Carnegie Mellon University
December 16, 2022

Discussion with Matt Kaar: How the Scholarship for Service Makes an Impact

Scholarship for Service Alumnus Interview

INI Communications Team

Matt Kaar ‘06 is an INI faculty member, CERT Division cybersecurity exercise developer and trainer at the Software Engineering Institute (SEI), and an alumnus of the INI and the Scholarship for Service program. He also leads SEI’s involvement in The President’s Cup Cybersecurity Competition, the first of its kind focused solely on the U.S. federal workforce.

INI: How do the INI and SEI prepare students for cybersecurity careers?


Matt: At the INI, it's that mix between an interdisciplinary education and a heavy emphasis on practical application of the skills that they're learning. The Cyber Forensics and Incident Response (CyFIR) track, taught by INI faculty at the CERT Division, is an excellent example of that.

 The CERT Division at CMU’s Software Engineering Institute employs talented researchers and engineers across a variety of cybersecurity disciplines. By staying ahead of sophisticated threats and vulnerabilities, CERT works with sponsors to improve their defenses as well as help respond to incidents when they occur. CERT instructors at the INI bring this same mindset to their courses.

 The CyFIR track places INI students in realistic scenarios to teach them how to think through complex cyber problems. And this close proximity to a cutting-edge research organization gives INI students a huge leg up when preparing for their own successful careers in cybersecurity.


To see a course example, the Applied Information Assurance (AIA) syllabus is viewable online.


 The AIA course builds upon the skills that students have been receiving throughout their graduate studies and puts them into realistic situations to practice those, both as individuals and as teams. They also have the opportunity to create content that will be used in the instruction of AIA courses. They have the ability to research a specific area of information assurance that they're interested in as a team, create a lab around it, and present that lab.

The best labs go on to be used in future AIA courses. In addition, they complete different group exercises on a weekly basis with members of their team, and they will work through incident response scenarios and forensic scenarios, all inside of a live virtual environment that's been crafted to maximize the experiential learning that's possible throughout the semester-long course.

"This is a place where a lot of the research is being done. Going to the source is a great way to be prepared."

INI: How is this approach to teaching different and significant?


Matt: I have been teaching AIA for five years. I actually took AIA seventeen years ago as an INI student. It was the first offering of the course, and I remembered it standing out from other courses for its focus on the hands-on practice of information security. While a lot has changed in cybersecurity during that time, we carry that same mentality into the current version of AIA. Co-instructor Chris Herr and I put students in simulated exercises, both as individuals and small teams, to practice the same techniques they will encounter after graduating and taking their first job.

 Experiential learning is a fundamental part of understanding how things work, and this is as important with cybersecurity as any technical discipline. And it is especially important when you make mistakes to learn from them. There is no better place to do that than in AIA so you are battle-tested when entering the cyber workforce after the INI.

INI: So why is this work happening at CMU?


Matt:  As an anecdotal story from when I was researching graduate schools, I had a scholarship offer [at another school], and it looked like CMU was not going to work out like because the scholarship had gone to somebody else – but then that person declined, and I was given that [Scholarship for Service] scholarship slot. It just worked out. 

 I had already visited [the other school], and they were talking in the class I attended about research by Adrian Perrig, who at the time was teaching at CMU. I came and visited CMU and realized I would be taking the course from Adrian Perrig. So then [choosing CMU] was just, like, a no brainer, right? Okay, then, you’re going to the source.

This is a place where a lot of the research is being done. Going to the source is a great way to be prepared. And, by the way, because CMU is co-located with the CERT Division, it has opportunities to do internship work and be in support of the government. We have a lot of interns who are SFS students that come through and do great work in our program, and I think it's a great opportunity to be exposed to federal government work. We have a lot of work with CISA (Cybersecurity and Infrastructure Security Agency).

INI: How does the INI prepare you for federal work?


Matt:  The focus on systems curriculum, the core classes – those courses that teach you fundamentals of programming, of how your application interacts with the system, of how these systems and the network interconnect and work together – CMU’s treatment of that is at a great level for somebody who wants to do rigorous work with the government. And, the reason you go into government service is that you believe in the mission, and you're given an opportunity to do things that nobody else in the commercial sector or in academia can do. There are laws that restrict certain activities to only people that are employed by the government.

"At CMU, we are providing a pathway to do the most interesting work in government by giving you fundamental instruction about the how this stuff works." 

When I was there, I took an operating systems course, and, I mean, that was a forty-hour-a week job to take that course! I had three other classes that I was taking at the same time. It was a ridiculous amount of work, but I don't look back on that and say, wow, that was so much work. I look back on it and say, ‘Look at this story I have to tell.’ When it comes to understanding how these systems work. I absolutely learned more in that fifteen-week course than any other way to learn that material.

There's just no other way to learn that much, in that short of a time period … part of what we are offering is a world-class education and, because of that, access to the toughest problems that the federal government has to offer. That's the payoff, right? Nobody is going to look at a future graduate of CMU, whether you are applying to an internship or applying to a job and say, ‘This job is going to be too much for them.’ That's just not going to happen. There could be other things that disqualify you … but it will not be because you didn't get the right education. If you apply yourself at CMU, you can go anywhere you want.

INI: Why was a career in cybersecurity appealing to you?


Matt: My first job out of college after studying computer science was working in technical support for a cybersecurity company in Atlanta, Georgia. I was fascinated not only by the technology, but also the people that make it happen. When we took phone calls from customers, they were generally not thrilled with how our product was working. Of course, it was my job to turn that frown upside down. After doing that job for a year, I knew I wanted to take my skills to the next level, and I found that opportunity at the INI. Fast forward to today, and I still derive joy from the same problem-solving attitude developed at that first job.

 Cybersecurity is a discipline that continually changes, and it is important to remain a student even as you are charged with teaching students of your own. You only need to read the news to understand how important cybersecurity is to our way of life, and I hope that students taking AIA will leave with a better appreciation of how to apply their newfound skills to make a difference of their own.

"You're given an opportunity to do things that nobody else in the commercial sector or in academia can do."

INI: Tell us about the President’s Cup Cybersecurity Competition? Why are competitions important?


Matt: The President’s Cup Cybersecurity Competition is the first cyber competition focused solely on the U.S. federal workforce. Established by a presidential executive order in 2019, it seeks to find the best cyber practitioners in the federal executive workforce. The initial event came together in record time, and the SEI was chosen by the Cybersecurity and Infrastructure Security Agency (CISA) to lead the engineering and execution of that competition as well as every year since. That effort involved writing open-source software to manage the competition, developing complex cybersecurity challenges based on federal cyber work roles, and delivering an engaging finale including a livestream of the team competition on YouTube. I have been fortunate to lead a talented team of engineers across many disciplines to deliver this complex, yet rewarding, project each year since its inception.

The cybersecurity field is short [on talent] significantly, by like six-digit figures in the United States alone. This is our responsibility. We have to get better at this.

You have to grow the pool of people, and the director of CISA set a goal to get to fifty percent female representation in the cyber security field in the next ten years. That’s a bold goal, but I feel like that's the kind of thing you need to set, and then begin to execute on.

Those are some things that we have in mind as we're developing our plans for the work that we do. The nexus of what is being done to work on this problem [of the cybersecurity talent shortage] is happening at CMU, from participation in conferences to the development of technologies, to getting involved with government agencies that are focused on the technical work. These interesting problems are going to be something in the realm of an INI grad because of their education.