numbers of individuals with the STEM backgrounds that the global economy so clearly needs.”

Microsoft is urging U.S. policymakers to adopt a nationwide program to strengthen K-12 STEM education by recruiting and training more teachers to teach it. The software giant also says states should be given more funding to broaden access to computer science in high school, and that computer science learning needs to start much earlier for U.S. students.

“In the short-term this represents an unrealized opportunity for American job growth,” Microsoft warned. “In the longer term this may spur the development of economic competition in a field that the United States pioneered.”


134 thoughts on “Why So Many Top Hackers Hail from Russia

  1. Richard Brennan

    This may be the most important entry you’ve ever posted…

    I took my first computer programming class at Gunn High School in Palo Alto CA in 1965-66. Imagine if the initiative shown at that early date had been continued and adopted in schools elsewhere,

    BTW: They couldn’t find a computer for students to actually run programs on… so we had to drive our card decks over to SLAC (Stanford Linear Accelerator Center) … to run on the Burroughs mainframe! Go B5500 ALGOL !!! YES!

    1. Binford

      But the question is … do you still have your program punch cards from then ?? 😉

      1. Michael

        Why/ Are you hankering to buy some?

        I have a FORTRAN deck from 1965 and six hand-coded decks from 1979.

        Dunno what computer ingested the FORTRAN; that was “glass house” days. The other decks were for IBM 4341.

        1. JCitizen

          I always thought it was hilarious that I used to process punch card sheets for the keypunch operators at the state capitol with a Xerox 35k memory writer, that had more capability that those old machines ever would have. Governments are not want to change very quickly, and I can’t say I blame them because those punch cards made an excellent data backup.

  2. John Markh

    The main problem is, as you have stated, the Russians are doing it for the last 30 years, and we will probably feel the impact of any changes in policy in at least 10 years…

  3. Santa Claus

    How Can Businesses Close ‘The Cybersecurity Gap’? (venturebeat.com) 179
    Posted by EditorDavid on Sunday June 18, 2017 @11:34PM from the help-that’s-hard-to-hire dept.
    Companies can’t find enough qualified security personnel, and fixing it requires “a fundamental shift in how businesses recruit, hire, and keep security talent,” according to a VentureBeat article by an Intermedia security executive:
    The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues — what we need are people who can protect businesses environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don’t have the time to keep up with the latest developments in the field — and even in their own security tools… The fundamental problem facing the skills gap, however, is that there aren’t enough people coming into the field to begin with. Here, companies need to do two things: step-up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed…

    Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee — especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.

    The article also cites a study which found “about a quarter of all cybersecurity positions are left unfilled for about six months.”

    1. Arthur C. Clarke

      Greetings from Arthur C. Clarke. I want to inform you that Stanley Kubrick and I conducted a secret experiment using quantum entanglement and telepathy to communicate with an interface. Aliens do indeed exist in another realm now and the Akashic Records. The interface with GOD/ Grand Galactics and aliens is on Facebook. Although, he has not seen the aliens physically, he talks to the ones that have lost their forms in evolution. This experiment was so secret, that even the United States government did not know about it. Stanley insisted on the independence and secrecy of the project. Namely, talking with the dead and/or aliens. It brings me great joy and pleasure to inform you that the experiment was an extreme success. The interface’s telepathy with us has verifiable proof on Facebook and he is willing to undergo a battery of tests and scrutiny to show his evolution to a higher state of consciousness. No other private or governmental agencies have been successful in talking to formless aliens, Grand Galactics / GOD. Our interface is a Photographer, United States Marine, Artist, Underwater Explorer, Aviation Technician, Lawyer, Humanities major and has direct genetic links to Shamans and rulers at Gobekli Tepe , biblical heroes, Anatolian / Armenian Kings and interestingly for Stanley, he is also related to Napoleon, Jefferson, Franklin and one of the interface’s favorite minds, Tesla. Aliester Crowley/ 666 and Led Zeppelin were also instrumental in the evolutionary development of the telepath’s higher state of consciousness.

