HTML5 Article experience by the HTML5 Hub and Intel
Hey, dude!” says David Bonvillain. “Let me buy you a mojito!” It’s not even noon at the Holiday
Inn bar, but Bonvillain, head of the Denver-based Accuvant LABS, one of the most elite and flashiest
computer-security firms, is already working the crowd because, as he puts it, the competition is
“feverish.”
A brash, Ferrari-driving 40-year-old who chain-puffs an e-cigarette and is sleeved with tattoos,
Bonvillain is among the country’s top hacker scouts. While the feds try to recruit hackers on the
glory of public service, Accuvant has honed a sexier pitch. “We built an environment that allows
people to legally do the things that would put them in jail,” Bonvillain says, exhaling vapor, “and
we have a great time and make a good living doing it.”
Accuvant represents an upside to cyberwar: a booming market. Corporations spent $60 billion worldwide
on information-security services last year, according to a report by Gartner, a technology-research
firm, and are expected to shell out a whopping $86 billion in 2016. To the consternation of businesses
around the world, entrepreneurial hackers hunt for security flaws, then sell the technical info to
governments from Russia to North Korea, as well as the National Security
Agency here. Google and Microsoft are among those who pony up as well, hoping to improve their products.
Technical details on a single vulnerability go for as much as $150,000.
Accuvant specializes in attack and penetration, or “attack and pen” for short, infiltrating their
clients’ computer systems to expose and improve weaknesses. Their clients include everyone from banks
and hotels to federal agencies, which can pay upward of $100,000 for a single test of their services. To
maintain integrity during a penetration test, the client’s underlings aren’t told they’re being targeted.
A Minnesota casino hired Accuvant to try to break into its computer room and access its most sensitive
data. Not only did the team succeed – convincing workers they were tech-support staff – they walked out
the door carrying the casino’s computer servers. They then posed with their bounty by the slot machines,
flipping off the camera for a picture they sent to the casino’s boss. Another time, they hacked a
Department of Defense contractor by parking a rental car outside a warehouse and scanning the wireless
network with laptops and antennas. “It’s sad, honestly, how vulnerable they are,” Bonvillain says.
Accuvant understands the talent better than most, because they rose from the hacker underground themselves.
Bonvillain, a metal guitarist who spent a night in jail in high school after getting busted riding his
motorcycle over 100 mph, started hacking computers and phone phreaking while at James Madison University
in Virginia in the mid-Nineties. “I wanted to break into stuff,” he says. “I thought it was the coolest
thing.” Inspired by the movie War Games but eager to stay out of trouble, he eventually put his skills
to use as a professional hacker testing security for companies that paid him. “As soon as I found out
that information security was actually a job and, even better, a job you could make some good cash at,
that was all I wanted to do,” he says.
Jon “Humperdink” Miller, a hulking, goateed 31-year-old in a backward baseball cap and shorts, who, as
head of research and development, oversees Accuvant’s military clients, is like a supersmart Chris Farley.
He started attending hacker conventions at age 13 and became notorious when he appeared at DefCon with no
shirt and a vanity license plate of his nickname around his neck. He jokes that his greatest hacker skill
is “drinking,” for which he has an award named after himself at the Vegas confab. When he was in high school
in San Diego, he says, he made $80,000 a year doing his own attack-and-pen operations. At 17, the National
Security Agency offered him a college education, a company car and a substantial stipend if he agreed to
work for them after graduation. But he passed on the offer. “Guys like me refuse to get clearance,” he says,
gulping a beer. “You have to be professional. You have to be reserved. Here, like, if you’re a loud asshole
and you’re smart, sweet! We know a lot of loud assholes.”
Bonvillain balks over security clearance too. “If you’ve smoked pot more than six times, you can’t join
the FBI,” he says. “When they interviewed me, I asked, ‘In one day?’” The drug test is no small issue.
A three-year no-use policy eliminates a huge slice of the young hackers coming out of school into the
workforce. “That disqualifies a bunch of people that would be perfectly skilled and trustworthy,” says
Moss, “just because they smoked pot in college.”
