Dozens of people hunkered over computers. Attacking their rivals, they defaced websites, deployed malware, and fired off phishing e-mails to breach internal networks. Their desks were strewn with candy, Goldfish crackers, mugs of coffee, and masses of tangled wires.
They're some of the best hackers the National Security Agency has to offer. And they were battling against an unusual digital foe: Students at the US military academies.
Now 15 years running, the Cyber Defense Exercise, known as CDX, pits cadets against the NSA’s top information assurance professionals. At a defense contractor site in Columbia, Md., – a 20 minute drive from the Fort Meade, Md., base that’s home to the NSA and the military’s Cyber Command – civilian and military personnel are taking a few days break from their regular jobs as security engineers or network defenders to go on the offense.
The students must defend and secure the computer networks they designed and built at their own academy as the agency pros try to infiltrate and take them down.
Teams at the US Military Academy at West Point, the Naval Academy in Annapolis, Md., the Air Force Academy in Colorado Springs, Colo., and the Coast Guard Academy in New London, Conn., are all competing for a massive trophy – complete with an eagle on top – and to win bragging rights over the other schools. More than 160 students are in the exercise this year, including some from the Royal Military College of Canada, which has a shot at the trophy.
“These types of events are crucial,” says Alex Gates, an official at NSA’s Information Assurance Directorate, which handles the agency’s defensive operations. “There’s a lot of value in taking something beyond the concept and actually practicing it during an exercise where you can make mistakes, and learn from them, and improve the way we do our overall mission.”
But it’s more than just practice. There’s a reason why the agency wants to boost cybersecurity skills within the military: The Pentagon wants to triple the number of its cybersecurity professionals to 6,000 by 2016. Training highly skilled workers so quickly is a tough challenge, especially since companies globally are struggling to fill information security jobs. Both Cyber Command and its sister agency the NSA – where many uniformed military also serve – are hoping that competitions such as the CDX encourage young people to choose to specialize in cybersecurity or take jobs at the agency down the road.
“We’re charged with providing support to the government, support to industry, to protect those products and services on behalf of the government,” Mr. Gates says. To fill its ranks, his agency needs graduates in science, technology, engineering, and math. Here’s the problem: “That’s the pool everyone is going to, to basically recruit and hire the talent needed to do that job.”
In the private sector, the security firm Symantec estimates there were as many as 300,000 jobs in cybersecurity unfilled last year in the US alone. Through the CDX, the NSA helps the military academies, where students upon graduation will directly enter the military as officers, develop their own talent pipelines. Winning the competition becomes “a great recruitment tool” for them, says Gates. “They’re also competing amongst the services for individuals with [science, technology, engineering, and math] experience throughout high school,” he notes. “There’s kind of a trickle down effect.”
That’s why the competition aspect is so important. It makes cybersecurity, a very technical field, more enticing for students at the military academies, students and agency officials involved in the exercise say.
During the competition this week, it was clear both the pros and the students were having fun. One screen in the NSA's exercise hub displayed one of the latest victories by its red team of attackers. Students at Royal Military College of Canada had boasted online the night before, in a message posted on a Wordpress site, that their skills were better than the agency’s. “They build themselves up as uber cyber gods,” one red team member joked.
The red team struck overnight, stripping their message from the webpage and replacing it with a new one: “The poor students at RMC today realized that they should not actively poke the sleeping bear,” the message read. “Well, then the sun went down.” The sign-off: "Hackers gonna hack.”
Streamed live into the NSA hub were video feeds from all the military academies, some of them thousands of miles away. On one, the students at West Point clustered by a bag of bagels, smearing them with cream cheese in front of their computers.
There, Ethan Gleue was ready to win, and he was more than happy to help his team from 8 a.m. to 10 p.m. and catch up on homework late at night. Everyone he knows at the academy is following the news of the Army’s new cyber branch, which last year put the technical field alongside traditional divisions such as infantry, artillery and other Army combat arms branches.
Of the 15 graduating seniors that are “branching cyber” after graduation, as Mr. Gleue says, 14 are on Gleue’s CDX team. At the back of the room, they proudly displayed the trophy they won in last year’s competition in prime view of the video conference.
Win or lose, competing in CDX gives students an edge in cybersecurity fields when they graduate, NSA and military officials say.
Some students will graduate and start defending or creating network for the Army, says the officer in charge at West Point, Major W. Michael Petullo. Others will conduct cyberoperations; a few will get graduate degrees and craft the next generation of software “that will hopefully do better than the software my generation created,” Major Petullo says. “But they will all have this experience to draw on.”
Petullo likened the demand for cybersecurity specialists to the need for special operations forces after 2001. There was a high demand for troops skilled for those missions but only a few who could actually handle that job. “Cyber is going to find itself in a similar situation,” he says. “It’s easy to say we need 6,000 cyber guys, but it’s tough to have the pipelines to fill that. Even if you have the pipeline, it takes a certain person to make it through that pipeline and meet the cut.”
CDX will only contribute a small fraction of grads to fill that cybersecurity gap, but it’s also helpful to the military in broader ways. Gleue, who is an information technology major, will train to be a helicopter pilot after graduation from the Military Academy – and believes he will need cybersecurity skills in that job, too. However, while the cadets have marksmanship training and marches where they have to walk around with heavy backpacks and sleep outside, Gleue says there’s no technical equivalent of these drills other than CDX.
“No matter what capabilities we hand our military and charge them to use, their military operations are dependent in some way, shape or form on cyberspace,” says Chris Inglis, former deputy director of the NSA who is now teaching cybersecurity studies at the Naval Academy. “The sensors on airplanes, ships, submarines, they are all networked. [Missions] are dependent on information flows, cybersecurity.”
Since everyone uses connected systems, Mr. Inglis adds, it’s now mandatory that troops across the military generally understand how they work, and can avoid being vulnerable online. “These things can’t be defended if only 1 percent, 2 percent of the workforce is defending them,” Inglis says. “Everyone has a role to play in this.”