Cyber Dudes to the Rescue

The boys who might save your life one day really love fast cars. one of them, a 24-year-old named Mark Davis, drives a turbo-powered black Ford Mustang. Earlier this year, Mark took me for a drive through Tulsa, Okla., where he lives. “Check this out,” he said, as we passed a strip mall. He flipped on a Metallica CD, rolled down the windows, pumped up the volume as high as it could go, and revved his engine. A few people standing on the curb staggered back as if they’d been shot. Mark grinned.

“Dude,” he said, supremely satisfied by the effect. “That ruled.”

Mark could talk about car stuff for hours, but he has other consuming passions. A graduate student in computer science at the University of Tulsa, Mark understands far more about bits and bytes and other aspects of cyberspace than a good number of adults. So do many of his friends at the university, most of whom also have excellent cars, awesome stereos, goatees, piercings and tattoos. The Dudes, as we might call them, have been playing with computers since preschool. They have skills they can use in ways most of us cannot imagine, and that makes them a valuable national asset--assuming they behave themselves.

In another, flusher time, guys like Mark Davis would be preparing for lucrative private-sector careers. But these are not flush times, and it’s a foregone conclusion that even the most tech-savvy whiz kid might have to wait a while for serious money. Luckily, the Dudes have other plans. Ready or not, Mark and his friends will soon be working for Uncle Sam. Specifically, they’ll be guarding crucial U.S. infrastructures, thanks to a $30.5-million cyber-security program known as Cyber Corps.

Started last fall and funded by the National Science Foundation and the Department of Defense, the program (officially called the Federal Cyber Service: Scholarship for Service) is for juniors, seniors and a handful of graduate students. The deal: complete a degree in cyber security--which involves the study of computer systems, their flaws and techniques to protect them--courtesy of the federal government, in exchange for a two-year commitment to work for the government. Among the many agencies interested in employing them: NASA, the Navy, the Air Force, the FBI, the CIA, the Office of Homeland Security and the National Security Agency.

These are unsettling times in America. Osama bin Laden is MIA. War with Iraq looms. Enemies--invisible, amorphous, ever-threatening--are out there. They can stage an attack anonymously, from a cyber cafe, a cell phone or the privacy of a bedroom. Last year, roughly 85% of American government agencies and corporations reported security breaches.

Anonymous computer criminals, or “black hats,” launching cyber attacks such as the Nimda worm and the Melissa virus cost the global economy roughly $10 billion during the first eight months of 2001. With a few learned keystrokes, say security experts, hackers working for themselves, corporate espionage operations, organized crime, hostile governments or terrorist organizations could wreak havoc on the country’s critical electronic infrastructure.

On Aug. 16, consultants at a San Diego security firm called ForensicTec Solutions Inc. illustrated this point, announcing that they’d used software widely available on the Internet to enter dozens of confidential military and government computers without permission. Among the files they perused: an Army “smart book,” detailing radio encryption techniques; hundreds of personnel records containing Social Security numbers, security clearance levels and credit card numbers; and, in one case, “a [Defense Department] memo naming couriers to carry secret documents and their destinations,” according to the Washington Post.

Once an obscure item on the government’s agenda, cyber security is now center stage. Securing the cyber infrastructure is paramount to homeland security, says White House cyber czar Richard Clarke, and yet “the government doesn’t have anywhere near the number of trained IT personnel it needs.” Clarke won’t quantify the size of the deficit, but other experts do.

“It’s a big black hole,” says Alan Paller, director of research at the SANS Institute, a security consortium based in Bethesda, Md. He estimates that more than 100,000 federal employees whose jobs involve computer security have almost no security skills.

