At a time when cyberattacks on America's critical infrastructure have increased 17-fold (between 2009 and 2011), the need for highly trained cybersecurity professionals is acute. However, 83% of federal hiring managers in a recent survey said it was extremely difficult to find well-trained cybersecurity professionals and a projected shortfall of 20,000 to more than 40,000 people is expected in the years to come.
The National Security Agency (NSA) is doing something about this cyberskills gap by partnering with the nation's service academies, colleges and universities to foster the growth of the world's most advanced cybersecurity professionals.
Recently, Network World was invited to visit the Puzzle Palace and interview two interns, one of whom said his time there has caused him to completely lock down his Facebook page, cell phone and computer because "in the world of cyber security a single person can do something really bad."
While the NSA is known for its supersecrecy, it has a long history of working with educational institutions. Programs are divided into Cooperative Education, Internship and Scholarships. The Cooperative Education Program is a rotational program with students alternating semesters of full-time work with full-time study. During the work tour students put in a standard 40-hour week with each tour designed to reveal specific areas of interest and skills that they can then focus on for a career. The internships, at the high school, college and graduate levels, run the gamut from cryptanalysis, cybersecurity, and information assurance to human resources, occupational health, history and languages. Scholarships are available at high school, college and graduate levels. Students who graduate with NSA on their transcripts are much in demand - correspondingly, when later at work in military, intelligence, or industry - much is expected of them.
We recently sat down with lieutenants Matthew Greene and Maxwell Love, both 2012 graduates of the U.S. Military Academy (USMA) at West Point. With bachelor's degrees in Computer Science and Systems Engineering respectively, both were also cybersecurity interns in the NSA's Service Academy Intern Program (SAIP). SAIP complements NSA's 166 other academic-outreach programs with colleges and universities. The other programs - for both two- and four-year schools - emphasize areas such as information assurance education and even cyber operations.
Why did you apply for the NSA intern program?
[Lt. Greene] "West Point allows you to do internships, not just at NSA but at any government organization as well as at Google, Cisco and universities like USC and Penn State, to name a few. I had done one with the U.S. European Command, Information Assurance Directorate, where they had just finished up their yearly cybersecurity exercise and were doing analysis. The NSA guys over there were very active helping them with the analysis and patching holes in their systems. They [NSA] pulled us into the office and said, 'We'd like you to work on this project'. They weren't very specific, they just said 'It's in the field right now; it's a live system; and it's going to save soldiers' lives.' "
Before your first time here, what did you think it would be like inside the NSA?
[Lt. Love] "The total stereotype. We imagined sterilized hallways and spooky people walking around. It wasn't exactly like that. There are normal people here too."
How has your perspective of the NSA changed after your internship here?
[Lt. Love] "The importance of the mission you take on here affected me. It's not just spooky stuff that - in your wildest imagination - they do. They have a lot of outreach towards education and research with both military and civilian people involved."
What is CDX?
[Lt. Love] "The Cyber Defense Exercise is an annual event put on by the NSA and the service academies. We set up a network and the NSA tries to get in. It's a competition, complete with a scoring system, and all five service academies compete against each other."
In the 12-year history of CDX, the USMA has been the undergraduate school winner of the intense cyber battle six times.
If you were talking with students at other schools (such as non-military institutions) studying computer science/engineering, would you encourage them to enter the field of cyber security?
[Lt. Greene] "I would. Just because, looking at it from the military's perspective, sometimes you get tunnel-vision how we enforce policy and then how the Department of Defense manages its networks. Bringing in civilians with an outside perspective brings in a diverse set of knowledge; it helps us create a more secure network for us and better protection of our national security."
[Lt. Love] "Absolutely. The cybersecurity field is not just limited to guys who hit keyboards all day, it takes a whole new perspective and set of disciplines coming into it and it's such a rapidly evolving field night now. There are opportunities for everyone and it needs help from a lot of different kinds of people."
If they were studying other fields, would you encourage them too?
[Lt. Greene] "I would encourage everybody to look into the field because cybersecurity isn't just about computers, it's also about cell phones and pretty much any mobile device you can think about. Cybersecurity is more about protecting yourself and from what I've learned at NSA I've completely changed the way I think about computing and mobile devices; I've locked down my Facebook, my cell phone and my computer. I put a lot more security on my stuff; not because I'm scared but because now I'm aware.
"The general public has no idea that they can post a picture on the Internet and anybody else, with even a basic python script, can pull the picture down and pull all the access data off it and find out where that person is literally standing at that moment! This isn't advanced cyber security, this is basic stuff. Everybody needs a little basic knowledge on protecting themselves."
What would you say to anyone in the public about the importance of training for cyber security?
[Lt. Greene] "Social engineering is an art. It has been around for a while and cyber capabilities - stalking online - isn't a very foreign idea anymore. You can pretty much find out where anybody is if they are not careful so everybody needs to have that good, basic knowledge. People like their privacy and they like having their money. Those are good reasons to have an understanding of cybersecurity; to protect themselves and their families."
