Subject: USA Africa Dialogue Series - Educating Elite Hackers
Educating Elite Hackers
Inside the rush to recruit, train, and deploy a new generation of cybersecurity
experts to protect and defend our digital borders.
It started with Michael Coppola taking things apart at the age of five: the
remote control, his mother's house lamps, the family's VCR. He was curious about
how things worked. By the time he was in fourth grade, he moved on to software.
After building Web sites for his parents and their friends, Coppola, now 17,
decided to try his hand at hacking. "When you have this passion for technology,
you're not satisfied with knowing how to use something, you want to know how it
works," he says. What started out as mere curiosity now makes this Connecticut
high-school senior a rare—and highly valued—commodity: a hacker in the making.
While billions of dollars are being spent to secure U.S. cyberspace, the number
of elite cybersecurity experts needed to protect and traffic this area for the
government and the private sector is dangerously inadequate. The Comprehensive
National Cybersecurity Initiative (CNCI) launched by President George W. Bush
lists the need for better cybereducation and more experts as part of 12 core
initiatives, but its large-scale implementation will take time. According to
national-security authorities, time is something we don't really have. By one
estimate the United States currently has about 1,000 elite experts. It needs
20,000. Until now, the formal recruiting and training of a national cybercorps
has been haphazard at best. Fortunately, for the Michael Coppolas among us,
private companies and government agencies are amping up their efforts to find
and educate a new generation of cyber whiz kids. By sponsoring national cyber
competitions akin to American Idol, the goal is to quickly bring at least 10,000
young tech minds into the fold. Among the organizers leading the way is Alan
Paller, cofounder and research director of the Sans Institute, a cybersecurity
school.
Paller is kind of a real-life version of Professor Charles Xavier,
the X-Men comic-book character who heads a school designed to find and nurture
young mutants with supernatural powers. Early in his career, he cofounded a
major graphics company and was an original member of President Bill Clinton's
National Infrastructure Assurance Council, which was set up to address threats to
the country's critical infrastructure. Since then, the cyber veteran has
invested about 20 years helping to mold some of the brightest cyber minds in the
world at Sans, and in doing so, keeping their skills on the right side of the
law. He only decided to co-host a cyber challenge in 2008, after meeting with
computer-security leaders from the White House, the NSA, and other agencies.
"Simply put, we find ourselves in the same situation we did during the 1950s and
1960s when we took on the space race," he says. "That [period] inspired young
people to consider careers in math and science. Today, we need to approach
cybersecurity the same way."
To Paller, that means looking for talent in unconventional places. It was the
first Cyber Challenge, in 2009 and sponsored in part by Paller's organization,
that piqued Coppola's interest. The cybersecurity simulation (titled "Netwars")
required the 240 contestants to hack into 12 servers. Each server was worth
points and whoever had the highest tally at the end of the game would be
declared the winner. But instead of going from server to server, Coppola decided
to hack the scoreboard and give himself the most points. Naturally, he won. "It
wasn't part of the initial plan," he says. "I just happened to come across the
vulnerability and decided to focus my time on that."
Perhaps this is what makes Paller's Netwars, one of the three cyber challenges
he and others promote, the most interesting. It's a game that effectively
focuses on finding vulnerabilities in a system and exploiting them to gain
access. Some argue that such games are encouraging the kind of skills once
relegated to the bad guys. But with a medium where there's a thin virtual line
between those that exploit and those that protect, Paller is a big believer in
having both a good defense and a good offense. "If we're going to outwit them,
then we have to know how they work," says Paller of malicious hackers.
There is something to be said for that argument. Other countries, like China and
Russia, have been hosting similar contests for years. Their motivation lies in
how often and increasingly their governments are the targets of hacking attacks.
Not that the U.S. fares much better. According to the Senate's Sergeant at Arms
office, Congress and other government agencies are now under cyberattack an
average of 1.8 billion times a month, compared with an average of 8 million
times a month in 2008. Businesses are in the same situation. One report suggests
that downtime from a cyberattack already costs a company an estimated $6.3
million per day on average.
And the reality is that both the government and private sector can expect the
situation to get worse. Dickie George, information assurance technical director
of the National Security Agency (NSA), says he could easily use 1,000 qualified
cyberexperts in the next year. And going through conventional channels won't do.
"When I go to schools, there are more recruiters at the schools than there are
people to recruit," he says. "Right now it's a losing game." George points to a
recent visit where a student gave a riveting cyber presentation. "There was a
line of people there, with me in the front saying, 'I want to hire you,' and a
guy from a company behind me saying, 'I want to hire you, too, and I want to
hire you for twice as much as he does.'" According to Indeed.com, the average
cybersecurity expert makes roughly $102,000 per year, with the highly talented
making more.
A large part of this shortage problem is education, George says. While several
programs at colleges teach the basics of cybersecurity, there are few that can
be considered state of the art. That limits the pool of bright graduates who are
properly trained to deal with the shape-shifting nature of security. The NSA has
made some efforts to partner with colleges across the country to better prepare
those interested in a cyber career with the organization. And Steven Chabinsky,
deputy assistant director at the FBI's Cyber Division, says every new agent must
take 40 hours of cyber training. But he acknowledges that they too are actively
looking to beef up the number of cyberexperts. Jim Lewis, director of technology
and public-policy programs at CSIS, a public-policy research institution, which
helped host the cyber challenge, agrees that the broader problem is deeply
rooted in education, but there are other issues too. "Yes, part of it is that we
have academic programs that don't produce the kind of people we need, but part
of it is that the U.S. stopped funding computer sciences for about 10 years and
a part of it is that until recently we really didn't understand just what kind
of people we needed."
This is why Coppola finds himself in a sweet position. After having won the
Netwars challenge, he's been offered a scholarship to take courses at the Sans
Institute to fine-tune his skills. He's also helping the organization design
classes for high-school students.
Several other players also did well. The NSA was able to recruit eight
contestants for summer internships. Not a bad gig considering that 85 percent of
those who intern are offered permanent jobs. And the FBI plans to partner on a
challenge later this year and offer internships to the winners. Even the Air
Force, which helped co-host last year's event, will offer five college
scholarships to the winners of an upcoming competition.
On concerns about turning any of these kids to the dark side, Paller concedes it
may be a little true. "Look, when the military trains young men and women to
handle weapons, there's no guarantee some of them won't use that talent
inappropriately," he says. "The truth is, I don't see a way to defend a country
without growing these skills."
Paller and the other organizers plan to continue to expand the number of
competitions and will add a series of weeklong cyber camps, the equivalent of
soccer camp, starting in July. He'll be looking for the next kid who gets a
thrill from taking things apart ... and who one day may be on the front lines
protecting America's cyberspace.