ForAllSecure has launched an original podcast focused on hackers that’s available on Apple and Google (with more options to come). The Hacker Mind is a narrative style podcast, meaning we’ll be able to dig deep into subjects by interviewing more than one expert. And it’s hosted by Robert Vamosi, a CISSP and award-winning journalist and bestselling author.
In the inaugural episode, The Hacker Mind looks at why the West Point Military Academy, and other organizations within the DoD, is training its young cadets to hack. The answer? To help fill a critical shortage of infosec experts that is only getting worse.
You can subscribe to The Hacker Mind podcast on:
Transcript for EP 01: Why Is West Point Training Hackers?
Frank Pound, former project manager at DARPA, now CEO at Astrosec.
Adam Van Prooyan, a developer at ForAllSecure.
ADAM: Basically when I got to West Point, there's a club day where you can pick clubs that you want to be a part of. So what to do in your spare time...
ROBERT: This is Adam. Today he helps organizations hack their own products but, back in 2014, Adam was still an impressionable young cadet.
So how did West Point change him?
ADAM: As a First Year, it was kind of the best way you could make friends with upperclassmen, and have a real life outside of school. So I joined the computer club C3T, Cadet Competitive Cyber Team, which happened to be a hacking club.
ROBERT: That's crazy. West Point teaching its cadets to hack? Or maybe, just maybe back in 2014, West Point and other military service academies, are on to something really important.
Welcome to The Hacker Mind an original podcast from ForAllSecure. It's about challenging our expectations about people who hack for a living. I'm Robert Vamosi, and in this episode I'm talking about the shortage of infosec experts and how, through the use of computer Capture the Flag competitions, or CTF, the US military, for example, is attempting to address the shortage of information security experts through gamification.
In 2019, the International Information System Security Certification Consortium -- which is better known as (ISC)2 -- released a workforce study that found there is a shortage of infosec experts, a shortage that's estimated to be nearly 4.8 million worldwide. Think about that. In APAC alone, there's a shortage of 2.6 million experts, and in North America, that's half a million. Half a million infosec jobs that are currently unfulfilled. Part of the problem is both in training, and in recruiting new talent.
FRANK: And we make it harder because we introduce all these problems that require more people.
ROBERT: That's Frank Pound. For nearly five years, starting in 2014, he was a project manager at DARPA, the Defense Advanced Research Projects Agency. He thinks policies we have in place today may have increased the number of people needed, and perhaps these same policies also mask some underlying problems.
FRANK: Like a password policy problem. We don't think passwords are long enough so we need to make passwords longer, well, really what's the root problem that you're trying to address? We're in this constant policy update, the longer passwords didn't work so now we need to add special characters. Well, those didn't work, so now we need to make it even longer and make sure that you don't reuse anything that looks like a previous password. We're in this constant battle and passwords is just one area.
ROBERT: Think about the government for a moment, any government, it's a maze of bureaucracy, departments within departments, agencies within agencies, each with their own computer system. Now, just imagine one department, the Department of Defense, and the byzantine number of systems it alone has to manage.
FRANK: The military has help desks just like the commercial world. The military has these massive computer networks. They have business operations. They have to pay bills and process paperwork just like everybody else does. There's a very boring side to the DoD, believe it or not, and it's all run on computer networks, just like the boring commercial industry. And that all needs to be defended because when something's boring, it becomes very interesting for an adversary. If it's boring to us, we're not going to pay a lot of attention to it, maybe not resource it as much as we want to and that's when it becomes weak. So, the adversary sees it that way and they want to get into it, because there's probably something that they see and it's probably connected to something that they want.
ROBERT: So you have these complex, intertwined computer systems that requires support, so even complex computer systems have their own bureaucracy and maintaining all that requires a lot of people, lots of trained people.
FRANK: And then you have the support staff that have to answer all of the calls for people who forget their passwords or their brains aren't tuned in the right way to be able to remember passwords -- the way that we think they should, all sorts of problems like that. So, then we have a problem recruiting the people to support the policy to train the staff to support the support staff.
The IT staff takes those calls, whether it's passwords or extra exorbitant security enforcement on the desktop and that happens to be configuration management, IT management and IT staffing, so that's the recruiting problem in a nutshell... we make it harder because we introduce all these problems that require more people. So we're in this crazy dilemma.
