Correction:

An earlier version of this story misidentified participant Kevin Houk’s high school. He graduated from George C. Marshall High School, not George Washington High. This version has been corrected.

Teens hone their hacking skills in national competitions guided by federal officials

(BRITTANY GRAY/ AIR FORCE ASSOCIATION ) - Marshall Academy team members Peter Marr, left, Xhesi Galanxhi and Jacob Walters confer at the CyberPatriot contest in March.

(BRITTANY GRAY/ AIR FORCE ASSOCIATION ) - Marshall Academy team members Peter Marr, left, Xhesi Galanxhi and Jacob Walters confer at the CyberPatriot contest in March.

Computer-savvy teenagers are testing their skills in cyber-contests designed to teach them how to protect the government and private companies from hackers.

The events are sprouting up across the country under the guidance of federal officials who are keen to boost their agencies’ computer-defense forces and high school teachers who want to prepare their students for high-paying IT jobs.

More health and science news

Have you used the new health insurance exchanges?

Have you used the new health insurance exchanges?

What has been your experience with the online insurance exchanges?

Flu rebounds for spring, especially in Northeast states

Flu rebounds for spring, especially in Northeast states

The Northeast is hit particularly hard as flu makes its spring-season return, but with a different strain dominant.

Why do allergies wax and wane as we age?

Why do allergies wax and wane as we age?

Scientists look at clues in the environment, in the role of viruses — and in our minds.

At least two species of mammals lived for 23 million years

At least two species of mammals lived for 23 million years

Paleontologist’s list of enduring animals includes whale ancestors, marsupials, rodents and insectivores.

At Baltimore’s Loyola Blakefield prep school, a team of students meets twice a week after classes to practice for the Maryland Cyber Challenge, which is being held Tuesday and Wednesday at the Baltimore Convention Center. At the event, they’ll have to debug viruses from their computer and defeat mock attacks by cybercriminals played by IT professionals.

“They work together as problem-
solvers, and they really like the challenge,” says Steve Morrill, the school’s director of technology and coach of the cybersecurity team.

The contests include “Toaster Wars,” an online hacking game sponsored by the National Security Agency, and CyberPatriot, a national challenge that has grown from nine teams in 2009 to more than 1,200 this year.

During the final round of the 2013 competition, staged last March at the Gaylord National Resort at National Harbor, Kevin Houk and five classmates sat in a darkened room, huddled around a monitor and looking for any sign of attack. The teenagers, who at the time attended Marshall Academy, a program that draws students from public schools around Fairfax County, were trying to prevent “black hat” programmers from activating hidden viruses in the students’ computer network. The Marshall group had to protect its servers from outside intrusions and defuse ticking time bombs that may have been lurking inside.

“It’s a lot like gaming, because you don’t know what’s going to happen,” said Houk, who took computer classes at Marshall Academy and graduated from George C. Marshall High School last spring. “You always have to keep on your toes.”

Now a freshman at Penn State University, Houk hopes to become a cyberwarrior, someday protecting corporate or national assets and information from foreign invaders or meddlesome hackers. “Cyberwarfare is the war of tomorrow, and we don’t have enough soldiers on the cyber battlefield,” he said. “I just want to be one of those.”

The Pentagon’s Cyber Command is planning to expand its cyberwarrior force from 900 to nearly 5,000. But there’s a hitch: Applicants must have exceptionally clean records. That means no arrests or expulsions for hacking into school computers or shutting down Web sites.

While students are taught advanced computer skills during the lead-up to these cyber-contests, they also receive training in computer ethics, according to Scott Kennedy, assistant vice president and principal systems engineering manager at SAIC, a defense contractor and computer security provider based in Northern Virginia. So serious are contest organizers about fair play that some students have been kicked out for getting into other teams’ computers or defacing Web sites.

Houk and other students interviewed at the Gaylord contest say they know the line between a white hat and a black hat.

“We are trained in offensive security, or ethical hacking, but we do know how to monitor a network like a school and watch all the traffic going through,” Houk said. “And if it’s encrypted, we do know how to break that.”

The advisor to Marshall’s team calls himself a “gray hat,” someone who knows the good and bad sides of cyberwarfare and security. Ryan Walters said he got into trouble as a young man for hacking into computers without permission and was given a choice by a judge to either go to jail or join the military.

“I joined the Air Force,” said Walters, who now runs TerraWi, a small start-up specializing in security for mobile devices. “Six months later, I was doing cyberdefense for the military. I became very good at what I do because I understand how the bad guy thinks. I went from black hat to gray hat. I could never be a white hat.”

Walters, who has more than 60 students enrolled in his after-school cyberdefense program at Marshall, said he teaches his students “the black-hat mentality; I’m not teaching them how to be bad guys.”

Morrill, the Loyola Blakefield coach, also is concerned that some of the skills the students are learning could cause damage.

“I tell them: ‘You guys better be on the good side, and you can earn a good living,’ ” Morrill said. “If we approach students at a younger age and instill those values, the country is going to be better off.”

Walters says revelations about leaks by Edward Snowden about the NSA’s domestic surveillance programs forced him and other teachers to revamp their lesson plans. In fact, during the summer, two of his students worked at Washington area defense contractors as systems administrators, the type of job that Snowden once held, albeit not with the same access to classified data.

“I teach that it’s a bad thing” to leak, Walters said.

The growing interest in cyberdefense contests for young people comes at a time when Pentagon officials are warning about computer attacks from China and other nations.

And it’s not just the government that is vulnerable. Utilities, power companies, tech firms, banks, Congress, universities and media organizations all have faced attacks in the past few years. In August, the Web sites of several news organizations, including The Washington Post, were hacked by a group calling itself the Syrian Electronic Army, which supports Syrian President Bashar al-Assad.

“The threat has evolved so quickly,” said Diane Miller, director of information security and cyber initiatives for Fairfax-based Northrop Grumman, which is a lead sponsor of the CyberPatriot contest. “It really has created a sense of urgency.”

Northrop Grumman has hired 40 former CyberPatriot participants, including four who are working in the company’s cybersecurity control center. “I tell the students that it’s a position of trust,” she said.

While most experts agree that introducing young minds to advanced computer skills is a good thing, some worry that the efforts need to be more broad than deep. They say that training a few highly skilled cyberwarriors is less important than having lots of people with adequate knowledge on how to avoid getting hacked.

“There’s this tendency to go for the cream of the crop,” said James Lewis, senior fellow at the Center for Strategic and International Studies and author of a recent study on computer security vulnerabilities in U.S. firms. “The debate is ‘Do you need a team of computer special forces, like Navy SEALS or cyber-ninjas? Or something more like regular forces?’ ”

Other security experts say that computer defense skills aren’t the weak link in the cyber-espionage game. It’s the little everyday mistakes that cause problems — giving your password to a colleague or leaving your laptop in a cab, airport or coffee shop, according to Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.

“We need people trained not just how to write code for stronger protections,” Cate said, “but also systems to guard against human behavioral attacks.”

Niiler is a freelance science writer based in Chevy Chase.

 
Read what others are saying