Pentagon Seeks High School Hackers
Andy Greenberg, 05.21.09, 06:15 PM EDT
As a cyber space race looms, the military is looking for a few good geeks.
High school hackers, crackers and digital deviants: Uncle Sam wants you.
(Forbes) – As part of a government information security review released as early as Friday, White House interim cybersecurity chief Melissa Hathaway likely will mention a new military-funded program aimed at leveraging an untapped resource: the U.S.’ population of geeky high school and college students.
The so-called Cyber Challenge, which will be officially announced later this month, will create three new national competitions for high school and college students intended to foster a young generation of cybersecurity researchers. The contests will test skills applicable to both government and private industry: attacking and defending digital targets, stealing data, and tracing how others have stolen it.
The competitions, as planned, go far beyond mere academics. Thewill run a so-called Cyber Patriot competition focused on network defense, fending off a “Red Team” of hackers attempting to steal data from the participants’ systems. The Department of Defense’s Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources.
The security-focused SANS Institute, an independent organization, plans to organize what may be the most controversial of the three contests: the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data.
More is at stake in these games than mere geek glory. Talented entrants would be recruited for cyber training camps planned for summer 2010, nonprofit camps run by the military and funded in part by private companies, or internships at agencies including the, the or Carnegie Mellon’s Computer Emergency Response Team.
Alan Paller, director of the SANS Institute, says companies including EMC, AT&T and Verizon have all expressed interest in sponsoring elements of the program. (EMC and AT&T spokespeople didn’t respond to requests for comment, and Verizon declined to comment in advance of the program’s announcement.)
The ultimate goal, according to the initiative’s mission statement, is a new sort of grassroots cybersecurity education designed to keep America ahead of a growing threat of cyber attacks from both criminal and state-sponsored enemies. “In the 1950s and 1960s, Sputnik and the space race inspired young people to pursue careers in science and engineering,” reads a draft of the statement. “We have a similar opportunity to inspire today’s young people to tackle the important challenges we face, including cybersecurity.
Fears of cyber-sabotage or espionage were brought home last month by revelations, reported in The Wall Street Journal, that Russian and Chinese intruders had gained access to and mapped out the networks of U.S. power systems, leaving behind software designed to sabotage them. Cyberspies have also repeatedly hacked government and military networks going back as early as the beginning of the decade. Forbes reported in 2007 that military contractors including Lockheed Martin ( LMT – news – people ), Raytheon ( RTN – news – people ), Boeing ( BA – news – people ) and Northrup Grumman had suffered security breaches that had the potential to reveal classified information.
One element of ending those cyber debacles, says the SANS Institute’s Paller, will mean a renewed focus on cyber education. “We have probably only 1,000 very skilled hackers working for government and industry,” he says. “We need 20,000 or 30,000. Those hackers are out there. We just need to get them into a much more important and useful role.”
China, for its part, may be well ahead of the U.S. in cybersecurity education and recruiting, Paller argues. In a hearing before the Senate’s Homeland Security last month, Paller told the story of Tan Dailin, a graduate student in China’s Sichuan province who in 2005 won several government-sponsored hacking competitions and the next year was caught intruding on U.S. Department of Defense networks, siphoning thousands of unclassified documents to servers in China. “China’s People’s Liberation Army is running these competitions all the time, aiming their recruits at the U.S.,” Paller says. “Shouldn’t we be looking for our best talent the way other countries are?”
But a parallel track of domestic cyber training raises the specter of U.S. government-trained hackers not only stealing data from foreign enemies–a diplomatically thorny prospect in itself–but also hacking other targets for fun or profit, and potentially becoming a rogue collection of skilled cybercriminals. “There probably could be a couple people we train that go to the dark side,” admits Jim Christy, director of the Department of Defense’s Cyber Crime Center. “But we’ll catch them and send a message. The good guys will outweigh the bad.”
Teaching offensive hacking is a necessary element of protecting networks, argues the SANS Institute’s Paller. “Offense must inform defense,” he says. “We’d like it to be just training defenders, but if they don’t know how attacks are performed, they’ll be incompetent.”
He adds that even without formal training, teens are already becoming active hackers. According to a survey released by Panda Security earlier this month, one in five U.K. teens says he or she knows how to find online software tools for gaining unauthorized access to data. A third of those respondents claimed to have used them. “This isn’t about educating hackers,” says Paller. “It’s about finding them.”
Training games used in digital espionage and data theft, including offensive tactics, are nothing new: The military has long put cadets through defensive and offensive simulations. Programs like the SANS Institute educate so-called white-hat hackers, penetration testers paid to test the security of private companies and government institutions. And cybersecurity conferences like Las Vegas’ DefCon host games of “Capture the Flag,” in which teams win points by compromising the opposition’s PCs.
But the Cyber Challenge would be the military’s first attempt to reach civilian students. And despite the controversy it likely will raise, it may be the kind of early education push American cybersecurity needs, argues the Department of Defense’s Christy. “As cybersecurity comes to the forefront, we’re going to start seeing fratricide between in agencies and the private sectors as everyone tries to recruit a small number of experts,” he says. “We have to grow this workforce.”