Hacking contests ID cyber talent for government, industry

Hacking camps are one way employers and the government identify talent. | University of Delaware/Evan Krape

NEWARK, Del. — The best warriors are battle-tested. So how do you identify and train the most skillful up-and-coming cyberwarriors when the combat they practice — hacking — is illegal?

Enter cyber competitions: Contests for aspiring cybersecurity warriors to show their mettle in real hacking challenges, where they can both practice their skills in a legally safe environment and appeal to recruiters who will sometimes hire the top talent on the spot.


While the competition is friendly, the backdrop is serious. Security training organization (ISC)2 estimated in its 2013 workforce study that the world will need 2 million more IT security professionals by 2017, and the Pentagon last year announced an expansion that would more than quadruple the staff of Fort Meade, Md.-based U.S. Cyber Command. But the same (ISC)2 survey found that 56 percent of professionals already feel their organizations cannot find enough qualified cyberwarriors to fill the existing demand, let alone the increasing need.

That’s why last Friday, on a beautiful July morning, nearly five dozen high school and college students and some graduates woke up early and filed into a University of Delaware classroom with their laptops, ready to out-hack and outwit each other at a “capture the flag” hacking competition run by nonprofit U.S. Cyber Challenge. For the students, it was the culmination of a week-long cyber boot camp, where they honed their coding and hacking skills.

They were joined by a governor, a U.S. senator, state and federal officials and professional recruiters, all attending to show the competitors their work is valued.

“We know that we’ve got a lot of young geniuses in there; we’ve got to convince them this is a noble career,” said Delaware Homeland Security Adviser Ray Holcomb, a former federal counterterrorism official. “It is more than just a computer game — it’s not just a game — that great things are at risk. National security is at risk, potential for huge economic loss is at risk, and personal public safety.”

Such camps are also essential to future employers and the government as a way to identify talent, he said.

“I can’t think of a better way,” Holcomb said. “I don’t think you want to do on-the-job learning with this. I don’t think you want to take a young intern and stick him in charge of cybersecurity for A.I. duPont. Not right away. You don’t get too many second chances with this.”

“This is a war,” said Sen. Tom Carper (D-Del.), who spoke at the campers’ award ceremony and posed for a picture with each competitor, in an interview. “It’s a different kind of war than my dad, my uncle served in in Korea. This is a different kind of war than I served in in Vietnam. But the threat is great, in some cases it’s greater than what we faced in those wars. And these are cyber wars, we need cyber warriors, and we need to grow our own.”

Having divided themselves into teams of four and five, the white hat hackers squared off at challenges including cracking encrypted passwords, exploiting server vulnerabilities, SQL injection and XSS flaws. Each challenge was worth different amounts of points based on the difficulty: Crack one low-level password, you might get a hundred points. Capture the first “flag,” by hacking into a server, a hundred more. Crack an entire database of passwords, rack up several hundred.

The four hours of the contest were tense but fun, with a quiet hum of activity and teamwork punctuated by celebrations when flags were captured and challenges were solved. A giant scoreboard projected in the front of the room gave updated point totals for each team, including the top scores to beat from the previous regional U.S. Cyber Challenge camp at Virginia Tech in June.

For students hoping to one day get a job in the field like University of Delaware computer science student James Luck, the camp and competition is an invaluable opportunity to practice and hone skills that are normally out of bounds.

“It’s a gray area in many regards,” Luck said of learning to hack. “The way in which you pursue knowledge in this field can lead you to observing illegal things so you know how to prevent them, and it’s nice to have an environment where you know that doing these illegal things, so that you know more about them, is not going to be getting you in trouble.”

One of the teaching assistants at the camp, a veteran of the previous year, said that it’s an unfortunate fact in the field that getting in legal trouble for experimenting with hacking skills will disqualify a young up-and-comer from most of the government cybersecurity jobs they would be trying to practice for.

“If you don’t have a safe environment, it gets real borderline, and unlike it used to be, if you get in trouble now because of the legal avenues that there are, it can really tank any future career possibilities,” said University of Delaware student Trevor Buttrey. “It used to be that the FBI, the CIA and whatnot would hire people that had less than pure pasts, but not anymore,” he said, alluding to the changes made to hiring practices in the wake of NSA leaker Edward Snowden.

As time ticked down, the competition grew more intense. This year’s camp’s director, University of Delaware professor Chase Cotton, gave updates on how much time was left, and where the point totals stood. With 10 minutes left, a round of applause broke out as he announced that an individual — a high school student — had outdone the highest individual score from Virginia Tech.

After the last seconds of the competition expired, a combination of sighs and groans went up from the room, as chatter and a few high fives broke out. Laptops were packed up as the campers went to share stories from battle over a pizza lunch, where they were joined by the administration’s top cybersecurity education official.

Ernest McDuffie, the lead of the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education, chatted with students and stayed for the awards ceremony, saying he spends much of his time traveling the country to visit such events.

“It’s a great vehicle to attract people to the field, generate some excitement, and now we’re finding that private sector sponsors are using them as recruitment vehicles,” McDuffie said. “They identify new talent, they hire people — people get job offers right off the spot at these competitions. Anything we can do to raise the awareness level of cybersecurity, the fact that there are really good jobs available, that you can get involved, that it’s a team sport … I think these competitions do a nice job of bringing that point home.”

All too familiar with (ISC)2’s workforce study, McDuffie said that although the professional shortage won’t be fixed overnight, every bit of progress helps.

“Anything we can do to attract more people to the field is one going to be a help to mitigating that shortfall,” McDuffie said. “We’re going to have a shortfall regardless, you can’t generate enough students to fill the demand, so getting the best and the brightest that we can to come to those fields is a win-win for everybody.”

Delaware Gov. Jack Markell, who also spoke to students at their awards, said politicians around the country are starting to realize that such cybersecurity education events are beneficial to both the individuals and the local economy.

“This is about playing offense and playing defense simultaneously,” Markell said in an interview. “Defense in terms of protecting our assets, protecting some major employers, helping people protect their most important assets. And at the same time, playing offense in terms of job creation.”

U.S. Cyber Challenge, a division of the nonprofit Council on Cybersecurity with a mission to address the cyber workforce shortage, runs four such camps around the country throughout the summer. Participants qualified in the spring by completing online quizzes, and then chose from the camps in Delaware, Virginia, Illinois and California. The week includes intensive coursework in cybersecurity-specific skills, a job fair with professional recruiters and a final capture the flag contest. More than 300 students are invited to participate from the online qualifiers, many of whom are extended scholarships.
