Program Teaches Cybersecurity Students How to Think like Hackers

RICK KARR: The bad guys stole more than three million Social Security numbers from the State of South Carolina. As many as seventy million credit card numbers from Sony PlayStation. They got access to all of the personal details of some customers of a nationwide mortgage lending firm. But cybercriminals aren’t just looking to steal personal information and credit card numbers when they break into corporate computers -- they’re looking for other valuable information.

STEWART BAKER: Everything about your business is accessible to an attacker.

RICK KARR: Stewart Baker is former general counsel of the NSA who’s now a computer security consultant.

STEWART BAKER: They can steal your designs. They can steal your-- know-how. They can steal your customer list and your internal analysis of what the biggest problems are in your product. This is pretty scary.

RICK KARR: The bad guys are mostly working from China and former Soviet states. They’re well-trained. Some of them are protected by -- or even working for -- their governments, so they don’t care about getting caught. And they might be able to do even more than steal information from businesses. Security experts worry that they could cripple the banking system ... or shut down parts of the electric grid. Baker says ... American businesses need a new mindset if they’re going to defend themselves.

STEWART BAKER: I'm a big believer that-- the best defense is an offense. And-- if we're going to have an offense-- we've got to have people who are really talented drawn to that field.

RICK KARR: People like these college undergraduates, who just might be able to save America’s corporations and governments from the bad-guy hackers: They’re students at Carnegie Mellon University, one of the nation’s top computer science schools ... and they’re learning to fight off the bad guys ... by thinking the same way they do. They’re learning to be the good guy hackers.

DAVID BRUMLEY: You have to understand and be able to anticipate how attackers are going to come at you. 'Cause if you're only doing defense, if you don't look at offense at all, you're always reacting and you're always one step behind.

RICK KARR: Is that different? Is that a change in the way computer science faculties have approached this?

DAVID BRUMLEY: Traditionally, yeah. Traditionally, there hasn't been a lot of expertise in offensive computer security. And it really hasn't been taught at the university level.

RICK KARR: Computer security professor David Brumley says ... it’s tough stuff to teach ... because the brand-new, cutting-edge cyber-attack of today will be available to anyone with a web browser by next week.

DAVID BRUMLEY: For example, my courses in computer security? We don't have textbooks. Everything's so new. We have to go out and look at websites, we have to go look at-- the latest things from conferences, and really teach from that. Every year it's a significant update.

RICK KARR: Is it ever the case that you actually have a student discover something that nobody knew about, in the middle of a semester?

DAVID BRUMLEY: Oh, that's actually a course requirement. One of the things we ask students to do is go out and find a vulnerability that no one else has found, figure out if it's exploitable, and then report it ethically.

RICK KARR: Which means what?

DAVID BRUMLEY: It really means they're going and finding something they could use to break into someone's computer. And then they go tell the programmer, look, here is a flaw; fix it.

RICK KARR: All those flaws that Carnegie Mellon’s undergrads find every semester ... don’t necessarily mean that the software on your P-C or your bank’s web site is badly written. Almost every piece of software, every computer system has vulnerabilities that can be exploited -- it’s virtually impossible to make anything that’s connected to the internet perfectly secure. And today -- compared to 10 or 20 years ago, all of us have just so many more computers and smartphones and tablets -- all of them connected and vulnerable. So we’re vulnerable, too.

Carnegie Mellon’s students are so good at exploiting those vulnerabilities ... that the NSA enlisted them to create a game that teaches hacking skills to high-school-aged students -- and paid for the job. Cylab, the university’s cybersecurity institute, is home to the top-ranked competitive hacking team in the world: the Plaid Parliament of Pwning -- “pwn” is hacker-speak for “own”, as in the hacker takes a computer over and owns it. For the third straight year, the team won top honors at international contests that pit teams of hackers against one another ... and utterly demolished the competition at a prestigious contest in Las Vegas.

DAVID BRUMLEY: It's a little bit like a little, mini-cyber-war that's going on. And you get points by how well you find exploits in your adversaries and how well you can defend against their attacks. They're-- secure from the normal internet and they're set up specifically for this purpose.

RICK KARR: How stiff is the competition here? I mean, who's on your heels in terms of the top ten rankings.

MALE STUDENT #3: Man, so, you know who's not? There's all sorts of government contractors who have, you know, teams that we compete with. And, you know, they do this professionally.

RICK KARR: “Hacker” is a label the students embrace. The word has a long history in computer science circles -- where it was originally meant as praise. The students say ... it still can be.

MALE STUDENT #2: We don't think of it as bad. We think of it as-- getting a deeper understanding for how something works in order to make it do something that maybe it wasn't intended to do but it's capable of doing.

ANDREW CONTE: It's often the people who as young high school students they started goofing around with-- electronics or computers, and they started figuring out, you know, how to do simple attacks, how to get inside of-- machines.

RICK KARR: Andrew Conte is an investigative reporter at the Pittsburgh Tribune-Review who’s written dozens of articles about hackers and cybersecurity.

ANDREW CONTE: And at some point they make the decision. You know, "Am I going to be-- a good hacker or a bad hacker?" And there's not that much difference between them in terms of-- their abilities. Huge difference in terms of their motivations.

RICK KARR: That raises the question of how wise it is to teach these abilities to students barely out of their teens ... with unknown motivations. Cylab graduate student Peter Chapman says not to worry.

RICK KARR: If you're figuring out how to attack things, isn't it possible that somebody who comes outta here isn't going to do it for the right reasons?

PETER CHAPMAN: If that person's motivated, they can certainly find it out on their own. This isn't hidden information. Someone who's determined to break into a system, they can take normal courses and just add this "How am I going to ruin the world" mindset to it. It's the same way a locksmith who knows how to fix locks can probably also break into them.

RICK KARR: Cybersecurity consultant Stewart Baker says ... sometimes it makes sense for a company that’s been the target of bad-guy hackers to engage in a little digital breaking and entering of its own -- to hack back, in other words. He thinks it could be an important weapon in the cybersecurity arsenal. But it isn’t always so clear-cut ethically. Or legally, because it can violate federal computer security laws.

STEWART BAKER: I have been making a very public-- argument that we should allow this and we should read the Computer Fraud and Abuse Act to permit it.

RICK KARR: What if the machine in question is outside the U.S.? I mean, is that still a violation of the act?

STEWART BAKER: Unfortunately, it is.

RICK KARR: Baker says good-guy hackers who have “hacked back” have learned that cybercriminals aren’t always as clever as they seem to be. Take the example of a hacker who broke into law-enforcement computers, copied personal information about officers ... and posted it online. He also left a ... provocative ... picture of his girlfriend as a calling card, which turned out to be a mistake.

STEWART BAKER: They took the picture with an iPhone. And that meant that somebody had helpfully included the-- geographic coordinates where the picture was taken. So the F.B.I. finds the girlfriend of the hacker, and went and busted the guy in Texas. So these digital clues are everywhere.

RICK KARR: The hacker pleaded guilty to accessing a protected computer without authorization and received a sentence of twenty-seven months in prison. Stewart Baker says ... that’s the kind of outcome he’d like to see from good-guy hackers, like the students at Carnegie Mellon.