Mark Davis, of course, has excellent skills. He could use them for good or bad. Good seems to be a reasonable choice right now. It pays. It’s “funner.” Plus, Mark is a pragmatist. Life, he explains, is kind of like math. You’re born, you live, and at the end you tally up your experiences hoping that the cool side of the ledger is longer than the boring side. True, Mark is going to work for “The Man,” and he worries that he might have to lose his eyebrow ring, which would be a bummer. On the other hand, he’s the son of a millwright from Broken Arrow, Okla., and his education is being paid for by the feds. Getting paid to hack using some of the most high-tech equipment on the planet might be worth a few sacrifices and a background check, particularly if it means he can work for a super-cool agency like the NSA.

“That agency didn’t even admit it existed until a few years ago,” says Mark. “You’ve got to figure if you want to get into the really hairy stuff, that’s where it’s gonna be.”

He says he really has no idea what kind of “hairy stuff” the NSA might be up to, though he assumes it involves the same type of high-tech gadgetry as was portrayed in the hacker-friendly movie “Enemy of the State.”

“I just want to be privy to all of the secrets and not be able to tell anybody,” Mark grins. “It’s a power trip kind of thing.”

It’s a blustery evening, and Mark and his friend Gavin Manes, 25, are kicking back at a Tulsa pub called the Slow Duck Saloon. Both are happily drinking, though Gavin--whose girlfriend has requested that he come home sober--swears he’ll limit himself to one beer. (He has three.) Mark is on his third Long Island iced tea, a drink he loves primarily because it has more alcohol than any other drink. Which isn’t to say he’s drunk. He’s 6-foot-1 and built like a defensive tackle.

“I’m trying to get drunk,” he says, smoking a cigarette. Drinking is pretty much the only vice Mark can admit to right now. “I’m trying to be good,” he says sarcastically.

“So check this out,” says Gavin. “This guy called the other day and said he’d stolen a Porsche in California.”

“He stole it?”

Gavin clarifies: “No, no. It wasn’t like he stole the car. It was one of those things where you have to be the 102nd caller to this radio station and you win a car. So he hacked in and took over the phone system.”

“Dude, that’s awesome.” Mark grins. He’s hacked the phone system, too, he says, back in the day when he was about 14. When he was 13, he made a “red box,” which is a device that essentially tricks a pay phone into thinking it’s a quarter. (This is not to be mistaken for a “blue box,” which tricks a phone into thinking it’s an operator.) This is kind of a secret--one of many, I suspect.

There seems to be a subtle don’t-ask-too-much/don’t-tell-everything ethos built into Cyber Corps. “A few indiscretions during your ‘experimental years’ won’t necessarily exclude you from serving your country,” says Mike Orenstein, spokesman at the U.S. Office of Personnel Management, which vets most of the Cyber Corps students.

“From what I gather, there’s, like, the past and, like, there’s now,” says Mark. “And as long as you don’t lie about anything, it’s cool.” He, like everyone in the program, signed a contract that will bind him to a background check and polygraph test if they’re required by the agency hiring him. Until then, he’s been instructed to avoid situations and behaviors that would prevent him from getting security clearance.

“I can’t think of anything I’m doing illegal now.” Mark frowns. He feels incredibly tame. He even stopped playing with his band, he says, because band practice cut into his study schedule. His old friends don’t understand the new Mark. “They want to party, and I’m like, I gotta go home and go to bed.” He sighs. “I miss being young and reckless.”

But you’re still young, I suggest.

“Yeah, but I’m not reckless. I miss being reckless.” He sighs again. “You can only be reckless for so long and so far.”

“Dude, that’s such a lame thing to say,” says Gavin, flashing a rakish grin. A doctoral student in computer science, Gavin is not part of the scholarship for service component of the program, which stops at the master’s degree level; he’s a student mentor, a paid position that also falls under the Cyber Corps umbrella. This is fine by Gavin, who admits that his true goal is to prolong graduation as long as possible. “And, of course, to be totally overpaid in the private sector,” he adds.

Mark regards this remark with a blase shrug. “Dude, I was totally overpaid in the private sector when I was 19.” (He made a living for a while, he explains, writing software for a consulting firm that served phone billing companies.)

Gavin smirks. “Yeah, but now you guys have to--I mean, get to--work for the government.”

