Cyberwarriors

When it comes to keeping confidential information safe on the Internet, hackers are seldom thought of as the good guys.

But that’s not the case for Michael Carlson and Alex Krepelka, computer-savvy students from Chico State and Butte College, respectively, who have chosen to use their skills to help instead of harm software companies and individuals whose information is floating around the Net.

“Who’s in charge of the Internet?” they asked with a laugh during a recent interview. “No one.”

The men attended the U.S. Cyber Challenge California Cyber Camp at Cal Poly-Pomona from July 19 to July 23, cramming a different class, including some lasting more than 12 hours, into each day. The grueling crash-course in cybersecurity covered everything from cracking and exploiting code to hacking ethics, all intended to educate the “good guys” on how to help the U.S. government and private companies pinpoint vulnerabilities in software systems before the “bad guys” discover them first.

“Good guys need to learn these things,” Krepelka said, referring to the skill of hacking. “Just like with a serial killer, you have to get in the mind of one to understand one.”

Carlson and Krepelka were two of the 22 college-aged individuals who qualified for the camp after successfully hacking into a designated site over a few months under the watchful eye of camp organizers, said Ron Pike, faculty adviser for Chico State’s new Cyber Defense Team and the Business Information Society.

The all-expenses-paid program was funded by Cal Poly-Pomona, private companies, the California Office of Information Security and the U.S. Cyber Challenge—a program funded by a series of federal agencies intended to train and recruit at least 10,000 young Americans to learn to protect and attack secure systems without fear of legal consequences, Pike said.

“[The government] started the Cyber Challenge to let the cream rise to top, if you will,” he said. “And that way they can identify people with the best skills.”

Pike noted that the government is struggling to find ways to recruit qualified hackers, and “it’s no secret” that the government has experienced successful cyber-attacks by other countries in recent years. Courses for this year’s camp were based on a series of security breaches the Federal Trade Commission experienced earlier this year, as well as those experienced by companies such as Hewlett-Packard and Google, Pike said.

Senior instructors from the SANS Institute, an organization that focuses on research and computer-security training, provided four days of the training. The students participated in education panels featuring companies such as Bank of America and Symantec, along with cybersecurity competitions and evening activities such as job mixers, said Dan Manson, a computer-information-systems professor at Cal Poly-Pomona and one of the organizers of the camp.

“It’s like a very intense sports camp,” he explained. “What we’re doing is identifying talent.”

Manson explained that about 1,000 people are currently qualified to perform at the highest level needed for cybersecurity, but the number of experts the government and private companies need is estimated to be 30,000.

The process of finding and training experts has been tricky. Manson said that similar camps held around the country in the last five years have been largely unsuccessful. Only two other camps—in Delaware and New York—were up and running this year, and only residents of those states were eligible to qualify.

Carlson and Krepelka agree that more educational resources are needed in the area of cybersecurity, for both hacking experts and the layperson.

“People don’t realize the information they put out there,” Carlson explained.

Often, communication between computer experts and the layperson is the biggest struggle, Krepelka said.

In response, the two spend their personal time finding ways to bridge the gap. Krepelka is designing a computer game to educate the average person about how his or her information can circulate around the Internet, and Carlson has hacked websites of local businesses and notified owners about their sites’ weaknesses. Unfortunately, business owners usually respond with anger, Carlson said.

“But I tell them somebody who is not a good person will find this later. If I wanted to hurt you, I wouldn’t be telling you,” he said matter-of-factly.

He added that prevention is cheaper than fixing problems after the fact.

The field’s biggest struggle is finding young people who naturally possess integrity that are interested in a career in using hacking skills for honest causes, Krepelka said.

“You can’t really teach integrity, but you can teach someone how to hack into something,” he said. “It’s easier to get people who want to attack. It’s hard to get people who want to defend. The attack is sexy.”