Skip to navigationSkip to content
An art and message board is seen in a hallway at the new headquarters of Facebook in Menlo Park, California
Reuters/Robert Galbraith
Get cracking.

There’s a hacker shortage, so Facebook is turning to middle schools

Joon Ian Wong
By Joon Ian Wong

Technology Reporter

This post has been updated.

Facebook has arranged for hundreds of kids, from middle-school age up, to play a hacking game that it’s developed—because it’s having trouble recruiting for security roles.

The company has been arranging competitions using the tool for years, but yesterday (May 11), it open-sourced the game in the hope of exposing more people—including kids, the Facebookers of the future—to the skills involved in cyber security work.

“A software engineer job gets filled in a month,” said Javier Marcos, a security engineer at Facebook. “But a security engineer job gets filled in six, seven months.”

Mark Zuckerberg, Facebook’s founder, is famous for espousing “the hacker way” as a philosophy for life and business. But is Facebook really comfortable asking middle-schoolers to start imagining ways to break security systems? “Becoming a hacker is not a bad thing; it’s a person who finds an innovative way to solve a problem,” Marcos said. “But we’re not encouraging people to become criminals.”

It’s not just Facebook that’s facing a shortage of security engineers. A survey by ISACA, which certifies security professionals, showed that more than half of companies had to wait between three and six months to fill security jobs last year. Some 9% of those polled never found a suitable candidate for vacant positions.

A screenshot from Facebook Capture the Flag.

Facebook’s game is called Facebook Capture The Flag, and it’s played a little like the classic board game Risk, in which teams compete to control the most territory. The twist is that players must answer questions related to information security, and sometimes hack a website or service, in order to gain territory. Now that it’s open source, anyone can organize a session themselves, or contribute to the underlying code. Facebook is also offering cash rewards to people who find bugs in the code.

Facebook started organizing games itself three years ago, even supplying physical equipment, like servers, to make it possible: ”At the beginning, we were bringing hardware with us,” Marcos said.

But the game’s popularity meant that demand began outstripping supply, prompting a small team at Facebook to adapt the software into the open-source version it just published.

It’s already had some success as a recruitment channel for the firm: one of the engineers who built the latest version of the game joined after he got interested in security issues while playing it in college. ”It’s hard to find enough engineers to go to all these places,” said Marjori Pomarole, who works on security infrastructure at Facebook. 

The game has proved popular inside Facebook as well. Marcos used a version of it for employees during “Hacktober,” which the company observes every October to raise awareness about security issues. The game, with a leaderboard that everyone in the company can see, turned the normally tepid engagement on security topics into a fierce competition, with 8,000 staffers taking part.

Marcos hid made-up bugs for players to find, but employees were so intent on rooting them out that some actual flaws in the infrastructure of Facebook itself were discovered in the process. The eventual winner, an employee in Dublin, racked up over 10,000 points, about three times more than his nearest rival. “People were going crazy, reporting every single thing they could find,” Marcos said.

The winner received the grand prize, a wifi analysis device, among other goodies, including a coveted T-shirt bearing the Hacktober logo:

Facebook
Facebook’s Hacktober logo.
Subscribe to the Daily Brief, our morning email with news and insights you need to understand our changing world.