Kyle Osborn does a good job impersonating a technical support rep. On a recent day in Southern California, the 19-year-old is working the phones, trying to persuade people on the other end to download malicious software.
In cybercrime circles, this is called "social engineering," and criminals use the tactics to circumvent companies' Internet security software by tricking employees to download harmful software or cough up passwords. Osborn doesn't look the part of a hacker, with his short blond hair, baby face, and glasses. Yet he's persuasive—after a few calls, he finds an employee who agrees to download malicious software that will open a door into the computer network and let Osborn break in.
In real life, Osborn isn't a cybercriminal; he's a student participating in a cyberdefense competition at California State Polytechnic University in Pomona, Calif., that drew about 65 students from Western colleges. The campus is situated on a former ranch east of Los Angeles. Horses and sheep still graze in the pastures.
Boeing (BA) and the Black Hat computer security conference sponsored the regional competition, held Mar. 26 to 28. Cisco Sytems (CSCO) and Intel (INTC) donated computer equipment. The goal is to help companies recruit students who can assist in bolstering their defenses against cyberattacks.
Last year Boeing hired seven students who competed in this event, and the company hopes to fill a few slots with talent discovered this year, too. "It's about [developing] the next generation of cyberwarriors to protect the nation," says Alan Greenberg, technical director of cyber and information solutions at Boeing.
Boeing employs about 2,000 cybersecurity workers, up from roughly 100 in 2004. This year, the company may hire 15 to 30 cybersecurity workers, Greenberg says.
Not Enough Applicants
Demand for cybersecurity professionals is growing quickly. Government and industry executives say they need more cybersecurity employees but struggle to find qualified applicants. Just 40% of government hiring managers say they're satisfied with the quality of applicants for federal cybersecurity jobs, and only 30% are satisfied with the number, according to a July 2009 report by Booz Allen Hamilton.
While the government's scholarship program can fill about 120 entry-level cybersecurity jobs, the feds need about 1,000 recent grads to fill those spots, according to the report.
Together, the U.S. public and private sectors will need about 60,000 cybersecurity workers in the next three years, says Greenberg. "There will be a shortage."
The number of cyberattacks from organized hackers against the computer networks of U.S. companies continues to escalate. "Two recent examples have highlighted why companies need to work together: the Conficker worm and the Google attack," says Melissa Hathaway, a former cybersecurity adviser in the Bush and Obama administrations.
Trouble in China
In one particularly high-profile case, the computer systems of Google (GOOG) and more than 30 other companies, including Adobe Systems (ADBE), were breached by hackers based in China.The incident ultimately led Google to redirect its Chinese users to company servers in Hong Kong.
In February, security software vendor NetWitness said it had discovered that about 2,500 organizations had their PCs recruited into a network of spam-sending computers.
At a computer security conference at Stanford University on Mar. 17, government and industry officials said theft of intellectual property from hacking endangers the U.S. economy. Richard Schaeffer, director of information assurance at the intelligence-gathering National Security Agency, said during a panel discussion that the U.S. isn't taking theft of intellectual property due to hacking "seriously enough." Government and industry need to work together to stop it—or risk losing economic leadership, Schaeffer said. "It's not something we as a nation can afford to lose."
In 2008, chief information officers of 800 companies estimated that they had lost $4.6 billion worth of intellectual property due to cybercrime and employee theft, according to a January 2009 report from security software vendor McAfee (MFE).
Best Weapons: People
Cyberdefense competitions at Cal Poly Pomona and other universities are one example of increased public-private cooperation, as recruiters scour contestants for the next generation of cybersecurity talent.
Because cyberattacks happen so quickly and attackers can change tactics rapidly, experts say the fight often boils down to people skills—which side has the best-trained cyberwarriors. "The weapons of the next war will be people," says Alan Paller, director of research at SANS Institute, a research and educational organization for security professionals.
About 85% of critical U.S. infrastructure, including electric utility grids, telecommunications networks, and banking systems, are owned by private industry, according to the U.S. Homeland Security Dept. That means national security is interwoven with private companies' ability to protect their digital networks. "We're all playing defense, and we're all doing it for shareholder value, for customer value, for economic purposes," says John Stewart, Cisco's chief security officer.
The competition at Cal Poly Pomona is a grueling multiday affair. By 7 p.m. on Mar. 27, the 19th hour of the event, the cases of Red Bull are gone, but the teams are still working in an auditorium on campus, some operating mock corporate networks, and others trying to infiltrate them.
The winners will go on to a national competition that begins Apr. 16 in San Antonio. That conference has drawn such corporate sponsors as Microsoft (MSFT), McAfee, and Accenture (ACN). A separate government talent search, the U.S. Cyber Challenge, aims to find 10,000 young cybersecurity workers through a series of national competitions.
Alluring Pay Scales
Starting salaries in Internet security can reach $100,000, says Boeing's Greenberg.
Alisha Kloc, 25, began working as a systems security engineer at Boeing last year after competing in the 2009 cyberdefense competition at Cal Poly and meeting technical director Greenberg. "The competition gave me a good feel for how things work in the real world," she says.
Students said knowing that potential employers were watching the conference gave them extra incentive to perform. "We took this very seriously," says David Hunter, a member of the winning team from Cal Poly Pomona.
Osborn says it's his dream to work in the cybersecurity field. He spends evenings and weekends learning what he can on his own. "I've been doing this since I was 14," he says. At the end of the conference, two people approached him about jobs.
It's another small step in the hunt for fresh talent to bolster the nation's computer security defenses.