But for places that are more at risk—security and financial firms, other large companies, and the federal government, that sort of defense doesn't cut it anymore. Even private companies that only want to defend their own networks are beginning to see the need for skilled hackers.
"The whole field is moving toward penetration testing. We think of them as defensive experts, but it's really the same skills you need for offense," Paller says.
There are some bright spots, however. There's a growing community of hobbyist hackers who try to exploit security holes in sanctioned contests, and university clubs that (legally) focus on hacking. Miller hacked the iPhone as part of last year's Pwn2Own contest, for example. Winners of those contests may not have their pick of jobs, "but any company will talk to you" after you have pulled off such a feat.
And late last month, the NSA announced it would do its part to help solve the problem, partnering with four universities—Dakota State University in South Dakota, Naval Postgraduate School in California, Northeastern University, and the University of Tulsa—to form a cyber operations program that will train students for future careers at the agency.
Students will take classes in subjects that have been all but forgotten in many university cybersecurity programs, such as base-level computer programming languages, reverse engineering, and the legal and ethical issues involved in cyberwarfare.
Students will have to pass a background check and will get top-secret security clearance. Classified summer seminars at the NSA will give students real-world case studies.
"We don't have a specific goal in mind" for the number of students who will be trained through the program, NSA's LaFountain says. "But there's definitely a need, and it's a challenge to find students with these skills. It's our plan to plant the knowledge to do this at the universities."
Jason Koebler is a science and technology reporter for U.S. News & World Report. You can follow him on Twitter or reach him at firstname.lastname@example.org