Educating Elite Hackers and Cybersecurity Experts

It started with Michael Coppola taking things apart at the age of five: the remote control, his mother's house lamps, the family's VCR. He was curious about how things worked. By the time he was in fourth grade, he moved on to software. After building Web sites for his parents and their friends, Coppola, now 17, decided to try his hand at hacking. "When you have this passion for technology, you're not satisfied with knowing how to use something, you want to know how it works," he says. What started out as mere curiosity now makes this Connecticut high-school senior a rare—and highly valued—commodity: a hacker in the making.

While billions of dollars are being spent to secure U.S. cyberspace, the number of elite cybersecurity experts needed to protect and traffic this area for the government and the private sector is dangerously inadequate. The Comprehensive National Cybersecurity Initiative (CNCI) launched by President George W. Bush lists the need for better cybereducation and more experts as part of 12 core initiatives, but its large-scale implementation will take time. According to national-security authorities, time is something we don't really have. By one estimate the United States currently has about 1,000 elite experts. It needs 20,000. Until now, the formal recruiting and training of a national cybercorps has been haphazard at best. Fortunately, for the Michael Coppolas among us, private companies and government agencies are amping up their efforts to find and educate a new generation of cyber whiz kids. By sponsoring national cyber competitions akin to American Idol, the goal is to quickly bring at least 10,000 young tech minds into the fold. Among the organizers leading the way is Alan Paller, cofounder and research director of the Sans Institute, a cybersecurity school.

Paller is kind of a real-life version of Professor Charles Xavier, the X-men comic-book character who heads a school designed to find and nurture young mutants with supernatural powers. Early in his career, he cofounded a major graphics company and was an original member of President Bill Clinton's National Infrastructure Assurance Council, which was setup to address threats to the country's critical infrastructure. Since then, the cyber veteran has invested about 20 years helping to mold some of the brightest cyber minds in the world at Sans, and in doing so, keeping their skills on the right side of the law. He only decided to co-host a cyber challenge in 2008, after meeting with computer-security leaders from the White House, the NSA, and other agencies. "Simply put, we find ourselves in the same situation we did during the 1950s and 1960s when we took on the space race," he says. "That [period] inspired young people to consider careers in math and science. Today, we need to approach cybersecurity the same way."

To Paller, that means looking for talent in unconventional places. It was the first Cyber Challenge, in 2009 and sponsored in part by Paller's organization, that piqued Coppola's interest. The cybersecurity simulation (titled "Netwars") required the 240 contestants to hack into 12 servers. Each server was worth points and whoever had the highest tally at the end of the game would be declared the winner. But instead of going from server to server, Coppola decided to hack the scoreboard and give himself the most points. Naturally, he won. "It wasn't part of the initial plan," he says. "I just happened to come across the vulnerability and decided to focus my time on that."

Perhaps this is what makes Paller's Netwars, one of the three cyber challenges he and others promote, the most interesting. It's a game that effectively focuses on finding vulnerabilities in a system and exploiting them to gain access. Some argue that such games are encouraging the kind of skills once relegated to the bad guys. But with a medium where there's a thin virtual line between those that exploit and those that protect, Paller is a big believer in having both a good defense and a good offense. "If we're going to outwit them, then we have to know how they work," says Paller of malicious hackers.

There is something to be said for that argument. Other countries, like China and Russia, have been hosting similar contests for years. Their motivation lies in how often and increasingly their governments are the targets of hacking attacks. Not that the U.S. fares much better. According to the Senate's Sergeant at Arms office, Congress and other government agencies are now under cyberattack an average of 1.8 billion times a month, compared with an average of 8 million times a month in 2008. Businesses are in the same situation. One report suggests that downtime from a cyberattack already costs a company an estimated $6.3 million per day on average.

And the reality is that both the government and private sector can expect the situation to get worse. Dickie George, information assurance technical director of the National Security Agency (NSA), says he could easily use 1,000 qualified cyberexperts in the next year. And going through conventional channels won't do. "When I go to schools, there are more recruiters at the schools than there are people to recruit," he says. "Right now it's a losing game." George points to a recent visit where a student gave a riveting cyber presentation. "There was a line of people there, with me in the front saying, 'I want to hire you,' and a guy from a company behind me saying, 'I want to hire you, too, and I want to hire you for twice as much as he does.'" According to, the average cybersecurity expert makes roughly $102,000 per year, with the highly talented making more.

A large part of this shortage problem is education, George says. While several programs at colleges teach the basics of cybersecurity, there are few that can be considered state of the art. That limits the pool of bright graduates who are properly trained to deal with the shape-shifting nature of security. The NSA has made some efforts to partner with colleges across the country to better prepare those interested in a cyber career with the organization. And Steven Chabinsky, deputy assistant director at the FBI's Cyber Division, says every new agent must take 40 hours of cyber training. But he acknowledges that they too are actively looking to beef up the number of cyberexperts. Jim Lewis, director of technology and public-policy programs at CSIS, a public-policy research institution, which helped host the cyber challenge, agrees that the broader problem is deeply rooted in education, but there are other issues too. "Yes, part of it is that we have academic programs that don't produce the kind of people we need, but part of it is that the U.S. stopped funding computer sciences for about 10 years and a part of it is that until recently we really didn't understand just what kind of people we needed."

This is why Coppola finds himself in a sweet position.After having won the Netwars challenge, he's been offered a scholarship to take courses at the Sans Institute to fine-tune his skills. He's also helping the organization design classes for high-school students.

Several other players also did well. The NSA was able to recruit eight contestants for summer internships. Not a bad gig considering that 85 percent of those who intern are offered permanent jobs. And the FBI plans to partner on a challenge later this year and offer internships to the winners. Even the Air Force, which helped co-host last year's event, will offer five college scholarships to the winners of an upcoming competition.

On concerns about turning any of these kids to the dark side, Paller concedes it may be a little true. "Look, when the military trains young men and women to handle weapons, there's no guarantee some of them won't use that talent inappropriately," he says. "The truth is, I don't see a way to defend a country without growing these skills."

Paller and the other organizers plan to continue to expand the number of competitions and will add a series of weeklong cyber camps, the equivalent of soccer camp, starting in July. He'll be looking for the next kid who gets a thrill from taking things apart ... and who one day may be on the front lines protecting America's cyberspace.