ROBERT: Back in 2014, the US Cyber Command had an ambitious goal of integrating at least 6,000 cybersecurity experts into combat commands within the next two years. It was up to DARPA to suggest ways to achieve that goal.
FRANK: I think we've tried to solve it with some of these Capture the Flag contests that are probably the best we can do right now, and those have evolved quite a bit. If you go back all of the way to the early flagship Capture the Flag contests at DEF CON, where you had a force on force, defend and capture, defend your flag and capture the other guy's flag, the CTF has evolved quite a bit
ROBERT: DEF CON is the largest hacker conference in the world. It's held either the last week in July or the first week of August, in Las Vegas, Nevada, and it is home to one of the largest and best known Capture the Flag competitions in the world.
FRANK: You see a lot more interest in cybersecurity because of that. People go to DEF CON and they see the CTF in real-time and they're like, "That's really cool. I want to be able to do that". So that has addressed some of the shortcomings in talent in a big way to popularize cybersecurity and made it cool. And so naturally you're gonna have more people that want to be involved.
ROBERT: There are basically two types of CTF one attack and defend CTF is modeled after real world game of the same name. These CTFs involve two or more teams, all trying to defend their own flag, as well as capture their opponent's flag and in the computer world the flag can be as simple as the word flag, either in English or in leet speak, getting that often requires different skills. The other type of capture the flag perhaps the best known as Jeopardy style, that's where the challenges are grouped by categories, and where the deeper you go in a category, the more points you rack up to win. These are typically used as qualifiers for the live attack and defend capture the flags.
FRANK: We continue to evolve the nature of capture the flag, and when I was at DARPA, we ran a bunch of programs to try to identify top talent in different fields, cybersecurity being one of them. And that was through the CyberStakes program
ROBERT: CyberStakes CTF, a uniquely DARPA inspired competition modeled after DEF CON back in 2014. The original CyberStakes CTF consisted of 60 cadets and midshipmen from three service academies and the Coast Guard Academy. Like DEF CON, it was designed to have two-part qualifiers for the original CyberStakes Online were held in October and consisted of Jeopardy style questions. CyberStakes Live was held in February and consisted of attack and command style CTF.
FRANK: CyberStakes was created to help identify talent and generate excitement within the DoD, and to actually help the DoD recruit cybersecurity people who may not have considered the DoD before because they thought "Oh if I joined the military I'm gonna carry a rifle and dig a foxhole". Well, we wanted that to change and to make sure people knew that there's, in addition to being fighter pilots and soldiers, you could also be an awesome cybersecurity person.
ROBERT: So all that begins to explain why there was a hacking team at West Point in the fall of 2014.
ADAM: I was not surprised because it was called the Competitive Cyber Team. Kind of the whole idea of a cyber branch was already coming into common knowledge, at least at West Point. So I had heard about people going to do cyber stuff which obviously meant hacking.
ROBERT: Given he was a first year cadet Adam wasn't expected to know everything about computers, let alone how to hack or defend them.
ADAM: I think there's this thing called hack the site, I might have seen that a couple times just posted on Reddit, which is just a site that's set up and there's some vulnerabilities that you can poke at it.
ROBERT: Hacking a website can be as simple as viewing the source of a webpage, and then looking for any clues. Is it vulnerable to cross site scripting, which sends data to a different user? Is it vulnerable to a SQL injection, which can sabotage the data that is stored on the site. There's cookie tampering, or poisoning. And there's form tampering. And then there's good old website to face moments where you change the images or text on the site that say something else entirely.
ADAM: Aside from that, I just had some experience like Python. I wrote an app.
ROBERT: So what was Adam’s first experience with capture the flag?
ADAM: For CTF was actually the tryouts for C3T, where it was kind of a small Jeopardy style one, pretty easy questions, kind of my first experience, assembly web hacking all that kind of stuff. That's how I got started doing CTFs.
ROBERT: With CTFs you can't always look at the application source code, you can't actually see the software. So the only option is to reverse engineer the application and look at its machine code in assembly language. What is assembly language? It is a very low level computing language mostly commands. It's almost like looking at the raw ones and zeros. If Adam didn't already know assembly well, that's okay, because most CTFs are usually performed in teams.
