Cyber warriors

Teens develop ‘ethical hacking’ skills to defend computer systems

Contests where teens compete to keep computer systems secure have increased in popularity. And that’s a good thing: A recent report from the U.S. Department of Defense recommended more than quintupling the number of workers — from 900 to 4,900 — at the U.S. Cyber Command. Cyber Command is the military unit that protects military computer systems.

Balefire9/iStockphoto

Kevin Houk huddled with five of his high school classmates around a computer monitor. They were the good guys — just like the heroes in old westerns who wore the white hats. The team sought to guard a computer network from a group of programmers just as bad as any movie villains in black hats.

The black hats wanted to activate hidden viruses inside the computer network — if they could get past the white hats. Houk and his classmates stayed on the defensive, fixing vulnerabilities and hardening the network against attack.

Houk and his fellow white hats were participants in the national finals of CyberPatriot. The contest, held each spring in the Washington, D.C., area, is one of a growing number of increasingly popular similar events across the United States. The competitions challenge high school students to see who does the best job at keeping computers safe from any unauthorized intrusion by hackers. In 2009, the first CyberPatriot contest drew computer-programming teams from eight Florida high schools. This year, more than 1,200 teams from around the world competed.

Kevin Houk and the rest of the Marshall Academy team learn how to both defend and attack computers in preparation for the contest. Kevin Houk

“It’s a lot like gaming, because you don’t know what’s going to happen,” Houk says. “You always have to keep on your toes.”

But these competitions aren’t just about fun. During a break, Houk, at the time a senior at Marshall Academy in Fairfax, Va., talked about pursuing a career as a “cyber warrior.” Someday he wants to work for the government or a private company and use his skills to protect their data, computers and everything those computers control from attack.

Real-life hackers can steal computer secrets. They also can intercept communications and even cripple hardware controlled by computer. Those kinds of attacks aren’t just virtual. They can do real physical damage too. That is why the military is so interested in ensuring enough young people gain the skills needed to defend against them.

Kevin Houk (holding trophy) and the rest of the Marshall team after their second-place finish. Kevin Houk
In fact, all four branches of the U.S. military seek more special troops with an expertise in cybersecurity. To stimulate interest in cyberdefense, the Air Force Association started the CyperPatriot contest. A major defense company now sponsors it.

“Cyber warfare is the war of tomorrow and we don’t have enough soldiers on the cyber battlefield,” says Houk, who is now a student at Pennsylvania State University. “I just want to be one of those.”

A recent report from the U.S. Department of Defense recommended more than quintupling the number of workers at the U.S. Cyber Command. Cyber Command is the military unit that protects military computer systems. The report calls for 4,900 workers, up from just 900 today. Military officials worry there aren’t enough students like Houk to fill that many jobs. These new recruits must have not only the computer skills but also no record of crime.

Now hiring: Black hats need not apply

The police don’t hire bank robbers. Similarly, the military or any other government agency interested in computer security typically won’t employ anyone with a shady past. Job candidates can’t have an arrest record. Nor can they have been kicked out of school for hacking.

And yet you’ve probably heard the expression, “It takes one to know one.” The idea is that no one understands more about how, say, a thief operates than another thief.Yet few people want to entrust a thief, even a former thief, with anything of value. That’s the challenge faced by anyone seeking to recruit cyber warriors. Talent scouts must identify experts who can anticipate how criminal or enemy hackers will make their next move — and then thwart them. But these new recruits also must be trustworthy patriots who were never thieves themselves.

So CyberPatriot competitions give teens a safe — and legal — way to get into the minds of thieves. The hope of the contest’s sponsors is that the top participants might one day use their insights and skills to nab real hackers before they can do any harm.

Starting months before CyberPatriot and other similar contests, outside advisors teach the student participants advanced computing skills. The teens also receive training in computer ethics, says Scott Kennedy. He’s a  systems engineer at Leidos (a company that until recently was called SAIC), in San Diego, Calif. The company provides cybersecurity services to the U.S. government.

