Hacking competitions seek cybersecurity superstars

By Sune Engel Rasmussen
BBC News, Roanoke, Virginia


As cybersecurity becomes a bigger threat for American government and businesses, high school and college students are being recruited early to help fill vacant technical positions. In Virginia, these students compete against one another for top slots.

The attack started a little after 08:00.

Numbers streamed across the computer screens in cryptic order, containing disguised codes that could make the whole system collapse. The mission: find the intruding language, isolate it, and keep the system safe.

In the basement, about 80 young adults, mostly in their late teens and 20s, sat in silence, hunched over laptops, exchanging only a few words of strategy and nods of approval.

As the offensive got underway the sound of hundreds of fingers tapping on keyboards were drowned out by the thumping bass of Swedish House Mafia, blasted from the speakers in the corner.

The battle was the final leg of a four-day cyber camp, hosted by the US Cyber Challenge and Virginia Polytechnic Institute and State University.

As part of the camp, a dozen teams raced against each other in a so-called "capture the flag" competition. In this case, flags are strings of information on websites that don't belong there. Teams score points depending on the difficulty of isolating the rogue data. From the sidelines, future employers watch, waiting to be impressed.

American corporations and government entities face cyber-attacks every day, and are in dire need of people to defend them. These college students may be the country's best hope.

With the rest of country facing a 7.6% jobless rate, recruiters assess that the national unemployment gap - the number of vacant positions compared to the number of available candidates - in cybersecurity could be as high as one million, with 10,000 vacancies in the state of Virginia alone.

"The age of the cybersecurity workforce is generally over 40 years of age, and we need new talent," says Samuel Schneider, representative of (ISC)2, a global IT security organisation.

Private contractors and government agencies like the Federal Bureau of Investigation and Department of Homeland Security use the cyber camp to scout for that talent. A student with the right skills can pretty much pick and choose a career.

"Personally, I'm looking at the intelligence community and government," says Jonathan Weber, 22, a student of computer security at East Stroudsburg University, Pennsylvania.

The camp is also a way to introduce potential careers to those with the skills, but without the knowledge of where those skills can take them.

"After coming to this camp, there's so many ways to branch out. I've discovered a lot of options," says Nicholette Fortune, 19, from Brooklyn, New York, and one of the few women among the contestants. "I haven't had hands-on experience, so this is great for a first time," she says.

Academic institutions have beefed up efforts to meet the need for cyber professionals, but the demand is still much greater than the supply, says Diane Miller. She directs Cyber Patriot, a national high-school cyber defence competition that's grooming tomorrow's cyber protectors, presented by the defence technology contractor Northrop Grumman and the Air Force Association.

By designating select institutes "centres of excellence" and awarding scholarships to students, government agencies and private contractors work with academia to try to keep America at the cutting edge of the business.

image captionHacking contests have become an international phenomenon, like this one held in France

"Everybody is scrambling to find that exceptional talent," says Ms Miller. In June, Northrop Grumman launched a cyber-education programme for kids in their early teens. The programme started in Los Angeles, with plans to expand to the entire country.

"The earlier we reach them, the less risk they are at, you know, going out and performing illegal or illicit activities," says Mr Schneider of (ISC)2. He says he is looking to "indoctrinate or incorporate a new security mentality into children".

Instead, potential lawbreakers can put their talents into good use in national interest. "They are going to get into the system, whether you like or not," says Mr Schneider.

Break and build

During the competition, participants use methods of attack, which could easily be used for malicious intent. And that's the point.

"You have to know how to break things to be able to build them really well," says Gary McGraw, a renowned security expert. McGraw serves as chief technology officer for the software security consulting firm Cigital, which he says grew 25% last year, and constantly has vacancies equalling 10% of its workforce.

He is not worried about teaching young people techniques that could potentially be misappropriated. Like other companies, Cigital insists it performs rigorous checks on a potential employee's background and ethical conduct.

And once in, Mr McGraw says, employees get a training that is far superior to that of the "script kiddies" - his name for those who attempt rogue attacks on Cigital's clients.

The issue of employee reliability has gained new importance in the past month thanks to former defence contractor Edward Snowden, who claims to have sought employment with the technology firm Booz Allen Hamilton in order to leak classified NSA intelligence.

Among the cyber campers, many condemn his actions outright, and some even warn against turning Snowden into a hero.

"It's added some glamour to the whole thing," says Charisse Scott, 23, as the competition in Virginia wraps up. "My worry is that kids are going to be like, 'That's what I want to do'."

However, in the basement in Virginia, all prestige and glamour falls on Team 3, which wins the competition after taking an early lead. The young adults behind their laptops are - at least for now - more concerned about preventing security breaches than causing them.

More on this story