Attracting and keeping cyberwarriors is as much about marketing a lifestyle as it is offering big bucks.
(The money is good, though, with salaries for top contractors at firms like Accuvant easily topping
$200,000 a year.) &Look at Alex,& Bonvillain says, pointing at Accuvant&s head of
security architecture, Alex Kah, a tatted-up Kentuckian with a slacker drawl. &Could you imagine
him trying to go into the NSA with &Louisville& tattooed across his neck?& Accuvant
hires electronic-music duo the Crystal Method for its parties and makes the hippest swag in the business:
bootleg Adidas tracksuits, stickers and T-shirts modeled after Iron Maiden&s &The Trooper.&
To score one notorious hacker, they agreed to buy him his own gold-plated, $1,000 espresso machine.
&The reason we&re successful is because we market this like a metal band,& Bonvillain says.
And they’re fired up by the enemy. Humperdink grows red in the face when he starts ranting about how China
gives a pass to its rogue army of hackers. “If you’re a lone Chinese hacker not employed by the Chinese and
you want to hack Charles Schwab, go for it,” Humperdink says. “Consequence-free. Do whatever you want.
You’re fighting the great Satan. They’re completely covert about operational security. They don’t talk
about active hacks against the U.S. That’s completely off the record. That shit happens every day.”
Their outrage makes them even more patriotic. Humperdink comes from a family of Marines and law enforcement.
Bonvillain draws inspiration from his dad, a retired lieutenant colonel in the Army, who now works as an
intelligence officer for the Defense Intelligence Agency – serving posts in the Balkans, Afghanistan and
Iraq – and has been nominated for the counterintelligence’s hall of fame. “I’m deeply patriotic,” Bonvillain
says. It’s the same blend of working-class blues and American pride that fueled the old military. “Every
serious hacker that I know came from very, very blue-collar or underprivileged backgrounds,” he says. “It
made them hungry. They’re willing to do whatever it takes.”
Scenario: Hackers use a computer worm to take command of controls at a
nuclear power plant, causing a Chernobyl-style meltdown.
Reality: Stuxnet, which targeted a uranium-enrichment facility in Iran in 2010, proved this possible. Though Iran has not confirmed whether the worm successfully damaged the centrifuges, one Iranian scientist later reported that a hack forced computers to play AC/DC&s &Thunderstruck& at full volume on random machines in the middle of the night & just to drive them nuts.
Scenario: A worker at a power plant clicks on an e-mail link, unleashing
malicious software, which crashes electricity for an entire city.
Reality: A 2013 congressional report on Electric Grid Vulnerability
found more than a dozen of utilities report “daily,” “constant,” or “frequent” attempted
cyberattacks on their systems – one utility reported 10,000 in a month. “We know that foreign cyberactors
are probing America’s critical infrastructure networks,” then-Defense Secretary Leon Panetta said in October 2012.
“They are targeting the computer control systems that operate chemical, electricity and water
plants and those that guide transportation throughout the country.... We also know that they
are seeking to create advanced tools to attack these systems and cause panic, destruction
and even the loss of life.”
Scenario: Hackers take over train systems, derailing locomotives across America.
Reality: In 2008, a 14-year-old boy in Poland proved how easy this is to do. He built a device to control track points in the city of Lodz, causing four trams to jump tracks. &He treated it like any other schoolboy might a giant train set,& police said, &but it was lucky nobody was killed.& In December 2011, a rail company in the Pacific Northwest was attacked by hackers who disrupted train signals for two days. &Cyberattacks were not a major concern to most rail operators& until this time, the TSA stated in an internal memo obtained . &The conclusion that rail was [affected] by a cyberattack is very serious.&
Scenario: Attackers hack into a water utility system, shutting off the
water supply for an entire city.
In 2011, hackers breached a water plant in Springfield, Illinois, toggling the system on and off until one water pump burned out completely. Later that year, a hacker claimed to have used a simple three-character password to access the infrastructure system for South Houston & posting screenshots online to prove it. &I'm sorry this ain't a tale of advanced persistent threats and stuff,& he said, &but frankly most compromises I've seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.&
Scenario: Phone systems get disabled. Missile launches can’t be
monitored. Radio distress signals go unnoticed.
