Pentagon Seeks High School Hackers
Andy Greenberg, 05.21.09, 06:15 PM EDT
As a cyber space race looms, the military is looking for a few good geeks.
High school hackers, crackers and digital deviants: Uncle Sam wants you.
As part of a government information security review to be released as early as
Friday, White House interim cybersecurity chief Melissa Hathaway likely will
mention a new military-funded program aimed at leveraging an untapped
resource: the U.S.' population of geeky high school and college students.
The so-called Cyber Challenge, which will be officially announced later
this month, will create three new national competitions for high school and
college students intended to foster a young generation of cybersecurity
researchers. The contests will test skills applicable to both government and
private industry: attacking and defending digital targets, stealing data, and
tracing how others have stolen it.
The competitions, as planned, go far beyond mere academics. The Air Force
will run a so-called Cyber Patriot competition focused on network defense,
fending off a "Red Team" of hackers attempting to steal data from the
participants' systems. The Department of Defense's Cyber Crime Center will
expand its Digital Forensics Challenge, a program it has run since 2006, to
include high school and college participants, tasking them with problems like
tracing digital intrusions and reconstructing incomplete data sources.
The security-focused SANS Institute, an independent organization, plans to
organize what may be the most controversial of the three contests: the
Network Attack Competition, which challenges students to find and exploit
vulnerabilities in software, compromise enemy systems and steal data.
More is at stake in these games than mere geek glory. Talented entrants
would be recruited for cyber training camps planned for summer 2010, nonprofit
camps run by the military and funded in part by private companies, or
internships at agencies including the National Security Agency, the Department
of Energy or Carnegie Mellon's Computer Emergency Response Team.
Alan Paller, director of the SANS Institute, says companies including EMC,
AT&T and Verizon have all expressed interest in sponsoring elements of the
program. (EMC and AT&T spokespeople didn't respond to requests for comment, and
Verizon declined to comment in advance of the program's announcement.)
The ultimate goal, according to the initiative's mission statement, is a
new sort of grassroots cybersecurity education designed to keep America ahead
of a growing threat of cyber attacks from both criminal and
state-sponsored enemies. "In the 1950s and 1960s, Sputnik and the space race inspired
young people to pursue careers in science and engineering," reads a draft of
the statement. "We have a similar opportunity to inspire today's young
people to tackle the important challenges we face, including cybersecurity."
Fears of cyber-sabotage or espionage were brought home last month by
revelations, reported in The Wall Street Journal, that Russian and Chinese
intruders had gained access to and mapped out the networks of U.S. power
systems, leaving behind software designed to sabotage them. Cyberspies have also
repeatedly hacked government and military networks going back as early as the
beginning of the decade. Forbes reported in 2007 that military contractors
including Lockheed Martin, Raytheon, Boeing and Northrop Grumman had suffered
security breaches that had the potential to reveal classified information.
One element of ending those cyber debacles, says the SANS Institute's
Paller, will mean a renewed focus on cyber education. "We have probably only
1,000 very skilled hackers working for government and industry," he says. "We
need 20,000 or 30,000. Those hackers are out there. We just need to get
them into a much more important and useful role."
China, for its part, may be well ahead of the U.S. in cybersecurity
education and recruiting, Paller argues. In a hearing before the Senate's
Homeland Security last month, Paller told the story of Tan Dailin, a graduate
student in China's Sichuan province who in 2005 won several government-sponsored
hacking competitions and the next year was caught intruding on U.S.
Department of Defense networks, siphoning thousands of unclassified documents to
servers in China. "China's People's Liberation Army is running these
competitions all the time, aiming their recruits at the U.S.," Paller says.
"Shouldn't we be looking for our best talent the way other countries are?"
But a parallel track of domestic cyber training raises the specter of U.S.
government-trained hackers not only stealing data from foreign enemies--a
diplomatically thorny prospect in itself--but also hacking other targets for
fun or profit, and potentially becoming a rogue collection of skilled
cybercriminals. "There probably could be a couple people we train that go to
the dark side," admits Jim Christy, director of the Department of Defense's
Cyber Crime Center. "But we'll catch them and send a message. The good guys
will outweigh the bad."
Teaching offensive hacking is a necessary element of protecting networks,
argues the SANS Institute's Paller. "Offense must inform defense," he says.
"We'd like it to be just training defenders, but if they don't know how
attacks are performed, they'll be incompetent."
He adds that even without formal training, teens are already becoming
active hackers. According to a survey released by Panda Security earlier this
month, one in five U.K. teens says he or she knows how to find online
software tools for gaining unauthorized access to data. A third of those
respondents claimed to have used them. "This isn't about educating hackers," says
Paller. "It's about finding them."
Training games used in digital espionage and data theft, including
offensive tactics, are nothing new: The military has long put cadets through
defensive and offensive simulations. Programs like the SANS Institute educate
so-called white-hat hackers, penetration testers paid to test the security of
private companies and government institutions. And cybersecurity
conferences like Las Vegas' DefCon host games of "Capture the Flag," in which teams
win points by compromising the opposition's PCs.
But the Cyber Challenge would be the military's first attempt to reach
civilian students. And despite the controversy it likely will raise, it may be
the kind of early education push American cybersecurity needs, argues the
Department of Defense's Christy. "As cybersecurity comes to the forefront,
we're going to start seeing fratricide between agencies and the private
sectors as everyone tries to recruit a small number of experts," he says.
"We have to grow this workforce."