At CSO's Security Standard conference last month, DHS Undersecretary of Cybersecurity Mark Weatherford raised eyebrows when he said the nation's future cyber warriors need not have a college education.
"There are people out there who didn't go to college, but they spent much of their time breaking things and putting them back together," and DHS needs their help, too, he said at the time.
He wasn't kidding.
As CSO correspondent Taylor Armerding writes in our lead story this morning, DHS is setting its sites on kindergarten students as future infosec practitioners. As the story unfolds, we see a lot of skepticism. It's not that there's anything wrong with targeting them young. It's just that there's a lot of talent out there now, and DHS isn't doing enough to go after them. From the article:
Several security experts say while better education and training is fine, there is plenty of talent out there now -- it just comes in the form of people who government hiring managers tend to reject because they are, in the words of Hacker Academy founder Aaron Cohen, "socially awkward."
Security consultant Winn Schwartau made much the same point this week at the Hacker Halted conference in Miami. Network World quoted Schwartau as saying, "[Human resources departments] frown on conditions such as attention deficit disorder and autism, or obsessive-compulsive personalities, which are typical of computer geeks willing to focus on an issue through the night."
Geeks don't get past "hiring rules and legal niceties that often categorize them as undesirables. 'We do not fit the mold. We are at the outer limits of normal,'" Schwartau said.
John Felker, a retired Coast Guard captain and vice president of cyber programs at SCI Consulting Services, agrees with Schwartau. "Government hiring is broken," he said. "The government puts all these requirements, like degrees and a CISSP, for jobs that the folks out there don't have, but they're better than the people who do have the qualifications."
They're absolutely right. I especially agree that a lot of good people are being iced out because they don't fit the HR picture of normal. Schwartau isn't the first to make the point. At the start of ShmooCon 2011, Marsh Ray used the fragile mental condition as the basis of a talk called "A paranoid schizophrenia-based model of data security." He told the story of Keith, a fellow who usually sat on the park bench strumming his guitar for spare change.
"Sometimes I would take a break from reading microprocessor manuals and listen," Ray recalled. "Keith had paranoid schizophrenia. He could explain how the world worked: 'There is a great international conspiracy...' he would say. Electromagnetic fields, government satellites, resonant dinner plates, you name it: he had it all figured out. This was back in the days of the 80386, when the CPU had only four levels of indirection in its addressing architecture. But something about the way he explained his world caused it to stick with me all this time."Ray noted how Keith couldn't trust the conflicting information coming from different parts of the brain. He knew he was vulnerable and spent much time and energy thinking about it. "Does this not also describe our current relationship with data security?" Ray asked. "Our architectures have become so complex that they are inherently susceptible to internal schism, leaving us vulnerable to sudden manipulation by shadowy external forces."
He noted that many of the things Keith predicted have come to pass. For example:--Radio transmissions being monitored by satellite--Underground markets emerging for the purpose of trading information
Without a doubt, DHS has to start exploring this area of adulthood in search of talent. Heck, the agency could help break down a lot of stigmas along the way.
But let's not dismiss or ridicule DHS's kindergarten strategy, either. A very cool story by Evan Ackerman about Ethiopian kids hacking OLPCs with zero instruction illustrates why DHS is right to start focusing on kindergarten as fertile ground for future cyber warriors. Ackerman writes:
Rather than give out laptops (they're actually Motorola Zoom tablets plus solar chargers running custom software) to kids in schools with teachers, the OLPC Project decided to try something completely different: it delivered some boxes of tablets to two villages in Ethiopia, taped shut, with no instructions whatsoever. Just like, "hey kids, here's this box, you can open it if you want, see ya!"
Just to give you a sense of what these villages in Ethiopia are like, the kids (and most of the adults) there have never seen a word. No books, no newspapers, no street signs, no labels on packaged foods or goods. Nothing. And these villages aren't unique in that respect; there are many of them in Africa where the literacy rate is close to zero. So you might think that if you're going to give out fancy tablet computers, it would be helpful to have someone along to show these people how to use them, right?
But that's not what OLPC did. They just left the boxes there, sealed up, containing one tablet for every kid in each of the villages (nearly a thousand tablets in total), pre-loaded with a custom English-language operating system and SD cards with tracking software on them to record how the tablets were used. Here's how it went down, as related by OLPC founder Nicholas Negroponte at MIT Technology Review's EmTech conference last week:
"We left the boxes in the village. Closed. Taped shut. No instruction, no human being. I thought, the kids will play with the boxes! Within four minutes, one kid not only opened the box, but found the on/off switch. He'd never seen an on/off switch. He powered it up. Within five days, they were using 47 apps per child per day. Within two weeks, they were singing ABC songs [in English] in the village. And within five months, they had hacked Android. Some idiot in our organization or in the Media Lab had disabled the camera! And they figured out it had a camera, and they hacked Android."
How cool is that?
Children are often a lot smarter than us adults. We're just to wrapped up in our adulthood to see it. I'm glad DHS does see it.
Now if they can go out and tap into the talent of those adults HR shops pass over for being different, we really might have something.