Reality: In 2011, the annual report of the U.S.-China Economic and
Security Review Commission revealed that two U.S. government satellites had been
hacked in 2007 and 2008 by hackers believed to be in China. “Such interference has the potential to pose
numerous threats, particularly if achieved against satellites with more
sensitive functions,” according to the report. “Access to a satellite‘s controls
could allow an attacker to damage or destroy the satellite.”
Scenario: Hackers take over social media, posting messages from news
organizations on Twitter, Instagram and Facebook saying that Obama has been
assassinated – causing Wall Street investors to panic and sell off their goods.
Something like this happened for real in April, when hackers hijacked the Associated Press Twitter feed, posting the phony message &Breaking: Two Explosions in the White House and Barack Obama is injured.& A group called the Syrian Electronic Army took credit for the hack, which caused a momentary $200 billion drop in the Dow.
To get a sense of just how weak our cyberdefenses are, I take a trip with Jayson Street, Chief
Chaos Coordinator for another firm, Krypton Security, into the basement of a hotel in South Beach.
We breeze past an open door with a taped sign that reads, “Doors must be closed at all
times!!!” This is where the brains of the building live – the computer network, the alarm system,
the hard drives of credit-card numbers – but, as Street tells a brawny security guard, he’s here
on the job, “doing a Wi-Fi assessment.” Street, a paunchy, 45-year-old Oklahoman in a black T-shirt
and jeans, flashes the hulk some indecipherable graphs on his tablet and says, “We’re good,” as he
continues into another restricted room.
The doors aren’t locked. No one seems to be monitoring the security cameras. The wires for the burglar-alarm
system are exposed, ready for an intruder to snip. We make our way to the unmanned computer room, where, in
seconds, Street could install malware to swipe every credit-card number coming through the system if he wanted
to. “They’re like every other hotel I’ve tried to go into,” he tells me. “They fail.”
Government agencies and corporations fly Street around the world to see if he can bullshit his way into their
most sensitive data centers. He has scammed his way into a bank in Beirut, a financial center across from Ground
Zero, a state treasury department. He usually records his infiltrations on a spy watch, a 16-gigabyte HD video
recorder with infrared lights, then turns over the footage to his clients. When I ask Street the tricks of his
trade, he tells me there are two keys to stealing data in person: act like you’re supposed to be there and carry
a tablet PC, which convinces victims he’s a tech-support worker. “People see this thing,” he says, waving his
tablet, “and think it’s magical.”
Street, who has authored a book about security flaws called Dissecting the Hack, is a highly sought-after speaker
at hacker conventions from ones in China to this weekend’s in Miami, and has consulting gigs in Cyprus, Jamaica
and Germany. “I am not an American hacker,” he says. “I am not a Oklahoma City hacker. I am a hacker. I don’t
care what country you’re from. If you’re trying to defend yourself and you’re trying to work to better protect
your company or your country, I’m all for it. I’m here trying to help secure the Internet.”
But there’s one job he’ll never take: working for the feds. “The American government has to understand that to
get someone who thinks outside the box to work for you, you can’t immediately put them in a box,” he says. “And
that’s the problem.”
Street is among the many who cite the legacy of the late hacktivist Aaron Swartz as a cautionary tale. A research
fellow at Harvard, Swartz accessed the MIT computer system and downloaded millions of academic-journal articles.
He was charged with violating the Computer Fraud and Abuse Act and, facing decades in prison and $1 million in
fines, committed suicide in January. “The government says, ‘Hey, we really need your help, can you hack for us?’”
Street says of Swartz. “And then, on the other hand, it’s like ‘Oh, you’re a hacker, you’re going to jail! We’re
going to hound you until you kill yourself.’”
