ARLINGTON, Va. – This is not your typical summer sleepaway camp.
Bonfires and archery? Try Insecure Direct Object References and A1-Injections.
The dozen or so teenagers staring at computers in a Marymount University classroom here on a recent day were learning – thanks to a new National Security Agency cybersecurity program that reaches down into the ranks of U.S. high school and middle school students – the entry-level art of cracking encrypted passwords.
"We basically tried a dictionary attack," Ben Winiger, 16, of Johnson City, Tennessee, said as he typed a new command into John the Ripper, a software tool that helps test and break passwords. "Now we’re trying a brute-force attack."
Others in the room stumbled through the exercise more slowly, getting help from instructors who had prepped them with a lecture on the ethics of hacking. In other words, they were effectively told, do not try this at home.
"Now, I don’t want anybody getting in trouble now that you know how to use this puppy," Darrell Andrews, one of the camp’s instructors, warned loudly. "Right? Right?" he added with emphasis.
As campers around the country sleep under the stars and dive into mountain lakes, 1,400 youths have packed their overnight bags or lunchboxes for a very different experience.
They are attending dozens of free overnight and day camps across the country supported by the NSA, better known for its bulk collection of Americans’ phone records and its spying on foreign leaders. Like the CIA and other elite intelligence agencies, the NSA has for decades recruited on college campuses and run collegiate programs, but this summer the agency is making sure that middle- and high-school-age students – and some teachers, too – are learning how to hack, crack and defend in cyberspace.
The goal of GenCyber, as the summer camp program is called, is to catch the attention of potential cybersecurity recruits and seed interest in an exploding field as more and more of the nation’s critical transactions, from warfare to banking, move into the realm of cyberspace.
NSA officials say building the next generation’s cyberspace workforce is a matter of national security, as breaches at the federal Office of Personnel Management and private companies have highlighted. Studies anticipate the need to fill hundreds of thousands of new cybersecurity jobs in coming years.
That includes jobs with the NSA, which has its own worries about filling recruitment quotas these days because of increased competition from higher-paying private companies and bad publicity after Edward Snowden, the former NSA contractor, leaked a trove of classified documents showing the agency’s surveillance programs as far more extensive than most Americans knew.
"These kids are the ones that are going to be building the next products that we all rely on, the things we can’t even imagine will exist in the future," Steven LaFountain, the head of the NSA’s in-house College of Cyber and the leader of the camp program, said in an interview at the NSA’s heavily fortified headquarters in Fort Meade, Maryland.
"If they have just a little bit more understanding of security when they’re doing that," he said, "I think it will make the products that much better."
With the help of a grant from the National Science Foundation, the agency started a small pilot program under LaFountain’s direction last year, sponsoring six camps at colleges and universities. This summer it has expanded to 43 camps, and about half of the 1,400 students are girls.
LaFountain hopes the program will grow to 200 camps in all 50 states by 2020. So far there has been strong interest, he said, given the long waiting lists for the camps this year.
The NSA gives each camp loose guidelines but largely leaves it up to the colleges and universities and the instructors running the camps to decide which topics to cover. The NSA mandates that GenCyber camps be offered free.
At California State University, San Bernardino, an NSA camp open only to local Girl Scouts, campers will build, program and fly drones. Campers at Norwich University in Vermont will put together their own computers. And here at Marymount, where campers are staying in dorms for their two-week stay, visits to the NSA and a security operations center break up classroom time.
The idea – and the challenge – of the camp, according to its head, Diana Murphy, a professor of information technology at Marymount, is to first teach students how to hack, so they can understand and defend against attackers they might encounter in cyberspace.
"It’s a fine balance for me as a teacher, because you have to teach them some of the hacking techniques and layer that in with an ethical discussion," Murphy said in an interview before camp began. "They are most interested in the attacking things."
A packed schedule of activities – lectures on network forensics, student presentations on protecting private accounts, and what turned out to be a high-volume debate on the ethics of Snowden and WikiLeaks – drives critical points home.
"One of the things you have to discuss – since you are going to rule the world in a couple years – is, is this good or bad?" Murphy said she repeatedly tells campers.
LaFountain said the agency would not make sales pitches to campers but hoped that the agency’s work would be enough to lure them into the field.
"We’re not trying to make these camps something to make people pro-NSA or to try to make ourselves look good," he said. "I think we’ll look good naturally just because we’re doing something that I think will benefit a lot of students and eventually the country as a whole."
Back at Marymount, a group of campers crowded around a lunch table did not seem all that concerned about the spy agency’s reputation.
They said they were just happy to get to stay on a college campus with other tech-savvy students their own age while learning skills their high schools back home were not ready to teach.
"I’d definitely take this camp over a basketball camp," Garvan Vines, 15, of Bowie, Maryland, said as he finished a bite of a sub sandwich. He said he was trying to decide between a career in cybersecurity and one in programming and hoped that the camp, his second GenCyber camp of the summer, would offer a good sampling of those alternate paths.
Besides, he said, "at basketball camp they are mostly just giving you the same instructions over and over.
"This is like, progressive."
Andy Lieu, 17, of Denver, picked up where his lunchmate left off.
"At a basketball camp, everyone’s trying to better themselves," he said. "Here you have to collaborate and work as a group."
Others around the table, including Allyssia Dela Cruz, 15, who was in her second year at cybercamp, nodded in agreement.
"To be honest, if you were to ask," she said, "I think most people here spend more time on the computer than playing sports anyway."