Hackers in training

Students from two of the world’s top universities raced to conquer a range of cybersecurity challenges at the Massachusetts Institute of Technology. 

You might not expect to find Gregory Falco at a hackathon. The first-year Massachusetts Institute of Technology PhD student is researching urban planning, not computer science.

But last weekend, with more than $20,000 in prize money on the line, Mr. Falco raced two dozen students from MIT and the other famed Cambridge research university – Britain’s University of Cambridge – to hack websites and discover built-in vulnerabilities.

“I came in here knowing I was going to be out of my depth,” Falco said. “For anyone who gets into this stuff, you kind of have to jump off the deep end.”

And that was the point. Organizers didn’t want to fill the event – dubbed “Cambridge 2 Cambridge” – with the most skilled hackers, developers, and coders. The idea instead was to bring people from across the universities and expose them to what it’s like to be part of a cybersecurity team that tries to break into things with the ultimate goal of improving digital security.

“We didn’t want the competition to be dedicated to people who already know it all,” said Frank Stajano, head of Cambridge University’s Academic Center of Excellence in Cybersecurity Research, who helped organize the hackathon that included challenges designed to replicate real world cyberthreats.

Cambridge 2 Cambridge is part of a broader US-British plan announced last year meant to bolster transatlantic cooperation when it comes to battling digital attacks. In addition to the hackathon, the initiative includes joint military exercises, the creation of a collaborative cyberintelligence unit, and grants for US and British students to conduct cybersecurity research.

The weekend hackathon was all about addressing one of the most pressing issues in cybersecurity today – the talent shortage. Indeed, as both the government and companies contend with a growing number of sophisticated hacks, they are racing to fill as many as 1 million cybersecurity job vacancies with skilled technologists and security professionals to blunt the cost of digital incursions. Last year alone, the average cost of data breach rose by 8 percent to $3.8 million, according to the Ponemon Institute, which studies privacy and data protection.

As the cost of digital insecurity rises, so, too, is the amount of money funneling into universities to address broader cybersecurity problems. In fact, Cambridge 2 Cambridge comes amid a wave of funding for research and programs that is leading new academic centers dedicated to cybersecurity research, university training programs here and abroad, and millions of dollars in scholarships. In 2014, for instance, the Hewlett Foundation announced that it would give $45 million to MIT, Stanford, and UC Berkeley to fund new research centers at each school aimed at combating cyber threats.

While much of that attention to cybersecurity has led to the development of serious programs and intense research initiatives, it also means that universities will try to find more creative ways to get students interested in the field – such as hackathons where students can legally break into websites while wolfing down all the burritos they can eat.

But the Cambridge 2 Cambridge hackathon was still a bit more forgiving that actually defending a real network.

“In real life, getting pwned is really bad news – you might have to burn your server down. Here, you just lose a point,” said Joshua Cazalas, a cybersecurity researcher at Boeing, using hacker slang for being taken over or dominated by an adversary. He was a mentor during the capture the flag match at last weekend’s competition, making the rounds to give coaching and advice as participants launched attacks – and the aerospace company he works at was one of the sponsors of the event.

Capture the flag on computers isn’t that much different from the schoolyard pastime. It requires teams to protect their websites by patching built-in vulnerabilities, and engineering hacks to remotely exploit their opponents. At larger tournaments, such as the DEF CON hacker conference in Las Vegas, participants will even hire audience members to spy on other players.

Fortunately, MIT’s Falco didn’t have to cheat – or open up his wallet – to help his team. The PhD student mainly assisted his ad-hoc team of hackers from MIT and Cambridge by signaling Mr. Cazalas and other mentors and conducting Google searches during a six-hour game of capture the flag.

As cybersecurity experts looked on, Falco learned to scour records of Internet traffic for bugs to exploit the five other teams in the room – who attempted to run and patch mock websites similar to Amazon and Netflix. Real-world criminals might use a similar methods to steal credit card information or social security numbers from unsuspecting customers.

With just an hour left in the game, Falco spotted a bug and notified his teammates – who launched a cyberattack – causing blue lines to light up a 10-foot tall projection screen at the center of the room.

However, Falco’s strike had little impact on the standings. In the closing seconds of the capture the flag competition with syncopated house music blasting over the speakers in MIT’s Stata Center, two teams – Johnny Cached and Class Warfare – duked it out atop the scoreboard. The projection lit up with visualizations of more attacks, as Class Warfare, hanging onto second place, launched strikes against five other teams in the room.

As competitors set down burritos and scurried to patch their systems, LED light pads on tables around the room flashed red – meaning some of the websites (designed specifically for the contest) had been taken down.

In the end, after six hours of hacking, Johnny Cached, which included two students from MIT – Cheng Chen, and Julian Fuchs, as well as Cambridge students Gabor Szarka and Alex Dalgleish – won the competition and the $15,000 cash prize – discovering all seven exploits in the game.

Cambridge student Will Shackleton, whose team – dubbed Total Recursion – discovered three exploits and came in third and left impressed by the level of the competition. “We couldn’t fully suss out what was going on – they designed the code with too many holes,” said Mr. Shackleton, who plans to join Facebook’s security team in London after he graduates in July.

Organizers hope that events like these will not only help future researchers root out holes and develop patches for buggy computer software, but also lead to more secure code in the first place.

“It’s not a law of nature that machines are insecure,” said Howard Shrobe, the top research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory. This hackathon “is the first step of piquing curiosity to fix it.”