
NSA's boot camp for cyberdefense

Air Force Capt. Mike Henson explains to CNET what the annual Cyber Defense Exercise is about and what the military hopes to achieve.

Daniel Terdiman Former Senior Writer / News
Daniel Terdiman is a senior writer at CNET News covering Twitter, Net culture, and everything in between.

If you're the kind of person who worries about the security of computer networks, you should know that the National Security Agency is worrying about it too.

Since Tuesday, the NSA has been conducting its 10th annual Cyber Defense Exercise, a competition that pits students from several military academies against each other--and against the competition's leaders at NSA--in a bid to see who has the best cyberdefense skills. The idea? To "build and defend computer networks against simulated intrusions by the National Security Agency/Central Security Services Red Team."

The competition will last until Friday, when that red team, or "red cell," as it's known, will cease its attacks on the students' newly built networks. The goal is to help the students learn about information assurance and how it is used to protect the most vital information systems in the United States and Canada. As they work, the students must defend their networks and offer up consistent reports on what they're doing and on the attacks they're identifying.

This year, eight academies are competing: the United States Military Academy (West Point); the United States Naval Academy; the United States Air Force Academy; the United States Coast Guard Academy; the United States Merchant Marine Academy; the Naval Postgraduate School; the Air Force Institute of Technology; and the Royal Military College of Canada.

The exercise is being hosted by Lockheed Martin in Greenbelt, Md., and during the four days of the competition, NSA and U.S. Department of Defense personnel are acting as evaluators--even as the NSA's red team challenges the students with constant network attacks, all of which must be "publicly-available, well-documented vulnerabilities." The competition takes place on a closed network that does not access the Internet.

At the Air Force Academy, one of the instructors helping the students learn how to construct cyberdefenses--and prepare for the NSA's exercise--is Air Force Capt. Michael Henson. He agreed to answer some questions from CNET about the competition, which has been won by West Point for the last three years. However, the Air Force Academy won in 2006, and Henson surely believes that his charges will take the crown in 2010.

Q: Explain the major elements of the competition?
Henson: The students must build a network with all of the services required by the NSA's directive--including e-mail, file sharing, network printing, a Web server, and a bulletin board system. Their mission is to keep those services running while thwarting attempts to compromise our systems. We typically start off with a set number of points and lose points for either a service outage or a successful compromise of our systems. This year, all teams built their service-providing systems from scratch while we received our workstation virtual machines from the NSA. We have also been directed not to patch the workstations until we receive approval. It is expected that the NSA will find their way into some of the systems regardless of how tightly we attempt to lock them down, and this is when our students actually tend to learn the most. They need to attempt to understand how the attacker got in and how to mitigate the problem instead of just restoring to a backup. Hacking back has been forbidden for as long as I've been involved in the competition, although this year our students will have a few hours on Friday to go after some flags on a network the NSA has set up.

Students at the U.S. Naval Academy participating in the 2008 NSA Cyber Defense Exercise. (Photo: U.S. Naval Academy)

What are the major threats that students must defend against?
Henson: The threats tend to cover the full range, from downloaded attachments and links taking our users to malicious Web sites to direct scanning, enumeration, and attempts at exploitation. We have seen, for instance, that some of our servers have been targeted with buffer overflow attempts, cross-site scripting on our Web server, and so on. Much of what the NSA uses against us is also happening out in the commercial Internet today. This year, we have a new twist in that the NSA has provided us with a gray cell member to simulate an uneducated user. This has caused us considerable difficulty since that user is clicking on every link that comes along and downloading and executing e-mail attachments.

What are the most challenging aspects of the competition?
Henson: Unlike many of the cyberdefense competitions running today, our students have to design, build, secure, and defend their network against attackers from the NSA. In many of the other competitions I've seen, people are given access to a network that has already been designed and told to secure it the best they can. Those types of competitions certainly provide value, but adding the design and build components into the competition requires our students to do a lot more work. It provides them an opportunity to have to make decisions that aren't that different from some they'll face when they commission and go on active duty, such as weighing the benefit of different operating systems with regard to both usability and default security. The other part of the competition that is really challenging is that our cadets have never built a network like this from scratch, so they have to spend plenty of time in trial and error, especially with some of the more obscure systems they set up.

How does the education the students get prepare them for the competition?
Henson: The education we provide gives our students a broad foundation from which to make critical decisions whether they are commanding troops or defending a network. Additionally, many of our cadets are also pursuing the cyberwarfare track within the computer science degree, which requires that they take a cryptography, information warfare, and a network security course. To enable some of the training that's also required for a competition like this, we have a Cadet Cyber Warfare Club that provides a sandboxed network where cadets can learn the craft of network defense.

What tends to make one academy's team better than another?
Henson: This is a tough question but I think the answer is the right mixture of highly motivated students and plenty of faculty support to help when they get stuck on a particular problem. Our cadets spend many hours and some late nights in the lab preparing for the competition. There's also a lot to be said for experience. This is the first year that we have made a concerted effort to have multi-year participation from cadets.

Can you think of any defense innovations that have come out of the competition in the past?
Henson: Most of the innovations that have come from great "out of the box" thinking during the competition are too much of a violation of the psychological acceptability design principle to really be feasible. For example, one school decided to run its Web pages off of CD so that they couldn't be changed. While that worked to stop changes to the Web site, it probably isn't very practical for most companies that need a more dynamic option. One thing I would mention here is that there is a capture the flag event scheduled for Friday, which will be testing out some of the security guidance provided by an office at the NSA. If our students are successful at getting into that network, it may result in some changes to security guidance.

Talk about how the competition has evolved over the last few years?
Henson: The competition has evolved in several ways since 2001. One of the most obvious ways is the amount of support and the number of players. The competition started out between a few of the schools and now we're up to eight competitors. Also, the number and sophistication of required services has grown over the years. Scoring for the exercise has also seen some dramatic improvements from the early days. Currently, there is a Web site which gives initial indications of the status of all of the important services. We also have a white cell liaison at each of the locations to help adjudicate the points. Another positive evolution has been the move toward a "fighting through" policy instead of that of the "fortress mentality" of past years, which means that some of the techniques used to lock systems down in the past have resulted in minimal, if any, successful compromises by the red cell. While this helps a school to win the competition, it's fairly unrealistic in practice and could lead to students getting the wrong idea about security. Instead, all of the faculty have agreed that it is important for the students to be exposed to situations where they can't guarantee a system is 100 percent locked down and have to react when that system is inevitably compromised.

How much more sophisticated are the students today than they were a few years ago?
Henson: This is interesting, since we are often told that the younger generations are much more capable with computers and being connected in general. What I tend to find is that many of our students are very adept at sending e-mail, and using social-networking sites and so on, but don't tend to have a grasp on what's happening "under the hood."

Can you think of any great anecdotes from the last few competitions?
Henson: We take pride in the fact that our cadets are able to think on their feet about networks and security. For example, there are exercise "injects" whereby the students are faced with a brand new task or challenge. Last year, one of those challenges was an unruly Web crawler that was causing problems and gathering information on our Web site. NSA commended Air Force Academy cadets for their quickness in researching and implementing a solution. It's that type of critical thinking that will be of paramount importance for these future officers.