From the perspective of protecting an office's network, is it different at the NSA than at a typical company?
[Lt. Love] "It's not that different because organizations, be they private sector or government, run into the same problems. You have networks to manage, lots of different users and - while we have a few special intelligence requirements - on top of that it's like any large corporate infrastructure as far as networking goes."
[Lt. Greene] "When you come here there is more personal responsibility. When we are on the NSA internal net you have to make sure that you never bridge the outside world with that internal network."
What do you like most about working as an intern at the NSA?
[Lt. Greene] "They gave us a real problem. They said 'This radio system needs improvement. Here is how it works. Figure something out.' Then they let us run with it. We had deliverables; papers, updates, but other than that they kind of left us alone. They gave us equipment and said, 'Tinker with it. If you fail, that's OK. At least we'll know what doesn't work.' "
[Lt. Love] "The impetus that drove everything was real. We worked to improve a real-world system and, if proved successful, it would be implemented. It would help soldiers."
What did you like the least about working as an intern at the NSA?
[Lt. Greene] "Can't Tweet from the office. Have to leave my cell phone outside. And, oh, because of the security requirements at NSA, back up at West Point we couldn't work on certain data sets in our project because they were classified. That was frustrating because we only had one data set and, in order to get an accurate test, you've got to run more than one. We had to work our way around that and still make sure that we met the security requirements of the NSA.
So, what did you do while here at the NSA?
[Lt. Love] "Our project was to improve the performance of an aircraft system that picks up radio signals and figures out where that signal is coming from. We began by analyzing what this system was, right down to the gears turning in it then asked where does it fail and how can we improve it."
[Lt. Greene] "I worked on the same project as Max and, last year, we did a lot of research. We talked to experts in the software and hardware fields as well as in global information systems. Basically, everyone from the nerdiest mathematician to the most hippy biker out there; we talked to 'em and we worked with 'em and we tried to come up with a solution for improving the system. In the end we pumped out a working solution, our academic paper was published and we presented our findings at a conference where we ended up talking with people in industry from Microsoft, GoogleMaps and Yahoo. We even got to brief the Deputy Director of NSA, John "Chris" Inglis, up at West Point."
Do you think a network admin or CTO from industry, with some years of experience, would have much to offer the NSA?
[Lt. Love] "Very much so because, as the size of an organization grows, you start to run into a lot of the same requirements. A lot of the same functions a network admin has experience which carries over to this kind of enterprise structure that we have set up."
[Lt. Greene] "Definitely. Depending on what their interest is, and remember that NSA doesn't just do intelligence; there are a lot of mathematicians and computer scientists doing research as well as people managing the internal networks."
What would you say about the importance of cybersecurity for military and intelligence to someone on the outside?
[Lt. Greene] "It's important because people need to realize that we are not the only ones doing it. There are about 20 countries that have developed cyber warfare programs but they, unlike the United States, are not bound by the restrictions of Title 10 and Title 50. These Titles prevent the NSA, CIA and all the Defense agencies from spying on or monitoring U.S. citizens without a warrant just like the police can't monitor a citizen without a warrant. But in countries that don't love America, apple pie and baseball there are state-run efforts to steal information and to disrupt our nation's IT infrastructure. The Department of Defense works hard to prevent this, but when it comes to your private computer we can give good advice but you have to take the initiative to protect yourself. Then you have to talk about non-state actors - terrorists - and there are no restrictions on them. In the world of cyber security a single person can do something really bad."
What about someone from NSA moving to work at a business?
[Lt. Love] "Oh, big time. Working here you gain an in depth understanding not only of how the infrastructures work, stuff that you could easily apply over to the private sector, but you also get really far ahead in terms of advanced education. When you leave here you are ahead in the field and you could help any business you go to."
Who should apply to the intern program?
[Lt. Love] "Anyone who's interested - not just military - but a civilian school as well. Anyone who wants to get a look at the practical side of some of the theoretical stuff they have been learning. Also get more in-depth into the theoretical things they have been working on."
[Lt. Greene] "Obviously cyber security guys - and gals - anyone who is interested in intelligence, signal communication, math, really anybody. We have a history major who working on the history of cryptology and we have math guys working in research math and experimental mathematics. We interact with a lot of electrical engineers, software engineers, computer science. If you have a degree or you are trying to get a degree you could pretty much work here and would find some form of interesting work. There are a lot of people making sure we follow those Title 10 and Title 50 restrictions so that we have the trust of the American public."
In general, who should apply to work at the NSA?
[Lt. Love] "I'd say patriotic people. Also, anyone who values competency and responsibility because there are a lot of citizens counting on you. And, if you'd like a cool job; when you come down to it it's a pretty cool place to work."
When you returned to the academy, what did you do that was different from what you would otherwise have done?