Could a college student who admittedly passed the time as a kid by “breaking things” be part of the answer to the country’s lack of security in cyber-space?
A consortium of U.S. government and private organizations thinks so and is trying to enlist the nation’s youth to fill the dearth of cyber-security professionals and tackle increasing tense problem of defending the nation against cyber-terrorists.
The consortium — the U.S. Department of Defense Cyber Crime Center; the Center for Strategic and International Studies; the Air Force Association; and the SANS Institute — developed last summer, is behind the U.S. Cyber Challenge, an initiative to develop young, smart cyber-security personnel.
The initiative combines existing competitions, awards scholarships and internships to the most competent high school and college students to, it is hoped, develop a pipeline of cyber-security “warriors.”
“Think of them as warriors rather than cyber-academics and you get an idea of what they're after,” said Alan Paller, research director of the SANS Institute. “The best way to think about the cyber-challenge is as a sport, just the way somebody distinguishes themselves as a basketball player. It’s in school but it's not of school.”
In other words, the best candidates may not be the best students, at least in the traditional sense, but they have a knack on a computer and a craving for a challenge, Paller said. “You have this situation where kids are skilled and want to test themselves, and the only way they can test themselves right now is illegally.”
Cool Rewards for Competitors
The competitions go like this: A defender is assigned to protect a computer and given certain tools to defend it against intruders. The hacker (sometimes other students, sometimes security professionals) is trying to penetrate the defender’s arsenal. Matches continue for days and there are multiple rounds and a national competition, leading to glory in the form of internships and perhaps a “cool” job, like security crime investigator or penetration tester.
The consortium also promotes the “cyber-geek camps,” described by Paller as similar to basketball camps, where there is structure during part of the day and exercises or competition during another part of the day.
There’s also a forensics challenge where the competitors are given a disk with evidence of a crime on it, and their job is to find out what the crime was, Paller said. “The national competition draws them to demonstrate their skills, and the camp allows them to be nurtured.”
At the end of the competitions, some top agencies and corporations announce internships, for which the top 10 percent of competitors are eligible.
But for 19-year-old sophomore computer science major at the University of Minnesota, Eric Gruber, who competes in the cyber-competition NetWars, it’s just another natural progression.
Photo: Eric Gruber is a computer science major at the University of Minnesota.
“I was always on computers,” he said. “My dad worked at American Express as a technologies manager so there were always computers around the house. I always liked breaking and fixing things, so I guess the natural progression was to see if I could break software.”
When he got to high school he knew his school had “really bad security,” so he had a little fun with it. “Me and my friends were into a lot of wireless hacking stuff; just getting a lot of passwords for people.” He said he could have gotten into people’s accounts to see all their files but he’s “not that type of hacker.”
Gruber said the competition gets rather hectic. “A lot of them are like security pros and it gets pretty tough. They just lock everything down.”
He said it takes some quick fingers to advance. “We get an ISO, a disk image of an operating system, a Linux operating system,” he said. “The first part of the game is to break out of that disk to find a key and connect to the network where the actual game is. It's like weeding out the people who don’t know what they’re doing and getting to the actual game.”
He said once the key is located, you log onto the actual game where you’re given tools such as Netcat, Metasploit and Nmap. “It’s all command based like in a terminal,” Gruber said. “The point of the game is to log into these computers however you can and there are tags in certain files and you can change them to your tag. About every 10 minutes, the scorebot checks to see who has the tag and gives you a point.”
Gruber said out of the 200 or so playing the game, just 20 actually scored a point, including himself.
Ruby Lee, a computer science professor at Princeton University, likes the idea of cyber-competitions, if they’re well funded and serve an educational purpose, not just hacking. “Something like the DARPA [Defense Advanced Research Projects Agency] Grand Challenge that goes on for many years and has high visibility and rewards is good. Even better are competitions that can be used as a ‘term project’ requiring perhaps a month of effort on the part of undergrad students taking a cyber-security course.”
Lee said another idea is to cast the competition in more “commercial and societal terms to attract the students who will not sign up for military or forensic crime competitions, but are interested in protecting our financial competitiveness, social privacy and medical records. The same security skills are needed,” she said.