      Arthur C. Clarke

      Stanley Kubrick

      666

  4. IRS iTunes Card

    This is one of the reasons why scammers in third world countries ( like India) are taking advantage of Americans , due to people here lacking computer and internet security skills which SHOULD learned at a early age.

  5. Dom

    ‘found that roughly 60,000 Russian students register each year’
    You seem to be missing a zero.

    1. dom

      Of course I may have misread read it.
      Please disregard and delete.

      1. stephen

        nope, either its 600,000 or 60,000

        ““Informatics” in Russia) by the Perm State National Research University found that roughly 60,000 Russian students register each year to take their nation’s equivalent to the AP exam — known as the “Unified National Examination.”

        Those numbers suggest that more than twice as many people in Russia — 600,000 — have taken the computer science exam at the high school level over the past decade.”

    2. BrianKrebs Post author

      Read on to the next sentence. The report doesn’t say 600,000 in ten years. That’s me extrapolating, which is why it’s in a separate paragraph.

      1. stephen

        ah ha! dyslexia strikes again. going from implied dates to 1 year to 10 years.

  6. Pessimistic Pete

    Maybe those so inclined just do it because it’s relatively easy to make money (the opportunity). That type in America would certainly become a lawyer or Salesperson.

    1. zboot

      “Maybe those so inclined do it” . . .do what?

  7. Callsign Double D

    Very informative as always. However, the root cause is our educational and societal culture. We have been dumbed down as a nation, as a culture, all in the name of fairness & equality. To meet the demands of the future, we need to make schools challenge the top 20% of learning achievers, once again, raise the standards of the next 60%, and equip, rather than dumbing down to the bottom 20%.

    The sad commentary in all of this, if you were to adopt an educational narrative in education, some group or element (ACLU, pic a name), will ultimately challenge you against the best interest of the kids, society, and the nation. All the other previous comments are good, but are moot until you address the root cause which is making education educate and encourage top performance/success–not the “drag and drop” method of the last 40 years.

    1. jjmel

      sounds good, but the fact is standards have gone up over time, as does IQ, generally, with every generation (flynn effect). so we are definitely not getting dumber. maybe youre just growing more critical as you age.

  8. Santa Claus

    read the story about jobs here…as long as security people feel like they are in north korea we’ll have this problem…

  9. Marin

    You should dig a bit deeper. Russian, and broader Eastern European (EE) hackers and programmers stood out for decades even before the “informatics” curriculum was implemented.

    Look up differences in mathematics education in Russia in US. Not just how much more demanding it is for kids in EE, but also what what it represents and what’s the teaching approach. Maths in EE is considered a tool for teaching critical thinking. In US the emphasis is on useless memorization and rote procedures.

    1. zboot

      You’re wrong about the emphasis in the US in EE – at least, this is the perspective of a US educated EE. I think the bigger issue, in the US, EE covers a huge amount of engineering discipline. In other countries, it’s more narrowly focused and there are separate programs that are otherwise “sampled” in EE.

      So what happens is a US EE graduate with a bachelors will have knowledge of a wider range of fields (and thus, wider potential job opportunities). The downside is that focus in a particular area tends to require either higher level education or extrinsic motivation on the graduates part to gain that experience/knowledge in addition to the general EE background.

      So, EE education has largely followed the needs of the market, general purpose EEs who are capable of becoming useful in any EE related discipline within a couple months of starting work. Elsewhere, available job opportunities have been much more narrowly focused, so you don’t need an EE that understands analog circuit design just as well as they do digital design and needs to be able to jump between the two.

      As Brian wrote, the biggest cause for the discrepancy is the general educational targets in the US. As much as we’ve pioneered the CS field, it’s just one of many that are also pretty involved in US economic success. Unless we’re going to make school mandatory year round, lengthen the school day, and pay teachers more, all that would happen by shifting priorities is just lead to someone who blogs in a different field lamenting how some other country is eclipsing the US in producing workers for that discipline.

      We shouldn’t shift priorities just to “beat the Russians at IT”, we need to first evaluate what our overall priorities should be, then set priorities. Otherwise, we’ll be yoyoing around the next thing some other country is beating us at and never making real progress.

