Hacking gets a bad rap. That’s the view of Pete Herzog, Managing Director of ISECOM, the non-profit Institute for Security and Open Methodologies, who spoke on attracting a new generation of cybersecurity professionals at the RSA Conference Wednesday.
Herzog highlighted a series of high profile cyber break-ins reported in the news as attacks by hackers. For example, the headline “Man Hacks Monitor, Screams at Baby Girl” was a news story “about a guy who got some default passwords for baby monitors on the Internet and did some mean things,” said Herzog. “That’s not a hacker.”
Another headline example was “Hacker Compromises Data of Nearly 30,000 FBI and DHS Employees.” But here again, Herzog said the actual story was about someone who used a phony premise to get the information he needed to break in with a simple phone call to tech support.
“If I asked for candy and you gave it to me, that’s not hacking,” said Herzog. “He called tech support and they gave him way too much help.”
Herzog’s point is that there is such a thing as criminal hacking which is bad (“anything criminal is criminal”) and hacking in general—which he said is a great skill set for exploring new things and overcoming the fear of failure. That’s the premise behind ISECOM’s Hacker High School, an on-line set of courses designed for teenagers.
In Herzog’s view, society has criminalized hacking and stunted the curiosity of today’s youth.
“We expect kids today to use technology, yet not know how it works,” he said. “We need to teach them how to enjoy taking control of their gadgets and inspire future cybersecurity rock stars.”
By encouraging exploration and even failure to ultimately reach their goals, Herzog says Hacker High School gives kids a better sense of control and a feeling that they can determine their future. “We know our young teen hackers can become anything. Hacking is a process to make that happen,” he said. “We use empathy and narrative with stories that show consequences both negative and positive to give them a feeling for what can happen as a result of their actions.”
That also extends beyond taking on computing challenges. For example, one challenge was to take a bunch of IKEA shelving and turn it into go-karts.
Herzog argues the hacker curriculum also brings teens a new awareness of cybersecurity. As one of his slides states: “Hacking lets you use technology, not have it use you,” encouraging students to verify their own privacy and verify how safe their data is when they go online.
He also says the curriculum is ideally suited to teen brains. “As adults our brains are developed, but for teens it’s completely different. They have a lot of ego, they’re looking for social acceptance and if you’ve talked to any teenagers, you know they can turn any conversation to be about them,” he said. The curriculum fits well with teen’s developing ego, he added, because it gives them bragging rights for what they accomplish.
Younger kids are, of course, very different and less rebellious. Giving a young child an iPad to play with will keep them busy and perhaps they’ll learn something useful from educational games, but Herzog says that won’t work with teenagers.
“If your teenagers are anything like mine, you can’t just give them a lesson book; that won’t work,” he said. “Do the exercises yourself and challenge them.”