Mark pretends this doesn’t annoy him. “Dude, think about it. We get a master’s degree, government experience, security clearances.... “

“Two years.” Gavin makes it sound excruciating.

“But when we get out?” says Mark, smiling knowingly. “Cha-ching!”

The collapse of the IT sector couldn’t have come at a more opportune time for the federal government. “Throughout the 1990s, we couldn’t get good IT people,” Richard Clarke says. “The government doesn’t have the money to pay high salaries like private companies did.” And now? “This is heady stuff for a 22-year-old,” he says. “You don’t make as much money, but you get to do a lot more exciting things a lot younger.”

And who better to fight the invisible foe than the Dudes? They understand cyberspace intrinsically, says Clarke. “It’s like a language. If you learn it when you’re young, you understand it in a way that those of us who learn it later simply don’t.”

Granted, hiring the kids with the “scary skills”--let alone spending tax dollars to train them to police the very networks they might have dreamed of cracking in the first place--has its risks. Then again, hacking, Clarke explains, isn’t necessarily a bad thing, provided it’s used in the right way.

There are currently 11 Cyber Corps “scholarship for service” programs in the United States, with a total of 150 students. They are spread across campuses including Purdue, Tulsa, Iowa State, the University of Idaho, Carnegie Mellon and the Naval Postgraduate School in Monterey. With 43 of the 150, Tulsa, a school best known for training petroleum engineers, is the national leader, thanks in no small part to the program’s director, Sujeet Shenoi, a cyber-security expert and a member of the Oklahoma Joint Task Force on Homeland Security.

Shenoi, a frequent participant in Defense Department-sponsored symposiums on cyber security and counter-terrorism, is described by Clarke as a “guiding force” in the field of information assurance and one of the few U.S. professors qualified to teach cyber security. Shenoi describes Cyber Corps as a 21st century “Right Stuff.”

Gavin and Mark snicker at this kind of rhetoric. “That’s just Shenoi,” says Gavin. “He’s really enthusiastic.” Of course, Gavin often talks up the program as enthusiastically as Shenoi. It’s part of his job as Shenoi’s assistant. But it’s mostly talk. The goal, the guys explain, is to do whatever is necessary but always keep the ultimate goal--getting free schooling and a two-year job doing something totally cool--firmly in mind. Mark, for example, recently cut his waist-length hair to just above the chin when Shenoi suggested it might make a better impression on the government suits interviewing him for the program. Another one of their friends has a tongue ring. “He took it off for his NSA interview,” says Gavin.

“See?” says Mark. “You have to understand how to play the politics game.”

To be fair, most of the Dudes aren’t like Gavin and Mark. They have short hair and minimal piercings, and some are members of campus fraternities. Many have been motivated by a vague, post-9/11 sense of patriotism--even those who aren’t yet eligible for the program. “You do feel like you owe your country something,” says Brock Blackburn, a beanpole of a sophomore from Colorado who hangs around Gavin’s office and hopes to join Cyber Corps next year. “I mean, Sept. [11] raised the stakes.

“It’s doing something tangible for the country and, like, meaningful,” he says. “I think being a geek these days is pretty much of a compliment. Like, it’s cool if I don’t take a bullet for my country. I can use my head.”

Even Gavin sometimes wears that enduring symbol of post-9/11 patriotism, the tiny American flag pin. He’s also got a large red, white and blue poster in his office on the third floor of the University of Tulsa engineering school: “Cyber Corps: Defending America’s Cyberspace.” Perhaps this is more of a political maneuver, or a sign of gratitude. Thanks to Cyber Corps, the university boasts one of the few undergraduate computer research labs in the country: a $4-million facility complete with dual-monitor computers that are replaced regularly to keep them from becoming obsolete.

“When you think of the perks in all of this, the government can’t be that bad,” Gavin quips.

Isn’t that a little cynical?

“Oh, I am cynical,” he says.

Then why do this?

“Uh, duh. To have more power. Do you even know what we’re doing?”