      1. Nobby Nobbs

        I think you guys are talking at cross-purposes. He’s using the abbreviation “EE” to refer to Easter Europeans, while you are talking about Electrical Engineers.

        Not that I don’t see bits I agree with in both your essays, just wanted to mention the non sequitur.

      2. Marin

        This is wonderful. You saw something that appeared indirectly critical of you and without actually reading my whole (short) comment you wrote a long unrelated essay.

        In my comment “EE” means Eastern Europe, as I indicated. Not Electrical Engineering.

        But to try and save your comment, let me add: I agree that the answer is not yoyoing around or for the US to adopt a similar “informatics” curriculum. I think that a more important factor for the Eastern Europeans’ success in IT is not the “informatics” curriculum but the education approach that emphasizes critical thinking. Education in the US could use some more focus on critical thinking whatever the industry or discipline students are pursuing.

        1. JD

          I couldn’t agree more, and I am someone who has been educated in EE. That education also makes us much more pesiomistic and much more careful than people from the West.

    2. JCitizen

      The US hasn’t used wrote learning since the 1930s. You are way behind the times. However, an instructor that knows how to teach wrote learning can have great success, but that teacher wouldn’t have a life either, as the grading and correction necessary is intensive.

        1. JCitizen

          I’m not entirely sure I disagree with the author of that article, but memorizing mathematical formulas is not true rote(wrote) learning. Rote learning is an exhausting process where by the instructor hands out the assignment, and the student attempts to complete it – where any mistakes are made – the instructor writes the entire missing pieces of the problem that the student gets wrong, and hands the work back to them to be studiously copied to another paper in corrected form. This requires way too much grading time, for instructors in the US in modern times, and exhaustive rewriting by the teacher for each individual student.

          So either the definition for “rote” learning has changed, or they are simply mistaken by the true meaning of the word. Since secondary education is pretty well dictated by Federal guide lines, I doubt anyone has wavered very far from this model since the 1950s. They managed to shove the “new math” down the throats of the public school system in the mid 1960s, in an attempt to prepare children for computer based mathematical programming, but the draconian way they implemented it was a disaster – and US public education has been trying to catch up every since. I Lord don’t get me started on this new “Common Core” policy!

          1. JCitizen

            *correction – that’s Oh Lord not I Lord – I need to say as far away from that submit comment button as I can! 🙁

            1. anglocop

              @JCitizen: it’s “rote” learning, and “wont to” (not “want to”).

              1. JCitizen

                Thanks anglocop, I need help sometimes! =)

  10. Lakshan

    While this article makes interesting points on training and education differences, it does not address the topics of integrity and ethics.

    I can teach anyone to program, but I will only hire staff that I can trust, and the number of candidates (and hired staff) that demonstrate integrity is diminishing; this is a higher concern.

    1. BrianKrebs Post author

      Laskhan, you are correct. There are many aspects of this problem that are not explored in this article. That said, ethics/ingrity in this space is a very difficult thing to measure empirically.

      1. Jewtopia

        That is, it’s impossible to measure empirically.

        Hard to imagine such empiricism in a work/educational environment. Not many would hold a straight face if they hear “Marvin, for lying about washing your hands, that’s minus two honesty points on your quarterly review…”

    2. Gary

      I’ve been in the valley since the 80s. It used to be when you changed jobs, you only took what was in your head. Now the engineers steal code. I have no idea if this is encouraged in the hiring process.

      I know of one case in the 90s where an employee was trying to sell schematics of a chip to a competitor. Company ethics then were high enough that the companies did a sting and had this person arrested.

      Now I look at companies such as Uber with disgust.

  11. Riccardo Cabeza

    Filthy leeches. It would be helpful if the republican traitors could stand up to acts of war against the US.

    Then again, I guess it’s the republican party who thinks Americans are filthy leeches undeserving of health care.

    So, both sides, world is round, opinions differ etc.

  12. D L

    The problem is definitely the lack of emphasis in the K-12 education system.