Gregory “Mobman” Hanis kicks back with his laptop on a florally upholstered couch in the Holiday Inn lobby,
ready to annihilate another 45 million people. He’s not doing it in warfare, though: He’s hacking Candy Crush
Saga, the most popular game on Facebook. As rows of sparkly treats fill his screen, he opens a second window,
which contains a program he wrote. With a few deft strokes, he casually cranks his Candy Crush score to 10
million, earning the high score and swiftly crushing the dreams of players who devote hours a day – not to
mention real money, which they use to buy extra lives – to the game. “It’s literally taking candy from babies,”
he says, with a sigh.
There’s a reason he sounds so weary. Mobman is a 32-year-old wizard who can hack just about anything but has
to settle for a job as a network admin for an online-poker company. That’s because he’s a convicted felon, a
black hat who, because of one major fuck-up as a teen, can’t get hired directly by the feds or most private
companies. His story represents another hitch in the cyber-recruitment race: the brilliant hackers who’ve crossed
the line earlier in life. “I’ve been in there. I know it, and I’ve done it,” he says. “That’s what you would get
from me.”
Like Street and the others, Mobman fits Bonvillain’s bill of being damaged and hungry. The son of a U.S. Marshall
mother and an absentee father, he got A’s in schoolwork but F’s in conduct. “I was bored,” he says. “They didn’t
push me.” Instead he pushed himself, writing a program that let him cheat in his favorite game, Ultima Online.
Mobman just wanted to steal virtual weapons and gold to get an edge. But when the program, Sub7, leaked
onto the Net, black hats around the world discovered it could be used to steal all kinds of things, including
AOL accounts and credit-card numbers. Sub7, the first hacking tool of its kind, went viral. “I was like, ‘Holy
shit,’” he recalls, “‘I’m gonna get in trouble.’”
Sub7 itself wasn’ it was the criminal use of it that was a problem. But in 1999, when Mobman was 19,
after getting pissed at AT&T for refusing to fix his overcharged cellphone bill, he hacked into the company to
change it himself. Instead, he says, he accidentally took down the entire AT&T network in California and Nevada
for almost two days. (An AT&T spokesperson won’t confirm or deny the attack.)
After pleading to a charge of &modification of intellectual property,& Mobman spent seven
months in jail awaiting trial before receiving five years' probation & and then spent months
living on the streets after his mom refused to take him back in. The experience left him changed and
determined to put his skills to good use. &That&s why I want a job,& he tells me.
&So I can do it legally.&
The federal cyberforces, though, generally don’t hire felons. But private contractors like Accuvant are technically
free to employ whomever they want. “For me – it depends on the felony :),” Bonvillain writes me in an e-mail.
“There was a day (10 years back or so) that such a conviction would have prevented his employment. Today, that’s
not as strict of an unwritten rule.” Though a felon would have trouble getting security clearance for more
hands-on jobs, he could still contribute as part of the security team.
For now, this leaves guys like Mobman to hustle work on the private side, which he’s busy doing here this weekend.
To help amp up his image, Mobman has been conducting his own security research at home, sometimes involving a bit
of hacking. He gives companies the opportunity to fix bugs, then posts his findings in white papers online. One
was about how hacking a single computer could take the entire country of Australia offline. Another one detailed
security holes in the popular Web-page-programming software Joomla. However, a few days after he posted the former,
he got a letter from the Department of Homeland Security. They weren’t impressed. They were informing him they’d
taken the paper down.
March 2002
For about a year, a single hacker had access to dozens of computers within the U.S.
Army, Navy, Air Force, NASA and the Department of Defense. The hacker turned out to
be Gary McKinnon, a man in London, later diagnosed with Aspergers, who claimed that he was merely looking
for evidence of UFO technology. No matter, McKinnon’s hack exposed the absurd vulnerability
of our military systems, which he accessed because they had miserably poor password
protection. United States attorney Paul McNulty called McKinnon’s feat "the biggest
military computer hack of all time."
