Discovery Files

Creating a white hat nation

Josh Pauli, Director of the CyberCorps program at Dakota State University, explains what it takes to train an army of ethical cybersecurity experts

CyberCorps®: Scholarship for Service is a unique program designed to strengthen the cadre of cybersecurity professionals who protect the government's critical information infrastructure.

Supported by grants from the National Science Foundation (NSF), the program provides scholarships to students who in turn work for the federal, state, local, or tribal government or related organizations after graduating. The program is offered at 55 colleges and universities, with more added every year, and has placed more than 1,700 well-trained experts at 140 agencies across the U.S.

Josh Pauli leads the CyberCorps program at Dakota State University (DSU) in Madison, South Dakota. Below he describes his experiences and offers his perspective on what it means to train ethical cybersecurity experts.

Q. How do you prepare college students to become cybersecurity experts?

A. We take a very hands-on, applied approach to teaching cybersecurity. Our students learn assembly language programming; they do malware analysis; software reverse engineering--hardcore computer science topics. Our lab is completely virtualized, which allows us to roll out any kind of technical environment we need. If an instructor needs every student to have a network with 100 virtual machines in it, so every student can be managing or attacking a network on 100 different computers, we can push that out to every student.

Our virtual environment also allows our students to reverse engineer malware in a safe environment. We can get real malware, drop it in our virtualized environment and students can run it, see it spread, and tear it apart to understand how it works. When the lab is done they can throw it away--no harm no foul--and we move on to the next experience. We can do the same with software exploitation or network hacking. Everything is done on our infrastructure and nothing can escape. It's completely isolated but accessible from anywhere for our students to study.

Q. How's the program going so far?

A. DSU has been in the CyberCorps: Scholarship for Service program since 2011. In that time we've had 47 CyberCorps scholars and they've had 100 percent placement in the government and associated labs. Our students are pretty well sought-after throughout the federal work area. We don't have too much going on out here in South Dakota cybersecurity-wise currently, so most of our students end up going to federal agencies.

We've created a couple of really strong partnerships with the National Security Agency, the Johns Hopkins University Applied Physics Laboratory and the Navy Space and Naval Warfare Systems Command (SPAWAR). And for us, being out here in a rural setting, the CyberCorps program is by far the number one recruiting tool, the number one retention tool and the number one career placement mechanism that we have.

Because of the CyberCorps program, interest in cybersecurity has gone through the roof. When we started the program, we had 110 students studying cybersecurity on campus. Now, out of 1,200 students on campus, 400 are studying cybersecurity. Students come to DSU for this program and the students are better than ever.

We have students coming out of our ears and the federal agencies and research labs are coming back to me saying, "Holy cow, we'll take as many DSU students as you can crank out." The students come well-prepared. They're hardworking. They're good kids. I wish we could take credit for that, but for our students who are really thriving, it's because of them. We set them down the path and give them the base level of knowledge, but they've done great things with it. They have the effort and interest and are digging into topics that are way beyond what they're learning in class.

Q. What kinds of assignments do you give your students?

A. One assignment that really gets students excited is the first time they tear apart a real virus, often something that they've read about or that the instructor has lectured about. We had an instructor last spring who introduced their class to Cryptolocker, a piece of ransomware that was going around in the banking industry. Our instructor captured it, brought it into the lab and let students reverse engineer it to understand how it works.

By reverse-engineering a program, you get back to the code that makes the malware run. This helps you understand how it works, so you can write antivirus software, fine-tune your firewall or find out what kind of information the malware is harvesting and where that information gets sent back to. It's an in-depth and highly technical investigation.

Another assignment that really excites our students is when they get to exploit a piece of software on another computer. This is traditional hacking: You crack into a computer or a piece of software and make it do something that it's not supposed to do--such as allowing remote administrative access to the victim computer. That's always a lightbulb moment for students because it's not like the movies: They don't get to use touchscreens to see everything in graphical format. It's this lower-level assembly programming language and shell code which is actually the code that you write to land the exploit.

Q. How do you make sure that you're training the good guys?

A. In addition to teaching cybersecurity skills to students, our program includes a heavy and reoccurring dose of ethics and legal theory. Even before students come to campus, we let them know that we're going to send them down a path where they can do powerful stuff, but that with great power comes great responsibility. And it's working. We've had hundreds of students graduate from our program and we've only had one incident in eight years. We're pretty proud of that.

Our kids understand the gravity of the situation. They have their eye on the prize. They want to get that elite job working for the government or a cybersecurity firm, and they know if they do something dumb while they're in college that those opportunities go bye-bye.

Q. How do students feel about studying cybersecurity?

A. They love it. We're in a town of 7,000 people. People can't believe Dakota State University in the middle of South Dakota has this huge cyber program, and we always joke, "Well, there's nothing else for the kids to do." But mostly what you'll see is the students getting very into it. It doesn't take very long for them to understand how everything works together and to move on to more complex problems. They look at harder-to-reverse-engineer malware or hack systems that have been patched. It becomes not only what they do in class or for assignments, but what they do on their own for research and what they do for fun. A lot of our students participate in Capture the Flag contests and other information security hacking contests.

Q. Are there any great examples of student projects you can point to?

A. In September, at the U.S. Senate committee field hearing convened by Senate Commerce, Science, and Transportation Committee Chairman Sen. John Thune, R-S.D., one of our CyberCorps students demonstrated an antivirus bypass tool he developed. The tool can take a well-known piece of malware and change how it looks and behaves, without changing what it does. Fifty-seven out of 57 antivirus products could recognize the original piece of code, but after he ran his tool on it, only three of 57 recognized that it was still malware. With a couple clicks of a mouse, he could make thousands of variants of the malware that were basically brand new. That's a pretty impressive project for a student to develop.

Q. What makes the program a success?

A. It's really a perfect storm. Our graduates are having success at the federal and state level. The agencies are reaching out to us saying "give us more," and the program has become the hub for what we at DSU do academically in cybersecurity.

It's really a tremendous program. Every program wants more funding and to be able to support more students, but this is one of those rare times where everybody agrees that the CyberCorps program is a good thing. It's a fire we have to pour more gas on.