    Three years ago, my daughter took a required “computer” course in high school. The Microsoft-sponsored curriculum consisted of learning the optimal ways of utilizing Word, Excel and Outlook. Unfortunately, it did nothing to enhance her understanding of computers or entice her to become involved in expanding the use of technology.

    In the USA, each state controls its own education system and requirements mandated by the Federal government are usually viewed with suspicion. The states have to do a better job of helping their students compete in the global economy.

    1. Nobby Nobbs

      Seconded!
      In fact, my kids had a hissy fit when I suggested they do their homework at my house on my Linux box. LibreOffice was poison as far as they were concerned.

      I discovered that the school wasn’t teaching Word Processing skills, but Microsoft Word per se.

      That was bad, IMNSHO.

      1. Gnecht

        In an English Composition course once, I had to save my work as an RTF file and upload it to the school’s website. I tried to use LibreOffice, but lost points for bad formatting due to differences in RTF implementation between it and Word. Experiences like that may be one cause of the behavior you described.

  13. TonyN

    This is some very good work, Brian.
    I like one of the other commenters took my first computer science class in high school in 1972, and have used computing in my working life for the last 40 years. Something went very wrong with the perception of the public.

    1. JCitizen

      We didn’t have computer science in our high school, but by 1979 we did have college outreach classes in BASIC programming. This introduction was fun for one class, but the drudgery of coding wasn’t my bag so I went for engineering. I really should have gone on to computer science in college, because in 1991 I took industrial robotics and automation, then I ended up, later on, after the turn of the century, taking a full CCNA course.

  14. mark

    How could the US catch up? Why, that would require NATIONAL standards, and funding, and, heavens to Betsy, you wouldn’t want to take local control away from local school boards, and we just *don’t* raise taxes, we only cut them.

    Suggesting all that just gives me the vapours….

    1. Steve

      Heavens to Betsy, huh? Yes, that expression assumes new relevance these days. Very clever!

  15. JCitizen

    I’d imagine that the reason a lot of Russian students end up “hacking” ( more accurately criminal cracking), is that reaching success in a legal way gets the attention of the oligarchs that want a piece of the action, to the point that even trying to be successful just ends up robbery from the government and/or powers that be.

    I can’t even imagine an Apple or Microsoft success story, because all the crooks would have their hands in the till to the point of failure. No one would bother trying when there is no chance of reaching for the sky without being robbed blind. Kaspersky is one of the few exceptions, but I think that company took advantage of the confusion following the dissolution of the CCCP, and was able to gain a toe hold in the western nations, and a position powerful enough to resist such criminal and corrupting market forces. I could be wrong, but that is how I see it.

    1. Alex P

      JCitizen… I know you get most of your news from Russia bashing media, but I could mention Yandex, Mail.ru, VK, OK, Kasperski… all major IT companies.

      They are surely not as big as Facebook or Google, but the services they provide are good enough to prevent Facebook and Google from taking over.

      1. JCitizen

        Thanks Alex P – I pray for the honest innovators over there and wish them the best!

  16. Mike Flanigan

    Great article. The state of the education system in the United States is such a shambles that the sad fact is that getting teachers to teach – on a large scale – the things that they do in the Russian system would be virtually impossible.

    Changing to a system that emphasizes actual practical knowledge and skill development (starting early), as opposed to abstract “here’s some stuff on that overall subject now that you’re in high school” – well, that would identify smart kids from the less bright, and it would do it early on. This would trigger immense social resistance, because here in the United States, everyone is above average, aren’t we.

    It’s no wonder Russia is kicking our ass in this area.

  17. Alex Q

    I always assumed the answer to the title question is simply that Russia isn’t interested in prosecuting cyber crime in the same way the US does; at least when the targets are outside its borders. Any truth to that?

    1. jjmel

      that is likely the case everywhere. why would any government waste resources on crime that its own citizens are not reporting because theyre unaffected by it?