August 2005
The cyberwar with China began with Titan Rain, the U.S.&s code name for a series of attacks on government agency computers at the Defense Department, Homeland Security, as well as the State and Energy departments. &This is an ongoing, organized attempt to siphon off information from our unclassified systems,& one U.S. official said. A 2007 Pentagon report concluded that the People&s Liberation Army was stepping up its cybergame. &The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks,& the report revealed. &In 2005, the PLA began to incorporate offensive [operations], primarily as first strikes against enemy networks.&
April 2007
After the Estonian government dismantled a Soviet World War II memorial, all hell broke loose online. Banks, news media and even government websites crashed in the wake of the most crippling cyberattack a country has ever seen. For the U.S., it was a foreboding sign of hackers& brutally effective tools like denial-of-service attacks and botnets. Nashi, a young activist group supported by the Kremlin, later claimed responsibility, which the Kremlin denies. The hack showed how one lone hacker has the power to take down a country&s critical infrastructure with relative ease. Live Free or Die Hard turned from a fantasy scenario to a looming reality.
January 2008
When YouTube pulled down a leaked Tom Cruise video hyping the Church of Scientology, it unleashed
the wrath of the hacker collective Anonymous. The group attacked Scientology websites and rallied
protests of the church via social media. Over the next several years, Anonymous became a potent
political force. During 2011's Arab Spring, the group launched Operation Tunisia to fight against
government surveillance. The next year, Anons claimed to have attacked 650 websites in Israel after
the country’s latest actions in the Gaza Strip.
April 2009
Current and former U.S. officials revealed to The Wall Street Journal that Chinese and Russian spies hacked our critical infrastructure, including power grids. One official said that the intruders had not yet sought to destroy these systems, but had left behind software programs that would enable them to do so at the flick of a switch. &If we go to war with them,& he warned, &they will try to turn them on.& Department of Homeland Security head Janet Napolitano said that &the vulnerability is something [we] have known about for years.& Reports also implicated China for hacking into the plans for the Pentagon's $300 billion Joint Strike Fighter project. The Chinese Embassy responded in a statement that China &opposes and forbids all forms of cybercrimes& and called the reports &a product of the Cold War mentality&fabricated to fan up China threat sensations.&
After sanctions were imposed on North Korea following nuclear tests in late May, the U.S.
and South Korea faced days of sustained cyberattacks. In the U.S., computers at agencies
including the Defense Department, the Treasury Department, the
Secret Service, the State Department, the Federal Trade Commission and the Federal Aviation
Administration were subjected to denial-of-service attacks, along with tens of thousands of
computers in South Korea, according to that country’s National Intelligence Service. Though
North Korea was suspected of having orchestrated the attacks, the source remains unknown.
January 2010
Google was attacked by hackers in China. Dubbed Operation Aurora, after the type of application
the hackers used, the massive case of cyberespionage was later attributed to the Chinese government,
with U.S. companies including Adobe, Symantec, Northrop Grumman, Morgan Stanley and Yahoo
falling victim. U.S. government officials later said that the hackers breached a secret database
with what the Washington Post called “years’ worth of information about U.S. surveillance targets,” specifically Chinese spies
being monitored in the United States.
Summer 2010
Cyberwar entered a dangerous new era with Stuxnet, a computer worm said to have been created by the U.S. and Israel that attacked a uranium-enrichment plant in Iran. By compromising the industrial systems-operation software, Stuxnet was capable of spying on and controlling the computers, as well as destroying centrifuges. Stuxnet, which could be installed on infected thumb drives, spread out of control to at least five other countries, including the U.S. Defense Secretary Leon Panetta warned of a possible &cyber Pearl Harbor.&
August 2011
McAfee, the security-research firm, uncovered a massive five-year wave of hacker attacks against governments, nonprofits and corporations around the world. Called Shady RAT, for the remote-access tool used by the infiltrators, the breaches hit over 70 organizations including government agencies in the U.S., Taiwan, Canada, and India, as well as the International Olympic Committee and several defense contractors. McAfee attributed the attacks to a single state actor, though didn&t name the country, which some sources believe to be China. &This is the biggest transfer of wealth in terms of intellectual property in history,& a McAfee exec said at the time. &The scale at which this is occurring is really, really frightening.&
In a report prepared for the Pentagon, the Defense Science Board found that hackers
from China had accessed plans for more than two dozen of the U.S.’s most advance
weapons systems. The targets included the Patriot missile system, Aegis ballistic-missile-defense system,
Black Hawk choppers and the $1.4 trillion F-35 Joint Strike Fighter, the costliest
fighter jet ever made. “When I look at the theft of intellectual property to the tune of $1
trillion,” said Texas Rep. Michael McCaul, “that’s a serious economic issue
for the United States.” A Chinese Foreign Ministry spokesman responded by saying that
“China pays high attention to the cybersecurity issue and is firmly opposed to all
forms of hacker attacks.”
