Military academies take on NSA in cybersecurity competition

'Cyber Defense Exercise' pits spy agency spooks against students from West Point, Annapolis and the Air Force Academy

The annual cybersecurity competition that pits teams from the nation's military academies against one from the National Security Agency began Monday at a facility of defense contractor Lockheed Martin.

Now in its eleventh year, the Cyber Defense Exercise (CDX) gives students from West Point, Annapolis and the Air Force Academy an opportunity to tackle the kind of daily challenges facing cybersecurity professionals.

They'll be detecting intruders, eradicating malware and adapting to increasingly sophisticated and dynamic adversaries.

Lockheed Martin coordinates CDX with the NSA. The defense contractor, which provides cybersecurity technology to the spy agency, sets up  a private network for the exercise, which links all the academies with  Lockheed's facility, in Hanover, Md.

The company also provides technical support for CDX preparation and execution.

Exercises like CDX allow students to get a feel for what it's like to be under attack, said Bill Stackpole, an associate professor who teaches network security at the Rochester Institute of Technology. He also coaches RIT's team that competes in the Collegiate Cyber Defense Competition (CCDC), which is an intercollegiate version of the CDX.

"If you were a boxer, and you never stepped into the ring before and Mohamed Ali or Mike Tyson gave you a couple of pops, it would be difficult for you to defend yourself had you never had any practice," he told CSO. "These competitions give you practice on the receiving end."

Cybersecurity competitions typically have a "red" team that act as adversaries for the students defending their networks.

[Also see: DHS eye kindergarten for next generation of cyberscurity pros]

In CDX, the NSA provides the red team. "The NSA is out there pretending to be the bad guys," CCDC Director Dwayne Williams said in an interview. "Their job is to break into each of the military academy's teams' network, steal information from them, shut down their services, degrade their capabilities -- that sort of thing."

Both the CCDC and CDX competitions focus on similar skills, he continued. They include working in a team, securing and defending a network and hands on practical experience that can't be had in a classroom or lab environment.

However, the attacker profile of the red team in CDX is a little different from the one on the collegiate level. "In the CDX, they're far more likely to concentrate on the attacker being an opposing nation-state or a terrorist organization," Williams said.

"Within CCDC, we don't put a face or name on the attackers. It's just the bad guys. They could be organized crime, a rival company or a rogue nation state," he said.

However, he added, the attack tools are the same -- probe the network, scan the network, break into the network, put in backdoors, steal  information, set up dummy accounts and disrupt capabilities.

One drawback to cybersecurity competitions is that they're not terribly realistic, contended Stackpole. "The time frame is very limited," he said. "That requires those who are trying to break into the infrastructure a little more overt and little less covert."

"If this were an actual player -- someone really interested in breaking into your infrastructure -- the chance of them being 'loud' if they're trying to remain undetected is very low," he said.

Realism is less important for these kinds of exercises than communication, contended security guru and author Bruce Schneier. "The goal isn't be realistic; the goal is to be an exercise," he said in an interview. "I'm glad they're doing it. This is how we learn stuff."

"The fact that they're talking to each other is great," Schneier said.

Join the discussion
Be the first to comment on this article. Our Commenting Policies