  18. Brian

    Politics (as some in this post have brought up) aside, we as a nation (Federal and Corporate) say we value education and STEM but do not put our money (or other resources) where our mouths are. This article / post is looked out through the lenses of cyber security education somewhat and IT Generalists somewhat. What some might misinterpret is that the goal for our nation’s education system should be to mimic Russian and shoot for more “hackers” (traditionally called Crackers, but never mind). I don’t think that is what Brian is trying to draw a conclusion to but merely setting the scene as it were. If the focus on IT and CS (yes, I view those two as separate BUT complimentary disciplines) is redoubled and done smartly for the good of ALL public students in K-12 it would benefit the economy as a whole not just the cybersecurity industry (Fed/Mil/Private). Fact is that our world is increasingly automated and digitized. Those that are beholden to those tools and can not manipulate or create with the equivalent, modern-day forges, hammers, anvils and iron ore as it were WILL BE left behind, make no mistake. The skills that a Russian Informatics curriculum puts forth attempts to provide that base lining of skills and critical thinking that could be easily ‘ported over to other STEM and non-STEM fields for the benefit of all. My $0.02. I do not believe that this is “fad” as some in this comments section made mention that we would be wasting our time and yo-yo to the next big thing. This focus on CS is where we need to go; not exclusively, but this re-focus along with some of the so-called “humanities” both can be mutually beneficial and have positive feedback in to each domain’s further understanding AND application for the learner and hopefully later practitioner. My $0.02.

  19. Robert Sarukyan

    I think the reason why Russians are more successful at hacking is about the same as why Jews are more successful at finances than others. Its about sharing deep secrets between people. I will tell you one example: in Russia people openly talk about hacking secrets, coding secrets while in America if you try to do this you will be treated as very suspicious and people will immediately tell you this is illegal.

  20. rera

    Real reason coz carders hackers are under fsb.
    they offcourse work together mossad mi6 cia
    but now you know that so what you gona do next?
    Nothing offcourse,you cant even revolt coz police state will catch you.only thing is that u can continue 5-8work.slave

    1. BrianKrebs Post author

      I love that so many people on the dark side of computer security read this blog, and even more that many of them feel the need to add their perspectives here. Thanks for yours!

  21. Rodney Thayer

    No, I didn’t assume it was because of the IT training. I assume it’s because it’s the wild wild west. Lax laws, a society full of questionable practices, decades of experience working around “the system”. Scads of unemployed military types from the old soviet union.
    Nice riff on computer training but…. relevant? No.

    1. BrianKrebs Post author

      Rodney, nice to see you here. Your point touches on the second half of the assumption named in the lede of my story, which I said was not addressed by this article. However, from a logical standpoint, it is relevant because regardless of the ethics and morals of Russian IT experts who go to the dark side, they still have to have mastered the subject, and the reason why so more folks in Russia have mastered it IS explained here.

  22. nycman

    Seems like Russia’s education system fails as well, because they are not delivering skills that their economy can use. Perhaps there is some other skill shortage in Russia that it’s education system is failing to deliver.

    One criteria to decide what to study is the future opportunities in that field: salaries, industry size and growth rate, number of people going into that field, number of open positions, etc. If Russians are deciding to study CS, but there’s low demand for CS in their country, I’d say that’s a Fail. More practical people would decide to study things for which there is likely to be job opportunities in the future.

    There are lots of hackers in Russia because they are generally beyond the reach of Western law enforcement.

    1. Richard Steven Hack

      The Russian economy is doing just fine, thank you, by all accounts. – outside of some idiots on Bloomberg or The Economist.

  23. Tony

    Our obsession with blaming hackers is a waste of time. Hackers will hack. There is nothing we can do to rid the world of hackers. So why the focus on hackers???
    Why not focus our blame on the root cause of the hacking problem. Poorly designed systems.
    We CAN design secure systems.
    We CAN NOT stop all hacking attempts.
    So why not focus our resources on something that we can actually accomplish?
    Blaming the Russians accomplishes nothing.
    Throwing some software developers or corporate executives in jail will accomplish a lot.
    Focus on the root cause.

