We hear a lot about hackers these days. The US election was hacked. The French election was hacked. A hotel was hacked and had to pay ransom to get the locks to work so that their guests could get into their rooms. The electrical grid in the Ukraine was hacked. We read about this and we may not really comprehend it. But when you are forced to pay ransom to get your hospital data back you might believe it more.
Who are these hackers? Are they graduates of some hacker U?
For some time now I have been working with hackers of a particular sort, mainly hackers who want to be good guys and who tend to work for the US government to help their country. How can they help? They can attack our enemies and they can defend our institutions. I wondered how these hackers learned how to hack.
To find out, I interviewed a few of them. Here is “Riverside.” (They tend to be nervous about giving out their real names):
I remember some very vivid memories as a child as early as 2 or 3 of different things that I would do playing in the neighborhood doing things with different kids. I was always into finding ways to get around anything where there were security systems locks. I ran away to go get burritos at three. My mom had locks all up and down the doors. At 3 you should never be able to figure out how to get through that. I built this contraption out of chairs and tables and a whole bunch of other things to unlock every single lock to figure out all of them and wandered over and they brought me home. I’ve always had that natural solved puzzle mindset in my head.
How odd is this story in the world of hackers? Not at all odd as it turns out. Hackers like to break into things and find things to break long before they ever hear about computers. What happens to kids like that when they enter school? Riverside again:
I grew up with a number of disabilities. I was in special ed for a number of years. In the kindergarten first grade timeframe, I could not learn anything. The teacher actually told my mom I was retarded (she used that word) so they took me to do tests and I sat for hours doing tests: ink blot tests, and IQ tests, and they said he’s clearly not retarded and said that I was far above what they expected. They decided that I was in need of a special ed program. This was back in the 70’s, and in the 70’s they really struggled with consistency across the programs. I was extremely lucky to go into special ed with this one lady, Sandy Tatum. She helped to develop my abilities. One of the things she did to help that was put me on a computer in first grade. I could visually see everything. I can work math problems and read off the computer screen perfectly. But if I was trying to do it off a paper or listening to an instructor it was all garbled. And so I accelerated in a couple of months as fast as other kids would accelerate in several years. Just using the computer.
This seems odd, but is it. In the early ’70’s I worked with a psychiatrist (Kenneth Colby) who was working with autistic kids. I built programs that they could interact with and they were very into doing that. Why? Because kids that are labeled “autistic” are quite often kids who prefer interacting with machines rather than people. Colby wanted to see how much machines would help these kids and it worked rather well.
I remember a friend of mine in grade school in maybe 4th grade or 5th grade brought in a project. His father installed alarm systems and he was building an alarm system with magnetic contacts and I was fascinated by that. I wasn’t fascinated necessarily how it works specifically but how to bypass it. So I learned how it worked so I could figure out how to bypass it.
Something is going on here, but what? Riverside was clearly a smart kid and clearly a kid who was interested in learning how to do things that were off the straight and narrow. The school system of course, has no real way to deal with kids like this but that is not my point.
What is Riverside telling us about how hackers learn? He is saying that he can learn whatever he wants to learn and what he wants to learn tends to be how to get around things he is not meant to get around. One figures in hearing these stories that he will wind up in jail eventually. But, of course, that is not what happened at all. Riverside:
For me hacking is really the old-fashioned term where you try to make device do something beyond its capabilities. I'm considered an autodidactic learner. I do a lot of learning on my own I read quite a bit. I grew up in special ed and I had a lot of learning disabilities and challenges so I was really fortunate in that my special Ed instructor set me aside on computers and worked and focused me to learn that that capability. I would have to just bang my head against the problem over and over and over until I figured it out and it is that perseverance and a kind of rigor that I had in solving problems, that has really become an advantage to me in the long run.
Let’s hear from another hacker. His handle is Rigs:
One of the first things I did when I was kid was to play with answering machines. I found out that you could dial star and that would let you enter a password. So I did this the first time by calling some movie theater downtown and hit star and that would let you enter a password. To me, as a kid, that was a really cool moment. That was like a puzzle. It was becoming a game— guessing a password and figuring out what it was. My parents had a very similar one. I would figure out what my parents password was so I could change the message. People would call the house they’d hear what I wanted them to hear not what my parents had recorded. That was a cool thing.
