DARPA can't do it.
That's what the Defense Advanced Research Projects Agency admitted at its first-ever Cyber Colloquium in November 2011: It can't defend its own defense networks without more help from geniuses.
At the conference, DARPA officials pleaded with hackers to help them out, saying that the agency plans to boost spending as it battles adversaries in cyberspace.
DARPA director Regina Dugan told the audience that the military needs "more and better options" to meet cyber threats to a growing range of industrial and other systems. Even security companies—those staffed by the security elite—are getting pwned by players such as Anonymous, and the U.S. infrastructure is getting gnawed on by hackers from hostile nation states. Two of many examples: Anonymous's Christmas-day hack of Stratfor Global Intelligence, which resulted in data loss on an astonishing 860,000 Stratfor subscribers. And foreign hackers, likely working for China, who gained unauthorized access to U.S. satellites in multiple instances in past years.
To fight off such attacks, our country's defense industry needs geniuses. The ones who think radically, not Washington bureaucrats. At this point, DARPA's ready to infuse every level of the organization with that kind of brilliance, Dugan said.
Of course, DARPA's not alone. Every organization faces the same formidable list of enemies. Every organization that has any cyber presence whatsoever faces the same challenges. And every organization could likely use a few more geniuses.
But how do you find that kind of brilliance? How do you hire top-notch security experts? Since hacking is inherently illegal, many of hackers' exploits are carried out in the dark. The breakthroughs and those who mastermind them aren't easily Googled. Do you hang out where they do, say, at conferences such as DEFCON or Black Hat? Do you train them? Do you wait until your business's customer database gets doxed by your local Anonymous Ops and then offer the perpetrating genius(es) a job?
Maybe not that last one.
I asked a few security experts. Here's what they told me.
Don't find security experts. Make them.
Earl Boebert has been involved in security since the early 1970s. His curriculum vitae includes a stint as senior research fellow at Honeywell, another as technical founder and chief scientist of Secure Computing Corp., and one as a senior scientist at Sandia National Labs. He's taken part in 10 National Research Council studies on security.
More to the point, he's built multiple world-class technology teams from scratch.
His first rule: You don't find security experts. You make them.
Boebert looks for temperament, knowing that he can build skills on top of that. He looks for drive and high intelligence, and he looks for people in places you wouldn't necessarily expect to find security geniuses. If that means you're hiring somebody whose resume lists managing a McDonald's, so be it.
"You look for people who've overcome some disadvantage," he says. When he was at Honeywell, for example, he actively sought out female engineers, since he knew they'd overcome the attitude of the times, which was the 70s and 80s. He looked for what was, essentially, a street kid's background, since that gives a person "a certain wiriness," he says.
"I refer to the general characteristic of being one of the un-anointed," Boebert says. "No scholarships, medals, or PhDs. Hard-scrabble people. The most brilliant person in a security-related business I ever worked for I described as a coal miner's daughter with an IQ of 200. You know the type: She shoots shotguns, rides horses, fixes her pickup trucks, and beats the living shit out of a problem when she gets it."
The problem with hiring PhDs—and I have heard this from multiple technology managers—is they sometimes think they can coast through the job.
"The biggest mistakes I ever made were with the anointed," Boebert says. "They didn't understand how hard you had to work. Particularly with a strong formal education, they weren't used to facing un-formal problems."
Formal problems are the type of highly structured problems that have too often been presented as information security coursework in U.S. higher education, Boebert says: "You solve it, you get your box checked, you get praise for solving a canned problem."
What more closely approximates the morphing daily hell that is cyber security would be the classic reverse-engineering problem of an alien box that comes flying out of the atmosphere to plunk down in the back yard. Everybody looks at it and asks, "What the hell is it? What does it do? And what do we think of it?" That is the type of unstructured problem that security analysts deal with as alien boxes come hurtling through cyberspace. Not even alien boxes, per se—more like alien vampire leeches that suck your brains and erase your memory—say, like the new SpyEye Trojan that was found shortly before the 2011 holidays, intercepting online banking customers' debit card data and then erasing the transactions it used to drain accounts.
Hire from higher ed programs that instruct in the dissection of alien vampire leeches
OK, so, where do you find people trained in dissecting the unknown?
I had a conversation with one Shawn Bérubé, an 18-year-old student studying information assurance—in a nutshell, defensive hacking—at Capitol College, in Laurel, MD. He believes his coursework is the type of unstructured problem solving we're talking about. He's studying defense against malicious hackers and disaster recovery. He hopes to go on to study information operations—i.e., offensive hacking—if Capitol offers it within the next few years.
If your eyes tend to glaze over when you see laundry lists of security certifications (no offense, but I have never known a security expert to speak glowingly of CompTIA's Security+ certification), Capitol's description of its program might not impress you.
But what might be more interesting to battle-scarred security people is the college's freshly minted Cyber Battle Lab, where hacker attacks are simulated, detected, analyzed, and defeated. The CBL is brand-spanking new, having been birthed only in December 2009, so time will tell if it graduates security people with the type of hands-on experience Boebert is talking about.
But at least it's appealing to potentially decent hackers like Bérubé. He started repairing computers for a company at the age of 12 back in his homeland of France and is still employed as their one-man IT shop. To fix those computers, he had to learn how to hack, so he'd know what he was up against, he says.
