Feds to kids: Hacking for government agencies can be cool

Federal officials are planning to tell computer-savvy children about the risks and rewards of using their coding skills to break into computers at this weekend's first-ever DEF CON Kids hacker conference.

The lineup for the Meet the Feds panel scheduled for Saturday includes, among others, leaders from the Army's computer crime investigative unit, the Homeland Security Department and the National Security Agency -- the Pentagon's code-cracking division. The two-day computer security workshop for children ages 8 to 16 is part of the 19th annual DEF CON conference in Las Vegas, which attracts a variety of technologists, including ethical hackers hired by companies to find security defects, as well as the criminal kind of network intruders.

"We need to train a new generation of kids to understand how code works and how they can fix it so that they can defend the United States from other people in other countries who may be seeing this [same activity] as a way to gauge warfare against us," said Andrea M. Matwyshyn, a legal studies and business ethics professor at the University of Pennsylvania's Wharton School. The corporate information security scholar has attended DEF CON since 2003.

With breaches now costing organizations $1.2 million per incident versus $700,000 in 2008, according to security firm McAfee, the public and private sectors are looking to recruit and educate more cyber defenders. Not only do they want network administrators to ensure systems meet security standards, they also want so-called white-hat hackers who can penetrate systems to identify weaknesses.

The youth attending likely will possess programming skills that are far more advanced than those of many sophisticated adults, Matwyshyn said. Teens often find vulnerabilities in browsers, but rather than fixing websites, some kids take to defacing them. On July 27, London's Metropolitan Police Service arrested an 18-year-old in connection with the hacktivist groups Anonymous and LulzSec, after reportedly taking in a 16-year-old with ties to the same pranksters earlier in the month.

Matwyshyn, who also has a doctorate in human development, praised the organizers' decision to require that parents accompany their children to the event, noting moms and dads are the primary forces that can mold their kids into ethical hackers.

Today, government careers in information security are simply not as sexy as jobs like that of Computer Sciences Corp. researcher Johnny Long, a famed hacker who demonstrated how to excavate sensitive data by searching through Google. Long is expected to present at DEF CON Kids right before the feds Saturday.

In the federal government "there will be a need to create incentives to get them interested in the positive social impact that they may have by devoting themselves to the greater good of the country," Matwyshyn said.

U.S. government officials acknowledge they have to do more to attract hackers young and old and stock the federal workforce with enough cyber pros.

"A lot of this is cultural change and education and making it cool to be one of the good guys," said Bruce McConnell, a counselor for the DHS National Protection and Programs Directorate, who plans to attend this week's Black Hat conference, another hacker convention that also is being held in Las Vegas. "We absolutely are reaching out both from a recruiting aspect at those conferences as well as educational."

At DEF CON, a staff member from NSA's National Cryptologic Museum will talk about code-making and code-breaking, as well as demonstrate an authentic World War II-era Enigma machine that the Germans used to encrypt secret messages.

Legislation the White House proposed this spring would let Homeland Security offer cyber sleuths pay packages commensurate with their peers at the Pentagon and in the private sector. But Matwyshyn said agencies will have to do more than offer hefty salaries to convince kids they can be rock star code-crackers in government.

The second step is to ensure that their impact is taken seriously as a public service, she said. "There's an important social contribution that they're making as well -- and some kids will value making a difference in that way," Matwyshyn added.

Army officials agree that kids need to realize hacking for hire is not just about the money, but the purpose behind it. They can "keep people safe; keep weapons systems safe from criminals . . . keep banking accounts safe," said Chris Grey, spokesman for the Army's computer crime investigative unit.

The DEF CON session also could serve as a deterrent for would-be cybercriminals. "I think part of the goal of the Meet the Feds panel is to put a face on the people who are responsible for information security enforcement for the criminal end of things," Matwyshyn said.

Air Force Special Agent Daron Hartvigsen, who will be presenting on behalf of the service's cyber investigations office, said he suspects the audience will want to know what kind of computer hacking his division probes. "I expect we will talk a little about our authorities as a result," he said. "And for those who might have less than productive motives, let them know there are people who are now enforcing the law in cyberspace."

Hartvigsen added that he hopes the session will inspire kids to "to do what I do; consider the Air Force as a place they might want to do cool things in cyberspace when the time comes."

The interaction is intended help the kids modify their behavior to walk the fine line between legal and illegal hacking. Apparently even many adults don't know where that line is.

The Electronic Frontier Foundation, a civil liberties group, and the National Association of Criminal Defense Lawyers have raised concerns that people who have no intention of running afoul of the law may accidentally engage in illicit acts because of the way the government interprets the 1986 Computer Fraud and Abuse Act.

"One of the things that I'm worried about is that a mere breach of 'terms of use' constitutes turning all use of a website into unauthorized use," Matwyshyn said. Hypothetically speaking, kids who register using an alias on a social network site to protect their privacy may be breaking the law if that site requires users to enter their real first and last names. "Suddenly this user's otherwise lawful use of the website could be viewed as hacking," she said.

The Senate Judiciary Committee had planned a hearing for Wednesday to consider updating this law but postponed the session Tuesday when the chamber adjourned early for the August recess, a committee aide said.