Let’s generalize and assume that most hackers have the characteristic of wanting to break into things from a young age. What does this tell us about learning to be a hacker? One thing it tells us is that school is likely to not work so well with people like this. Why not? Because they have their own motivations and tend not to adopt and follow what others think they should do. Here is Rigs again:
So I think it's really cool that I get to wake up every day and take something somebody built and take it apart. To me, it's like a puzzle. You take all these little pieces and learn so much from figuring out how somebody else thought about the problem. Cause if you're building a router, phone, or some software for anything, somebody or some team people spent a long time designing that thing and building it in some special way. All those people who do that are experts in their field and are really smart. They spent all this time building it. To me, it’s sort of like a present that I get to unwrap. I get to peer into the mind of somebody else, figure out how they were doing something. To me that's really neat.
What conclusions should we draw from all this? Let’s consider a real problem in the world of cybersecurity. It seems that every business needs to be very careful about defending cyber attacks. What should they do about this?
Here is Riverside again:
To be a good defender, you need to really truly understand the mindset and the motivations of the attacker. If you have never done any offense or any attacking is very difficult to be a defender. You need to understand both sides of the fence to be really good. By understanding the attackers motivations you can understand what you need to put in place.
One issue is that hackers have a different view of the world than your average Joe. You can't take just make anyone into a hacker. Here is Rigs:
The mindset associated with software developers is about building very clear solutions very elegantly. They know what they want to build and what feature or capability they want in the program they are building. The hacker mindset is: “there’s this thing this guy built and I want to take it apart. I want to see how it works and figure out how to tinker with it.” They want to find some way to make it do something that it wasn't intended to do.
In the U.S. Department of Defense there are plenty of people who are concerned with cyber attacks. Here is one DOD official (called D9):
I've looked at the cyber problem from a supply and demand issue. I've looked at the destructive nature of cyber. I thought we should look at the past and see when was the last time this nation has been confronted with a disruptive piece of technology. Aviation is really a good example. If you look at aviation in its beginnings, it was under the signal Corps in the Army. Cyber is considered in many ways an information technology. It actually is right now assigned to the signal Corps in the Army. Aviation was also used as a reconnaissance tool because of the battlefield in World War I. How do we do cyber today? We do a lot of intelligence surveillance reconnaissance kinds of things. So it's actually not a bad example. Now in between World War I and World War II, the military, in particular the Army and the Navy, realized that actually aviation was much more than just reconnaissance and surveillance tool. And in fact, was a very powerful offensive tool that can overfly the enemy defenses and strike at the heart of their capital of their leadership and at their strategic centers of gravity. So between 1930 and 1942, there was a huge sea change in the way in which the military thought about aviation. For example, the Army in 1938 had 20,000 people in the Army Air Corps. By 1944, they had 2.4 million. So that's clue number one. Can the department energize itself and build a very large force to respond to a destructive piece of technology? The past says absolutely. In fact, it was able to do a thousandfold increase capability in six years. How do they do that? Public-private partnership and a focus on training, and not on building defensive infrastructure.
How can we make more hackers? How do we teach them? How can we organize them into a force for good? What kinds of people should we select? What teaching methods might work?
These are all important questions. Why? Here is Forgotten:
For industrial control systems such as the power grid, most of the threats are going to be from more advanced attackers as they would have to navigate through multiple layers of protections, at least in the U.S.. In other countries, there is not necessarily the same level of protections. Outside of the heavily regulated energy world of industrial control systems, there are very few protections. In some cases, devices are exposed directly to the Internet. A lot of these devices are designed with functionality in mind and weren’t given the engineering to handle exploits and other types of scanning. In many cases just doing a vulnerability scan can actually cause a device in an industrial control system to either reboot or stop functioning permanently. So the threat is huge if somebody gets into any of those networks.
We need to protect ourselves. But who will do that protection? Rigs’ explanation of what interests him is illuminating:
I think it's really cool that I get to wake up every day and take something somebody built and take it apart. To me, it's like a puzzle. I get to take apart all these little pieces and I get to learn so much from figuring out how somebody else thought about the problem. If you're building a router, phone, or some software for anything, somebody spent a long time building that thing in some special way and all the people who do that are really experts in their field are really smart. They spent all this time building it. To me, it’s sort of like a present that I get to unwrap. I get to peek into the mind of somebody else and figure out how they were doing it and what they were thinking. To me that's really neat.
