How to Train (Ethical) Hackers

The future of cybersecurity depends on students’ learning to break the rules.

Posted Sep 28, 2018

By 2022, the demand for qualified cybersecurity personnel will outstrip supply by 1.8 million workers. What can the industry do to reduce this global threat? According to Richard Buckland, a computer scientist at the University of New South Wales (UNSW) in Sydney, the answer is education. He’s been experimenting with ways to train budding defenders for two decades. In 2016, he and Commonwealth Bank also launched SecEDU, a program to strengthen the university’s curriculum, spread their practices to other universities and high schools, and make all their security courses freely available online. I met with Buckland at UNSW to discuss software engineering and the future of white-hat hackers. This interview has been edited for brevity and clarity.

What draws you to cybersecurity?

For me, cybersecurity is the ultimate engineering problem. If you were driving here today, if you went over the Sydney Harbour Bridge—I reckon no one ever worries about the bridge. And that’s partly because civil engineers have solved the problem of bridge making. But security is not a solved problem. If I had a Windows product, every week on a Tuesday I would download patches to it. And patches are a polite way of saying bug fixes, and a bug is a polite way of saying error, and an error is a polite way of saying massive stuff-up. We don’t know how to engineer security.

Why is security engineering different? 

If I had to pick one reason, it’s complexity. There's also this asymmetrical nature to cybersecurity. To make something secure, you have to defend every point, but to successfully attack, you just have to find one little point. Like the old medieval castles: It didn’t matter how thick the walls were, because people would dig tunnels, so they’d put moats, and attackers would bribe the person who operates the gate. Also, it’s really fun to attack. It’s human nature. My students like that. If I give them a rule, I’m giving them a challenge. You’ve got to be careful not to give them rules.

Do you prefer squashing bugs or spreading the word about security? 

I like solving particular bugs, but my passion is education. And in security, the biggest problem we face is there aren’t enough good security people around, by an enormous factor. My students leave uni—one of them got a Corvette as a signing bonus. People ring me all the time and say, “Let me come into your security class. I’ve got great jobs for your top ten students.” And I say, “Man, you can’t even have my worst students. They’ve all got jobs already.” So we’ve got this thing called SECedu. We’re trying to train as many people as possible, but also work out ways of training, and then publicizing that.

What have you learned so far?

For me, the biggest surprise was that to be a good security engineer you need to be creative and a rascal, a bit cheeky. The best security people question every rule. And the really delicious problem that poses is that everything we do at uni, more or less, is about producing industrially compliant people. I think you learn compliance in kindergarten. [He expanded on this in a more colorful and elaborate way, but I cut it for space.] By the time I get them, they’re rule followers. Really, if you do business as usual at a uni to teach cybersecurity, you’re really not teaching the right people the right things, and probably the right people won’t even get into uni, and if they are at uni, they’ll probably get bored and go home because they’re the crazy ones.

Is it hard to draw out rascalism, or does it come naturally once you let students loose? 

I think it’s close to the surface in all of us, and often there’s this sense of glee and delight when they realize it’s permissible. I remember someone handed something in early once, and I said, “I’m really disappointed that you’re handing this in early. You let me down, man. Next time I want it to be a little bit late.” So just little things like that to encourage them.

How do you make rascalism compatible with a university environment?

It’s values-based. I don’t ever want anyone to do something because I’ve told them to do it. I want them to believe in it. If any of my students ever did anything bad and got in the media, I’d have to stop my course at once. There are just all these nightmare headlines I can imagine: “Uni Trains Hackers,” “UNSW Trains Some Student Who Broke into the Bank the Other Day.” I think you need to know how to attack in order to defend, so how can I teach people to attack and not have it go terribly, terribly wrong? First I had all these rules. But then I read about this really interesting piece of research. They sent a whole lot of people money. One group, they threatened things if they didn’t send it back. Another group, they said, “Oh, please send it back.” When the people were trusted, they rose to the trust. So I thought, “Oh, I’m doing it wrong.” I came up with this good-faith policy, which is just not to do anything that’ll bring the uni or the profession any sort of disrepute.

Why do attackers make the best defenders?

The example that made me first realize it was when I used to teach computer security to first years, I’d take them down to a building foyer at night, and I’d say I want you to identify all the security mechanisms in place. They would notice the thick glass, and the lighting, and the sensors, and the cameras. At the end of that I said, “Wow, you guys have done a really good job. How hard do you think it would be to break in?” And they would say, “Very hard.” “On a scale of one to five?” “Four! Four and a half! Really good! Best design ever!” And I’d say, “Awesome. Now we’re going to have our evening tea break. We’ll meet back together in ten minutes. Oh, and if anyone can break in, without breaking the law, without causing any damage, first person to break in gets a Mars bar.” And someone could always get in. It only took about five minutes. By getting them to enumerate all the physical defense systems, I was making them think like a defender. But as soon as you start thinking like an attacker, you don’t worry about the strong things. You start thinking, “What’s the weak thing?” You need to really be skeptical about everything you’re doing.

This conversation took place while on a journalist-in-residence fellowship at UNSW with travel expenses covered by the university.