 Hi, everyone, thanks for coming. So looking around this room, I think it's safe to say that every single one of you can probably remember living your daily life without the internet. Honestly, even for me, that time is a little bit hazy, but I still can't remember it. But kids who are born after the year 2000 have never lived a day without it. And I was curious a while ago to see how that generational gap was playing out. And whether kids who were 15 or younger had any concern about the dangers that face them in their connected world. And it turns out that there is a group of kids around the country that is very interested in cybersecurity and really thinking about these challenges. And they're looking to do something about it. So I traveled around the country to find 15 kids under 15 years old who are rising stars in cybersecurity. And this is a real thing. They are wearing braces, and they're carrying backpacks, but they're also protecting school networks and hunting software bugs and helping to safeguard electric grids. I'm Sarah Forcher, deputy editor of Passcode, a section at the Christian Science Monitor that covers security and privacy in the digital age. I'm very happy to have with me one of the rising stars from my piece, Paul Van, who is 14, and the CEO of VanTech Cyber LLC. So thank you for skipping school to be with us today. And we have his father, who is also Paul Van. And he's the technical director for international programs at Raytheon Foregound Security. But before we get to this conversation, I do want to introduce you to some of the other kids who were in the piece show you really what they're up to around the country. And we have a few short videos from the project. The first is someone who goes by the name of Syfy. If we could play that video, please. No one at my school really knows that I am Syfy. And you know how superheroes go by? There's a superhero named Superman instead of the villains don't know where to get you. So it's really nice to be able to kind of go into Syfy mode and be all hacker and then to not have to worry about that at all. To keep her alter ego a secret, Syfy refuses to reveal her real name when she's talking about her security research and wears sunglasses to make it harder for people or facial recognition algorithms to recognize her when she's being photographed. She lives in Silicon Valley and is responsible for the disclosure of security weaknesses and hundreds of products from mobile apps to smart TVs. And she's the co-founder of Roots Asylum, which is a security conference held every year alongside Black Hat and Def Con in Vegas and drew about 600 kids this past summer, half of them girls and half of them boys. And then there's Christopher. I hacked into the Xbox One at the age of five. I was desperate to get into games I weren't allowed to play. When I jammed the buttons, I probably saved Microsoft's VUT and security is important because if hackers got into all these internet controlled devices, we would really have no fun. Christopher was born in 2008, which is the same year that Apple launched its app store. And when he was five, he found his way around the parental controls on his parents Xbox One, which was meant to keep him from playing violent games like Call of Duty. And when Microsoft fixed the flaw, he made their list of security researchers who found dangerous vulnerabilities in Microsoft products and became officially known as the world's youngest hacker. And then there's Rubin. So when I get older, I want to be a business man by day and a cyber spy by night. Those people ask me, what is a cyber spy? And I tell them, it's somebody that is stopping foreign threats for the USA, for the government, doing the right thing ethically, and having fun while doing it. We might have some people who meet Rubin's definition of a cyber spy in the room right now today, but he's the country's youngest second degree black belt in the Shaolin style of Kung Fu. And he's also a CEO at the age of 10 of Cyber Shaolin, which is a company that teaches kids about cybersecurity through a digital black belt program. So there's videos and quizzes. Let's see you advance through the belts. And he's presented his research in front of huge audiences from India to the RSA conference in San Francisco. And then we have Paul, who is with me now. And I first met Paul last summer in his lab in Fredericksburg, Virginia. And you can see a little bit of that in this video. When I try to get people such as professors or other people to try and look at my ideas and look at the projects I'm working on, it's really hard because as a kid, they don't really respect you as much as they'd respect it at all. I have a plan almost for what I want to do. I want to use these projects that I'm working on, start up the company, and then I want to have all my employees be working in their certain fields. That's my goal. And I think we need a building and we definitely need more employees for that. OK. So now that you've seen where Paul's company is based, I want to turn it over to you. So why don't you tell us a little bit about your cybersecurity company that since that time that the video was taken, you've actually started and registered as a company. So last year around September, I officially registered my company as an LLC under the name of Vantex Cyber LLC. And about a couple of weeks later, I released my website at vantexcyber.com. And basically, my goal for the company was to provide cybersecurity services and products that help ensure our customers' data security and information security. So where I am right now, I have two penetration contractors who are able to provide penetration testing services for us. All we're looking for right now is work. And once we have that, we'll be able to start making a profit. Great. And so how did you first get interested in cybersecurity? When I was around 10, my dad took me to Shmucon two years in a row, two consecutive years in a row. And I really liked all the talks there. And I really liked the environment and everyone who was there. And a couple of weeks later, after my second time going to Shmucon, my dad got me the book Ghost in the Wires by Kevin Mitnick. And I read the whole book. And I really liked all the stuff he was doing. But I didn't like the unethical stuff he was doing. But I liked the general playing field of all the cybersecurity stuff he was doing. And so was there one first hack where it really clicked for you that this is something that you wanted to invest a lot of your time in? When I was around 11, I got permission from my neighbor to crack the password of his Wi-Fi and break into it and see if I could break into it. Yeah. And how did that make you feel to go through that challenge? It made me feel, first of all, it made me feel like there are too many things that we're able to be broken