YOKOTA AIR BASE, Japan — Self-taught hackers like 18-year-old Michael Coppola are positioned to become the most sought-after recruits in the U.S. military since the activation of U.S. Cyber Command in May.
Coppola caught the eye of military officials last year during Netwars, one of several national cyberchallenges — some funded by the Defense Department — aimed at finding and nurturing young cyber security talent needed across the public and private sectors.
Rather than earning points, he broke into the scoring system through Twitter and helped himself, exploiting a flaw Netwars’ creators had missed.
“I sort of circumvented the entire competition,” said the Connecticut teen, who was then asked to quit playing and instead help run the game. “They said, ‘You’ve made your point; now give everyone else a chance.’ ”
Coppola’s digital checkmate demonstrated a combination of creativity and technical sophistication that is the hallmark of a gifted hacker.
As CYBERCOM assumes authority of the digital battlefront, the military is embracing the hacker community in its pursuit of people to help secure the DOD’s 15,000 networks and potentially exploit weaknesses in outside networks.
Once synonymous with criminals and anarchists, the term hacker now also refers to the good guys in cyberspace, those who have the same skills the bad guys do, only different intentions.
Hackers who have engaged in illegal activities would be unable to qualify for the security clearances required for military service, or even government employment, said Col. Sebastian Convertino, commander of the 318th Information Operations Group at Lackland Air Force Base, Texas, which develops hardware and software for CYBERCOM.
“But we don’t just write them off,” he said. “We direct them toward contractors or other places where they can work in unclassified fields.”
But with hackers and other cybersecurity experts in short supply, some senior officials contend that the military must fundamentally change its structured buttoned-down culture in order to attract them.
“One of our greatest challenges will be successfully recruiting, training and retaining our cyber cadre to ensure that we can sustain our ability to operate effectively in cyberspace for the long term,” CYBERCOM commander Gen. Keith Alexander said in a June speech at the Center for Strategic and International Studies. Alexander also heads the National Security Agency, which shares a campus with CYBERCOM at Fort Meade, Md.
Short supply
The center, a Washington think tank, released a report in July detailing the manpower shortage and contending it is among the weakest points of the U.S. cybersecurity strategy. The report included an oft-cited statistic attributed to Jim Gosler, founding director of the CIA’s Clandestine Information Technology Office and an NSA visiting scientist.
“There are about 1,000 security people in the U.S. who have the specialized security skills to operate effectively in cyberspace,” Gosler said in 2008. “We need 10,000 to 30,000.”
Computer threats against the United States are growing in frequency and sophistication, as is an awareness of the potentially crippling effect a successful attack could have on such a technology-dependent society.
While Defense Department systems are probed by unauthorized users some 6 million times a day, Alexander said, the targets of cyberattacks vary as much as the sources behind them — from foreign governments fishing for state secrets to criminal rings targeting corporations for financial gain to terrorist organizations looking to wreak havoc by attacking critical infrastructure such as the power grid.
So between other government agencies, public and private regulatory bodies and corporate America, which is as vehemently concerned with protecting trade secrets as the Pentagon is with safeguarding national security, the military faces stiff competition for cybersecurity talent.
“Red teaming” skills — detecting network vulnerabilities by simulating what the “bad guys” would do — are particularly rare and coveted by employers, explained Jim Lewis, co-author of the CSIS report and director of the think tank’s Technology and Public Policy Program.
That kind of expertise — displayed by Coppola in Netwars — also is needed by the military for offensive cyberoperations, Lewis said.
But Coppola rebuffed overtures from recruiters, citing the loss of personal freedom that comes with serving in the military and his impression that the military command structure would not foster the creative environment he desires.
“I want to work as a private citizen,” said Coppola, who starts college this fall at Northeastern University in Boston.
His dream job, he said, would be working at Google, a high-profile company known for nurturing imagination in a relaxed work environment.
Culture
Coppola’s attitude is not uncommon among hackers, whose mindset generally runs counter to that of the military doctrine, said Lt. Col. Gregory Conti, director of a cybersecurity research center at West Point.
Building an effective cyberforce with these types of individuals requires fundamental changes to the military culture, Conti said.
Leaders must recognize and embrace the value of technological expertise not only on the frontlines of cyberspace but also on the physical battlefield, Conti said.
“The good news is that the culture is still malleable,” he said.
But if the tech-savvy soldier is not embraced by his combat-hardened brethren, there is a risk CYBERCOM will be marginalized instead of growing into an elite corps of hacker warriors, Conti said.
“Ultimately you want to create an environment that’s so cool, so bad ass, they don’t want to leave,” Conti said. “We can do that.”
The military will never be able to compete with the higher salaries offered in the private sector, but it could adopt practices, such as Google’s policy allowing workers to spend 20 percent of their time solving problems of their own choosing, Conti said.
A second lieutenant in the Army stationed at Fort Meade, for example, would make roughly $52,000 including subsidies for housing and food, but as a civilian could earn between $70,000 and $80,000 as a cybersecurity specialist with advanced skills, according to the SANS Institute, a nonprofit cybersecurity training and research outfit in Bethesda, Md.
But Convertino, the Lackland commander, contends finding hackers to join the military is “actually not that hard.” He disagrees with the assertion that the military ethos contradicts the creative problem-solving skills honed by hackers.
“Wars in particular are the mother of invention,” said Convertino, who parlayed his own hacking skill into a military career. “Soldiers, sailors, airmen and Marines have always been innovative.”
In 1983, during his senior year of high school, Convertino landed in the principal’s office for a class project that essentially allowed him to eavesdrop on the school’s phones. He said that as he waited for his licks, a military recruiter on campus that day told him that what school officials considered trouble, the military considered valuable.
“At a company, you’re working to make money. But (in the military) we say that we serve a higher purpose, which has a certain charismatic appeal,” he said. “There also an excitement that comes with counterterrorism operations and the wars in Iraq and Afghanistan,” he said.
Convertino and Conti, however, do agree that the services must adjust their personnel systems to reflect career paths so cyberwarriors can be assured challenging assignments and promotion opportunities, as well as consider bonuses commonly used to attract and retain troops with special skills that are in demand.
The Air Force unveiled such a system in May. Convertino helped develop the Air Force’s new “cyber operator” career field.
Before that, airmen from the intelligence and communications field filled the cyber ranks but risked hurting their careers when they would forgo promotions to stay in the field, he said.
Convertino, a de facto recruiter for CYBERCOM, said his pitch to hackers is simple: “You can do what you love, get paid for it and not get in trouble.”
