How your agency can land a future cyber rock star
With the demand for cybersecurity professionals estimated to grow to 2.5 million new workers by 2015, a coalition of government and private industry organizations set a goal two years ago of identifying and recruiting 10,000 people with the native skills required for success in the field and providing a career path for them.
“We have found there are some real gems out there — rock stars or soon-to-be rock stars,” said Ed Skoudis, an instructor at the SANS Institute, a participant in the U.S. Cyber Challenge program.
One venue for identifying and developing talent is a series of invitation-only cyber boot camps for students and professionals held this summer and fall. More than 200 people participated in cyber camps in five states this year, immersing themselves in the technology and ethics of IT security and competing for prizes, including $1,000 scholarships.
Can the nation get smart about cybersecurity?
National competition puts high schoolers to the cyber warrior test
“It was great to be around people who are passionate about the same things you are,” said Erye Hernandez, a 29-year-old computer science student at George Mason University and one of the scholarship winners at the camp held during the first week of August at J. Sargeant Reynolds Community College in Richmond.
Hernandez has classmates at George Mason, but many of them are more interested in getting through classes than in the bits and bytes of cybersecurity, a subject that Hernandez said “gets me excited.” The camps provide a higher level of involvement than is available in classes. And beyond the excitement, cybersecurity is a field that offers the prospect of employment after graduation. Hernandez participated in a job fair that was part of the Virginia camp.
“A speaker from one company said that the unemployment rate for computer security is zero now,” she said.
The camps, now in their second year, are organized by U.S. Cyber Challenge, a government and industry effort launched in 2009 to address cybersecurity workforce needs through a collection of near and long-term programs. In addition to Virginia, this summer’s camps were held at California State Polytechnic University in Pomona; Community College of Baltimore County in Essex, Baltimore; the University of Missouri in Columbia; and Delaware Technical and Community College in Dover. There also will be a camp at Catawba Valley Community College in Hickory, N.C., in October.
The U.S. Cyber Challenge grew out of the report on Securing Cyberspace for the 44th Presidency, which was produced by the Center for Strategic and International Studies. The report cites professional training and workforce development as a critical challenge in improving cybersecurity. Participants in Cyber Challenge include CSIS, the Defense Department Cyber Crime Center, the Air Force Association, the SANS Institute, and a number of universities and aerospace companies.
Although there is an immediate need for cybersecurity professionals, the Cyber Challenge program also is working to create a long-term supply by identifying and recruiting students with the needed skills in high school and earlier.
“You’ve got to start with the kids,” said Hord Tipton, president and CEO of (ISC)2, the International Information System Security Certification Consortium. (ISC)2 is offering scholarships at this year’s cyber camps as part of an effort to improve educational opportunities for interested students.
SANS works to identify likely participants through programs at several levels. The Cyber Foundation is an online educational program for high school students, with three class modules on networking, operating systems and systems administration. When the students have completed the modules, they take online quizzes and compete for awards. Cyber Quest is a similar program for college students that requires more practical work and is part of the selection process for participating in boot camps.
Online competitions are another important draw for youthful cyber talent. NetWars, a computer and network security challenge, is one of the primary competitions in the Cyber Challenge, Skoudis said.
“NetWars is our ultimate challenge,” he said. “It’s an immersive environment,” an online program played out on five skill levels. It attracts some college students but is targeted primarily at working professionals.
SANS tries to avoid using the word game in describing NetWars because it wants the program to be taken seriously by professionals. But it is it is built on a gaming model.
“It’s not just puzzle-solving,” Skoudis said, it is a demonstration of practical job skills needed by real-world cybersecurity practitioners. Players analyze code, find vulnerabilities, evaluate traffic and must answer questions to move to the next level. Players compete one on one rather than in teams.
“Team stuff is important and good,” Skoudis said. “But you need to evaluate individual skills.”
Although it is an online tool, NetWars has been played until recently only in tournament settings, in which a number of players gather in a single location and compete for two or three days. The next NetWars tournament is scheduled for the SANS Network Security conference in Las Vegas from Sept. 17 to Sept. 26.
“We run NetWars a lot for the U.S. military,” Skoudis said, holding one to three tournaments a month to help identify talent and evaluate skill levels.
SANS recently launched a continuous version of NetWars at this site: https://netwars-ngc.counterhackchallenges.com/scoreboard. This version is more complex and requires a subscription that lets players compete against one another for four months. A scoreboard ranks current players. At last check, the leader was DoctorDollar, who is on Level 4 and has scored 172 points during 244 hours of play.
Hernandez qualified for the Virginia Cyber Camp by participating in Cyber Quest. This year’s task was to analyze a package of network traffic and answer questions about it.
“The questions were pretty challenging,” Hernandez said. “You had to know something about networking and how to translate the packets correctly. It was a good indicator” of ability.
Hernandez said she has always liked playing with computers. “I think it came from my dad,” who was interested in electronics, she said. “I was lucky enough to find a job in the computing field” when she graduated from high school, working in tech support. She expects to graduate in May and always wanted to go into computer science.
Spotting outside talent
Efforts are being made to identify students with cybersecurity potential outside the traditional STEM programs — science, technology, engineering and math — said Karen Evans, former IT administrator at the Office of Management and Budget and now national director of the Cyber Challenge. “By having the invitation-only camp, it is attracting different kinds of people,” she said.
Camp participants this year ranged from teenage college students to a 47-year-old. One scholarship winner was a 40-year-old attorney who is changing careers. But the camps are not for casual dabblers in IT. “The classes were tough,” said Hernandez, especially reverse-engineering malicious code. Without a computer science background, it would have been difficult to get through the hexadecimal and code, she said.
Despite the raw talent that is being identified in the Cyber Challenge programs, “there is a lot of need for skills development,” at all levels, both professional and educational, Skoudis said. “Often, we find we have to recalibrate a challenge downward” to enable participants to complete them.
Still, commercial sponsors of the Virginia camp that participated in the job fair were happy with the results, Evans said.“All of them said the candidates were excellent,” she said. “They are considering several of them” for jobs.