  24. babble

    There is one major factor being ignored here that could account for the numbers: the greater inclusion of women in STEM disciplines in Russia. (http://www.bbc.com/news/business-39579321)
    While the country is certainly not an exemplar of gender equality, it does recognize the practicality of being more inclusive in recruiting its workforce.

  25. RG

    In 1993, I had a BA in Secondary Education with a primary emphasis on Computer Science. I also still had the zeal and enthusiasm to pursue teaching CompSci to high school students as a career – and I was really good at it! Interview after interview, I showcased a 4-year program complete with AP classes and the passion to bring it about. The kindest words I received was that I was a visionary. Then would follow that 1) there was no equipment, 2) no budget, 3) no interest (I know, seriously?), 4) “that ‘computers’ was just an elective [here]”, and so on. My first real gig as a high school teacher was teaching history – an important subject to be sure, but one that spends all of its time looking backwards into the past.

    The need for comprehensive Computer Science / Engineering program was very real in the early 1990’s and has only gotten more acute. I wasn’t a visionary. I was just surrounded by short-sighted administrators who didn’t *want* to see how things were going, much less respond to it.

    The dotcom economy let me transition to a career professional programming and computer architecture. Today I’m an InfoSec “evangelist” and arguably earning a far better income than if I had stayed in education. But from time to time I’ve wondered how things might have been if I had found a school that was willing to acknowledge that computers were being used everywhere even then, and had found the courage to retool their curriculum to better-prepare their students for the future.

  26. Wladimir Palant

    Brian, I think what you are comparing there is misleading. It’s not just about computer science, you have to go deeper. People say that the Soviet school system has been geared towards producing rocket scientists and I have been in that system long enough to confirm that. Math and physics had a very high standing in the Soviet Union, with top notch didactics and teachers. Computer science classes around 1990 (cannot tell about anything more recent) on the other hand weren’t too great – but that wasn’t an issue, people who are strong in math and physics usually don’t have much trouble making a computer science career.

    That doesn’t mean that the Soviet system should be copied however. I can only compare to education in Germany where technical subjects are more of a trouble child. But German schools are good at other things that Soviet ones neglected due to their focus: all those “soft” subjects where you have to think for yourself rather than to follow a given set of rules. This might not help you become a great rocket or computer scientist, but it helps you grow up into a dignified and independent human being.

    1. v

      Heh, I didn’t see your post before posting mine, honestly 🙂

      1. Wladimir Palant

        Yes, funny to see your post right next to mine. Moderation took time, so you actually couldn’t see mine before posting yours :). We simply had the same thought and replied at the same time.

  27. v

    I think it’s incorrect to put too much focus on Computer Science vs more general – Maths, etc.

    As someone who graduated from high school in 1993 and from one of the top Moscow universities in 1999 – how we were taught CS was pretty laughable, actually. I only hope things have changed since then.

    Maths, though, was pretty solid. And with good foundations, CS can be dealt with with self-education.

    My daughter here (SFBA) learns some kind of “coding” (Scratch) while in elementary school. I’m not sure I even knew what computer was at her age.

    So, my concern is – we rush to create too many “coders” now, only to find out later that they are poorly equipped with foundations to adjust to The Next Big Thing – biotech, quantum computing, whatever it will be.

    1. doug

      Yes, the vast majority of programmers I hired did not learn it in HS or college. They picked it up on their own. There’s something vaguely addictive about programming. And it’s one of the few things where you can express your creativity and get recognized (and paid) pretty much on your own.

  28. John

    Two points:

    1) There are two AP computer science exams.

    The AP test described in the article is the “AP Computer Science Principles” test. It is a new test that was designed “to broaden participation” (College Board).

    There is another AP computer science test: “AP Computer Science A,” which requires students to know how to program in Java. The participation numbers at the end of the article are for this test. To see the official comparison of the two, search for “Unlike AP Computer Science A, which is taught in Java”.

    2) A more advanced AP Computer Science test used to exist (AB), but it was discontinued after 2009 because the number of students taking it was declining. To see the official announcement, search for “The AP Computer Science AB Exam will be discontinued following the May 2009”.

Comments are closed.