I wanted to talk to people who are learning how to become cybersecurity professionals. With all the security break-ins that we've seen recently, I thought they would be easy to find. At a Silicon Valley university, maybe? Or in a Bay Area tech school?
Nope! In the end I had to go to Vegas, of all places, to a hacker conference called Def Con.
I watched Google’s Parisa Tabriz take the stage. She asked the audience to help the search giant find bugs: “You can make anywhere between $100 and $150,000 for a security bug, and you can also get a job!”
Tabriz, the engineering manager for the security team that protects Google Chrome, was speaking to the right audience. Def Con is a group of people learning to become cybersecurity specialists via computer system break-ins. In other words, they were learning to hack.
There’s even a kids’ track at Def Con called r00tz Asylum. One participant - "Cryptina," 12 - wouldn't give me her real name “for privacy reasons.”
I asked her: Would you hack for Google?
“Yeah, I've definitely considered it,” Cryptina said. “I've always wanted to be a computer scientist or a forensic scientist.”
“You can call it a recruiting trip,” Tabriz said when I caught up with her later. She meant it to come off as tongue-in-cheek; she was mostly there to teach kids hacking.
She said there is truth to the joke, though. Google does have a program that pays hackers to report security bugs.
“We run a couple of vulnerability award programs at Google, and there are a lot of kids who are underage and find bugs or contribute to this code,” Tabriz said.
Tabriz has hired one of those kids. He started submitting bugs when he was around 12 and she kept track of him. She says it doesn't happen very often at Google, but that it happens at all illustrates the severe shortage of cybersecurity experts in tech.
Nico Sell, a co-founder of r00tz Asylum, says you can see it in the competition for talent.
“It’s really amazing because nowadays you could get a job without a high school degree for six figures if you know how to hack,” Sell said.
Sell says there are a couple of reasons for this shortage in cybersecurity.
Mobile computing, apps and the Internet of Things have given rise to criminal hackers, who can now break into almost every part of our lives. At the same time, universities are failing to train cybersecurity professionals, which is why so many people go to Def Con.
“Something that my parents get a little upset about me saying...the education that I received at Def Con is way more valuable than my Ivy League education, by 10 times,” Sell said.
Companies that are looking for cybersecurity talent say, in part, it’s because the basic curriculum for computer engineering degrees was set about 50 years ago. It teaches students to build systems instead of breaking into them.
Two universities, Cleveland State University and nearby Case Western University, are trying to change that paradigm. At Case Western, professors like Swarup Bhunia have started teaching students how to break into computer systems.
“It’s basically an approach of 'hacking for credit,'” Bhunia said.
Bhunia says the curriculum is controversial. Hacking can be illegal, and lots of universities aren’t comfortable teaching it. He said the debate boils down to this: “Is it ethical to teach hacking to our students?”
Lots of schools have decided it isn’t ethical, and so they teach the theory behind hacking instead. Bhunia says unless students learn how to hack themselves, it’s nearly impossible for them to figure out how to defend vulnerable systems.
“They take these theoretical courses and go to these companies... they’re not capable of understanding the different security vulnerabilities,” Bhunia said. “And they’re also not capable of coming up with solutions.”
Bhunia hopes Case Western’s program will convince universities that teaching hacking is vital to any cybersecurity program.
Until universities make that change, people who want to work in cybersecurity are relying on hackathons and conferences like Def Con to learn the real-world skills they need to keep us safe.