TIME: To Battle Computer Hackers, the Pentagon Trains Its Own

Thursday, Mar. 18, 2010

After years of building firewalls and other defenses against relentless hacker attacks, the Pentagon is going over to the dark side of computer warfare. Only ethically, of course. The Defense Department, like most large organizations, has recognized that no wall is high enough to keep out skilled and determined hackers for keeps. Instead, it has decided that in order to anticipate and thwart those attacks, it needs to know what the hackers know.”More than 100 foreign intelligence organizations are trying to hack into U.S. systems,” Deputy Defense Secretary William Lynn warned last month. “Some governments already have the capacity to disrupt elements of the U.S. information infrastructure.” So the Pentagon recently modified its regulations to allow military computer experts to be trained in computer hacking, gaining designation as “certified ethical hackers.” They’ll join more than 20,000 such good-guy hackers around the world who have earned that recognition since 2003 from the private International Council of E-Commerce Consultants (also known as the EC-Council).”We are creating cyber-bodyguards,” says Sanjay Basivi, president of the council. “We’re not creating combat people.” But as the world becomes increasingly interconnected via the Internet, the stakes have become too high to rely on static defenses alone to protect the immense flows of vital information that operate the world’s financial, medical, governmental and infrastructure systems. “The bad guys already have the hacking technologies,” Bavisi says. “We can say, ‘Tough luck, the bad guys play by different rules and you can’t do anything about it, so just go lock your doors.’ Or we can tell the good guys, ‘We will arm you with the same knowledge as the bad guys, because to defeat the hacker you need to be able to think like one.’”Basivi and the Pentagon are sensitive to the possibility that the tactics taught could be used for other purposes. “We’re not training Department of Defense guys to become hackers and start hacking into China or any other countries,” he says. Week-long courses will train them in 150 different hacking techniques and technologies, ranging from viruses, worms, sniffers and phishing to cyber warfare. The cost of the course ranges from $450 to $2,500 depending on the training involved.Pentagon personnel “are not learning to hack,” insists Air Force Lieut. Col. Eric Butterbaugh. While the EC-Council calls it “Certified Ethical Hacker” training, the U.S. military also calls it “penetration testing training” or “red-teaming.” These are proven military techniques that have been used for decades to hone war-fighting skills. The Air Force and Navy, for example, maintain “aggressor squadrons” of F-5 and MiG warplanes to give U.S. military pilots practice against the tactics of potential foes. And the Army’s National Training Center at Fort Irwin, Calif., has long boasted a highly-trained “op-for” — opposition force — that regular U.S. Army units engage in realistic war games.The program will be no cure-all for the Pentagon, whose networks are hacked hundreds of times a day. Adriel Desautels, the chief technology officer at Netragard LLC., a Massachusetts-based anti-hacking outfit, says that while “it’s better than nothing,” there are simply too many vulnerabilities to protect the Pentagon’s estimated 10 million computers. Desautels likens it to 1,000 Dutch boys trying to stop water from flowing through a dike springing millions of leaks. “The threat is defined by the real black hats, and it’s impossible to know what the black hats are researching,” he says. “The number of vulnerabilities far exceeds what any white hats are going to discover.”

Both Butterbaugh and Bavisi say there are no concerns that military personnel trained as hackers might go rogue. “Computer network defense service providers,” Butterbaugh says, “are vetted and have security clearances.” Not only that, adds Bavisi: those trained as ethical hackers have to sign a legally binding pledge that they will not engage in malicious hacking. “So far,” he says, “we haven’t had a single case where someone became a real hacker.”