Skip to main content
Part of complete coverage on

Pentagon trains workers to hack Defense computers

By Larry Shaughnessy, CNN Pentagon Producer
The idea behind the Pentagon's training is that thinking like a hacker can beat a hacker.
The idea behind the Pentagon's training is that thinking like a hacker can beat a hacker.
  • "Certified Ethical Hacker certification" trains employees to defend computer network
  • Almost 45,000 attacks on Defense computers reported in the first half of 2009
  • Aim of hacker training is to help workers protect the system from real hackers

Washington (CNN) -- The Pentagon is training people to hack into its own computer networks.

"To beat a hacker, you need to think like one," said Jay Bavisi, co-founder and president of the International Council of Electronic Commerce Consultants, or EC-Council. His company was chosen by the Pentagon to oversee training of Department of Defense employees who work in computer security-related jobs and certify them when the training is complete.

The Department of Defense does not consider this hacking.

"DoD personnel are not learning to hack. They are learning to defend the network against hackers," said spokesman Lt. Col. Eric Butterbaugh.

But the EC-Council calls the program "Certified Ethical Hacker certification." The purpose of the training is to teach Defense Department employees to defend their computer network.

Almost 45,000 attacks on Defense Department computers were reported in the first half of 2009, according to a government report. The report estimated that for all of 2009, the number of attacks would be up 60 percent from the previous year. Fending off the attacks costs the Pentagon about $100 million.

Bavisi said the training focuses on teaching the art of hacking, using the same tools and tricks that traditional hackers use to break into computer networks.

The basic concept is Defense Department employees would use the training to hack into the department's computers, Bavisi said. Once the ethical hackers find the vulnerabilities that unethical hackers could use to attack, they increase the security to remove the potential threat. He said they are like bodyguards for the Defense Department network. Their only goal is to defend the network, even if the means of doing so are similar to those used by cyberattackers, Bavisi said.

This kind of training has been done before in the Defense Department on an ad hoc basis, said Bavisi. Now every Defense Department agency and unit is required to include hacker training as one option for employees involved in cybersecurity.

EC-Council has 450 training partners that will handle standard "ethical hacking" training, which has been used by civilian agencies and private businesses for years. If a Defense Department agency wants its employees to focus on a particular type of hacker training, EC-Council will perform customized training.

The training requires 40 hours of instruction and 4,500 pages of reading on the latest hacker techniques.

Bavisi said that Defense Department employees who complete the training and certification will not be assigned to use their new knowledge to hack into privately owned or civilian computers. But he said that any kind of training, including ethical hacking, could be used for nefarious purposes.

"You can teach me to cut an apple with a knife, and I can turn around and stab you with the knife," Bavisi said.

EC-Council will be paid a fee per student, between $450 to $2,500 depending on the extent of the training and certification. It won't be clear for months exactly how many students will be trained.