ADAM: Because we were also new, some of the upperclassmen on the team were willing to help out if you're putting in the time and asking questions. Really, the tryouts were to see who had the skills but also who was willing to put in the effort. So, if you're putting in the effort, they're gonna teach you anyway, because once you join the team you're gonna be learning with them.
ROBERT: For CTFs, different members of the team are better at some aspects than others.
ADAM: I remember when I first started out, I definitely had the most experience with websites. I had written an SQL back end, and I had written stuff that was probably full of bugs, when I wrote it but that made me a little bit better at doing some web stuff at the beginning, just because I was so familiar with it. Things like cryptography, assembly, reverse engineering and binary exploitation I've never seen before and it was definitely a lot harder.
ROBERT: The advantage of CTFs is that it pushes you out of your comfort zone and challenges you to grow. And one of the goals of the CyberStakes CTF was to teach and encourage new security experts
ADAM: I remember one of the upperclassmen teaching me about assembly during the tryouts, and it was kind of foreign language. I didn't understand anything. I don't think I really understood pointers and seed either at the time so understanding assembly language is really hard because it's basically the most raw that you can do and it's all pointers, all this moving little things around. So that was definitely the hardest part about that. I remember for about the first almost a year, it was really hard. I don't think I liked it very much because everything was using assembly, finding and exploiting bugs on the stack and stuff. Some stuff I hadn't learned about in school yet, or hadn't had any experience with. So I definitely think if I didn't have the CTF path with this team and learning together, it probably wouldn't have happened.
ROBERT: Each CTF is different. Some are themed or named a few standout as memorable.
ADAM: I think the only one I remember was Wolverine, and it was basically just like any other reverse engineering challenge where you get a binary black box.
ROBERT: In security, a black box is an unknown system with unknown software, it's the closest thing to hacking in the real world, where you're on a network, but you don't know the systems that are there. So, as a hacker, you have to analyze the black box and see what you have to work with.
ADAM: The goal is to find an input that it says good job you found the correct input so it's a KeyGen cracker kind of deal. And this one was both functions that loops back into each other. And I think that was when I really started to understand assembly and being able to reason about moving through strings. I just remember, I think I was one of the first persons to solve that challenge and it was really exciting when I finally got it.
ROBERT: Some people only compete in online CTF but Adam says the real fun for him is going to the live competitions.
ADAM: I mean you can do remotely, but I definitely prefer doing it with teammates, kind of like pair programming but not really. It's just more fun to talk to somebody about it. And like, draw it out together and you know bounce ideas off each other when you're doing remotely, it's not quite as easy to do that you can still, you know work with somebody else, but the feedbacks, not really there so it's usually, you kind of work on it for a while, you find some stuff, you can get off, or you kind of just like blog about it on Slack about what you're doing and maybe someone else comes in and contributes
ROBERT: So there's definitely a social aspect here.
ADAM: My favorite thing is always staying up really late but other people. You know, maybe you find one or two people who are working the same challenge as you, and you're working on it, reverse engineering and you're kind of figuring out this map of what this problem is, what's this program is trying to do. Usually at some point, you go to sleep. You're just so tired when you wake up but a little bit of rest and you come back together and you have like this moment where you realize what's going on, and then you solve the problem and it's always really really rewarding because you spend so much time figuring it out. And finally you find some kind of elegant solution, or at least some solution, and you get the point. So it's sort of fun.
ROBERT: Most of the intense camaraderie occurs during the attack and defense CTFs
ADAM: On the attack and defense style, which was similar to the CyberStakes in person events, it's kind of like this ongoing battle between these servers where you have kind of this Jeopardy style problems and each one. And it's your challenge to hack into each of those machines, but also defend your own machine so fixing the bugs and the programs and patching you know whatever services are in there, to prevent exploitation and in that one you can actually look at the web traffic, see what these exploits are up to. So in that one, you do get a little bit of incentive for looking at what people are doing to kind of stay away.
ROBERT: Adam has a unique perspective, he's competed in both CyberStakes as a cadet, and later at DEF CON, the Grand Master of all CTFs
Continuous Testing at the Speed of Development.
Find out how ForAllSecure can bring advanced fuzz testing into your development pipelines.
