Hey, hackers: The NSA is out to get you. If you're an American who can code malware to infiltrate a network, or snoop on SMS messages, or stop a distributed denial-of-service attack in your sleep, you're a person of interest. Age is of little consequence. Location likewise. The NSA's mission is simple: It's trying to identify formidable hackers. But not to arrest them. To recruit them.
Despite all of the United States' spending on defense, many experts say the country is still in a vulnerable position—to cyberattacks. According to General Keith Alexander of U.S. Cyber Command, a division of the Department of Defense, attacks on U.S. computer networks increased seventeen-fold between 2009 and 2011. To counter that threat, the U.S. is seeking cybersecurity experts with the chops to neutralize would-be online invaders. But rather than wait for hackers to reach out via LinkedIn, the NSA is being proactive: This fall, four universities—Dakota State, Northeastern, the Naval Postgraduate School (NPS), and Tulsa—are launching NSA-designated cyber-operations curricula intended to fast-track students into security jobs. The goal is to create a pipeline of government-vetted talent and with it, a robust line of virtual national defense.
There's no questioning, or avoiding, the growing danger posed by hackers. In 2012 alone, hackers have stolen hundreds of thousands of credit-card numbers from American banks. In all, estimates put the cost of cybercrime to businesses and government agencies at more than $100 billion annually—and that sum isn't likely to shrink in the coming years. "We can do things to make it more costly to hack into our systems... but [security experts] didn't say we can stop them," Senator Rob Portman (R-Ohio) told the Emerging Threats and Capabilities Subcommittee in March 2012. Explains Cynthia Irvine, chair of the Cyber Academic Group at the NPS, "There is a mission-critical need for cyberwarriors."
Starting in the 2012-13 school year, Irvine and her counterparts at the other universities will have the chance to train those soldiers. The pilot schools were selected from a pool of applicants based on their existing cyber-operations course offerings, which were then expanded to meet NSA requirements. "We've had these programs for years," says Sujeet Shenoi, a professor of computer science at Tulsa, "but this is the first time a government agency has formalized it."
Though credit and degree requirements for the NSA-designated programs vary from school to school, standard courses include such crowd-pleasers as malware analysis, cloud security, and electronic eavesdropping alongside core subjects like cryptography, network infrastructure, and programming. Beyond that, the schools do as they please. At Tulsa, students in Shenoi's "cyberninja" curriculum will be trained to dumpster-dive for evidence, reconstruct destroyed phones, and develop a Stuxnet-type worm. NPS students, meanwhile, participate in simulated war games played over 11 weeks.
The NSA program is open to both undergraduate and graduate students, who will apply for government security clearances while in school. Scholarships are available to further incentivize the spy-minded: Like ROTC, candidates can get government subsidies that offer free tuition, room and board, a stipend, and a paid internship at a security agency; in exchange, the students are required to work in a federal job for at least two years after graduation. There will be more than 170 newly minted cyberwarriors available to join the NSA and other agencies in 2013 after completing the program—a total that won't come close to meeting demand.
"[Even before the NSA program], agencies came all the time to recruit students," says Irvine, who cited the CIA, the Naval Research Laboratory, Sandia National Laboratories, and NCIS as organizations clamoring for graduates. "If we had the funding, we could increase the size of the program." In the meantime, the participating universities are helping other institutions develop the classes and coursework necessary to meet the NSA's cyber-operations benchmarks.
There's one slight caveat hackers may want to consider: If they've broken the law—or rather, if they've been caught breaking the law—they'll be ineligible for admission to the program. So while the NSA wants young hackers possessed of a working knowledge of menacing web tactics, it doesn't want those who have sharpened those skills illegally. That's a deal-breaker. The agency draws a harder line than countries such as China, Russia, and Israel, which will tolerate a few youthful indiscretions as they troll for talent.
"Although the NSA has an interest in identifying students that have offensive security and hacking abilities," notes Dakota State University program chair Josh Pauli, "the agency is adamant about only using those offensive capabilities to defend the nation." That's understandable—but if the kids are going to hack, wouldn't it be nice to have them hacking for the right team?