into. And people's valuable data and the things they pay for can be broken into. But it also made me think that to go to the ethical side of cybersecurity, not the unethical side, in order to protect those types of things from being attacked and not actually be the person attacking those. How did you learn about those ethics? You mentioned you didn't really like the unethical stuff in that you read in the book. But is there a way that you formed your own moral compass in this space? Well, I kind of thought that people pay for a Wi-Fi router. They pay for Wi-Fi. They pay for that service. So I think that that should be protected. And that shouldn't be something that people can break into. And I think that I was thinking that if I was unethical, I'd just be adding another person who's going to break into that stuff. But if I was an ethical hacker, I would be someone who would be protecting those things and not actually breaking into them. And so I want to bring you into the conversation as well. How do you support his interests when he comes to you at 10 or 11 having read the Ghost in the Liars book and wants to get involved in cybersecurity? Sure. So I think the easiest answer is he helps me want to learn more as well, right? I mean, as we get older, we get set in our ways. So it's easy for me to continue to provide him with different tools and products because I'm hoping it's something that I haven't learned yet. We can kind of learn it together. Nice. And so what about ethics? Do you play a role in teaching him what's right and what's wrong in this space? Because it seems like some of these things can be kind of murky. Sure. I mean, he's a bright kid. He understands the difference between wrong and right. I think if I had one of my other two kids up here, it'd be a different story. But I haven't had to guide too much. There's been a few times he's had questions about hacking and what you can and cannot do. And he understands that permission is required for anything that we do, right? And so when he comes to you and says, I want to hack the neighbor's Wi-Fi, they said yes. I say which neighbor? Yeah, I think we had them over for dinner one night. And he had asked, can I chat with them about just cracking their password? And so he had that discussion with the neighbors, and they knew to change their password when he was done. Great. And so what was the first big project that you tackled in cybersecurity? I know you've spoken at a few conferences. Back in 2015, I spoke at DerbyCon on a honey pod I built. And I used, it basically looks like a fake NSA login portal that I programmed. And I wanted to measure all of the metrics of how many people would want to break into and how many people would want to actually attack. What they thought was an NSA login portal. And I wanted to see, just in general, how many people were interested, how many unethical hackers were interested in actually attacking that. And what did you find in that project? I found that there were, I don't have an exact number, but I found there were a lot of people who were interested in attacking that and trying to find what was behind that login portal. And that kind of led me to want to create a solution to prevent someone from breaking into that if that were the case, if it were released like that. So from what countries were people trying to log in to your fake NSA portal? And do you think that they knew that it was, I think 12-year-old at that time in Virginia sitting and creating this? I saw a lot, I saw a lot of different countries and locations being put out and being attacking it. But I did see a lot of China and Russia and places like that. And I also, I don't think they thought it was a 12-year-old, but I do think that some of them may have realized that it was a honey pot that was being built, but I don't think they would have realized it was a honey pot being built by some of my age. And so you were also dabbling in critical infrastructure threats, can you tell us a little bit about your research on black energy? Yeah, in the last year and a half, I've done a lot of research using tools such as Maltago Threat Connect and Google Dorking to get as much data and information as I could on the black energy malware. And I wanted to research- It's just a posie there, which was what? What was the black energy malware? The black energy malware is a malware that has been being used to attack the Ukraine energy sector. It has been used three times to shut off the power in Ukraine. And it's also a dangerous, it's a threat to the energy sector. So I first did a lot of research in the energy sector and the threat of cyber security to pipeline, the pipeline industry, and then into the energy sector. And after that, I realized one specific threat was the black energy malware. So I found information such as IP addresses, aliases, net blocks, and a lot of other information on the black energy malware itself and the team running the black energy malware. And I just recently gave a talk on it at Raytheon Foreground Security Conference. And so as a team, how do you view the threats that the country is facing? And what do you think is the most pressing cyber security challenge? I'd say the most pressing cyber security challenge would be against our energy sector. It's been a lot of research I've done personally, but I also think because that's a major, that's a resource that all Americans use, that all Americans use, and if that were to be attacked, then we would be at, then it would cause a lot of disruption and the different other industries as well. Do you think that kids have a responsibility to try to tackle some of these challenges? Yes, I do because as we grow, if we can get the information now, we can learn it now, we'll be able to better protect ourselves and our energy sector in the US from cyber threat in the coming years when we're adults and have jobs in the industry. How do you look at that? Do you think that as someone in the industry, what's it like looking at his progress and challenges and what's motivating him at his age? Sure, first thing is I think it's very important if you have children that are interested in not only what you do, but other things that adults do to make sure that they're kids first. So with him, it's not been a challenge to keep him social, keep him active in school activities and sports, being able to guide them in the right direction, but still making sure that they know they're not adults yet, and that's the difficulty I think I have with him sometimes is you got a lot of stuff to do first and a lot of times he wants to do five things at once, five cyber products, let's say, and it's like, let's learn one at a time first. So getting them to slow down a little bit and understand that it's a much bigger world than just what you're looking at right now. What advice would you