The US Department of Defense is funding research into how hackers hack, with an interesting twist. It wants to wire them up with body monitoring equipment to measure how they react while hunting down and exploiting security flaws.
The study is running this month and next at what’s described as a high-security nuclear science facility run by Sandia National Labs in Albuquerque, New Mexico, according to official documents seen by The Register. Sandia is a Honeywell-owned US government contractor tasked with researching and designing components that go into nuclear bombs, among other work.
Infosec professionals recruited for the research will each be given two days to participate in a standard capture-the-flag competition – in which hackers race to compromise secured systems – using Kali Linux laptops, as well as solving some puzzles and filling in questionnaires.
They will not be attacking live production machines, but it’s understood they will be competing in environments similar to Uncle Sam’s real-world networks. The aim, we’re told, is to figure out which combinations of hardware and software are the easiest and hardest for seasoned pros to infiltrate, and how they physically and mentally cope with the challenge.
Some 120 penetration-testing experts are being sought to take part, and the pay isn’t too bad: depending on experience, it’s between $60 and $90 (£46 and £69) an hour for a total of 16 hours, with travel and hotel accommodation covered. You must be an American citizen to participate.
“This contract is for a study in which we will have numerous participants attacking various configurations of computers within a network simulation,” the brief, seen by El Reg, reads.
“Our goal is to understand which configurations are the most secure on average, and why. Thus, we intend for multiple participants to face the same challenges in order to produce statistical samples.”
The agenda for each day: meet at Sandia’s Cyber Engineering Research Laboratory at 8.30am, get cracking on the capture-the-flag task at 9am, break for lunch from food trucks at 11.30am, get back on the hacking at 12pm, complete cognitive tasks and fill out paperwork at 4pm, and wrap up at 5.15pm. The study is sponsored by the US Department of Defense.
Essentially, it’s two days out of the office with some fun patriotic hacking, and the opportunity to meet other specialists, trade tips and tricks, and enjoy a break in New Mexico during the winter months. But, wait, what’s that in the small print on the contract?
All participants will be asked to wear a wristband that will measure their heart rate and perspiration during the competition. The hardware is the Empatica E4, which is not a cheap bit of kit – each unit sells for $1,690, Americans’ tax dollars at work right there – and has electrodes on the inside to measure skin galvanization.
“I was set to go, but I’m somewhat rattled by the bio monitoring,” one information security expert approached by Uncle Sam told us, speaking on condition of anonymity.
The Sandia study is titled “Science of Cyber Defense (Tularosa)” and will be led by Dr Robert Abbott, who previously designed student evaluation tools for the US Navy’s flight simulators.
“You have been identified as having skills in host and network penetration,” the brief for the New Mexico experiment continued.
“In addition to the capture-the-flag exercise, we are conducting a research study to collect and analyze information on how people think and react while performing these tasks, in relation to their individual characteristics.
“This research study is being funded by the US Department of Defense, and conducted to test cyber-defense strategies, and how different individuals think and respond to the strategies as they, as intruders, attempt to exploit the computer network.”
The study was cleared by an ethics panel, we’re told. Test subjects cannot talk to the research team, nor ask them questions; instead, the hackers must direct any comments or queries to officials at the US Department of Energy’s Human Subjects Protection Program.
In the world of psychological testing, it’s sometimes crucial to never tell the subjects the real purpose of a test just in case it skews the results. One wonders what the US Department of Defense is really up to with this study. Perhaps the top brass are hoping to install security defenses on production networks that will literally give miscreants a heart attack while attempting to break in from afar.