River Phoenix, Robert Redford, Dan Aykroyd and Sidney Poitier play hackers paid to test companies' electronic security in the film Sneakers, left; a Minuteman III missile inside a silo
After years of building firewalls and other defenses against relentless hacker attacks, the Pentagon is going over to the dark side of computer warfare. But ethically, of course. The Defense Department, like most other large organizations, has recognized that no wall is high enough to keep out skilled and determined hackers for keeps. Instead, it has decided that in order to anticipate and thwart attacks, it needs to know what the hackers know.
"More than 100 foreign intelligence organizations are trying to hack into U.S. systems," Deputy Defense Secretary William Lynn warned last month. "Some governments already have the capacity to disrupt elements of the U.S. information infrastructure." So the Pentagon recently modified its regulations to allow military computer experts to be trained in computer hacking, gaining the designation "certified ethical hackers." They'll join more than 20,000 other such good-guy hackers around the world who have earned that recognition since 2003 from the private International Council of E-Commerce Consultants (also known as the EC-Council).
"We are creating cyber-bodyguards," says Sanjay Bavisi, president of the council. "We're not creating combat people." But as the world becomes increasingly interconnected via the Internet, the stakes have become too high to rely on static defenses alone to protect the immense flows of vital information that operate the world's financial, medical, governmental and infrastructure systems. "The bad guys already have the hacking technologies," Bavisi says. "We can say, 'Tough luck. The bad guys play by different rules, and you can't do anything about it, so just go lock your doors.' Or we can tell the good guys, 'We will arm you with the same knowledge as the bad guys, because to defeat the hacker you need to be able to think like one.'"
Bavisi and the Pentagon are sensitive to the possibility that the tactics taught could be used for other purposes. "We're not training Department of Defense guys to become hackers and start hacking into China or any other countries," he says. Weeklong courses will train them in 150 hacking techniques and technologies, ranging from viruses, worms, sniffers and phishing to cyberwarfare. The cost of the course ranges from $450 to $2,500, depending on the training involved.
Pentagon personnel "are not learning to hack," insists Air Force Lieut. Colonel Eric Butterbaugh. While the EC-Council calls it "certified ethical hacker" training, the U.S. military also calls it "penetration testing" or "red-teaming." These are proven military techniques that have been used for decades to hone war-fighting skills. The Air Force and Navy, for example, maintain "aggressor squadrons" of F-5 and MiG warplanes to give U.S. military pilots practice against the tactics of potential foes. And the Army's National Training Center at Fort Irwin, Calif., has long boasted a highly trained "op-for" — opposition force — that regular U.S. Army units engage in realistic war games.
The program will be no cure-all for the Pentagon, whose networks are hacked hundreds of times a day. Adriel Desautels, the chief technology officer at Netragard LLC, a Massachusetts-based antihacking outfit, says that while "it's better than nothing," there are simply too many vulnerabilities to protect the Pentagon's estimated 10 million computers. Desautels likens it to 1,000 Dutch boys trying to stop water from flowing through a dike springing millions of leaks. "The threat is defined by the real black hats, and it's impossible to know what the black hats are researching," he says. "The number of vulnerabilities far exceeds what any white hats are going to discover."
Both Butterbaugh and Bavisi say there are no concerns that military personnel trained as hackers might go rogue. "Computer-network-defense service providers," Butterbaugh says, "are vetted and have security clearances." Not only that, notes Bavisi, but those trained as ethical hackers have to sign a legally binding pledge that they will not engage in malicious hacking. "So far," he says, "we haven't had a single case where someone became a real hacker."