Every week, a group of teenagers and 20-somethings dressed in hoodies gets together in a tiny room on a college campus and plugs in their laptops. They turn up pulsing electronic funk music, order pizza and begin furiously hacking into computer networks.
But they're not shadowy criminals: They're students training to become "white-hat" hackers, experts to help business and government agencies protect their data from cyberattacks that have become an almost daily occurrence.
"It's the new espionage. Spies operate from behind keyboards now," says Evan Jensen, a senior at the Polytechnic Institute of New York University and one of the leaders of the Hack Night events where about two dozen students hone their hacking skills.
Since actual hacking is illegal, the students can't just sneak into a webpage and poke around for learning's sake. So industry experts, professors and the school's very own "Hacker In Residence," Dan Guido, collaborate to create exercises that expose the students to real-world hacking scenarios.
Guido, who runs his own cybersecurity firm, will walk students through one of the most common means hackers use to gain access to a computer network — attacks on the software of a browser like Internet Explorer. In June 2011, Google said it had traced to China a cyberattack that attempted to access hundreds of Google email accounts.
Guido uses the case, much of which has been made public, to recreate the exploit, having students map out step by step how the hacker was able to access a desktop computer and infiltrate the company's network.
While bigger schools such as Georgia Tech, Purdue and Carnegie Mellon are known for their cybersecurity programs, experts say Brooklyn-based NYU-Poly is now considered among the best schools for training students with hands-on, mission-critical cybersecurity skills. That's due in part to Hack Night, an active cybersecurity club and an annual hacking competition each fall that the school bills as the largest in the country.
"Every one of the faculty, every one of the undergraduates and every one of the graduate students is engaged in real-world exercises," says Alan Paller, director of the SANS Institute, a cybersecurity training organization. "They come out having actually developed and tested their skills."
Paller says the need for cybersecurity experts with real-world training is severe — a 2012 report he co-authored found that the Department of Homeland Security alone needs 600 such experts. Last month, the Defense Department announced it is establishing a series of cyber teams charged with carrying out offensive operations to combat threats of cyberattacks aimed at disrupting the country's vital infrastructure.
And just this week, the House Intelligence Committee voted in favor of a bill proposing a new data-sharing program that would give the federal government a broader role in helping banks, manufacturers and other businesses protect themselves against cyberattacks.
"The only defense against these things are skills," Paller says. "We have too many people in the cybersecurity field that don't have the hands-on skills. We call them frequent fliers. We don't have enough pilots."
In the last few years, some companies have staged "bug bounty" programs, paying cash or other prizes to cybersecurity researchers in controlled situations who are able to breach their systems and expose flaws in their software. Though they haven't yet won a major cash prize, NYU-Poly students are currently participating in "bug bounty" programs for companies like eBay, PayPal, Google Chrome and Samsung. A few months ago, one student received a bag full of random gifts such as T-shirts, a board game and a handwritten note after he identified a security flaw in the software of online merchandise seller Woot.com.
NYU-Poly professor Nasir Memon, director of the Information Systems and Internet Security laboratory, says the goal is to teach aggressive tactics beyond the classroom, while staying inside the boundaries of the law.
"Becoming good at security involves doing these challenges, exercises that put you in the context even if it's artificial and made up," he says. "There's something in front of you that you have to overcome and reach your goal — very much like athletes or military soldiers."
Memon says he hasn't yet had a student get busted for hacking illegally, but every time the FBI calls to recruit a student, his heart skips a beat.
"We try and create that culture of no messing around. If we find they've done anything we throw them out of the lab," says Memon, adding that he knows of no students who have crossed the line.
Many of the 270 NYU-Poly cybersecurity students are already starting to line up jobs earning lucrative salaries at private cybersecurity consulting firms or big banks in need of people able to identify and correct vulnerabilities in their networks.
Others, especially those with graduate degrees, will go on to careers in law enforcement working for the National Security Administration, the Department of Homeland Security and other federal agencies in need of hackers with special computer skills, such as advanced programming and digital forensics.
Because they are in such demand, cybersecurity students can pick and choose where they want to work.
"You see all the time a lot of job descriptions for people who are trying to hire guys like us say things like, business casual is not acceptable here," says Julian Cohen, 22, a senior and a founder of the weekly Wednesday evening Hack Night. "No one wants to go to work in a button-down shirt and slacks."