Hackers, with the support of the Iranian government, were exposed for targeting oil
and gas companies in the U.S. "This is representative of stepped-up cyberactivity
by the Iranian regime. The more they do this, the more our concerns grow," one U.S.
official said. "What they have done so far has certainly been noticed, and they should
be cautious."
An unpublished presidential directive from Obama leaked, showing that the U.S. is going on the cyber offense. &Offensive Cyber Effects Operations,& the report stated, &can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.& Among other things, the report authorized cyberwar attacks when &U.S. national interests and equities& were at stake, but also left room for &anticipatory action& just in case. Adding fuel to the fire, National Security Agency leaker Edward Snowden claimed that the U.S. has already hacked thousands of targets, including computers in China.
Cyberwar, like any war, never rests. Neither does the simulated one taking place at HackMiami, where
co-founder Rod Soto, a 38-year-old computer-security specialist from the area, is running a cyberwar
game. Though the consequences of their hacking are fake, the technology they’re breaking is real. They
actually are hacking Fedora, an operating system used by computers in China, infiltrating Zeus, a
malicious “botnet” army of computers, and commandeering North Korean industrial controls for power-plant
systems. It’s just that everything’s simulated and run on a closed network, so as not to inadvertently
start World War III. The purpose of this event, besides the recruiting going on, is to teach the hackers
how to find vulnerabilities in other nation’s machines. “It gives you the blueprint and the knowledge if
you ever want to attack them,” Soto says.
So far, the truth about the extent of the U.S.’s offensive attacks against other countries has been
shadowy at best. There’s Stuxnet, which has yet to be officially attributed to the U.S. (or Israel),
and NSA leaker Edward Snowden’s recent claim the U.S. has launched widespread cyberattacks against China.
Beyond that, the closest we’ve come was Hillary Clinton’s admission last year of a State Department attack
on an Al Qaeda propaganda site in Yemen.
The tensions around this topic are partly because the laws governing cyberwar are still being determined.
As Rear Adm. Margaret Klein, chief of staff of Cyber Command, the Ft. Meade-based defense center for U.S.
military networks, put it last year, “Attorneys and scholars face a variety of complex legal issues arising
around the use of this new technology.” But experts are pushing for more offensive measures regardless.
The Commission on the Theft of American Intellectual Property concluded that “new options need to be
considered.” It seems our government is already heeding the call.
A June leak of a presidential directive from Obama, which had been issued in October, reveals
that the U.S. is, at the very least, getting its cyberwarriors in line. In addition to calling
for a list of international targets, the directive argued that “Offensive Cyber Effects Operations...
can offer unique and unconventional capabilities to advance U.S. national objectives around the world
with little or no warning to the adversary or target and with potential effects ranging from subtle to
severely damaging.”
But while the government remains quiet about the existence or extent of their offensive measures, hackers
and contractors I spoke with are, albeit cautiously, more forthcoming. HackMiami organizers James Ball and
Alex Heid, security specialists for a major financial company they prefer not to name so as not to anger
their bosses, say they have based this weekend’s cyberwar simulation on real-life hacks they conducted on
their own of terrorist networks and organized-crime groups. Ball infiltrated an Al Qaeda forum online and
posted the archives on his site, . Heid became notorious for hacking the stealthy Zeus
botnet in Russia.
But the government hires private contractors to do such attacks on its behalf as well. The cyberwar
underworld is rife with contractors who fashion themselves to be “the Blackwater of the Internet,” as
Heid puts it, “information mercenaries…private sector guys who are going on the offensive, but you don’t
hear about it.” At least not usually.
