Go Hack or Go Home: CSAW Winners Choose Victory

Jordan Keefer, Chris Shields, Josh Christman and Nathan Hart, from team Delusions of Grandeur, represented the U.S. Air Force Academy in the Capture the Flag challenge at this year's CSAW.

See CSAW 2011 competition winners

Recalling his own days as a hacker who went by the name "Mudge," Peiter Zatko joked with finalists of the Capture the Flag challenge, which tests the application-security skills of computer enthusiasts. "What are you doing here?" he asked, drawing knowing laughs. The eighth annual Cyber Security Awareness Week—or "see saw," as its acronym (CSAW) is pronounced—was in full swing at that point, and Capture the Flag contestants had already spent a full day tackling technical problems of varying degrees of difficulty; the more (and more difficult) challenges contestants solved, the more flags and points scored. Stopping to hear a keynote speech by Zatko took precious time away from problem-solving.

But Zatko was a big draw. The hacker turned professional cyber defender is now with the Defense Advanced Research Projects Agency (DARPA), which he joined in 2010. Housed within the U.S. Department of Defense, the agency uses its $3.2 billion budget to fund technologies that assure the American military will "never be caught surprised," Zatko said. 

Addressing his audience at Polytechnic Institute of New York University (NYU-Poly), host and organizer of CSAW, Zatko outlined the cyber issues facing the country today, showing charts depicting the exponential growth of malicious cyber activity between 2000 and 2009. In the rapidly evolving technological landscape of today, "change happens in months, not years," said Zatko. 

He used data from his talk to underscore the need within America's cyber defense community for more members, more so-called "white-hat" defenders, to overcome daily threats to the country's interests. Already cyber security breaches cost American businesses $1 trillion annually, a fact Don Proctor, a senior vice president at Cisco, alluded to in his presentation during CSAW's awards ceremony. 

"You almost have to assume today that your network has been compromised. What are you going to do about it?" he asked before suggesting "an architecture of trust" based on trusted processes, systems, and services for corporations.

"If large American companies are no longer able to remain competitive, we'll have a much more difficult employment environment than we do now," agreed Dino Dai Zovi, an independent cyber security consultant who has designed challenges for CSAW's Capture the Flag contest for the last three years.

A Hungry Market

Employment for cyber security specialists, however, will not be a problem now or in the years ahead. "This is an industry with jobs," said Jerry Hultin, president of NYU-Poly, in his introduction before Zatko's remarks. The Bureau of Labor Statistics predicts the field will grow by more than 50 percent between now and 2018, and NYU-Poly undergraduates, who rank fourth in salary potential among alumni of engineering schools, according to Payscale.com, can expect to reap the benefits, he said.

The career fair held the following day supported Hultin's claims. Organized especially for CSAW, the fair featured recruiters from top companies, including Booz Allen Hamilton, Lockheed Martin, and Facebook. Ben Cook, manager of cyber research and education at Sandia National Laboratories, a multi-program national security laboratory that traces its illustrious history to the Manhattan Project, said he was there because "CSAW is recognized as one of the preeminent gatherings of cyber security talent in the country." A first-time sponsor of CSAW, Sandia counts past participants of the event among its staff. Explaining how his colleagues have also participated as judges, Cook expressed admiration for "the commitment students, faculty and other participants have made to the event."  "The energy—it's just fantastic," he said, before fielding another student inquiry about his company's internship program 

Bringing Industry to the Table

The career fair was a new element in this year's CSAW, as was Kaspersky's American Cup Challenge, a conference coordinated by Kaspersky Lab, a Russian computer security company, and their prestigious IT Security for the Next Generation international student conference series. Bringing researchers, students, experts and scientists together for three days of workshops and presentations, the event also featured cash prizes for the best research paper. Professor Nasir Memon, director of NYU-Poly's cyber security program and the architect behind CSAW, was especially appreciative of the lab's involvement in the competition. "In order to create practical, meaningful solutions, industry and academia have to work together," he said.

Zhaouhui Wang, CSAW competitor and PhD candidate at George Mason University in Virginia, was similarly excited by Kaspersky's attendance. Other cyber security conferences around the country don't involve industry, he said—but then neither do they display the same variety. A raffle, video competition and live quizzes were also on offer at CSAW, but Wang was most impressed by Hultin and Memon's repeated encouragement to attendees to "get to know the other students who are passionate about cyber security," as Memon said during the event's welcome reception. "You don't hear that at my school," said Wang.

In and of itself, an event like CSAW is rare in other countries, attested David Hély, an associate professor at Grenoble Institute of Technology in France. He traveled with three of his students to compete in the event. "I didn't expect such a big event," he said. "It's very professional. The quality of the presentation is very good."

"It's awesome," said one of Hély’s students, as he clutched the award the team received. They came in second place in the Embedded Systems Challenge, and while thrilled by the victory, the students may have been more excited by their travel to New York, which they described as just like "in the movies." CSAW may fulfill more dreams and fantasies than it realizes.