A society and its members rely on certain moral principles, called ethics, to determine right versus wrong. Ethics are portrayed in attitudes, behaviors and conduct. Ethical violations have gotten some students kicked out of cybersecurity contests. These might include hacking into a competing team’s computers or defacing a website.

“It’s more obnoxious than anything else,” Kennedy says of these hacking attempts. “In prior competitions, we have caught them trying to cheat and trying to game the game. We give them a warning and then they are expelled.”

Marshall team members Peter Marr, Xhesi Galanxhi and Jacob Walters study a problem at the CyberPatriot contest. Air Force Association
Houk and other students interviewed at this year’s contest say they know there is a fine line between wearing a white hat and a black hat. For Houk, hacking and fending off hackers are two sides of the same coin.

Hackers seek to exploit weaknesses they find in a computer program or network. Hackers might crack passwords or look for “back doors” into a computer system that have been left unguarded. Some black hats use small software programs, called viruses, to infect and damage computer systems.

Meanwhile, the white hats might sweep a computer of viruses. They might also pore over lines of computer code to check for pieces of code a hacker may have snuck inside. The only way to properly defend a computer is to understand its weaknesses, much as a hacker does, Houk says.

“We are trained in offensive security, or ethical hacking,” says Houk, whose team placed second overall in the 2013 CyberPatriot contest. “But we do know how to monitor a network, like a school’s, and watch all the traffic going through. And if it’s encrypted, we do know how to break that.” (Encrypted data are protected through use of some hard-to-break code.)

Learning from ‘gray hats’

Ryan Walters helped train Houk and his teammates. Walters describes himself as a gray hat — neither black nor white. He knows both sides of the cyber warfare coin really well.

As a young man, Walters was arrested — and convicted — for computer hacking. At his sentencing, the judge gave Walters a choice: Go to jail or join the military. “I joined the Air Force,” says Walters. “Six months later, I was doing cyberdefense for the military. I became very good at what I do, because I understand how the bad guy thinks.”

Because of his history of illegal activities, Walters admits, “I could never be a white hat.” Still, Walters has an insight into how black hats operate. He used that insight after he finished his military service to start a successful business providing security against hacking.

Saige Mehl, Brian Green, Kevin Schulmeister, Ben Wolff and Keaton Thomson of the Summit Technology Academy in Lee’s Summit, Mo., take part in the CyberPatriot event near Washington, D.C. Air Force Academy
Today, Walters also coaches and mentors the Marshall Academy team. It meets after school in his office in Tysons Corner, Va.

“I give them tools,” Walters says. “I’m teaching these guys the black-hat mentality; I’m not teaching them how to be bad guys.”

Even with training, it’s easy to swap hats. That is something Walters’ own son, Jacob, found out. In 2012, the 15-year-old attended a computer summer camp. There, Jacob got to exercise the strong computer skills and sense of curiosity he picked up from his dad. He also got a feel for what it is like to wear a gray hat. Bored, Jacob and a friend pulled a prank. They hacked into the computer of a “cyber chimp” (the term some teens apply to the rookies in some competitions).

“We got into this kid’s box and took a picture of him typing on the computer,” smiles Jacob, using a slang term to refer to the boy’s computer. “We posted it on the screen. The teacher walked in and projected it on the big screen. We got in trouble and got yelled at.”

Jacob realized his mistakes and is now part of the Marshall team. The teen knows first-hand now that there is an unwritten line between good and bad in the computer world. The problem with this line, he says, is that “you can walk across it faster than you think.”

“I want you, White Hat,” says Uncle Sam

The rise in teen interest in cyberdefense contests comes at a time when governments around the world warn against damaging computer attacks from foreign hackers. In the United States, utility companies, technology firms, banks, Congress, universities and news organizations have all faced suspected Chinese computer attacks in recent months. Because of these and other attacks, American officials worry there aren’t enough trained cyber warriors to protect the country’s important computer systems.

