Computer-savvy teenagers are testing their skills in cyber-contests designed to teach them how to protect the government and private companies from hackers.
The events are sprouting up across the country under the guidance of federal officials who are keen to boost their agencies' computer-defense forces and high school teachers who want to prepare their students for high-paying IT jobs.
At Baltimore's Loyola Blakefield prep school, a team of students meets twice a week after classes to practice for the Maryland Cyber Challenge, which is being held this week at the Baltimore Convention Center. At the event, they'll have to debug viruses from their computer and defeat mock attacks by cybercriminals played by IT professionals.
"They work together as problem-solvers, and they really like the challenge," says Steve Morrill, the school's director of technology and coach of the cybersecurity team.
The contests include "Toaster Wars," an online hacking game sponsored by the National Security Agency, and CyberPatriot, a national challenge that has grown from nine teams in 2009 to more than 1,200 this year.
During the final round of the 2013 competition, staged last March at the Gaylord National Resort at National Harbor in Maryland, Kevin Houk and five classmates sat in a darkened room, huddled around a monitor and looking for any sign of attack. The teenagers, who at the time attended Marshall Academy, a program that draws students from public schools around Fairfax County, Va., were trying to prevent "black hat" programmers from activating hidden viruses in the students' computer network. The Marshall group had to protect its servers from outside intrusions and defuse ticking time bombs that may have been lurking inside.
"It's a lot like gaming, because you don't know what's going to happen," said Houk, who took computer classes at Marshall Academy. "You always have to keep on your toes."
Now a freshman at Penn State University, Houk hopes to become a cyberwarrior, someday protecting corporate or national assets and information from foreign invaders or meddlesome hackers. "Cyberwarfare is the war of tomorrow, and we don't have enough soldiers on the cyber battlefield," he said. "I just want to be one of those."
The Pentagon's Cyber Command is planning to expand its cyberwarrior force from 900 to nearly 5,000. But there's a hitch: Applicants must have exceptionally clean records. That means no arrests or expulsions for hacking into school computers or shutting down Web sites.
While students are taught advanced computer skills during the lead-up to these cyber-contests, they also receive training in computer ethics, according to Scott Kennedy, assistant vice president and principal systems engineering manager at SAIC, a defense contractor and computer security provider based in Northern Virginia. So serious are contest organizers about fair play that some students have been kicked out for getting into other teams' computers or defacing Web sites.
Houk and other students interviewed at the Gaylord contest say they know the line between a white hat and a black hat.
"We are trained in offensive security, or ethical hacking, but we do know how to monitor a network like a school and watch all the traffic going through," Houk said. "And if it's encrypted, we do know how to break that."
The advisor to Marshall's team calls himself a "gray hat," someone who knows the good and bad sides of cyberwarfare and security. Ryan Walters said he got into trouble as a young man for hacking into computers without permission and was given a choice by a judge to either go to jail or join the military.
"I joined the Air Force," said Walters, who now runs TerraWi, a small start-up specializing in security for mobile devices. "Six months later, I was doing cyberdefense for the military. I became very good at what I do because I understand how the bad guy thinks. I went from black hat to gray hat. I could never be a white hat."
Walters, who has more than 60 students enrolled in his after-school cyberdefense program at Marshall, said he teaches his students "the black-hat mentality; I'm not teaching them how to be bad guys."
Morrill, the Loyola Blakefield coach, also is concerned that some of the skills the students are learning could cause damage.
"I tell them: 'You guys better be on the good side, and you can earn a good living,' " Morrill said. "If we approach students at a younger age and instill those values, the country is going to be better off."
Walters says revelations about Edward Snowden's leaks on the NSA's domestic surveillance programs forced him and other teachers to revamp their lesson plans. In fact, during the summer, two of his students worked at Washington-area defense contractors as systems administrators, the type of job that Snowden once held, albeit not with the same access to classified data.
"I teach that it's a bad thing" to leak, Walters said.
The growing interest in cyberdefense contests for young people comes at a time when Pentagon officials are warning about computer attacks from China and other nations.
And it's not just the government that is vulnerable. Utilities, power companies, tech firms, banks, Congress, universities and media organizations all have faced attacks in the past few years. In August, the Web sites of several news organizations, including The Washington Post, were hacked by a group calling itself the Syrian Electronic Army, which supports Syrian President Bashar al-Assad.
"The threat has evolved so quickly," said Diane Miller, director of information security and cyber initiatives for Northrop Grumman, which is a lead sponsor of the CyberPatriot contest. "It really has created a sense of urgency."
Northrop Grumman has hired 40 former CyberPatriot participants, including four who are working in the company's cybersecurity control center. "I tell the students that it's a position of trust," she said.
While most experts agree that introducing young minds to advanced computer skills is a good thing, some worry that the efforts need to be more broad than deep. They say that training a few highly skilled cyberwarriors is less important than having lots of people with adequate knowledge on how to avoid getting hacked.
"There's this tendency to go for the cream of the crop," said James Lewis, senior fellow at the Center for Strategic and International Studies and author of a recent study on computer security vulnerabilities in U.S. firms. "The debate is 'Do you need a team of computer special forces, like Navy SEALs or cyber-ninjas? Or something more like regular forces?' "
Other security experts say that computer defense skills aren't the weak link in the cyber-espionage game. It's the little everyday mistakes that cause problems — giving your password to a colleague or leaving your laptop in a cab, airport or coffee shop, according to Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.
"We need people trained not just how to write code for stronger protections," Cate said, "but also systems to guard against human behavioral attacks."