Cadets keep NSA crackers at bay

Cadets and midshipmen from the nation's service academies faced off last month in real-world cybercombat. They used all their skills to keep production networks up and running while under attack by National Security Agency experts. In the end, the U.S. Military Academy at West Point kept the coveted NSA Information Assurance Director's Trophy it won last year.The exercise 'was a lot harder than talking about it in class,' said West Point cadet Chris Gates of Little Rock, Ark. 'Until you fail, you don't know how hard.'Wayne Schepens, an NSA visiting fellow, called the exercise 'a win across the board from the NSA's perspective.'The second Cyber Defense Exercise was the first in which all the service academies participated.There was 'a phenomenal increase in the skills of the cadets,' said Lt. Col. Daniel Ragsdale, assistant professor of computer science at West Point. 'They were better prepared and better organized. All the things we taught them about defense in depth and breadth, they implemented.'The exercise bridged the gap between the classroom and the real world, Ragsdale said. 'You can only go so far in the classroom,' he said. 'People get a false sense of security.'West Point's focus on information assurance skills started about three years ago when Col. Andre Sayles, head of the Computer Sciences Department, 'had an epiphany' about it as a critical need, Ragsdale said.This year, 24 seniors at the 200-year-old academy enrolled in the 3-year-old information assurance program. 'They essentially had to commit to having no free electives to get to this course,' Ragsdale said.West Point is the first undergraduate school to be designated by NSA as a center for academic excellence for information assurance. And it was West Point that in August 2000 issued the challenge to its sister academies to participate in the cyberexercise, which was held in April of last year.The only taker last year was the Air Force Academy at Colorado Springs, Colo. The Naval Postgraduate School in Monterey, Calif., took part but did not compete for the trophy.This year the Naval Academy at Annapolis, Md., and the Coast Guard Academy at New London, Conn., also competed.'We have a strong interest in information assurance, and the department encouraged us to take part in the exercise,' said Maj. Robert Peterman, a computer science instructor at Annapolis.All the academies have integrated security into their computer science courses. The Naval Academy began offering an information assurance course last spring, and it is now a requirement for a computer science major, department chairman Patrick Harrison said.The Naval Academy felt it was coming from behind in the exercise''in start-up mode,' Harrison said, whereas West Point has 'fully blossomed.'The Coast Guard Academy also saw itself as an underdog. 'The Coast Guard is the forgotten armed service,' said Herb Holland, an academy instructor. It defends against smugglers and illegal immigrants, and it handles classified information, so security expertise is critical, Holland said. But the academy has no computer science department; computer classes are taught as part of electrical engineering.'This exercise is a project for students taking the computer communications and networking course,' Holland said before the exercise began. 'These guys are hyped. Since we don't have a computer science major per se, they may not have as much background. On the other hand, they are engineers and have lots of experience in problem solving. So I think we'll hold our own.'That assessment turned out to be accurate.The Coast Guard cadets 'did a hell of a job providing [network] services' during the contest, Ragsdale said. 'They got compromised quite a bit, but they hung in there.'Keeping services running while a network is under attack is key to winning the contest, he said, because 'it's only in the context of providing services that the rest of this makes sense.'All the academies set up identical networks with a variety of services running on three subnets protected by a firewall. They all transmitted daily reports about intrusions and responses to the White Team'referees from the CERT Coordinating Center at Pittsburgh's Carnegie Mellon University.NSA and the Defense Department's Public-Key Infrastructure Program Management Office provided funding for the networks.NSA's Red Team of attackers and the referees on the White Team all used virtual private networks to connect with the academy LANs.The White Team deducted points for intrusions but awarded points for identifying them and fixing the vulnerabilities, so a network compromise was not always fatal.'Keeping the services running was surprisingly hard,' Schepens said. 'We impress on the cadets that a system is worthless if the services aren't running.'The participants had to perform a balancing act. 'Keeping it up is really a challenge when fixing one part breaks two more parts,' said West Pointer Ian MacLeoud of Philadelphia.Last year, Ragsdale said, the West Point network was a day late going online and was then penetrated by the Red Team within three hours. The West Pointers' defense plans were immature and static, he said, and the key lesson learned then was that boosting security 'makes administration even more difficult.'This year's cadets built on the experience. The attackers 'were never able to take the network down at any point,' cadet Gates said.Defenses improved so much, in fact, that next year the exercise might add communications among the academy networks, to give the Red Team more opportunities to break in.'Each school put in heavy resources,' Schepens said. 'They were very well-prepared.'But his claim that there were no losers did not comfort West Point's rivals.'There's only one first place,' the Naval Academy's Peterman said.Ragsdale, however, said he doesn't expect West Point to maintain its lead for long.'I would be astounded if next year or the year after another school doesn't come to the fore,' he said. 'Much as I would like to think of it, I don't see any dynasty.'