give parents who are not in the cybersecurity industry, but their kids might be trying to delve into the cybersecurity space? One of the first things, I mean, I go to quite a few conferences and I've met quite a few parents who are not in the industry and they've brought their kids there and you can spot them pretty easily. The parents actually, they're not in cyber, but maybe their kids are. So getting them involved with something. What's a telltale sign? Just walking around looking like, where am I? Yeah. I mean, you can see it. So getting them to things like that, I mean, no matter where you live, there's cyber conferences all over the country now. There are so many good books that are teaching cyber today, whether it be tool-based or malicious malware-based, just get them anything you can to help them. There's so many websites out there. I mean, in this room we all know them, but going to the public schools and talking to other parents about that up front can really help share that information with them. And there is also something that's come up a lot even today. It's just the workforce challenge. Do you see kids like your son and other kids that you see at these conferences playing a role in bridging that, even though they might not be immediately eligible to go and work? I mean, the shortage, as we all know, is so large. I mean, I think the last statistic I saw was like 1.4 million in the government alone. There's not that many 14-year-olds that are in cyber, so it's gonna continue to be a challenge. I think it's gonna continue to get worse before it gets better. There's not enough colleges and universities that really teach how to be a cyber analyst or how to be a computer network defender. So if we could start pushing our colleges to teach that more, I think that'd be helpful for that job shortage. And so do you think that it's harder to get taken seriously as a kid? You mentioned that in the video. What are some of the challenges that you faced? So it's harder when you're like a kid or a teenager because they don't recognize you as much as they would as an adult. So when you're trying to talk to someone who's like, for example, like a professor on an idea or a higher-up on an idea or anyone on an idea, they'll take an adult more seriously, but they won't take a kid more seriously because they don't really think that they're as skilled as an adult would be in that field. So how do you plan to overcome this? Kind of just show that I am skilled in the field, like show that I'm not, I know what I'm doing and I'm not oblivious to certain things. And so one last question and we'll kick it to audience questions. What is one stereotype of a kid hacker that you wish wasn't around? They kind of don't know what they're doing. They're kind of just trying to have some fun and learn and they're not actually trying to make it change in the cybersecurity industry. Great. Okay. Does anyone have any questions for the Van family? No. We have one question over there. Hello, I'm Zachary Truex. I actually am in projects for going to Mary Washington. And I'm curious, you are very big into ethics, which is very fascinating to me when we see a stereotypical hacker not being ethical doing it because more or less they're bored. What do you see, what kind of role do you think a government should play in when it's coming to an ethical code when it comes to businesses or individuals who are in the hacking community? That's it. Okay, so just to repeat the end part of your question, it was a little, so what should the government play when in coming up with an ethical code for hackers? Oh, okay. Okay, so I think that they should first, I think they should first address that you got like the big point of permission, like that I think if they were to create an ethical code that there has to be a specific guideline that you have to have permission. And if there isn't permission there, then that's unethical. That's like, that would be the big thing for me. And then another thing would be if it harms the system and isn't fixed, but if it harms the system and it is fixed, then it's fine. But if it harms the system and isn't fixed and that I consider that unethical. So I think they should look into those two major things is if it's harmful and if they have permission. Very thoughtful response. Yes, so we have another question in the middle here. Do you plan on going to college? Yes. So what would you look for as like a future college graduate than in a program around something that would teach you operational roles in your field? I think that'd be a good opportunity. I think I'd be interested in going into that. Is there something in a school when you start applying that you would want to look for when you're choosing and making your decision? I'd like to look for a very science and tech related, like a science and tech related school in a school that has like, that focuses on that technology and that computer science and things like that. Any last question? Yes, in the back there. I'm one of those university administrators you're talking about and we have a desperate shortage of young people who want to go into this field. I also was at the Naval Academy where we topped out at 5% of a class that wanted to go into cybersecurity. So a question to the young band would be do you find your classmates natural affinity or natural connection to the computer rising or do you find you and your colleagues kind of an exception even among your year group? I do feel that. There are some of my peers that are in school who are interested in it but can't find the resources to actually get into it. And that's like one problem. Like I think that with young people in cybersecurity is that the resources aren't present. You have to go and like find them. And but I do think there are people I know as peers at my school who are interested in it and who want to go into it but they don't know where to start. And so yes, I do think that they're, my peers are being more, are more computer inclined, more cybersecurity inclined. It would like to go into that field but they just need more of a, they need more of like a path to go on. They need to know what they need to do first and then they can probably, then like where to go and what to do. So last question just for you. What is your, what is at stake for you personally? If you think about your life 10, 20 years if these from now when you're 24 and 34 what does your life look like if these cybersecurity problems are not fixed? Well, I'd like, then I would have my, I would like my company to focus on fixing those problems and building solutions that and products that would help fix those problems and working with people who would support that and help fix the, and help fix the problems. Okay, okay. I think that's all the time we have. So thank you very much for joining us.