Uncle Spam Wants You!
Can the U.S. military find a few thousand good hackers?
The reported call last week to quintuple the size of the U.S. Cyber Command — to about 5,000 hackers and other alpha-geek types — poses a daunting challenge if the ranks are to be filled. The services do not have anywhere near these numbers of IT experts with the requisite skills on active duty. Redeploying those they do have to Cybercom would still leave enormous shortfalls, and gaps in the units whence they came. The many education and training programs, including Cyber Corps sites — my school is one of them — have throughput levels that, even at full throttle, would take decades to bring the number of cyberwarriors up to the desired level. In short, it seems that there are few ways to meet the pressing demands for more digital soldiers.
Unless there is a willingness to try innovative recruitment methods for seeking out those with the necessary talents.
One creative way to proceed with recruiting would be to convince skilled IT industry techs to join up and click for their country. This need not be a typical recruitment requiring several years of active duty. Instead, the focus could be on bringing talented men and women into Reserve and Guard formations, perhaps even forming up new, purpose-built cyber units. These could be sited strategically, near IT hubs.
For example, there is space available right now at Moffett Field, in Silicon Valley, where Air National Guard and Reserve psychological operations units are already located. Many of the techies I know would jump at the chance to use their skills in service to their country. And taken together with units at other tech hubs around the country, the numbers would mount very quickly. All would serve short, recurring stints on active duty, but their sheer numbers would guarantee a steady flow of cyberwarriors into the system.
Another way to proceed would be to recruit master hackers. A little bit of this is being done already, though far too little. But I am talking about finding — no small task — and then hiring the best hackers in the world, the ones who can walk right through firewalls. Even now, almost 25 years after the Morris Worm disrupted about 10 percent of the computers connected to the Internet through an innovative spreading mechanism (the first big hack), there are only a few hundred true master hackers — think Morpheus, Trinity, and Neo of The Matrix films. Many other nations and criminal networks are already seeking their services. Terrorists have tended not to go this route, though, perhaps out of worry that if a hired-gun hacker were a double agent, the whole network might be illuminated — and soon after eliminated.
In a very real sense, today’s masters of cyberspace are not unlike the German rocket scientists who, after World War II, were so eagerly sought by both sides in the Cold War to help them build missiles for war and rockets for space exploration. One of the best of them, Wernher von Braun, became a great American hero for his contributions to the U.S. space program. Indeed, I remember sitting in a movie theater as a boy, riveted, watching the 1960 von Braun biopic, I Aim at the Stars. The fact that sometimes he had hit London didn’t seem to matter. He was going to take us to outer space.
Oddly, the people who can best lead our explorations of virtual "inner space" have received less than heroes’ welcomes in the United States. Hackers may be courted and pampered in China, Russia, and other countries, but in the United States they are often hunted by lawmen. The judicial system is very tough on them, too. Aaron Swartz, the hacker who wanted to make scholarly journal articles widely available online — an idea that all of us academics love — faced a possible 35-year prison term for accessing these articles. Lots of them. But instead of taking a plea, or going to trial, three weeks ago he killed himself. Swartz’s is not the only hacker suicide.
And then there are cases like that of Gary McKinnon, who from his perch in Britain broke into many sensitive defense information systems a decade ago — often just by searching for points of entry among default passwords that hadn’t yet been changed. McKinnon, an autistic man, was looking for the truth about UFOs (who isn’t?), and along the way caused some disruption to both Army and Navy systems.
The U.S. government spent years trying to extradite him from the United Kingdom, but the British Home Secretary ruled against the American request last fall on humanitarian grounds (a psych evaluation held that McKinnon would likely kill himself if he were extradited). Still, the charges against McKinnon remain in place, and Washington threatens to keep up the pursuit. But if the notion of trying to attract master hackers to our cause is ever to take hold, this might be just the right case in which President Obama should consider using his power to pardon.
One presidential act of mercy, such as in the case of McKinnon, won’t entirely repair relations or build trust between hackers and the government, but it would be a strong signal of officialdom’s growing awareness of the wisdom of embracing and employing the skills of these masters of their virtual domain. Over the years I have had the chance to meet and get to know several of the world’s very best hackers. What they have in common — aside from a kind of startling intelligence — is a deep attraction to the beauty and complexity of cyberspace. They are not motivated by a desire to disrupt; if anything, they are devoted to free, secure flows of information, believing that virtual liberty will often be the herald of freedom in the "real world." One need only look at the antecedents of the Arab Spring to see how close to the truth this view is.
Beyond recruiting IT industry techs and master hackers — neither of which might, by themselves, fill all Cybercom’s needs — there is one more interesting possibility for filling the ranks: increasing the use of artificial intelligence (AI). The great advantage of AIs — for the most part, think very bright software, not Robbie the Robot — is their speed and accuracy. AIs doing good service in the Navy today, for example, include the Aegis ship defense system and the guidance controls for the Tomahawk land-attack missile. The risk in using them without a human in the loop is that they may have poor judgment — by human standards. So my suggestion is to buddy up AIs with GIs, doubling the force immediately. Smart soldiers paired with smart software. The AIs’ quick reflexes could make Secretary Panetta’s call for a cyber pre-emption capability a reality, as blocking an attack often requires action in milliseconds. Taking the offensive is slower, given that attacks are usually mounted by surprise. So in this case the human soldier could exercise some control over his desktop buddy.
In sum, the good news is that there are at least three creative ways to begin to realize the vision for the expansion of Cybercom that was recently shared with the public. The bad news is that none of them is being pursued with nearly enough vigor. At a time when others are waging cyberwars — see the recent reports of Iranian and Chinese cyber operations — American capacity is growing at a pretty glacial pace. If the fundamental dynamic of the Cold War was the arms race to build nuclear weapons, the driving force in this "cool war" era is an organizational race to build hacker networks.
And so far we have only just laced up our running shoes.