When I was 14, I began experimenting with something fascinating, something my teachers never mentioned but that I knew was off limits: creating malware. The code worked beautifully. It was designed and written from scratch in assembly language, a level just barely above the 1’s and 0’s of the computer’s native tongue. After I delivered it to the intended target, it hid in the operating system and waited for the correct trigger conditions, at which time it would overwrite the volume table of contents and destroy the disk’s ability to retrieve any of its stored data. It executed exactly as intended.
I wasn’t the only student in my school experimenting in the murkier realms of computers. Teachers deal with students across the full spectrum of interests and abilities. Gifted programs exist for students who excel in reading, math, and other academic realms. However, one type of student is overlooked or even actively discouraged by school systems—the aspiring computer hacker. At the very same time that we are constantly hearing about the need for talented hackers in industry and government, young computer security enthusiasts are perceived as hoodie-wearing miscreants who must be stopped. The cognitive dissonance is deafening.
Only in recent decades has the term hacking been conflated with “breaking into computers.” Hacker culture traces its roots back to the 1950s and 1960s, and to hack simply meant to understand systems at a deeper level and make them behave in unintended ways. Steve Wozniak (creator of the Apple computer), Brian Kernighan and Dennis Ritchie (creators of the C programming language), and Marvin Minsky (co-founder of MIT’s Artificial Intelligence Lab) were all hackers. That said, I’m going to use the term hacker here to refer to someone with a passion for proactive security research—a person who understands the systems and tries to break them, with good or ill intent, or simply to see if it can be done.
The hacker personality is characterized by curiosity about and passion for technology, persistence, technical prowess, and novel ways of viewing problems. Any parent, teacher, or school should be proud of those traits in a student. Unfortunately, aspiring hackers are typically greeted with anything but pride and encouragement. Extremely misguided laws can result in an eighth-grader being charged with a felony for changing a desktop background. A 16-year-old in Staten Island, New York, was charged with felony counts of computer trespass and forgery for hacking into the system to inflate his marks. The same student acts that used to result in detention can now end in jail time, simply because a computer is involved. (Even Plato may have tried carving an F into an A while Socrates had his back turned. Good thing he didn’t have a computer.)
We’ve created an atmosphere in which promising hackers are actively discouraged from learning and therefore are likely to end up on their own without any guidance to keep them out of trouble.
I was one of several hackers in my high school. We shared ideas and pushed the boundaries of our computers wherever we could. Some of our experiments occasionally caused some issues in the school’s computer lab (perhaps a system going down unexpectedly, taking all of its unsaved work with it), but we self-policed our small group. Our hacking was about knowledge and discovery and also to see what we could get away with. Most of us went on to college and became software and security engineers.
Two teachers ran the school’s computer lab. One didn’t know what to do with us and didn’t like that fact at all. He was teaching the class (and himself) BASIC, the programming language equivalent of a coloring book. We were busy modifying the computers’ operating systems. The other teacher saw us as a resource and would appreciatively ask for and accept our help around the lab. She also encouraged us to “keep on doing whatever it is you’re doing” whenever she saw hexadecimal and op codes flash across the screen.
The first teacher eventually began a ritual of sending me to the principal’s office for just about any perceived classroom transgression—I think he knew I was up to something but could never prove it. Falling asleep in class was easier to spot than custom code hidden in gaps on the file system. After several visits, the principal had the foresight to try something different. Rather than discourage or punish me, she created a “special studies” course just for me. I was given the task of writing software for the school—secure software. For the first time I wasn’t subverting systems and controls; I was instead focused on how to design and implement a system that could keep me out. It was a turning point of sorts. It gave me a sense of ownership. Furthermore, by playing both sides of the fence, I improved both my defensive and offensive skills. My school benefited as well, a constructive symbiosis of computer hacker and institution. It shifted my perspective enough to start me down a path of working in industry, a much better destination than where I may have otherwise found myself.
Creating a constructive environment for young information security, or infosec, enthusiasts is win-win. Students get the chance to study something they have a true passion for—a field that needs all the motivated talent it can get. They can operate in a safe environment, on systems and networks with clearly established boundaries. They can learn how to hack within the system, as part of the system. Schools looking to burnish their reputations can call themselves leaders in cutting-edge and industry-critical skills—not to mention get a little free IT support. And schools need the help: In a 2014 Miami-Dade Schools audit, 8 percent of surveyed teachers “interviewed about their use of the district’s electronic grading system said they had experienced or knew of a situation where grades were ‘inappropriately’ changed in recent years,” according to the Miami Herald. Students could be earning high grades with their skills, instead of just trying to change them.
Of course, schools are going to get pushback from various quarters. Principals, teachers, and parents may well have concerns. That’s good. But look at all of the other risky activities schools have long taught: metal shop, wood shop, student driving. (They might sound passé, but shop, at least, seems to be on the rebound, thanks to 3-D printing and other new technologies.) These are activities that can actually maim and kill. And despite the negative press about football-related brain injuries, how many high schools are going to shut down their football programs anytime soon? Right. So why be afraid of providing a constructive environment for young hackers to learn and explore? Creating a safe place for hackers to learn is like offering comprehensive sex ed. You’re educating students with facts and teaching them how to do things safely, if they choose to. Simply telling an aspiring hacker “don’t hack, end of story” works about as well as the other abstinence-only approach. Curiosity works, but information protects.
So how do schools teach ethical hacking skills if they can’t woo developers away from Google’s security team? They don’t have to. That’s the best part. As in any advanced technology elective for select talented students, the hacker-minded individual is going to pursue his or her own studies. All you need to provide is the framework and environment, combined with appropriate learning guides, oversight, and encouragement. And just like metal shop and wood shop classes, the school’s focus will be on safety. It’ll need to establish appropriate behaviors and clear rules. Violations should be handled the same as the other shop classes, up to and including getting kicked out of the class. Command injection attacks, like power saws, are a privilege, not a right.
I’ve provided a cookbook below for a sample virtual lab and supporting material. There are great online resources and books that taken together can be blended into a core curriculum. Teachers will need a class contract of some kind that clearly states the expectations and boundaries. There is one line that must not be crossed—students are not to hack systems they do not own or that are not assigned to them expressly for ethical hacking exercises. The first, second, and third rules are teaching them to stay safe and stay legal. Clearly defined boundaries on systems and networks must be laid out. The class should start with current events involving hacking and the resulting legal consequences, including group discussions on the topic.
As young hackers improve their skills and demonstrate their ability to operate within prescribed boundaries, schools may want to select a team to help investigate the security of carefully selected systems and subnetworks. Selling the idea to wary administrators will be easier because the chosen hackers will have a track record of both talent and restraint. Anyone who still opposes the idea need only absorb one simple fact: Wouldn’t he or she rather have people working in the school’s interests to be the ones who find security problems? Because if a school’s own student hackers don’t get the chance, someone else will probably take it.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.