NSA Built Stuxnet, but Real Trick Is Building Crew of Hackers

Finding people skilled enough to wage cyberwarfare is increasingly difficult, experts say.

FE_PR_120608attack2.jpg
By + More

When Stuxnet—a massive computer worm that damaged a uranium enrichment plant in Iran—was discovered in 2010, cybersecurity experts marveled at its intricacy and power.

But maybe just as impressive as the exploit itself was the fact that the National Security Administration was able to find the manpower needed to design the attack.

That's because the NSA, CIA, the Army's Cyber Command, and private companies are quickly learning there aren't enough cybersecurity experts steeped in the skills needed to wage cyberwarfare.

Experts have suggested that the United States government will need to hire at least 10,000 cybersecurity experts over the next several years, while the private sector will need even more. While most of those jobs are in defense, there's also a growing need for people who are able to hack into complicated networks.

[World Powers Play the Blame Game With Flame Virus]

Unfortunately, they say, they're getting little help from universities, which are either unable or unwilling to teach students how to exploit network security vulnerabilities.

"Universities don't want to touch [hacking], they don't want to have the perception of teaching people how to subvert things," says Steven LaFountain, an NSA official who helps the agency develop new academic programs. That means students are graduating with outdated and insufficient skills in a field that is constantly changing. When new grads come to the NSA, "We have to teach them the technical skills we thought they should have gotten in school, and then we have to teach them the specific skills related to their mission."

So, until now, the NSA and others have either trained hackers, or so-called cyber operators, on the job or hired hobbyists.

"There's two sources [of hackers], and the universities are not one of them. What you learn in a computer science course doesn't equip you for this," says James Lewis, director of the Center for Strategic & International Studies' technology and public policy program. "One is the hacker community. People get into it for whatever reason, and sometimes they end up working for the government. The second is on-the-job training, particularly in the NSA and some of the other intelligence organizations where you bring people up through apprenticeships."

[Cyber Attack Talk May Outpace The Actual Threat]

That's what happened with Charlie Miller, who became famous when he hacked the iPhone last year. He got his start at the NSA as a cryptographer and, when he left five years later, he was a cyber operator. "You can connect the dots about how that happened," Miller says.

He now works for Accuvant, a cybersecurity firm that has a great need for "penetration testers"—people who are hired by firms to try to hack into their network in order to find potential vulnerabilities.

"The people we find don't come from universities—a lot of them are self-taught," Miller says.

Industry conventions such as Black Hat, held annually in Las Vegas, have become big recruiting grounds for the private sector, while a related conference in Washington, D.C., is aimed at federal agencies. "We can't find people to hire. We're looking very hard, but we're having a heck of a time trying to fill all the positions," Miller says.

One of the problems, Miller says, is that the field is changing so quickly—it's getting harder to break into networks, but once someone is in, it's getting tougher to detect them. Stuxnet allegedly wasn't discovered for several years after it infected Iran's uranium enrichment facility."Something that worked one year ago doesn't work now," he says. "It's hard for me to stay on top of everything, and it's harder if your job is to be a professor. Most of the professors at universities don't know the offensive side of things."

So they teach what they know, and it ends up being outdated, says Alan Paller, director of research at the SANS Institute, a cyberdefense and cyberoffense training company. "Most of the jobs are very traditional—you buy a firewall and detect intrusions," he says.