There is a computer science theorem known as the halting problem that addresses the nature of cyber security and states, in essence: Begin with an assumption that we are destined to lose. Shenoi teaches his cyber-security classes with this theorem in mind. Thus guided, students go about their days thinking up ways to lose--less. The goal of Internet security isn’t to “win.” That, in Shenoi’s estimation, is basically impossible. The goal is to effectively preempt the enemy’s dastardly plans.

“It’s interesting because the anti-terrorism laws are changing, and that gives my students a positive handicap,” Shenoi says. It’s also quite troubling, he adds, due to the erosion of privacy laws that give the government increasing surveillance power. But, this is war. “We have to assume that whatever position we take, at least half of the world’s population will be [angry] at the United States, so we have to do the best we can to build defensive postures.” It helps, he explains, to be able to think like a cyber terrorist. He hopes to train the students to understand how the enemy thinks.

While Cyber Corps’ students are not creating viruses, they are stockpiling viruses and other forms of “computer attacks” for further study. There are 33,000 computer attacks stored on the main computer in the university’s computer lab. Mark has an additional 3,500 dormant viruses stored on his computer at home. The students are also doing a bit of “dumpster diving,” rummaging through campus dumpsters looking for trash. This is a valuable technique used by hackers eager to glean information to which they might not otherwise be privy: discarded bank statements, interoffice memos, passwords.

The university’s dumpster-diving rules are as follows: the activity must be pre-authorized; take place on school property; students can’t keep what they find; there are penalties if you get caught breaking rules 1 through 3.

Civilian criminal investigations are also integral to the program. To learn how to investigate cyber crime, the university has teamed up with the Tulsa police force’s cyber-crime investigations unit. The curriculum includes hunting down pedophiles and child pornographers.

A civilian setting has useful qualities. Learning how to investigate cyber crime like a cop means, by default, learning where the cops might fall short. Theoretically, understanding the weakness in a system helps strengthen the system. Practically, it could point a destructive hacker to the major holes in a system. “You don’t want to tell your friends what you’re up to,” Shenoi says in his computer security course. “Some of what you learn in this class can put you in prison for a very long time.”

To reinforce this theme, Barbara Geffen, the general counsel for the University of Tulsa, visited Shenoi’s computer forensics class and spent about 20 minutes explaining Oklahoma telecommunications law, as well as what might happen if you break it. “You do not want to replicate software,” she said. “It’s illegal to replicate software. It’s illegal to steal passwords. Don’t do this.” She repeated the word “illegal” several times. Mark, sitting in the fourth row, suppressed a laugh.

To be clear, the Dudes do not want to go to jail. They just don’t think they will since no one really understands what they’re doing other than, well, them.

The Dudes respect Shenoi--sort of. But they also believe he’s basically clueless. After all, he’s 42. “Like, theoretically he knows a lot, but practically? I could smoke him,” says Mark.

“Yeah, most of the time what we’re doing is so far over his head we have to show him. He’s way behind on the research,” says Gavin. Then again, almost everyone is behind on the research. “It’s hard when you get old,” says Gavin. “You realize there’s a lot you don’t know.”

Lately, Gavin has been feeling extraordinarily old. “Some of these young guys are so bright, they don’t even need a computer--they just think,” he says.

Jesse Keller, for example, a sweet-faced, gangly 21-year-old junior, is not technically in the Cyber Corps--he’s thinking of following in Gavin’s footsteps and getting a PhD. But thanks to Shenoi, who sees mentoring younger students as a particular mission, Jesse is as integrated into the Cyber Corps as any other student. A computer whiz, he is so brainy that he was tapped to join a team of students, including a 50-year-old grad student, in Gaithersburg, Md., where they consulted on a project for the FBI. Their assignment was to inspect a PBX phone system the government was considering purchasing. The group found many kinks and believes the FBI shelved its plans and went shopping for a new system.

