A new U.S. program trains students in computer security, in exchange for government service
Seth Guenther was midway across the University of Tulsa campus when the first plane hit the World Trade Center on September 11, 2001. Like most students beginning their school year, the 21-year-old was shocked at the brazen act. Unlike them, however, he was in a position to do something about it.
Guenther is one of 54 students across the United States who have been recruited into the Cybercorps, a US $11 million per year scholarship program to train computer security specialists to protect the government's information technology infrastructure. The program works something like a high-tech Reserve Officer Training Corps (ROTC). Selected bachelor's and master's degree students in computer science and engineering receive a full ride for two years at one of a handful of universities, in exchange for two years of service after graduation. As long as there is a threat for the communication computers running the country, there is a need for trained specialists who can combat this threat.
Few are chosen
Computer security is, of course, nothing new. Firms like Symantec and Network Associates have built their businesses on protecting companies and consumers from the wrath of worms, viruses, and hackers. Still, the sophistication and determination of such attacks continues to escalate, as has our dependence on computer networks.
In January 1999, after a series of hacker attacks on federal Web sites, then President Bill Clinton declared that it was time for the U.S. government to combat this so-called cyberterrorism. ‘Open borders and revolutions in technology have spread the message and the gifts of freedom, but have also given new opportunities to freedom's enemies,’ Clinton declared. "We must be ready - ready if our adversaries try to use computers to disable power grids, banking, communications and transportation networks, police, fire, and health services - or military assets."
Thus was born the Cybercorps, formally known as the Federal Cyber Service. Overseen by the National Science Foundation (NSF), the program now has six participating universities: Tulsa, University
of Idaho, Purdue University, Carnegie Mellon University, Iowa State University, and the Naval Postgraduate School. The schools were chosen because each had an existing computer security program within its engineering or computer science department.
Each school selects its scholarship recipients. In the first year, thousands of applications were submitted for the 54 available slots. Students receive full tuition, room and board, books, and supplies, as well as a yearly stipend of $8000 for undergrads and $12 000 for grad students. Applicants must be in their junior year or first year of graduate school. Participants are granted summer internships in computer security within the federal government or the military.
Though each school sets it own selection criteria, the standards are generally high. At Tulsa, for example, Sujeet Shenoi, the computer science professor who oversees the school's program, looks for a minimum 3.7 (out of 4.0) grade-point average. Just as important is a student's commitment to government service. They will, after all, be learning the same kinds of tools that a potential hacker might use, and upon graduation they will gain access to sensitive networks and information.
"It's like giving someone a gun and hoping they'll be a policeman," says Andy Bernat, the NSF program director in charge of the program. "You want people with the right ethical sense." Only U.S. citizens are allowed into the program, but no security background check is required, so the onus is on each school to weed out the bad eggs.
Eugene Spafford, director of the Center for Education and Research Information and Security at Purdue, relies heavily on recommendation letters in making selections. Tulsa's Shenoi conducts in-depth interviews with each promising applicant; he might even ask to interview the student's family. "I don't accept people unless I know them well," Shenoi says. "There's nothing worse than a computer security guy gone bad."
Once a student makes the cut, the real action begins. Coursework consists of standard computer science study...and then some.
Attacking and defending
Armageddon came unexpectedly. Blackouts hit New York and Los Angeles. Washington's 911 service shut down. It looked like the start of the world's first cyberwar.
Almost. These simulated events were part of Eligible Receiver, a U.S. military exercise conducted in 1997 to test the country's preparedness against a cyberattack. The National Security Agency had hired 35 hackers to invade the Defense Department's 40 000 computer networks. By the end of the exercise, the hackers had gained root level access to at least 36 of the networks - enough to shut down the power of several major cities and take control of a Navy cruiser.
Five years later, Cybercorps universities are doing their best to make sure such a scenario never happens. As part of the standard computer science training, each school offers coursework in information assurance. Certified by the U.S. National Security Agency, these courses immerse students in the nuances of how to fight and prevent an on-line attack.
At the University of Tulsa, students create their own fictional company through which they can stage cyberattacks against other student teams. They compete, as Shenoi says, "no holds barred...you've got to learn how to do it and you've got to learn how to deal with it. "Students must go after each other using every trick in the hacking book - from breaking into secure servers to launching distributed denial of service attacks. They work on Internet protocol and phone networks, and various computer platforms and operating systems. In other courses, students explore areas of information systems assurance and enterprise security management.
Their training goes well beyond the technical. At Purdue, for instance, students can pursue an interdisciplinary master's degree, combining traditional computer science and engineering with technology policy, ethics, foreign policy, and criminology. "The whole idea behind security," says Purdue's Spafford, "is that you have to be imaginative and think about how people can abuse the system. This is not simply applying rote technology, this is a more complicated kind of problem area."
A sense of service
In addition to intensive coursework, students also get a taste of community service. Tulsa students helped local police build computer tools for conducting on-line investigations; one was used to bust adults trying to arrange sex with minors they'd met in chat rooms. Students also built computer networks for underprivileged schools and day-care centers.
Julie Evans, a 43-year-old master's student at the University of Tulsa, says her 14-hour days are worth it precisely for this feeling of service. Evans joined the Federal Cyber Service after her daughter received a liver transplant, and Evans felt inspired to give something back to her country. Evans says she is willing to choose service over money. "Material things and money are not drivers in my life," she says. Government jobs, after all, pay considerably less than industry - a federal computer security worker may start at $40 000, instead of two or three times that in the private sector. Such pay discrepancy, in fact, stands as one of the greatest challenges of the program: how to retain trainees after they've completed the obligatory two years of service.
Finding interesting work shouldn't be a problem. There are opportunities in every agency, because every agency has a computer system. And every agency - from the FBI to the CIA to the Defense Department - has standing vacancies for computer security personnel.
To help fill that need, the corps is slated to expand next year. "We've learned lessons from 9/11," says Shenoi. "A small group of people can take down a country and maybe shatter an economy for a short while." With the Federal Cyber Service, the hope is that the right people will sign on. "We need people who are apostolic in their zeal."
