WASHINGTON – In the eighth grade, Arlan Jaska figured out how to write a simple script that could switch his keyboard’s Caps Lock key on and off 6,000 times a minute. When friends weren’t looking, he slipped his program onto their computers. It was all fun and games until the program spread to his middle school.
“They called my parents and told my dad I was hacking their computers,” Jaska, now 17, recalled.
He was grounded and got detention. And he is just the type of youngster the Department of Homeland Security is looking to hire.
The secretary of that agency, Janet Napolitano, knows she has a problem that will only get worse. Foreign hackers have been attacking her agency’s computer systems. They have also been busy trying to siphon the nation’s wealth and steal valuable trade secrets. And they have begun probing the nation’s critical infrastructure — the power grid, and water and transportation systems.
So she needs her own hackers — 600, the agency estimates. But potential recruits with the right skills have too often been heading for business, and those who do choose government often go to the National Security Agency, where they work on offensive digital attacks on foreign nations. At Homeland Security, the emphasis is on keeping hackers out, or playing defense.
“We have to show them how cool and exciting this is,” said Ed Skoudis, one of the nation’s top computer security trainers. “And we have to show them that applying these skills to the public sector is important.”
Make it a game
One answer? Start young, and make it a game, even a competition.
This month, Jaska and his classmate Collin Berman took top spots at the Virginia Governor’s Cup Cyber Challenge, a veritable smackdown of hacking for high school students that was the brainchild of Alan Paller, a security expert, and others in the field.
With military exercises like NetWars, the competition had more the feel of a video game. Paller helped create the competition, the first in a series, to help Homeland Security, and likens the agency’s need for hackers to the shortage of fighter pilots during World War II.
“I like to break things,” Berman, 18, said. “I always want to know, ‘How can I change this so it does something else?’ ”
It’s a far different pursuit — and a higher-minded one, enlightened hackers will say — than simply defacing websites.
“You want people who ask: How do things work? But the very best ones turn it around,” said Paller, director of research at the SANS Institute, a computer security training organization.
It’s no coincidence that the idea of using competitions came, in part, from China, where the People’s Liberation Army runs challenges every spring to identify its next generation of digital warriors.
Tan Dailin, a graduate student, won several of the events in 2005. Soon afterward, he put his skills to work and was caught breaking into the Pentagon’s network and sending reams of documents back to servers in China.
“We have no program like that in the United States — nothing,” Paller said. “No one is even teaching this in schools. If we don’t solve this problem, we’re in trouble.”
Starting a club
At Northern Virginia’s acclaimed Thomas Jefferson High School for Science and Technology, which both Jaska and Berman attend, there are five computer science teachers, but none focused on security.
When eight students expressed interest in starting a security club, they had to persuade a Raytheon employee to meet with them once a week. One idea for a name, the Hacking Club, didn’t last. “We don’t want people who are going to go around defacing sites,” Berman said. They recently rebranded from the Cybersecurity Club to the Computer Security Club. The group dropped the “Cyber” because “it sounds like you’re trying to be cool but you’re not,” clarified Jaska.
Jaska and Berman heard about the Virginia competition through their school. To qualify, they had to identify bad passwords and clean up security settings — a long way from a Caps Lock program.
About 700 students from 110 Virginia high schools applied, but only 40, including Jaska and Berman, made the cut.
So three weeks ago, the pair traveled to the Governor’s Cup Cyber Challenge at George Mason University. There, they found something they rarely encounter in high school — a thriving community of like-minded teenagers, the best and brightest of a highly specialized task.
“For some of the kids, who tended to be a little bit loners, this was the first time they had a peer group,” Paller said. “They were having excited conversations about arcane technical issues — something they never get to do — and their parents exalted in it.”
The students faced the same five-level test that the military uses to test its own security experts. They earned points for cracking passwords, flagging vulnerabilities and breaking into a website administrator’s account where, had they changed any settings or defaced a site, they would have been eliminated. Their scores were displayed in real time on a leader board.
After several hours, the winners were announced. A third of the students had made it to Level 3 — a level that Rear Adm. Gib Godwin, chairman of the Governor’s Cup, said typically requires someone with seven to 10 years of experience to achieve. Jaska won, earning him a $5,000 scholarship. Berman won $1,500 for third place.
The idea for such competitions is nothing new. For years, a hacking conference called DefCon has hosted games like Capture the Flag in which teams earn points for hacking into the other team’s computers. The Air Force started a Cyber Patriot competition in which hackers defend against a “Red Team” of hackers trying to steal their data. And the Defense Department has its own Digital Forensics Challenge. But none of these has been meant for high school students.
“The goal is to create a continuum, similar to the way kids go to junior high, high school, college and get their Ph.D.,” Godwin said. “We want to create the same flow for kids in the cyber domain.”