When Stuxnet—a massive computer worm that damaged a uranium enrichment plant in Iran—was discovered in 2010, cybersecurity experts marveled at its intricacy and power.
But maybe just as impressive as the exploit itself was the fact that the National Security Administration was able to find the manpower needed to design the attack.
That's because the NSA, CIA, the Army's Cyber Command, and private companies are quickly learning there aren't enough cybersecurity experts steeped in the skills needed to wage cyberwarfare.
Experts have suggested that the United States government will need to hire at least 10,000 cybersecurity experts over the next several years, while the private sector will need even more. While most of those jobs are in defense, there's also a growing need for people who are able to hack into complicated networks.
Unfortunately, they say, they're getting little help from universities, which are either unable or unwilling to teach students how to exploit network security vulnerabilities.
"Universities don't want to touch [hacking], they don't want to have the perception of teaching people how to subvert things," says Steven LaFountain, an NSA official who helps the agency develop new academic programs. That means students are graduating with outdated and insufficient skills in a field that is constantly changing. When new grads come to the NSA, "We have to teach them the technical skills we thought they should have gotten in school, and then we have to teach them the specific skills related to their mission."
So, until now, the NSA and others have either trained hackers, or so-called cyber operators, on the job or hired hobbyists.
"There's two sources [of hackers], and the universities are not one of them. What you learn in a computer science course doesn't equip you for this," says James Lewis, director of the Center for Strategic & International Studies' technology and public policy program. "One is the hacker community. People get into it for whatever reason, and sometimes they end up working for the government. The second is on-the-job training, particularly in the NSA and some of the other intelligence organizations where you bring people up through apprenticeships."
That's what happened with Charlie Miller, who became famous when he hacked the iPhone last year. He got his start at the NSA as a cryptographer and, when he left five years later, he was a cyber operator. "You can connect the dots about how that happened," Miller says.
He now works for Accuvant, a cybersecurity firm that has a great need for "penetration testers"—people who are hired by firms to try to hack into their network in order to find potential vulnerabilities.
"The people we find don't come from universities—a lot of them are self-taught," Miller says.
Industry conventions such as Black Hat, held annually in Las Vegas, have become big recruiting grounds for the private sector, while a related conference in Washington, D.C., is aimed at federal agencies. "We can't find people to hire. We're looking very hard, but we're having a heck of a time trying to fill all the positions," Miller says.
One of the problems, Miller says, is that the field is changing so quickly—it's getting harder to break into networks, but once someone is in, it's getting tougher to detect them. Stuxnet allegedly wasn't discovered for several years after it infected Iran's uranium enrichment facility."Something that worked one year ago doesn't work now," he says. "It's hard for me to stay on top of everything, and it's harder if your job is to be a professor. Most of the professors at universities don't know the offensive side of things."
So they teach what they know, and it ends up being outdated, says Alan Paller, director of research at the SANS Institute, a cyberdefense and cyberoffense training company. "Most of the jobs are very traditional—you buy a firewall and detect intrusions," he says.
But for places that are more at risk—security and financial firms, other large companies, and the federal government, that sort of defense doesn't cut it anymore. Even private companies that only want to defend their own networks are beginning to see the need for skilled hackers.
"The whole field is moving toward penetration testing. We think of them as defensive experts, but it's really the same skills you need for offense," Paller says.
There are some bright spots, however. There's a growing community of hobbyist hackers who try to exploit security holes in sanctioned contests, and university clubs that (legally) focus on hacking. Miller hacked the iPhone as part of last year's Pwn2Own contest, for example. Winners of those contests may not have their pick of jobs, "but any company will talk to you" after you have pulled off such a feat.
And late last month, the NSA announced it would do its part to help solve the problem, partnering with four universities—Dakota State University in South Dakota, Naval Postgraduate School in California, Northeastern University, and the University of Tulsa—to form a cyber operations program that will train students for future careers at the agency.
Students will take classes in subjects that have been all but forgotten in many university cybersecurity programs, such as base-level computer programming languages, reverse engineering, and the legal and ethical issues involved in cyberwarfare.
Students will have to pass a background check and will get top-secret security clearance. Classified summer seminars at the NSA will give students real-world case studies.
"We don't have a specific goal in mind" for the number of students who will be trained through the program, NSA's LaFountain says. "But there's definitely a need, and it's a challenge to find students with these skills. It's our plan to plant the knowledge to do this at the universities."
Jason Koebler is a science and technology reporter for U.S. News & World Report. You can follow him on Twitter or reach him at firstname.lastname@example.org
- Obama's Iran Options: Talk, Threaten or Attack
- Check out U.S. News Weekly: an insider's guide to politics and policy
- Chen Case Reveals Fragility of Chinese Communist Party