Companies like Accuvant are capable of creating custom software that can enter outside systems and gather
intelligence or even shut down a server, for which they get can paid up to $1 million. For example, Humperdink
says, they would be able to unleash an attack to take a country like China completely offline. “We could
stop their cyberwarfare program,” he says. “Five years ago, I remember the North Koreans were doing missile
testing, right? If [the U.S. government] came to a company like us and said, ‘Here’s $15 million,’ we could
turn a North Korean missile into a brick. If you came to us with $20 million and said, ‘We wanna disable every
computer there in Iran, and they’d have to replace them’ – not a problem.” For added flair, each program
Accuvant sells gets its own cyberpunk handle – like Purple Mantis – and is delivered on a jet-black thumb
drive inside a custom case with the name laser-etched on a plaque.
“So how many offensive plays are going on now?” I ask.
“A lot,” Bonvillain says.
“More than people would realize?”
“Yes,” he replies.
Then Bonvillain falls silent. He puffs his e-cigarette, considering a more diplomatic response.
“The U.S. government,” he says, “is great at hiding everything they do.”
To see what the front line of cyberwar really looks like, I visit the National Cybersecurity
and Communications Integration Center in Arlington, Virginia, the Department of Homeland
Security’s mission control. It’s one of our most important hubs in digital warfare, alongside
the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a
technique that floods a site with access requests, slowing or downing it completely.
The four-year-old NCCIC – employees pronounce it “enkick” – is the country’s nerve center for
online threats. Twenty-four hours a day, teams drawn from a pool of 500 DHS cyberpersonnel sit
at the ready in this sprawling, windowless command cave. Flickering diagrams on the front wall
track the dangers in real time: traffic anomalies at federal agencies, cyberalert levels for
each state’s website, a map of our country’s telecommunications system (“There’s no cyber without
fiber!” a steely engineer tells me).
Fortunately, at the moment, the threat against the IRS and NASA proves to be relatively harmless.
However, the number of cyberincidents is on the rise. Fiscal year 2012 saw 190,000; this year&s
number is already over 214,000.
Overhauling the feds& image to lure young tech talent has become a major priority. In a way, it&s akin to the shift in Silicon Valley & away from the business suits of IBM to the Adidas sandals of today. The National Science Foundation now offers a CyberCorps Scholarship for Service program that places winning students in government agencies. The DHS is among the sponsors of the invite-only &Cyber Camps,& which hold hacking contests for prospective employees. Aside from the &sense of duty& and high-level security clearance that NCCIC director Larry Zelvin tells me lures his team away from fat paydays elsewhere, the power of being inside the government system is the greatest perk. &You just don&t get that in a corporation,& he says.
Last year, the DHS assembled a cyberskills task force, which drew from hacker hubs including Facebook
and DefCon, to recommend changes in their recruiting. To get the estimated 600 more hackers the DHS
needs, the report concluded, the agency should “focus more attention and resources on…‘branding’ of
cybersecurity positions,” including “cool jobs.”
Napolitano says that “the money and the culture” are the chief obstacles the Department of Homeland
Security runs into when recruiting hackers to join. “We don’t require our folks to wear a coat and
tie,” she says, “and I’m not interested in the precise hours they work as much as I’m interested in
getting the work done” – but she stops short of saying hackers can work from home in Teenage Mutant
Ninja Turtle pajamas.
But maybe if you’re young and brilliant and looking for online action, there’s something undeniable
about working for the biggest, baddest government on the planet. Sitting here under the dormant red
warning lights, there’s a sense of being at the center of the matrix – and this is plenty tantalizing
for some, including th3_e5c@p15t, winner of the cyberwar contest back at HackMiami. With his skills,
he can write his own ticket, which he hopes to cash in with the feds. He says he wants to be as close
to the front line as he can get: “I see it as a righteous cause.”
Rolling Stone contributing editor David Kushner is the author of “Jacked: The Outlaw Story of Grand Theft Auto.”