The third running of the annual CyberStakes competition for cadets and midshipmen Feb. 5-7 showed again what a great tool this competition, and others like it, are for helping talented young men and women build cyber skills.
The Defense Department has a big and ongoing need for cyber experts. The military services all have cyber units — the U.S. Army Cyber Command, the Navy’s U.S. Fleet Cyber Command, and the 24th Air Force-AFCYBER. Then there’s the U.S. Coast Guard Cyber Command and, for DoD, U.S. Cyber Command.
U.S. Cybercom alone needs 6,000 cyber warriors for its mission in the next couple of years, and practically every federal agency has a growing cyber mission.
In 2013 at the Defense Advanced Research Projects Agency, where looking to the future is just part of the job, DARPA Director Dr. Arati Prabhakar expressed an interest in engaging more directly with the DoD service academies.
B O O M !
February 2014, a winter weekend in Pittsburgh, and more than 50 cadets and midshipmen sit elbow to elbow at nine round tables in a packed room. They’ve been training since November to compete in the DARPA pilot program, initially called the Service Academy Cyber Stakes.
“Our primary thrust, because the service academies are going to produce junior officers upon graduation, is to help [the graduates] develop skill sets necessary to be effective cyber warriors,” DARPA Program Manager Dr. Dan ”Rags” Ragsdale said in a briefing after the first competition.
An effective cyber warrior must protect and defend the system using a full-spectrum approach,
he said, and then he expanded on the meaning of full spectrum.
“We … believe that you have to understand at a deep technical level the approaches, methods and techniques that adversaries take in trying to subvert the security of our systems,” he said.
Skills like being able to reverse engineer binary, or machine-readable, files and finding source-code-level vulnerabilities that could be exploited, and doing so with software source-level analysis and with automated tools that perform functions like fuzzing, the informal name for automatic bug finding.
Cyber warriors have to be able to identify potentially exploitable vulnerabilities in binaries that adversaries exploit, he added. They have to understand all the ways cryptography is used across the infrastructure and identify approaches that adversaries use to subvert crypto system security.
In that first competition the cadets and midshipmen “outperformed everyone’s expectations,” Ragsdale said. At CyberStakes 2015, still a DARPA pilot, the competition was harder than the first one and the students did even better.
This month, no longer a pilot and now with DoD funding, CyberStakes 2016 was even more advanced and so were the students. Also competing along side them for the first time were four members of an active-duty cyber protection brigade.
They all competed in events that included reverse engineering, cyber forensics, cryptography, discovering and exploiting vulnerabilities in executable programs, and actual, not cyber, lock picking — a physical counterpart to cyber vulnerability analysis that’s a regular event at cyber competitions.
Participants in the final full-spectrum capture-the-flag live exercise were chosen after completing up to six months of intensive online training. The trainers were people like cybersecurity expert Dr. David Brumley. He heads a company called ForAllSecure, a high-tech spinoff of Carnegie Mellon University.
He’s also a CMU professor of electrical and computer engineering and a founding member of the Plaid Parliament of Pwning, a CMU cybersecurity team that’s highly ranked in international competitions and whose members acted as mentors to the midshipmen and cadets.
Brumley explained, “The students who came here are autodidactic self-learners and -starters. We challenged them, gave a pathway and a set of examples, but it was on them to develop the skills and scores necessary to get to the Pittsburgh event. We would say things like ‘Here is a lock and a lock pick. Can you open it?’ We’re not looking for the sort of person who would say ‘I don’t know how to lock pick.’”
Brumley said they want someone who’ll go online, watch YouTube videos and develop that skill on their own — not just for lock picking, but for exploitation, reverse engineering, defense, forensics and all cyber skills.
“Relying only on training is too slow. We need people who are agile and can acquire new skills and capabilities dynamically,” Brumley said.
The instructors at each academy also play a huge role, he said, developing cybersecurity curriculums, mentoring their teams and putting in a lot of extracurricular effort.
“This year the participants were able to find not just vulnerabilities but also show they could harden exploits to defeat operating system security measures,” Brumley said. “They were better at pulling attacks off the wire, analyzing them and being able to take action.”
Brumley said people have been so interested in the CyberStakes training that on the forallsecure.com website they’ve begun offering it to DoD at large.
Right now he said they have more than 2,000 players on their system, including 34 from the U.S. Air Force Academy, 9 from the U.S. Coast Guard Academy, 20 from the U.S. Military Academy, 126 from the U.S. Naval Academy, and the active-duty cyber patrol brigade is running a competition with 35 members.
Shall we play a game?
Reprinted from the DoD Armed with Science blog. Follow Armed with Science on Twitter!
Special report: DoD Cyber Strategy
Disclaimer: The appearance of hyperlinks does not constitute endorsement by the Department of Defense of this website or the information, products or services contained therein. For other than authorized activities such as military exchanges and Morale, Welfare and Recreation sites, the Department of Defense does not exercise any editorial control over the information you may find at these locations. Such links are provided consistent with the stated purpose of this DOD website.