A consortium of U.S. government and private organizations thinks so and is trying to enlist the nation’s youth to fill the dearth of cyber-security professionals and tackle increasing tense problem of defending the nation against cyber-terrorists.
The consortium — the U.S. Department of Defense Cyber Crime Center; the Center for Strategic and International Studies; the Air Force Association; and the SANS Institute — developed last summer, is behind the U.S. Cyber Challenge, an initiative to develop young, smart cyber-security personnel.
The initiative combines existing competitions, awards scholarships and internships to the most competent high school and college students to, it is hoped, develop a pipeline of cyber-security “warriors.”
“Think of them as warriors rather than cyber-academics and you get an idea of what they're after,” said Alan Paller, research director of the SANS Institute. “The best way to think about the cyber-challenge is as a sport, just the way somebody distinguishes themselves as a basketball player. It’s in school but it's not of school.”
In other words, the best candidates may not be the best students, at least in the traditional sense, but they have a knack on a computer and a craving for a challenge, Paller said. “You have this situation where kids are skilled and want to test themselves, and the only way they can test themselves right now is illegally.”
Cool Rewards for Competitors
The competitions go like this: A defender is assigned to protect a computer and given certain tools to defend it against intruders. The hacker (sometimes other students, sometimes security professionals) is trying to penetrate the defender’s arsenal. Matches continue for days and there are multiple rounds and a national competition, leading to glory in the form of internships and perhaps a “cool” job, like security crime investigator or penetration tester.
The consortium also promotes the “cyber-geek camps,” described by Paller as similar to basketball camps, where there is structure during part of the day and exercises or competition during another part of the day.
There’s also a forensics challenge where the competitors are given a disk with evidence of a crime on it, and their job is to find out what the crime was, Paller said. “The national competition draws them to demonstrate their skills, and the camp allows them to be nurtured.”
At the end of the competitions, some top agencies and corporations announce internships, for which the top 10 percent of competitors are eligible.
But for 19-year-old sophomore computer science major at the University of Minnesota, Eric Gruber, who competes in the cyber-competition NetWars, it’s just another natural progression.
Photo: Eric Gruber is a computer science major at the University of Minnesota.
“I was always on computers,” he said. “My dad worked at American Express as a technologies manager so there were always computers around the house. I always liked breaking and fixing things, so I guess the natural progression was to see if I could break software.”
When he got to high school he knew his school had “really bad security,” so he had a little fun with it. “Me and my friends were into a lot of wireless hacking stuff; just getting a lot of passwords for people.” He said he could have gotten into people’s accounts to see all their files but he’s “not that type of hacker.”
Gruber said the competition gets rather hectic. “A lot of them are like security pros and it gets pretty tough. They just lock everything down.”
He said it takes some quick fingers to advance. “We get an ISO, a disk image of an operating system, a Linux operating system,” he said. “The first part of the game is to break out of that disk to find a key and connect to the network where the actual game is. It's like weeding out the people who don’t know what they’re doing and getting to the actual game.”
He said once the key is located, you log onto the actual game where you’re given tools such as Netcat, Metasploit and Nmap. “It’s all command based like in a terminal,” Gruber said. “The point of the game is to log into these computers however you can and there are tags in certain files and you can change them to your tag. About every 10 minutes, the scorebot checks to see who has the tag and gives you a point.”
Gruber said out of the 200 or so playing the game, just 20 actually scored a point, including himself.
Ruby Lee, a computer science professor at Princeton University, likes the idea of cyber-competitions, if they’re well funded and serve an educational purpose, not just hacking. “Something like the DARPA [Defense Advanced Research Projects Agency] Grand Challenge that goes on for many years and has high visibility and rewards is good. Even better are competitions that can be used as a ‘term project’ requiring perhaps a month of effort on the part of undergrad students taking a cyber-security course.”
Lee said another idea is to cast the competition in more “commercial and societal terms to attract the students who will not sign up for military or forensic crime competitions, but are interested in protecting our financial competitiveness, social privacy and medical records. The same security skills are needed,” she said.
Too Few Qualified Fighters
The U.S. Department of Defense trains about 80 cyber-security experts a year, far too few, experts say if the country is going to seriously defend against the potential threats. In China the military has trained more than 60,000 “information troops,” according to U.S. News and World Report.
Paller said the idea of the U.S. Cyber Challenge was hatched in a meeting at the Pentagon in December 2008 with the major players in cyber-security, and they agreed there are about 1,000 people capable of cyber-defense when 20,000 to 30,000 are needed.
He said the way in which cyber-security professionals have been chosen over the years is all wrong — they’re hiring the wrong people. “They take an exam and if they pass it and pass a security clearance they can make $150,000 to $200,000 a year — writing reports. They aren’t operators. They knew security, could write about security but didn’t know how computers worked.”
He said the government has spent about $4 billion on those reports in recent years and the reports were out of date before they were published. “They added no value to the cyber-security of the country. Four billion bucks — wasted. We have to tap a new vein of talent.”
Perhaps someone looking for more of a challenge than writing reports?
The Top Seven ‘Coolest Jobs’ for Computer Geeks
1) Security crime investigator
2) Penetration tester
3) Forensics analyst
4) Incident responder
5) Security architect
6) Malware analyst
7) Network security engineer
Source: The SANS Institute