He started with Ophcrack, a Windows password cracker: handy when he had physical access. He's used other stuff, such as Wireshark, a network protocol analyzer for intercepting TCP/IP packets, then of course Armitage/Metasploit to find and use exploits and open sessions, as well as key loggers. He learned Aircrack-ng to crack WEP and WPA passwords for router access. He taught his employers how to protect themselves and what to keep an eye out for. And most all of it was self-taught, through Google and forums, also learning how to create labs (so he didn't ruin any equipment) while he was at it.
What does he want to do with all this? He's hoping to work for the National Security Agency or the Department of Homeland Security as a white hat, or for big organizations such as Google or banks, or maybe as a pen tester, or then again, maybe doing cybercrime forensics.
I don't know if you'd want to hire him or not. But you want to hire somebody with familiarity with those types of tools. Most particularly, you want to hire somebody with what Bérubé's got: curiosity and a love of puzzles.
Look to scrappy little institutions that glue it all together with duct tape
And maybe you want to do what Boebert recommends: He suggests you look to small schools, not places like Stanford, where students are the sys admins. The ones where students have to hack their own network together. "They don't have money," Boebert says. "They're not getting [big tech companies'] entire support department coming to put it together for them. They got a bunch of boxes and wires, and somebody told them, 'OK, kid, make it go.'"
Where to start? Try looking at results from security researchers working in higher ed. Take a look at places like Utah Valley University, where researchers are dedicating 120 computers to study and decode the passwords exposed by the Stratfor attack. Kevin Young, an adjunct professor and area IT director who recently assessed the bafflingly easy-to-crack passwords used by people who should really know better—say, [yikes!] the U.S. Marines—already, obviously, has a job. If I were looking for hackers, though, I'd be curious to know whom he'd recommend out of the student body, wouldn't you?
Also keep an eye out for programs that focus on offensive hacking. Rick Moy, CEO of ExploitHub—a marketplace for validated, non-zero-day exploits—employs 15 hackers and exploit writers, and he's looking to hire around five more. He finds that a surplus of programs focus on the defensive side, like those at the University of Maryland or the University of Texas at San Antonio.
"The thing that's generally still missing is the offensive part," Moy says. "To have a good defense, you need to fully understand offense."
He likes that Capitol College has the two approaches working in tandem. Hmm, he says. That one, he plans to have his people check out.
And here's where you say:
He's running a market for exploits and he can't find hackers?!
ExploitHub, a venture from security research/testing vendor NSS Labs, is in the early stages, newly launched at Black Hat in August 2011. There are about 600 hackers/security researchers on the site at this point.
It actually might turn into a tasty spot for recruiting hackers. As Moy points out, the job market for hackers has not, historically, been particularly robust. That's starting to change for pen testers, he says, but pen testing's a little different from hacking: It's generally focused on the thing that an organization hires the pen tester to do, not the broader arena of defensive/offensive hacking of whatever flies at you.
A lot of people contributing to ExploitHub have full-time jobs. They hack because they like to. ExploitHub could be a showcase for their talent, could well turn into a hacker job site—a concept its founders are mulling.
"If DARPA's serious about hiring hackers, they should be courting hackers on ExploitHub," Moy says.
OK, so, he's got five openings for hackers. Why doesn't he just hire from that pool of 600 on ExploitHub?
"It's not easy," he says. "It's not like trying to hire for other industries, like doctors or lawyers: professions that have existed over 2,000 years. Right back to Mesopotamia they had law and medicine. It's been two millennia of development for institutions to codify knowledge and pass it on through accredited learning programs, through universities, through textbooks.
"You look at modern cyber security, it's really just the last 15-20 years that it's been an active, growing profession. You have very smart people, and plenty of books written, but by and large, it's still not very well-codified. And there's not much agreement on best practices. Not much research has been done compared with other professions. There's a much smaller pool of talent. Most talent you find is self-taught: They read books or self-taught" themselves in other ways, Moy says, à la Bérubé and the Google/forums/playing with the tools/tinkering with the hardware approach.
But here's the thing: Hackers tend to have personalities that Moy describes as, well, "different." Good hackers generally do not want to manage people. "They're doers," he says. "That's what drives them."
There's a big cultural difference. Most hackers do their best work after the sun goes down. "A lot of our people stay in the lab and work till 3 or 4 in the morning on a fairly regular basis. … It's hard to run a traditional organization that expects to have business meetings at 8 or 9 a.m. Or to have your hacker send a memo regarding their status to a customer."
Given the typical hacker mindset, somebody like Moy often finds himself looking for purple squirrels. That's recruiter speak for an unlikely combination of perfect temperament (able to show up at business meetings, gives a damn about communicating with clients) with appropriate experience and qualifications.
So that's why even the guy who runs a marketplace for exploits doesn't have it easy when he has to hire his purple squirrels.
"As soon as we're done talking, I'm going to get in touch with that university to see if we can hire some of them," Moy informed me, referring to Capitol College.
Good luck and Godspeed, ye sitting ducks
If he beats you out and hires all the good ones, there are always security conferences to stalk. If you can hit up Def Con or Black Hat or CanSecWest or any of the other numerous shows, and if you can leave without your smartphone/laptop/whatever getting pwned (or even if you do get pwned), you will be treated to a smorgasbord of white hats, black hats, gray hats, and maybe even a few purple squirrels.
Good luck, Godspeed, and if you survive, let us know how you liked the belly of the beast and if you managed to come out with the freshly pledged allegiance of a genius or two.