The Inquirer

US Cyber Defense Exercise gets tougher each year

Want to play a game of CyberBowl?
Mon Oct 06 2003, 09:08
INFORMATION ASSURANCE is a pretty innocuous phrase. For the instructors at West Point (the United States Military Academy, the Army's academy), it is a matter of life and death on today's computer-powered, network-centric battlefield. If critical military systems are shut down by a hack attack, or a real-time chat server is compromised and seeded with false information, the "best" case may be that the wrong (i.e. civilian) target gets hit. When fighting Al Qaeda and other terrorist threats, having computer systems corrupted or knocked offline while the bullets and bombs are flying is simply not acceptable.

Today's U.S. military is the best in the world because of its extensive and intensive training; "train like you fight" is the cliché. Computer science professors at West Point took this to heart, applied it to their curriculum, and then threw down the gauntlet to the other U.S. military service academies. The now-annual contest, the Cyber Defense Exercise (CDX), got started in '97, when some Army and Air Force people at Texas A&M argued over who had the better cadets. It being Texas, there was likely plenty of beer and bragging involved.

By 2001, the effort had been formalized with the help of the (Maryland-based) NSA, and the USMA (West Point) faced off against the Air Force Academy, with the Naval Postgraduate School also participating. Each school would set up a stock network with servers and defend it from outside attack. The attackers were a trio of "Red Teams": the NSA, the US Army 1st Information Operations Command, and the USAF's 94th Aggressor Squadron. Each school's network would be attacked by the Red Teams, and the team with the least downtime would be declared the winner. The NSA operated an isolated VPN, separate from the public Internet, so that third-party systems could not be affected by the combat. Academies weren't (and aren't) allowed to attack each other's networks; such tasks are, after all, reserved for higher-ranking officials. Defense-based exercises have the practical benefit of being the easiest to sell to the public and also the scenario a newly graduated officer is most likely to run into once on duty. The U.S. military is very tight-lipped about the circumstances under which an offensive cyber attack would be authorized, even as literally thousands of probes are launched against U.S. systems every day.

Once the smoke cleared from the first exercise, the West Pointers had "won," but inter-service rivalries required a third-party arbitrator for future play. A "White Team" drawn from CMU's CERT group was added to observe (and later mentor) the competing teams. In 2003, all of the U.S. service academies participated (even the Coast Guard and the Merchant Marine), along with the Air Force's post-graduate school, and the Air Force Academy claimed the trophy (the Army had won in both previous years). Next year, a Marine Corps Red Team may join the attackers.

Each year, the CDX scenarios become more complex. The full 2003 exercise ran across five days. Each team was allowed to build its own network infrastructure and select the hardware/software combinations it considered appropriate for delivering critical services such as email and web serving; in previous years, teams had to work from a common hardware and software configuration. Typically, open source tools were used both for running services and for scanning for attacks. To make life more interesting, an "orange box" was placed within each network to simulate an insider threat, and social engineering attacks were introduced as well.

As the exercises have become more sophisticated, they have proved to be of increasing benefit to the Red Teams as well. The teams don't get many opportunities to open up their bag of tricks and go full speed against live systems. CDX gives them a chance to test themselves against motivated opponents who know they are coming, and a chance to exchange techniques with one another.

In the future, the Army would like to widen the playing field and is working with the National Science Foundation on a way to open the competition to other (American) universities, the theory being that more competition leads to better-trained people and better computer security. There is likely some background discussion going on about how to incorporate independent (i.e. DEFCON) teams into the mix as well.

Team Mitnick, anyone?
