Strengthening the nation's defense against hackers
It appears that White House emails are the latest target to be hacked. According to today's New York Times, hackers -- believed to be linked with the Russian government -- did not get a hold of classified information, but they were able to gain access to some of President Obama's email correspondence. It is another cyberattack that has many on edge. Our Cover Story is reported by David Pogue of Yahoo Tech:
In Huntsville, Alabama, they're training the next generation of cyberwarriors. Here, high-school students can take Cyber Security the way other kids might take Geometry or English.
And they have no problems being called nerds.
"I am definitely a nerd," said senior James Brahm.
"Yeah. All of us would definitely be classified as nerds," added fellow student Matthew Rogers.
Cailin Simpson laughed, "I think nerds seem to have jobs!"
She's not kidding. These kids already have after-school jobs, and it's not flipping burgers. "Some of us work at a local engineering firm," said Brahm. "And we're developing an experimental form of malware detection."
"And sometimes they forget we're in high school," he laughed.
"They're calling us at, like, 1:30, and it's like, 'I'm in the middle of my fifth period!'" Morgan Wagner laughed.
Just listen to these kids talk and you can see why it's so easy to forget they're still only in high school.
"Cyber warfare is really attractive to other countries because it's affordable and allows them to strike at other countries and whatever political interests they don't like with relative impunity, and cause damage without having it traced back to them," Brahm said.
Rogers said, "It's really easy to attack, but it's very difficult to defend. Which is why teaching cyber security's very important."
All the experts agree: America needs a lot more kids like the ones in Huntsville, because hacker attacks aren't just occasional headlines anymore -- they've become routine.
- As Target hacking fallout continues, incidents of fraud emerge (CBS Moneywatch, 01/22/14)
- 56 million accounts at risk in Home Depot hack (CBS Moneywatch, 09/18/14)
- JPMorgan Chase attack shows growing threat of hacking ("CBS Evening News," 10/03/14)
- Anthem hack highlights desirability of stolen health records ("CBS Evening News," 02/05/15)
- Sony Pictures email hack causing "big trouble," may lead to big change ("CBS Evening News," 12/13/14)
Pogue asked Frank Heidt, co-founder of the Seattle-based security company Leviathan, "Suppose I pick 100 American companies at random. How many of the 100 could you get into?"
"Nearly all of them," he said. "And it's not just me."
Heidt employs hackers, but Leviathan's hackers are good guys. Companies hire them to help secure their computer networks.
A few years ago Heidt's team figured out a way to break into the computers of a huge oil company -- not to do damage, just to show that it could be done. They started with a Google search, where they found a press release from one of the oil company's subcontractors, which had sold networking gear to the oil company.
"They published a press release, because they were very proud to supply all this excellent equipment to this very, very large project for this truly amazingly big company!" Heidt laughed.
Heidt's team found the user manual for that equipment, and in that manual, they found the factory setting for its owner name and password: "admin admin." "It's the most famous username and password," said Heidt.
Which you're supposed to change once you buy the equipment, right? "You are supposed to," he said.
But the oil company hadn't changed that password -- and Heidt could have taken control of its phone and data systems.
How big a team, and how long was involved, in unearthing this information that could have targeted an enormous gas company?
"A single intern, one engineer, and one week of effort," Heidt laughed.
Lisa Monaco, President Obama's top homeland security and counterterrorism advisor, told Pogue, "What we're seeing increasingly is a range of breaches -- credit card theft, theft of trade secrets, economic espionage. All of these things combine to form what we've described as one of the most serious national security and economic threats that we face."
Monaco meets with President Obama every morning. And increasingly, she said, "those meetings are featuring discussions about cyber threats, discussions about breaches to companies around the country, breaches to our own federal networks."
She says that last November's attack on Sony Pictures was especially troubling. The hackers took control of Sony's computers, deleted millions of files, and made public Social Security numbers, salaries, and embarrassing emails. And the fallout continues: Just this past week, one of those emails revealed something Ben Affleck didn't want public: He had asked the producers of the PBS program "Finding Your Roots" not to mention that his ancestor had been a slave-owner.