ADAM: They actually, pretty similar -- DEF CON quals and CyberStakes online. Those are the two kind of qualifying events, both Jeopardy style CTFs ,definitely DEF CON quals ae a lot harder because they're trying to filter out the the best of the best. And then, CyberStakes online has kind of a different objective where it's to find talent but also be this kind of start from zero. The challenges are super easy but then get harder and harder. So, in addition to seeing who's good, it also helps you learn. It's like a whole educational journey of a CTF. And then the CyberStakes Live and DEF CON final CTF -- they're both similar because they're both, at least in the past, attack and defend. And skill wise, difficulty wise, there's a little bit of difference there, but it's the same kind of deal.
ROBERT: Unlike in 2014, CTFs today are becoming more common, it's even becoming part of the typical computer curriculum
ADAM: Yeah, basically, any class that you take in cybersecurity is gonna have some sort of CTF and it's, it's just kind of the way you learn about this stuff. And if you're not doing policy if you're trying to learn how it's like really done, you basically need to do it, and the most convenient most fun way is a CTF. So, I think a lot of people in the industry, who are in the real side of like security, who are actually hacking from a binary standpoint, or probably even the web, does CTF at some point in time.
ROBERT: Speaking of time, maybe you think you don't have the time. Most CTFs are held on the weekend, and most are short lasting 24 or 48 hours. This makes it possible to fit into a busy school or work schedule, the CyberStakes CTF was designed to be even longer running from one weekend straight through to the other.
ADAM: Ten days long. It was a pretty convenient format for us, and it really made the most sense since it was targeted at Service Academy people so you've had enough time in your busy schedule that you can kind of figure out these little chunks of time that you can do it on your own. Most CTFs are targeted towards normal CTF teams, people who can kind of choose their own schedules. And usually on the weekends, so people who work, at school, they can play on the weekends when people normally have time to schedule on their own.
ROBERT: And what about that original CyberStakes CTF program that Adam competed in? It continues today. Although under a different mandate. It's now known as the All-Army CyberStakes CTF, and it's open to not just service academies, but pretty much anybody with a .mil or a .gov email address. And if Adam didn't join the Computer Club at West Point, would he have ended up doing what he's doing today?
ADAM: Definitely not.
FRANK: That was largely successful. It attracted a lot of attention, both organically because you got existing uniform people drifting over into the cybersecurity areas, and it really helped identify top talent that we didn't know. There were all these people just sitting in plain sight, who were amazing cybersecurity professionals in cyberspace. It really put a flashlight on them and helped us pull them into the community.
ROBERT: Some cadets at West Point and other service academies have stayed and have built their careers in information security.
FRANK: With the CyberStakes competitions that have been held, I've seen folks that participated and, say, Lieutenant level or low -evel enlisted grades, gradually get promoted, through the years, 5 to 10 years later, that are now in leadership positions of large numbers of people. And so that's great. It was hard to find somebody in leadership that actually knew the, the low-level details of software exploitation and why it mattered. And why we needed to defend against it. And without the understanding of those nuanced problems. And what's happening in a computer's memory with buffer overflows and the heap arrangement, and the memory of a program and how it can be manipulated from the outside by an adversary, unless you understand those nuanced problems. It's hard to make good strategy decisions about how to defend. And so, if you don't understand this, it makes you fall back on policy, and we already talked about policies. It's a checklist. It's a map of the minefield. So it's kind of an interesting conundrum there, where leaders that know the low-level details of how computers work, how memory works, how networks work, the individual bytes in a TCP IP frame, how they're arranged, and why sequence numbers are important and why checksums are important. They intuitively will be able to make logical decisions about how best to defend their networks and US policy is like, just, just a way to make sure they didn't forget some
ROBERT: The work that Frank did at DARPA, and the competitions that Adam participated in back in 2014 are paying off today. There are more leaders with more technical chops within the Department of Defense because of it. This program has been so successful that there's now a bipartisan proposal before Congress called cybersecurity competitions to yield better efforts to research the latest exceptionally advanced programs are better known as CYBER LEAP Act of 2020. This would establish and formalize a series of computer competitions within the government to enhance information security. That's a great idea. Having more CTFs like CyberStakes should help increase the numbers of infosec experts, it starts to address the shortfall that (ISC)2 was warning us about, and it starts to make us all safer in the applications that we use both at work and at home. And as those experts drift out of government over time, they will continue to benefit the commercial world as well.
For The Hacker Mind. I'm Robert Vamosi.