recommended reading

Feds to kids: Hacking for government agencies can be cool

Federal officials are planning to tell computer-savvy children about the risks and rewards of using their coding skills to break into computers at this weekend's first-ever DEF CON Kids hacker conference.

The lineup for the Meet the Feds panel scheduled for Saturday includes, among others, leaders from the Army's computer crime investigative unit, the Homeland Security Department and the National Security Agency -- the Pentagon's code-cracking division. The two-day computer security workshop for children ages 8 to 16 is part of the 19th annual DEF CON conference in Las Vegas, which attracts a variety of technologists, including ethical hackers hired by companies to find security defects, as well as the criminal kind of network intruders.

"We need to train a new generation of kids to understand how code works and how they can fix it so that they can defend the United States from other people in other countries who may be seeing this [same activity] as a way to gauge warfare against us," said Andrea M. Matwyshyn, a legal studies and business ethics professor at the University of Pennsylvania's Wharton School. The corporate information security scholar has attended DEF CON since 2003.

With breaches now costing organizations $1.2 million per incident versus $700,000 in 2008, according to security firm McAfee, the public and private sectors are looking to recruit and educate more cyber defenders. Not only do they want network administrators to ensure systems meet security standards, they also want so-called white-hat hackers who can penetrate systems to identify weaknesses.

The youth attending likely will possess programming skills that are far more advanced than those of many sophisticated adults, Matwyshyn said. Teens often find vulnerabilities in browsers, but rather than fixing websites, some kids take to defacing them. On July 27, London's Metropolitan Police Service arrested an 18-year-old in connection with the hacktivist groups Anonymous and LulzSec, after reportedly taking in a 16-year-old with ties to the same pranksters earlier in the month.

Matwyshyn, who also has a doctorate in human development, praised the organizers' decision to require that parents accompany their children to the event, noting moms and dads are the primary forces that can mold their kids into ethical hackers.

Today, government careers in information security are simply not as sexy as jobs like that of Computer Sciences Corp. researcher Johnny Long, a famed hacker who demonstrated how to excavate sensitive data by searching through Google. Long is expected to present at DEF CON Kids right before the feds Saturday.

In the federal government "there will be a need to create incentives to get them interested in the positive social impact that they may have by devoting themselves to the greater good of the country," Matwyshyn said.

U.S. government officials acknowledge they have to do more to attract hackers young and old and stock the federal workforce with enough cyber pros.

"A lot of this is cultural change and education and making it cool to be one of the good guys," said Bruce McConnell, a counselor for the DHS National Protection and Programs Directorate, who plans to attend this week's Black Hat conference, another hacker convention that also is being held in Las Vegas. "We absolutely are reaching out both from a recruiting aspect at those conferences as well as educational."

At DEF CON, a staff member from NSA's National Cryptologic Museum will talk about code-making and code-breaking, as well as demonstrate an authentic World War II-era Enigma machine that the Germans used to encrypt secret messages.

Legislation the White House proposed this spring would let Homeland Security offer cyber sleuths pay packages commensurate with their peers at the Pentagon and in the private sector. But Matwyshyn said agencies will have to do more than offer hefty salaries to convince kids they can be rock star code-crackers in government.

The second step is to ensure that their impact is taken seriously as a public service, she said. "There's an important social contribution that they're making as well -- and some kids will value making a difference in that way," Matwyshyn added.

Army officials agree that kids need to realize hacking for hire is not just about the money, but the purpose behind it. They can "keep people safe; keep weapons systems safe from criminals . . . keep banking accounts safe," said Chris Grey, spokesman for the Army's computer crime investigative unit.

The DEF CON session also could serve as a deterrent for would-be cybercriminals. "I think part of the goal of the Meet the Feds panel is to put a face on the people who are responsible for information security enforcement for the criminal end of things," Matwyshyn said.

Air Force Special Agent Daron Hartvigsen, who will be presenting on behalf of the service's cyber investigations office, said he suspects the audience will want to know what kind of computer hacking his division probes. "I expect we will talk a little about our authorities as a result," he said. "And for those who might have less than productive motives, let them know there are people who are now enforcing the law in cyberspace."

Hartvigsen added that he hopes the session will inspire kids to "to do what I do; consider the Air Force as a place they might want to do cool things in cyberspace when the time comes."

The interaction is intended help the kids modify their behavior to walk the fine line between legal and illegal hacking. Apparently even many adults don't know where that line is.

The Electronic Frontier Foundation, a civil liberties group, and the National Association of Criminal Defense Lawyers have raised concerns that people who have no intention of running afoul of the law may accidentally engage in illicit acts because of the way the government interprets the 1986 Computer Fraud and Abuse Act.

"One of the things that I'm worried about is that a mere breach of 'terms of use' constitutes turning all use of a website into unauthorized use," Matwyshyn said. Hypothetically speaking, kids who register using an alias on a social network site to protect their privacy may be breaking the law if that site requires users to enter their real first and last names. "Suddenly this user's otherwise lawful use of the website could be viewed as hacking," she said.

The Senate Judiciary Committee had planned a hearing for Wednesday to consider updating this law but postponed the session Tuesday when the chamber adjourned early for the August recess, a committee aide said.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.