- Did they or didn't they? Experts weigh in on North Korea, Sony hack (CBS News, 12/18/14)
- Why the U.S. was sure North Korea hacked Sony ("CBS Evening News," 01/19/15)
- The attack on Sony ("60 Minutes," 04/12/15)
Back in January, in his State of the Union address, President Obama had this call to action:
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families."
Which is why this month the President signed a new executive order. It lets the Treasury Secretary freeze the assets of hackers who disrupt networks or steal trade secrets. And to better coordinate the government's response to attacks, he's creating a new office in the White House: the Cyber Threat Intelligence Integration Center.
"It will be one center, one place in the government, that synthesizes this information, analyzes it, understands who are the range of threat actors that we face, and -- very, very importantly -- have a place that can identify the information that can be shared with the private sector," said Monaco, who will oversee the new effort.
"Pretend I'm a non-technical American," said Pogue, "and all I know is movies, where bad guys remotely take control of traffic lights and dams and nuclear power plants. Is that realistic?"
"The danger or the risk of a catastrophic cyberattack of the type that you just described is fairly remote," said Monaco. "Nevertheless, I think it's very important to remember that we are an increasingly interconnected world. And that means we are increasingly vulnerable."
The White House isn't the only outfit preparing for more cyber attacks.
Ed Skoudis built "CyberCity" for the SANS Institute, a cybersecurity training firm. It may look like something out of Mr. Rogers' neighborhood, but Skoudis says it's one of the military's premier cyberwar simulators.
"Everything under the table is the actual same equipment that is used to control a power grid or a water reservoir or the other kinds of equipment we have," said Skoudis.
"So, when people are learning to hack, they're interacting with the actual commercial computer systems that control real-world power grids, dams?" asked Pogue.
"Exactly."
At this facility, cyberwarriors practice defending real-world networks from hacker attacks. Seated at remote computers, they're challenged with stopping pretend hackers from causing a blackout, poisoning the reservoir, or even derailing the train.
"Cybersecurity's in our medical systems; it is in the military; it is in government. It controls our air traffic control systems -- and if we don't get this right, we lose," said retired Air Force Brigadier General Bernie Skoch. "We lose our place as the dominant economy in the world."
Gen. Skoch runs the Air Force Association's National Cyber Patriot Competition, a tournament where young teams from all over the country compete to see who can best defend their computer networks against attacks from security pros.
"This is an area of the economy that has negative unemployment," said General Skoch. "We can't hire enough of these people. And that's because cybersecurity transcends everything that we do."
Which brings us back to the kids from Alabama. A team from Huntsville won first place in the Cyber Defense nationals. An encouraging sign, but experts say we're going to need a lot more like them.
Pogue asked Leviathan's Frank Heidt, "Are we outgunned? Are there enough security people to handle the hackers who are trying to fight them?"
"No. No, and there won't be for quite a while," he replied.
According to Heidt, preparing for the new era of cyber war is a job that may never end: "Will it be an arms race forever? My intuition is to say 'yes.'"
"So what's the reality of these headlines? Is it really terrifying, or is it just business?"
"It's terrifyingly normal business," Heidt said. "Unfortunately, this is a problem that takes years to address. And we're only now beginning to address it."
- 5 counterintuitive ways to protect against hackers (CBS Moneywatch, 12/23/14)
- How hackers might use your stolen Anthem data (CBS Moneywatch, 02/06/15)
- Anthem data breach: Steps you need to take (CBS Moneywatch, 02/05/15)
- How a password manager can help you stay more secure online (CBS News, 08/15/14)
- Protect your laptop from theft and hackers (CBS Moneywatch, 02/04/13)
For more info:
- Leviathan Security Group, Seattle
- SANS Institute, Bethesda, Md.
- Fact Sheet: Cyber Threat Intelligence Integration Center (whitehouse.gov)
- Air Force Association's National Cyber Patriot Competition