Real hackers want to try to solve really hard problems. That's what hacking really is. You have a challenge. You are told that you can't do something. That's the motivation behind wanting to be able to go do it. You want to prove that something people said can't be done can be done. If we didn't have hackers, we would never have any innovation and any new technology in the world.
While that seems like a rather outlandish statement, hackers are rather outlandish people. You cannot begin to understand them without talking to them and realizing that they aren’t like everyone else. It is unlikely that they fit into any of our normal ways of teaching and learning because those were designed for good little boys and girls who will sit still and listen and do what they were told.
With that idea in mind, I came across Brown University’s Master’s degree in Cybersecurity. (I can’t help but point out that this program. meant for executives, costs $97,000.) Here are the courses that comprise the program.
Introduction to Computer Security
Advanced Topics in Computer Security
Applied Cryptography and Data Privacy
Human Factors in Computer Security and Privacy
Privacy and Personal Data Protection
Management of IT Systems and Cybersecurity Risks
Global Cyber Challenges: Law, Policy, and Governance
The Future of Cybersecurity: Technology and Policy
I showed the Brown website to Forgotten and this is what he said:
The Brown Master's CyberSecurity Program is built with the intention to give business knowledge to information security managers. It covers high level topics, but attempts to cover the entire technical domain in two courses that are only partly hands-on. Information Security is a technical discipline that requires management to understand the technical implications of their decisions.
Of the instructors listed, all of them seem to be policy focused with the exception of a single technical professional as the non-lead instructor for the introductory class. The instructors are unlikely to have the knowledge to impart the technical implications of their policy enough detail to make informed decisions. This will continue a trend of information security managers who make decisions to introduce unnecessary risk into organizations unless they previously have hands-on technical knowledge.
For example, when setting up wireless networks within a company, a policy is generally created about whether their wireless networks should be hidden. To most, hidden would imply more secure however, it causes all clients to beacon looking for that network. This is important because mobile devices such as laptops and cell phones will continue to beacon in public areas like coffee shops. Even without connecting to those networks, attackers profile people by the networks they have connected to thereby causing unnecessary information disclosure and can even cause them to become a target.
Given the shortage of technical coverage within this program, it's highly unlikely to create technical professionals able to deal with the technical nature of information security, even if they are managers. The technical problem solving and research skills that are so critical for the information security world don't appear to be represented at all in these descriptions.
If our plan is to build course with lecture and tests we have a problem. What must we do instead? We need to understand that hackers like to be thrown into a problem and figure there way out. The Cyber Security course that we built for the DID does just that. There are no classes, no lectures and no tests. Just problem after problem. The problems are so complex that if you are not OCD you are unlikely to succeed at solving them. We employ mentors to help out when our hackers to be are stuck but we don’t help that much. We need to find the kids who like to break into things and teach them how to fight back on our behalf. Otherwise we will be attacked everyday by bad guys who want to harm us. Who are these people? Here is D9 again:
You have to understand the adversary. If you’re going to get hacked by the Chinese, I’ll give you a metaphor. They’re going to walk up to the front door of your building and they’re going to see if the door is open. If it’s open, they are going to walk in. If it’s not opened, they’re going to kick the door down. And if the doors not opened, they’ll go through a wall or a window. They're not worried about anybody seeing what it is that they’re doing. A Russian hacker will come in at the dead of night in a black helicopter. He’ll climb up on the roof of your building and find an open ventilator shaft he’ll sneak in the ventilator shaft steal what he wants and leave. Two totally different approaches to cyber. Now why is that? We have to go back and look at how the Russians learn the craft. Most of the Russian hackers came from the criminal side of the house. They were self-taught, autodidactic, and they were doing criminal things. If they were caught, they had high potential to be killed. And so the Russian society goes goes out and recruits these criminals who grew up in a very clandestine approach to cyber. They didn't want to get caught — life or death. The Chinese on the other hand actually institutionalized it. They built Army brigades made up of hackers so they were sanctioned by the government.Therefore they don't feel the need to hide what they’re doing because their government is giving them all the validity they need. If you don't know who it is, you can tell by the way in which they are coming in your system what might be.
Learn more about the six month immersion course we built here: