Jack Cable is 17 years old. With a thin build and large, square glasses, he looks like any unassuming high school senior from the Chicago suburbs. Except he’s a military-grade hacker.
Cable recently finished first in Hack the Air Force, a Pentagon-sponsored bug bounty program that recruited ethical hackers to find security holes within Air Force networks. In total, the service paid out $130,000 for 207 vulnerabilities hackers uncovered in the competition. Cable himself found more than 30 of those, including one faulty admin panel that could have been exploited to upload files and modify content on a military website.
Cable is ranked 73rd overall among members of HackerOne, a worldwide community of thousands of hackers that organizes bug bounties in the public and private sector. His success in Hack the Air Force helped him rise to fifth in the group’s third quarter rankings.
The bug bounty program comes at a time when the government finds itself struggling to attract top talent like Cable to cybersecurity positions. Last week, the General Services Administration announced it will host its first ever tech and cyber recruiting event in November, where federal agencies could offer jobs to qualified candidates on the spot.
Nextgov sat down with Cable to ask him about his beginnings, bug bounties and plans after graduation:
Nextgov: So how did you first get involved with bug bounties?
Jack Cable: I started out hacking about two years ago when I accidentally stumbled across a way to get an infinite amount of money on a financial site. I was able to send negative amounts of money to other users, and that would put their money into my account. I reported it to that company and they ran a bug bounty program, so I got into it from there. It was a Bitcoin site called ChangeTip, I think they since shut down. I eventually found HackerOne and U.S. government bug bounties. I’d been programming for about 5 years [at that point].
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
Nextgov: What keeps you coming back to these competitions?
Cable: I really like the challenge that comes with bug bounties. It’s always fun to be able to find something you shouldn’t be able to do — also the acknowledgement from the companies to say that you’ve found vulnerabilities and that had a big impact. I’ve met some really cool people along the way.
Nextgov: Which groups have you participated in bug bounties for?
Cable: I’ve done three of [HackerOne’s] private U.S.-government bug bounties, with the Pentagon, the Army and the Air Force. Outside of that I’ve worked with Uber, Yahoo, Salesforce, and a few others.
Nextgov: Why do you choose to report the vulnerabilities you find instead of taking advantage of them?
Cable: There are a few reasons, I think. First of all, obviously, it’s really risky to try to exploit them. You could go to jail, which is pretty bad. Also it’s just really the ethical way. You can feel good about [hacking]. The company’s glad that you’re doing it and they want you to keep hacking with them. Instead of being punished by them, they want to meet you, they want to help you find as much stuff as you can on their websites.
Nextgov: What is it like to be a military-grade hacker and still be in high school?
Cable: I’d say that it’s not that different. I wouldn’t say that’s anything truly exceptional. It’s just that I’ve participated in programs run by the military and happened to do well in them. I’m taking a normal load of classes [including] two math classes at Northwestern [University]. I’m applying for colleges and I’m interested in going in for math or computer science. I’m looking at Stanford and a lot of East Coast schools like Harvard, MIT and Princeton. Also the University of Chicago.
Nextgov: How do you see yourself and bug bounties fitting into government cybersecurity strategy?
Cable: What the government has recently been doing with bug bounties shows that they’re starting to become much more proactive with their security. By holding these bug bounty programs, they’re able to ensure their sites are much more secure and make sure no hackers can easily get into them. Having hundreds of different people looking at your website allows people to try tons of different ways versus a cybersecurity firm that might only apply a few different methods of trying to find vulnerabilities.
Nextgov: How do you view government cybersecurity after participating in these bug bounties?
Cable: With each program there’s been a significant increase in the security of the websites. Hundreds of the top hackers have tried to get in and they’ve reported everything they’ve found. In that aspect, [the websites are] much more secure. Regardless of how secure a website is, it’s going to have vulnerabilities. That’s why running a bug bounty program is really helpful to weed out vulnerabilities that might not be as easily found.
Nextgov: What are your long term plans after high school and college?
Cable: Right now I’m just sort of exploring different areas. Government could be something interesting. [The Defense Digital Service] might be something interesting to work for temporarily, just to get some experience on a different side of things. It’s only two years so you’re not committing to anything long-term, you’re just working for a set period of time on something cool.
The federal government has a shortage of cybersecurity talent. Would a corps of short-term recruits, hired from the private sector, fix that gap?
That’s one of the questions a House oversight committee attempted to tackle Tuesday during a hearing on federal workforce challenges. Rep. Will Hurd, R-Texas, chairman of the information technology subcommittee, asked witnesses whether a model similar to tech groups 18F and the U.S. Digital Service might work for cybersecurity.
18F, housed within the General Services Administration, is a consultancy that helps other agencies use technology and adopt principles of agile software development. USDS troubleshoots large-scale federal tech projects; both groups recruit heavily from the private sector, including from companies such as Facebook and Twitter.
The Commerce Department’s former chief information officer, Steven Cooper, described a central team of cyber experts serving 6-month to 2-year terms; those people might conduct penetration tests, deploy security badges or other short-term projects at various federal agencies.
Those people would be most useful in jobs including product testing and forensics, Debora Plunkett, board member at the International Consortium of Minority Cybersecurity Professionals, testified. But deploying members of a centralized cybersecurity cadre to federal agencies experiencing attacks might not be all that useful, because “you’d want to have some a prior understanding of the network,” she said.
“If it really is a ready reserve where they would go anywhere, it would be difficult to send someone in to address a threat when they don’t know the infrastructure and they’re not up on the current vulnerabilities,” Plunkett said.
Coordination between agencies tapping into that group of cyber professionals would be a challenge, said Nick Marinos, assistant director of information technology within the Government Accountability Office. Traditional tech hiring might require a chief information officer and chief financial officer within an agency to coordinate, but the sharing arrangement also may require coordination with more of the C-suite, including the chief human capital officer and chief information security officer as well as other agency officials.
“If the CIO is not actively engaged, the help may not be going to the right places,” he said.
The group of high school students were surprisingly animated at 7:30 a.m. on a chilly Friday morning. But the students were excited to be on the Alamo Colleges campus, talking about their individual CyberPatriot teams– and they just happened to be among the top ranking teams in Texas.
The Air Force Association created CyberPatriot in 2009, a national youth cyber defense competition designed to inspire high school students into entering careers in cybersecurity or other science, technology, engineering and mathematics (STEM) disciplines. The 2016 CyberPatriot competition included nearly 200 teams from the San Antonio region, more than any other region in the nation. Seven of those teams are part of the Information Technology & Security Academy (ITSA), a program offered by Alamo Academies. A national award winning STEM-based program, the nonprofit program works in partnership with industry, the Alamo Colleges, area high schools and local cities to provide high school juniors and seniors with two years of tuition-free curriculum that will lead to in-demand STEM skills and critical job fields.
Bussed daily from their respective high schools to the Alamo Colleges campus for 2 ½ hours of instruction early in the school day, ITSA provides high school juniors and seniors with 30 college credit hours that specializes in information technology, which includes networking, security and programming courses. While enrolled in ITSA, students also have the option to participate in the annual CyberPatriot competition.
The CyberPatriot teams compete to defend a national company’s computer system from malicious cyberattacks, while maintaining IT services for its users. Each team is paired with professional mentors in the community who volunteer through the CyberPatriot Mentor Program. ITSA’s CyberPatriot teams are currently mentored by Jacek Materna from SecureLogix, Troy Touchette, chair of computer information systems at San Antonio College, and Mike Matuszek at San Antonio College.
During the CyberPatriot’s State Round earlier this month, a team of ITSA seniors earned a perfect score, which resulted in a tie for first place nationwide with a team in Colorado. The round also named a team of ITSA juniors as fourth in Texas and 22nd nationwide. The next competition, held Feb. 19-21, will determine the top 12 teams in the nation before the National Finals are held April 10 to 14 in Baltimore.
“Considering this is the first time the junior high school student team competed in CyberPatriot, ranking 22nd place nationwide is pretty impressive,” said Jacek Materna, the team’s mentor. “The senior team’s perfect score on an incredibly difficult cybersecurity competition makes them stand out among all the U.S. teams. I’m sure employers will take notice also.”
The San Antonio area top ranked senior team included: Kyle Volz of Alamo Heights High School, Hector Iruegas of Warren High School, Reed Eggleston of Marshall High School, Carlson Lindley and Eli Ross, who are both homeschooled and Brendan Downs of Warren High School.
The San Antonio area junior team ranked 22nd in the nation included: Isaac Knotts of East Central High School, Eddie Flores of McCollum High School, Rameez Shaukat of Brandeis High School,Ryan Yu of MacArthur High School, Jackson Teige of Seguin High School and Jorge Gomez of New Braunfels High School, who is a senior in his first year of competition.
When the students were asked what led them to CyberPatriot, almost everyone responded that a teacher or fellow student had encouraged them to compete. All but one of the students had professed an abiding interest in computers from an early age.
“I remember first messing with computers when I was four years old,” junior Eddie Flores said.
On the other end of the spectrum, junior Hector Iruegas confessed that he knew nothing about computers before joining the CyberPatriot team.
“My dad is a computer geek who works for Southwest Research Institute,” Flores said. “When I heard about CyberPatriot, I thought it would be interesting to try it out.”
Apparently, it was interesting enough that Iruegas is spending his second year in CyberPatriot as a member of the the top ranked high school senior team in the nation. Iruegas has already been offered admission into Stanford University as well.
Long-term plans for these students point to promising career opportunities. “I’d like to work for either Google or NSA,” said junior Issac Knotts.
“I’m interested in pursuing a double major in cybersecurity and physics,” junior Rameez Shaukat said.
“I’m looking forward to my internship with (the locally based cybersecurity company) Delta Risk,” senior Reed Eggleston said. “I was able to find a possible vulnerability on their website and brought it to their attention.”
The most impressive part of the student answers from both teams was what they considered to be the factors contributing to their CyberPatriot success. Their answers were consistent, regardless of age or year in high school. The students gave answers that were thoughtful, mature and indicative of a great work ethic.
Recognizing the importance of strong leadership figured prominently for both the junior and senior teams.
“Reed (Eggleston) is a huge part of our success—he sets the team dynamic and prepares the team scripts for us to work on,” said senior Carlson Lindley.
“Issac (Knots) and Eddie (Flores) carry our team; they prepare the scripts for the team to practice and they make sure the scripts work beforehand,” junior Ryan Yu said.
Hard work and recognizing the strengths and weaknesses of each team member means each team comes together to form a cohesive package of cybersecurity skills.
“We get along well and we all know who excels at what system, and that contributes to our multilayered understanding of all the systems, how they work together and how deep to look for vulnerabilities,” senior Brendon Downs said.
Both teams agreed with senior team leader Eggleston’s bottom line: “We are all confident in each other’s abilities.”
All CyberPatriot students are offered internships with companies, internships that often lead to job offers. Given the work ethic and skills these students possess, it’s no surprise.
Current high school sophomores from across the greater San Antonio, New Braunfels, and Seguin areas are eligible to apply online now. Early consideration deadline for fall 2016 admission is March 4. For more information visit www.alamoacademies.com.
Douglas MacArthur once reminded us, “Even when opportunity knocks, a man still has to get up off his seat and open the door.” As I consider the look of the business community, growing startup mentality and the enthusiasm for progression in local health care, technology and other industries, I think about what our city is capable of and all the opportunities that are knocking.
In the past year, we’ve watched local investment funds, such as the San Antonio Angel Network launch and the Geekdom Fund continue to grow. Build Sec Foundry, the Cyber Security Incubator was created and is making waves in its progress over the past six months, and the growth does not seem to be slowing. According to the recent 5-Year Economic Impact Study by Geekdom, more than $68.8 million has been raised by local startup companies. There is both incredible brainpower and money to be invested and spent right here in our city.
From a staffing perspective, since I reside in that world, I expect to see the greatest growth in hires and staffing to be industries including cybersecurity, health care and mobile applications. According to the most recent release of the Global Entrepreneur Indicator by Entrepreneurs’ Organization (EO), more than 50 percent of local business owners surveyed anticipate making new full-time hires by the end of Q1. Economic growth is continuing.
The city and our local government have been supportive of making an effort to enhance the technology and IT scene and bring new companies to San Antonio this past year.
What else can we expect in our local economy in 2017? Well, unemployment levels are still — and should remain — at historic lows, and private investments in San Antonio are on the rise. 2017 looks very favorable, and business tax cuts are coming. Now, it is on us — and I put this call out to all local business professionals and entrepreneurs — to keep growth and momentum going to continue to foster a developing San Antonio and cultivate more and more opportunity — to open every door.
Obviously, we must decide which ones to keep open and which to close, but the key is opening them — getting involved. We have to make our mark as business leaders — to create places where people want to work, progress, and be impactful. Get involved — this is a dual role. Be a part of organizations like EO that build and grow you as a leader and help you to inspect every part of your business to support you in continuing to have an economic impact on your city and consumers. And secondly, be a part of activist groups like Tech Bloc, groups that are there to employ change and active progress.
We must invest locally in our growing city — support local businesses, find startups to invest in and be a part of, share new products and services with friends, family and colleagues.
Create more jobs — not just jobs, but meaningful jobs. As we forecast in the staffing industry, employee costs are increasing and more employers are desiring help in attracting top talent. This talent is expressing now more than ever that they are most interested in culture fits, work-life balance, schedule flexibility and high-level impact roles.
Our city is showing great promise, and as we embark on another year, it is on us — on the business community — to open every door. Get involved, be active, make an impact, and provide opportunities to allow others to do the same.
San Antonio needs our drive and dedication. Opportunity knocks, and it’s our job to get up off the chair and answer the door, time and time again.
More than 220 people came out Wednesday evening to celebrate their colleagues’ achievements at the San Antonio Business Journal’s third annual Tech Titans Awards.
The event, which was held at Pearl Stable, recognized 10 people and organizations, highlighted by the Top Tech Exec Award, which went to Rackspace Hosting Inc. CEO Taylor Rhodes and two Special Achievement Awards that were given to University of Texas at San Antonio Professors Glenn Dietrich and Greg White, both pioneers in developing UTSA’s nationally recognized cybersecurity program.
Delta Risk LLC, a San Antonio-based cybersecurity company founded by former military veterans, got a boost to help build its midsize business market share after investors pitched in $3 million, according to records on file with the U.S. Securities and Exchange Commission.
The company raised $3 million in debt among six investors, and didn’t specify any minimum investment threshold, records show. It was not in combination with any merger or acquisition activity.
When reached by email, a company spokeswoman said the funds will be used to build its employee base and expand services to mid-market in addition to sales and marketing efforts.
The Chertoff Group, a Washington D.C. advisory firm for security and risk management, has a majority stake in Delta Risk after a major capital influx of $13.8 million was raised through its subsidiary TCG Diamond Holdings LLC in 2015.
David Leach is the president of TCG Diamond Holdings and principal of The Chertoff Group’s private equity operations.
Delta Risk’s headquarters sit along South St. Mary’s Street inside the One Alamo Center in San Antonio.
The company is hiring nearly a dozen employees across all its offices – two employees are expected to be based in the Alamo City. These positions include a cybersecurity business development analyst for federal contracts and a proposal writer for the company, according to its website.
In July, Delta Risk acquired a competitor in the Philadelphia region named Allied InfoSecurity. It is hiring cybersecurity professionals in that market also. At the time, the company had about 90 employees — the new hiring round will likely take the business above 100 workers.
The inspiration for aiming to sell cybersecurity talent to middle market businesses stemmed from experiences with clients who sought out Delta Risk in disaster scenarios. The goal is for more cyber breach prevention, said the company’s CEO.
“There were firms that in some cases had billions of dollars of annual revenue but were very limited in their security staff,” Scott Kaine, CEO for Delta Risk told the San Antonio Business Journal in July. “They would have maybe one part-time security person.”
Among the three co-founders, Chris Fogle remains most closely involved in Delta Risk operations as an executive adviser for the company.
WHAT IS CYBERPATRIOT?
CyberPatriot is the National Youth Cyber Education Program. At the center of CyberPatriot is the National Youth Cyber Defense Competition. The competition puts teams of high school and middle school students in the position of newly hired IT professionals tasked with managing the network of a small company. In the rounds of competition, teams are given a set of virtual images that represent operating systems and are tasked with finding cybersecurity vulnerabilities within the images and hardening the system while maintaining critical services in a six hour period. Teams compete for the top placement within their state and region, and the top teams in the nation earn all-expenses paid trips to Baltimore, MD for the National Finals Competition where they can earn national recognition and scholarship money.
A cybersecurity venture created by three former U.S. intelligence analysts with local roots got an influx of capital recently to further its development of software to protect critical infrastructure owned by private industry — like the electric grid.
Dragos Inc. is a hybrid product and services startup that creates cybersecurity tools for businesses to hunt for unauthorized users lurking around industrial control systems inside their networks, from nuclear power plants to chemical manufacturers.
The startup raised $1.2 million from DataTribe — described as a startup studio, which is a mix between an angel incubator and a venture capital firm — based in the Washington, D.C., region.
The seed capital is being used to build a threat operations center, or a cybersecurity analyst hub, that can hunt remotely for known and unknown “threat actors” inside a company’s infrastructure.
It costs about $1 million to hire specialized analysts and the equipment needed for the center, according to estimates from PricewaterhouseCoopers LLP. Most threat operations centers focus on hunting for hackers or malware across a company’s computer system, not typically industrial control systems.
DataTribe is an investor group focused on military veteran-led companies looking to commercialize products across cybersecurity from big data to the Internet of Things. It is backed by Deloitte, Allegis Capital and Yahoo Japan.
Alamo City ties
While Dragos has its main office at DataTribe, the startup has a satellite office in San Antonio for now and aims to hire more cybersecurity analysts in the Alamo City in the coming months.
That’s because the company’s co-founder and CEO, Robert Lee, has lived in San Antonio for years after he was transferred to Joint Base San Antonio Lackland Air Force Base. For about five years, he worked as a cyberwarfare operations officer. Lee is now pursuing a doctorate in war studies at King’s College of London focusing on the attack and defense of control systems alongside developing Dragos.
A few years ago, Dragos built a cybersecurity tool called CyberLens that enabled businesses to watch unauthorized users navigate their networks, like a magnifying glass, although it is not the focus of the company’s products currently under development.
The startup aims to stand out from its competitors, mostly high-growth tech startups based in Israel, by leveraging experience securing the U.S. infrastructure while in the military.
“A lot of what’s being developed in the market are built by pure software developers, so they are difficult to use for analysts,” Lee said in a recent interview. “We have our threat operations center not only generating revenue but driving the development of future workflow and tools so that our platform is easier to use for security analysts.”
Assembling a team
In September, Dragos hired Ben Miller — former associate director at the Electricity Information Sharing & Analysis Center created by the North American Electricity Reliability Corp. — to lead its threat operations center.
The other company co-founders were stationed at Fort Meade, an Army post in Maryland with a high concentration of cyberwarfare-related activity, before forming Dragos.
Co-founder Jon Lavender worked as a data scientist and senior network analyst at the U.S. Department of Defense in Maryland for nearly eight years. Justin Cavinee was a software developer and senior network analyst for the Defense Department.
Dragos was one of several companies from the private sector selected recently to begin working on a test bed with the University of Illinois at Urbana–Champaign. The university was awarded an $18 million grant from the Defense Advanced Research Projects Agency to develop technology that would enable the U.S. electric grid to recover after an attack on its infrastructure.
Dragos was founded in 2013 under the name Dragos Security LLC and was later incorporated as Dragos Inc. Matthew Luallen was one of the Dragos Security co-founders, and in September he started a new company, CYBATI, which focuses on education in critical infrastructure and control system cybersecurity.
With cybersecurity affecting many aspects of everyday life – from cyberhacking and breaches of personal data, devices connected to the internet, and even voter databases – the new Cyber Talk Radio show on News Radio 1200 WOAI fills a growing need to stay current on the latest in the technology industry, especially the cybersecurity space.
Jungle Disk CEO Bret Piatt hosts the weekly show and features guest speakers who discuss cloud computing, cybersecurity, and internet trends facing businesses in industries such as health care, financial services, real estate, and legal professions.
The Rivard Report interviewed Piatt to find out more about the new Cyber Talk Radio show.
Rivard Report: How and why did you decide to launch this radio show?
Bret Piatt: WOAI came to our Jungle Disk ribbon cutting and said they’ve been looking for someone to host a cybersecurity radio show. This sounds like a lot of work, but we’re passionate about this.
We feel like it’s a matter of preparation and taking advantage of an opportunity. We have a great team at Jungle Disk, with some of our staff who happen to be sound engineers. We were able to build a sound recording studio right here in the (Jungle Disk) office. On our team, we have the people that are experts at building a recording studio and (editing) sound.
We’re passionate about doing this weekly show because we think it’s important to help our listeners by telling local cybersecurity stories. We’re at a point now where we can devote the time and resources to highlighting these local stories.
RR: What’s the general format for the show?
BP: We do a long format sit down interview discussion with experts on various cyber topics. We’re on air for an hour. The first half of the hour we’re generally going through the high level explanation of the topic and providing detailed background. Then in the second half, we have the cybersecurity related discussion on that topic with our guest expert.
We broadcast Saturday at 11 p.m. on 1200 WOAI. We catch the folks leaving the Spurs game, or the ones relaxing on a Saturday night.
In case of a late running West Coast Spurs game we get bumped to a new time – and that’s understandable.
RR: What has the reaction to the show been so far?
BP: The audience is growing every week. The show is now available on the iTunes podcast service after the fifth episode. You’ll see 10 segments so far, with each show split into the learning segment and the cybersecurity segment.
We have gotten multiple requests for guests to come on the show to talk about various cybersecurity topics. That’s the first major milestone – when you have a queue of guests lined up waiting for opportunities to come on the show.
RR: What do you hope to accomplish with this show?
BP: We have guests lined up through the end of the year, with some slots still open in December. We intend to discuss relevant cyber topics which are new even for a highly technical audience, but we’ll use the learning segments to help frame the topic for a general audience. In short, we aim to cover cyber topics typical for the WOAI business listener, “from the dark web to your radio dial.”
To tune into the show live, listen to News Radio 1200 WOAI on Saturdays at 11 p.m.