Eugene Kaspersky explains hacking like it’s a bank robbery.
“Imagine you visit your bank and there are a thousand people crowding the office,” Kaspersky tells Inverse. “There are so many of them, you simply can’t get inside. They’re just messing around asking irrelevant questions, shouting, and acting silly. Most workers at the bank won’t be able to serve you or anyone else that day. That’s a DDoS attack.
“Later that night, someone unarms the alarms, breaks into the bank, cracks the vault, and steals all the money. That’s hacking.”
The bank in his metaphor is a server, and hackers in 2016 have had a banner year screwing with them. In October, a chunk of code known as Mirai hijacked thousands of internet-connected devices to launch a record-size DDoS attack. Together, they spewed access requests at a DNS server — a switchboard for the internet, basically — and brought down some of the biggest sites on the internet: Twitter, Reddit, and Spotify among them. Again, merely an annoyance. The more sophisticated attack on a server is when hackers — either lone wolves, loose collectives, or state-sponsored snoops — retrieve information from a server and release it to the public to influence public opinion and even sway elections. This scenario should be familiar to everybody by now.
The problem is, there just aren’t enough people smart enough to guard the vaults. Kaspersky would know. He’s a big deal in the world of cybersecurity. As the founder and CEO of cybersecurity giant Kaspersky Lab, he’s often in the news for spotting security flaws for his clients. He also can’t find enough people to work for him.
There are more than 1 million unfilled security jobs worldwide, a number that could grow to 1.5 million by the end of the decade, according to a report from technology conglomerate Cisco Systems.
Would a healthier cybersecurity industry have stopped the year’s biggest hacks — Wikileaks and DDoS attacks — from being pulled off?
“Protecting against these two threats requires different skills and different technologies, including the software and hardware needed,” Kaspersky tells Inverse. “To some extent, there’s an overlap of skills simply because IT security people get to learn about both threats.”
But DDoS attacks are ham-fisted and blunt. They don’t do much damage and often don’t keep a website down for long. What’s more dangerous are targeted attacks carried out to destroy machinery or collect information. And there aren’t enough security experts to stop those, either. Perhaps the most famous example is the so-called “zero day” virus named Stuxnet. Although the United States government still won’t even address it, the destruction of uranium enrichment machinery in Iran in 2009 — the kind that could provide ingredients for a nuclear bomb — is widely seen as an American ploy. The machinery was destroyed after malware infected the program that regulated centrifuges. It was brilliant, but it spread beyond its target of the Iran nuclear facility.
Eric Chien, an engineer at California-based security company Symantec, helped track how the weaponized code used in Iran known as “Stuxnet” worked. (Kaspersky Lab also analyzed the virus over the course of about two years.) At a panel after a screening of Zero Days, a documentary about the attack, Chien lamented that the next wave of computer science graduates might be more interested in making freemium apps rather than uncovering international intrigue.
“We see a lot of people getting into things like mobile or social, and people are creating Flappy Bird and people are making millions of dollars,” Chien said. “But what we both really love about this job and why we’re super-passionate about this, is it’s unique in some sense. While we have competitors in our business — also creating security products — when we go in the office, we’re not thinking about, ‘Oh, how do we make another dollar? How do we beat our competitor?’ We go into the office thinking about how we are going to defeat these adversaries. How are we going to defeat these actors. And those actors are constantly changing.”
Bruce Schneier, a cyber security expert and author, gets it. “Young engineers might not see security as sexy,” he says. “Which is weird to me, because I think it’s the coolest ever. It’s spy versus spy.”
At a hacking competition at New York University this year, one could find a lot of students who would agree with that sentiment. One of the annual competitive formats during NYU’s Cyber Security Awareness Week is known as “Capture the Flag,” or CTF, and it attracts the kinds of students who could help fill the computer security talent gap. This year, students from all over the world competed in a 36-hour marathon, scrolling through endless lines of code to crack security challenges.
“The skills you learn in a CTF are exactly the type of outside-the-box thinking that is required,” says David Kohlbrenner, a Ph.D. student in security and systems at UC San Diego. He got involved in cybersecurity “purely through CTF,” and is an original member of the Plaid Parliament of Pwning, a dominant CTF team from Carnegie Mellon that won this year’s competition.
“What the companies need are people who can solve a variety of different challenges and can approach them from different angles,” Kohlbrenner tells Inverse.
Kohlbrenner says the Mirai botnet responsible for October’s massive DDoS attack was “honestly trivial to set up,” and a continued dearth of security engineers (and, Schneier argues, a market failure to make the Internet of Things decently secure) could keep it that way in the future.
It’s clear companies need more manpower, whether that’s to ward off DDoS attacks or server hacks. But when it comes to recruiting, Schneier says new technology companies have the upper hand in attracting talented young programmers.
“You don’t want to work for Procter & Gamble,” he says. “You want to work for Google, or you wanna go work for Facebook, or the next high tech startup. But Procter & Gamble, turns out, needs maybe a couple dozen cybersecurity people.”
Nick Winter, the co-founder of a gamified coding community called CodeCombat, agrees. “No one is thinking, hmm, I’m gonna get a job at an insurance company. Doesn’t matter if they have all these interesting technological problems to solve and tons of important data to protect. They’re at a huge disadvantage there compared to any start-up in San Francisco or even, like, a tech-focused, big tech company like Cisco.”
Both Schneier’s and Winter’s examples are reminders that it isn’t just tech companies — from router manufacturers to dating apps — that have a lot to lose when security engineers are in short supply. “All companies become software companies,” Winter says. “And all data becomes more important and mission critical.”
Half of the 4,000 companies in a recent survey by Kaspersky Lab cited cybersecurity as a concern.
“The findings show a general shortage in full-time security staff and expert talent availability, which calls for the need for more specialists in the field,” reads a press release about the survey results.
It’s up to universities like NYU to prepare students for an ever-changing field, Kaspersky says. Server attacks in the future shouldn’t feel like bank robberies that change elections.
“The job market is changing too fast for the education system,” Kaspersky says. “Universities are fairly conservative institutions, plus, of course, it takes considerable time to educate people. We see that there’s a growing number of IT security programs, and more and more people are getting interested in the field, but the job market is expanding faster.”
His advice for young programmers? Learn how to prevent attacks.
“There are many skills that are in deficit that require very focused technical training,” Kaspersky says. “Intrusion detection, development of secure software, digital forensics. All these skills are in high demand, but there are not many folks who have them.”