A Summer Camp for the Next Generation of N.S.A. Agents
via The New Yorker
In 2014, not long after the National Security Agency contractor Edward Snowden revealed that the N.S.A. was monitoring the phone calls and e-mail of American citizens, Congress passed the Cybersecurity Enhancement Act, to “strengthen cybersecurity research and development, workforce development and education.” The Snowden leak had a demoralizing effect on the agency, which began to bleed personnel, exacerbating a problem that had been recognized since the end of George W. Bush’s Presidency: the federal government needed a more robust cybersecurity workforce. The Obama Administration made a push “to expand cyber education” beyond the federal government; special scholarships now exist for close to three hundred university programs. But the Cybersecurity Enhancement Act also spurred the N.S.A. to do something unexpected: it began sponsoring summer cybersecurity camps for children. “We realized we needed to teach the basic principles of cybersecurity earlier and earlier,” Judith Emmel, the agency’s director of state and local affairs, told me. “Everything touches cyber nowadays—this idea of cybersecurity and cyber hygiene and cyber ethics, making sure people understand right from wrong in the cyber world.”
That the N.S.A., which may best be known for its own security breaches—Snowden’s, in 2013, Hal Martin’s, in 2016, and the Shadow Brokers’, in 2017—is training kids to root out cybercriminals should tell you that the problem of cybercrime is bad. Twelve billion records were stolen last year; by 2023, that number is expected to triple. Even a short list of recent cyberattacks—on a Tennessee hospice, a Philadelphia credit union, a library system in upstate New York, government offices in New Bedford, Massachusetts, and Syracuse, New York, a Maine health center, the Los Angeles Police Department—illustrates the problem. The vulnerabilities are manifold, the defenses inadequate. As more devices are connected to the Internet and the attack surface expands, those vulnerabilities will not only multiply—they will be unmatched by the number of people trained to mitigate them. As Jon Oltsik, a cybersecurity analyst at the Enterprise Strategy Group, wrote in a January blog post, “The cybersecurity skills shortage represents an existential threat to all of us.”
There are currently more than three hundred thousand unfilled cybersecurity jobs in both government and the private sector in the United States alone. Worldwide, according to research by Cybersecurity Ventures, the number is expected to be three and a half million by 2021; that year, cybercrime is expected to cost six trillion dollars. Even the United States military is at risk, according to last year’s Defense Department Inspector General report, which found that insecure systems left the country susceptible to missile attacks. This year’s cybersecurity-readiness review of the Navy found that “competitors and potential adversaries have exploited [Department of the Navy] information systems, penetrated its defenses, and stolen massive amounts of national security” intellectual property. And, of course, as we now know, our elections, the essential engine of our democracy, are also poorly defended. “I don’t think any of us are questioning the fact that there is a lack of cybersecurity professionals across the board, in all different types of professions,” Emmel said.
This summer, through a program called GenCyber, the N.S.A. is running a hundred and twenty-two cybersecurity camps across the country. There are camps for girls in South Dakota, Maryland, Puerto Rico, and South Carolina; a camp in Pennsylvania that simulates an airport hack; and one in Georgia that disarms a car hacking. On the last Monday in July, as news broke that a hundred million Capital One bank accounts had been breached, I attended Camp CryptoBot, at Pace University’s Westchester campus, the only cyber camp affiliated with the Navy. A few years ago, the camp director, Pauline Mosley, a professor of information technology, found herself sitting next to an admiral at a conference and used the opportunity to deploy her pre-digital networking skills.
Camp CryptoBot, like all N.S.A. cyber camps, is funded jointly by the N.S.A. and the National Science Foundation, and is free to participants. It attracts students from Westchester’s wealthy communities and from districts that are hurting, homeschooled students and others from parochial schools. There are also students with special needs. Mosley, who is African-American, is particularly focussed on bringing girls, especially girls of color, to the camp. She sits on the boards of G.O.O.D. for Girls, and has done outreach with Girls Inc. and Latino U College Access. “I align myself with organizations that appeal to young women,” she told me. “We have to educate women that cybersecurity is not a man’s domain.” Almost all the camp instructors were women; many of them were women of color.
“What’s the password?” John Sarlo, a retired science teacher, asked at the door to the Stephen J. Friedman multipurpose room, in Wilcox Hall. (The answer was the name of the campers’ high school; thirty-one schools, most from the tri-state region, were represented.) In a goofy nod to the camp’s benefactor, students were offered black fedoras, dark glasses, and cardboard briefcases stamped with the words “Top Secret.” Inside was a blank index card, two poker chips, two pens, a card game called Cyber Realm, a number of popular—if inscrutable—ciphers to decode encrypted messages, and a laminated card that had encoded the phrase “the quick brown fox” to read “uif rvjdi cspxo gpy.” Campers would soon have the opportunity to use one of the ciphers to figure out which of four groups they’d been assigned to—Hawks, Eagles, Ravens, Falcons—and another one to decode the tasks required to solve a hacking mystery.
Just after nine, two Navy officers, in dress whites, interrupted an awkward game of Simon Says (Simon was a former vice-president of security and risk management for MasterCard) and announced that the school had been hacked. “Your assignment,” they said, “is to find who did this.” To unmask the hacker, the students would have to build two remotely operated underwater vehicles; they would use one, outfitted with a camera, to view coded messages submerged in the college pool, and use the other to retrieve those messages in sequential order, decrypt them, and launch a drone to find more encrypted messages, and then identify the hackers and take down their network. The naval officers were on hand, in part, to help the teams construct the underwater vehicles, called SeaPerches, which were developed by the Office of Naval Research and M.I.T. to encourage young Americans to become engineers. In the world of professional cybersecurity, it typically takes about a hundred and ninety-six days to identify a breach, and then another sixty-nine to contain it; the campers had four days. In undertaking the task, Petty Officer James Fields, a twelve-year naval-operations specialist, said, “You will learn how to protect yourself and your country.”
A hundred and fifty-three students applied for the Pace camp. There would have been more applicants, but, with only fifty open slots, Mosley did not want to have to send out more rejection letters than necessary, so she shut down the application process. “The criterion is first come, first served,” she said. “It’s not about G.P.A. or honors classes. Not every school has those. It’s really about: How interested are you? We’ve got to spend our money wisely.” The maximum N.S.A. GenCyber grant is a hundred thousand dollars. The Pace camp gets significantly less than that—about sixty-seven thousand dollars.
Dylan Pinos and his buddy Esteban Procel, both rising seniors at East Hampton High School, on Long Island, left home at four in the morning and drove three hours to get to the camp. They were missing a week of work—Pinos is a clerk at a candy store, and Procel helps out in a fish market, lifeguards, and is a counsellor at a day camp. “I want to study engineering or computer science in college,” Pinos said. “Innovation is how the world works.” The long drive gave Procel time to come up with an original design for the SeaPerch, which he drew in pencil on notebook paper. (All the students were asked to arrive at camp with a plan.) There were parameters that had to be accommodated—how much PVC pipe could be used, for example, or how the SeaPerch would achieve buoyancy and account for turbidity, or where its controller could be attached. Once Procel was in the lab, he realized that he was going to have to rejigger his design if it had any chance of working.