“The threat has evolved so quickly. It really has created a sense of urgency,” observes Diane Miller. Miller is director of information security and cyber initiatives for Northrop Grumman Corp., in Bethesda, Md. Northrop Grumman is a defense company best known for building airplanes and spacecraft. It is one of the main sponsors of the CyberPatriot contest, now in its fifth year. (The company also supports the Society for Science & the Public, publisher of Science News for Students.)

Northrop Grumman does cybersecurity work for the U.S. military and other customers too. The company has hired 40 former CyberPatriot contestants to work on defending computer systems from cyber attacks. These include four high school students who work as interns in the company’s cybersecurity control center. “I tell the students that it’s a position of trust,” Miller explains.

Most experts probably would agree that introducing young minds to advanced computer skills is a good thing. However, some worry the effort should be more broad than deep. Training a few highly skilled cyber warriors is less valuable than giving lots of people just enough knowledge to protect their computers from getting hacked, these critics argue.

“There’s this tendency to go for the cream of the crop,” says James Lewis. Lewis is a senior fellow at the Center for Strategic and International Studies in Washington, D.C. He recently conducted a study on computer security weaknesses at U.S. companies. “The debate is: ‘Do you need a team of computer special forces, like Navy SEALS or cyber ninjas? Or something more like regular forces?’” Lewis asks.

Kennedy, of Leidos, acknowledges that CyberPatriot and similar contests all reach the same group of top-tier students. These contests might have a bigger impact if they recruited teens who didn’t already know a lot about computers. “We need to reach inside the schools and into the standard curriculum,” Kennedy says.

Some nations have started doing just that — even early in grade school. The northern European nation of Estonia, for example, introduces computer programming to first-graders and cybersecurity to sixth-graders. This early focus may reflect how this tiny nation found itself the target of a massive cyber attack in 2007 from its big neighbor, Russia.

Another security expert argues that computer-defense skills aren’t the weak link in efforts to stop cybercrime. It’s the little everyday mistakes people make that cause problems. It might be telling your password to a friend, or leaving your laptop unattended in a cab, airport or coffee shop, observes Fred Cate. This Indiana University law professor directs the Center for Applied Cybersecurity Research in Bloomington.

“We need people trained not just on how to write code for stronger protections,” Cate says. What’s also needed, he notes, are systems to guard against sloppy or inattentive behavior.

Power Words

code(in computing)  A set of instructions for running a computer. Computer software is composed of code.

curriculum  The courses or books and materials used in courses that are offered by a school or other teaching institution.

cyber  Relating to computers or computer networks.

defense  Military and other measures taken to protect a country against attack.

encrypt  Convert data into code to prevent unauthorized access.

ethics  A set of moral principles that establish the difference between right and wrong.

hack  To break into a lock or a locked system.

harden (in electronics)  To protect components from damage, usually from stray current or electromagnetic radiation. (in computing) To protect computer programming from being damaged or altered by hackers.

hacker  A person who uses computers without approval to view, alter or steal data belonging to another.

information security Actions aimed at guarding information and the computer systems that manage that information from illegal access, use, disclosure, disruption, modification or destruction.

mentor  An individual who lends his or her experience to advise someone starting out in a field. In science, teachers or researchers often mentor students, helping them refine their research questions.

network (in computing)  Two or more computers linked as a system, usually through use of a wireless router.

programming The process of writing computer code, which provides exact instructions on how a computer is to operate, or process, data.

systems engineering  This field applies research to manage all aspects of solving some major technical problem. That “problem” could be the development of a new machine or even a large solar- or nuclear-power plant large. Sometimes the scale will be far smaller, such as the creation of computer chips and the computer programming instructions required to use them. Systems engineers take a big-picture view to consider every aspect of a project. This includes everything from the people, materials and financing that will be needed to the environmental impacts of some system and the expected lifetime of its many parts.

utilities Private- or government-owned organizations that provide public services, such as water, electricity and transportation.

virus (in computing)  Small software programs that can infiltrate (infect) and damage computers or computer systems.

Word find (click here to enlarge for printing)

More Stories from Science News Explores on Computing