The beauty of the Internet is that it has enabled even the nerdiest among us to become superheroes: to wage a hack attack on, say, the Pentagon (which was done in the late 1990s by an 18-year-old Israeli hacker who called himself “The Analyzer,” and who had the help of a few California teens), and then pad downstairs in your sweat socks for dinner with mom and dad.

None of the Dudes have ever been caught doing anything illegal, including hacking--at least their records are clean. But who are they really?

Off the record, it’s a question dogging every federal agency that might employ them, say a few officials. On the record, “I can assure you that we have a very robust screening process,” says Michael Jacobs, former information assurance director of the NSA and an early booster of Cyber Corps. “It’s very successful in assuring we hire not just competent people, but people dedicated to serving the nation.”

That takes care of straight-arrow boys like Jesse and Brock. But what about Mark? “You can’t know for sure that they won’t break the law, but, frankly, if they wanted to do harm to us, they probably wouldn’t choose to work for the federal government anyway,” says Clarke. In other words: Only true patriots are willing to sacrifice.

Of course, that assumption leaves out much of the lesson of Sept. 11. What about the “enemy within”?

Here, neither Jacobs nor Clarke has much of an answer. “Hopefully, our networks are designed in such a way that they can’t be damaged drastically by one insider,” Clarke says. “They’re not going to be making decisions. They’ll be supervised.”

The problem is, most of the Dudes would like to be left alone. It is part of the hacker code, as stated in “The Hacker Manifesto.” You can find it on the Internet. It defines a hacker as someone who, among other things, “enjoys the intellectual challenge of creatively overcoming or circumventing limitations.” It also defines a hacker as someone who “detests and avoids” business suits, dishonesty, boredom and bureaucracies.

“Don’t take it literally. It’s old-school thinking,” says Mark. “Being a hacker is a mind-set more than anything else.”

We are having greasy Chinese food somewhere in the vast strip mall universe of Tulsa. Mark mentions Kevin Mitnick, a famed “social engineer” who hacked into online databases and stole thousands of credit card numbers in the mid-’90s after tricking several network administrators into giving him their passwords. Mitnick spent a few years in federal prison. “He did a decent hack. He got caught,” Mark says. “A lot of people do decent hacks, not all of them get caught, though.”

Mark prefers John Draper, a.k.a. Captain Crunch, the creator of the infamous “blue box.” Draper also got caught. Now he is running a successful cyber-security firm. “Captain Crunch was cool because he was the first person who figured out how to beat a system,” Mark says, looking at his friends.

So what do they think about cyber war? And who’s a “cyber warrior?” The guys think for a minute. “I guess we are,” says Jesse’s friend Tony Meehan, obviously psyched. “See, most of us in this program are already pretty gray hat, leaning toward white but not totally.”

In 2000, Tony, who is 20, and Gavin went to the Air Intelligence Agency at the now-closed Kelly Air Force Base in San Antonio, Texas, where they presented a paper on cyber security to a room full of military brass. Gavin was curious to know how much the generals knew. “I asked one of these dudes if there was, like, some illegally funded computer operations in the government--you know, like some shady Cambodia-Panama kind of thing,” he says. The generals didn’t take to that question, he adds. “One guy was like: ‘Son, if there is, I’m not going to tell you.’ ”

The guys chuckle, but beneath their facade is a distinct sense of unhappiness. “See, a lot of people simply don’t understand security. There’s this dearth of awareness out there,” says Gavin. “People who are not willing to listen to young people do not last long in security. You know, a lot of the research we’re doing is all just thinking. We don’t even really need a computer, since we have this super-tool.” He points to his brain. Tony smiles, contemplatively chewing on a sparerib.

“The cool thing about Cyber Corps is it’s almost like being the bad guy--except you’re a good guy,” Tony says. “Of course, you have to have some moral sensibility,” he adds.

So does that mean you’ve learned how to think like the enemy?

The Dudes laugh. “Oh, that’s just a line Shenoi uses to sell the program,” Gavin says. “It’s all just curiosity.” In other words, no one’s teaching anyone to think like the enemy. Says Gavin: “These guys already think like the enemy.”