Issue 6 - April 2011
Educating the Next Generation of Security Professionals
In the world today, few topics are more talked about and less understood than “cyber security.” Almost daily, it seems, we hear of another threat to the computer systems that support and control the world’s critical infrastructure. Attacks on government and industry have already been recorded. Can power and water supplies, transportation and other critical areas be far behind? Cyber defense of private as well as public systems has become a national priority.
What does this mean for the payments industry? It means that the resources we need to defend ourselves against criminals – who strive daily to invade our systems and commit fraud – are in increasingly short supply. To date, the payments industry has done more than any other to defend itself from these attacks. The Payment Card Industry Data Security Standard, for example, has helped us to maintain low rates of fraud. But standards can’t stand still. We will need expert resources to improve and implement them in the face of increasingly sophisticated cyber attacks. Competition for those resources is growing already: the Department of Homeland Security alone has announced plans to hire up to 1,000 cyber security professionals between 2009 and 2012.
Where will we find enough skilled cyber security professionals to meet the needs of our own industry, as government and other industries ramp up their demands? Unfortunately, there are not nearly enough future experts in the pipeline today.
Professors Dan Manson and Anna Carlin of Cal Poly Pomona are teaching and working with the next generation of cyber experts. They provide an overview of cyber security competitions, and how they help encourage and inspire students to enter the cyber security field. Our industry can benefit directly from sponsoring and supporting these competitions and leagues, helping to guide these students at an early age and nurture their passion for technology.
- Ellen Richey, Risk and Security Editor
Out of 45 companies recently surveyed, cybercrime or computer-based crime costs each organization an average of $3.8 million annually.  The Pentagon recently said that “its systems are attacked 250,000 times an hour, six million times a day.”  Experts state that currently, just 1,000 people in the United States have the skills needed to defend against the most advanced cyber attacks. To meet the computer security needs of federal agencies and large corporations, a force of 20,000 to 30,000 similarly skilled specialists is needed.  This is a tall and potentially pricy order. What is more, failure is not an option – the inability to secure our nation’s computer networks could have devastating consequences for our national security, economy and even our basic way of life.
The industry in partnership with universities has found a new tactic to help inspire and train the next generation of computer guardians: cyber defense competitions. In this paper, we will discuss the evolution of these competitions, growing from hacker and military roots to mainstream acceptance, and explain why they have become so popular throughout the industry. Additionally, we propose that cyber defense leagues (CDLs) are the next step, offering a hands-on learning experience for high school and college students at a fraction of the cost to the industry.
Last winter, a team from Locke High School, a public school in Los Angeles, Calif., spent countless hours every week practicing and honing their skills. This was their first time in a national competition, up against several hundred other high school teams. They advanced through the first round. In round two, they played against other teams from LA and across the country.  The team won their regional matchups and qualified for CyberPatriot, billed as the world’s largest high school cyber defense competition. Though the Locke High School team did not win the national championship, some of the team members claimed individual successes: internship and scholarship offers from top Aerospace companies, including Northrop Grumman. 
If this sounds a lot like a competitive sport, it is. There are winners, losers, boot camps, rivalries, lucrative recruitment offers and all of it held with the highest stakes. The sport is cyber defense – a “mental sport” that involves several hours to days of running, maintaining and defending a simulated commercial network from attack. The attackers are trained security professionals, simulating real threats faced by the industry. Points are gained by keeping network services running and completing security updates called business “injects” – teams lose points if the attacks penetrate their defenses. From high schools to community colleges to national universities, cyber defense competitions are becoming an annual ritual, and these kids are playing for much more than just trophies and bragging rights. Cyber security competitions give students hands-on, real-world scenarios that help develop the technical, organizational, and team skills desperately needed by the cyber industry and government. For many of the participants, it also provides a path to college and future careers.
The Evolution of Cyber Competitions
Not surprisingly, hackers helped start cyber defense competitions. The first major hacker convention took place in Las Vegas in 1993, called DefCon. Today, DefCon has grown to become one of the world’s largest hacker conventions. Jeff Moss, founder of DefCon, later started Black Hat, which now hosts an annual conference on technical information security. The Black Hat conferences include training sessions and keynote addresses by high profile industry leaders, such as last year’s speaker, Jane Holl Lute, Deputy Secretary of Homeland Security.
In 2001, the U.S. Military Academy at West Point began an inter-academy Cyber Defense Exercise (CDX).  The CDX has also grown and evolved over the years to consist of attackers, judges and competing teams.
The success of the U.S. military academy’s competition was a watershed moment for cyber security. The industry now had the government’s stamp of approval, and more importantly, its resources. In early 2004, a group of government officials, senior academics, accomplished students and industry representatives created a set of duniform cyber defense exercises for post-secondary education.  The group designed a uniform structure for competitions, allowing any university to hold a challenge regardless of size or resources available. The primary goal was to encourage more universities to offer students real-world experience in information assurance.
The first Collegiate Cyber Defense Competition (CCDC) was hosted by the Center for Infrastructure Assurance and Security at the University of Texas, San Antonio in April 2005.  The National Collegiate Cyber Defense Competition now hosts several state-level and nine regional competitions. Winners from state-level competitions advance to a regional levels, and those winners are invited to the national CCDC held in April at the University of Texas, San Antonio.
In 2008, the Air Force Association (AFA) partnered with the Center for Infrastructure Assurance and Security (CIAS) to create a national high school cyber defense competition.  In February 2009, a proof of concept demonstration and competition took place at AFA’s Air Warfare Symposium in Orlando, Fla. Later that year, 200 Air Force Junior ROTC and Civil Air Patrol teams from 44 states competed for one of eight slots in an in-person championship held in February 2010 in Orlando, Fla. 
Games to Simulate Reality
The competitions are designed to put students in scenarios faced by government agencies and corporations today. Some of the attackers in the simulations have experienced these threats first hand.
Capture the Flag
One of the most popular “games,” Capture the Flag (CTF), began at DefCon and has become an annual conference highlight. In CTF, teams attempt to defend their own electronic “flags” and capture flags on opposing teams’ machines. Advanced skills in penetration testing, reverse engineering and network security are required to play in the DefCon CTF.
An international version of Capture the Flag (iCTF) was started at the University of California, Santa Barbara (UCSB) in 2004. The latest UCSB iCTF was held last December and involved 72 teams and 900 participants from 16 countries.  Brian Pak, an undergrad student at Carnegie Mellon University and leader of the winning iCTF competition team Plaid Parliament of Pwning, described the value of the competition: “We study crypto, we study reverse engineering, but competitions are where we actually test and use them.” 
Collegiate Cyber Defense Competition
The template that a Collegiate Cyber Defense Competition follows includes three main teams named using patriotic colors of red, white and blue. Student teams are assigned the color blue and are segregated from all other teams in their own workspace. They are provided hardware and software to setup their network and try to secure it before the red team begins their exercises. Software installed on some servers may not be current and may have known security vulnerabilities that the blue team needs to evaluate and address.
The red team consists of industry representatives who will attempt to infiltrate or disrupt each blue team’s daily network operations throughout the competition. The attackers use all their technical skills to compromise the student network and disrupt business, in addition to using social engineering to gain valuable information.
The white team also consists of industry professionals responsible for monitoring the network, implementing scenario events and refereeing. The scoring model rewards points for successful completion of business injects and deducts points for failure to maintain required business services or for a successful red team exploit. Injects involve business requests, such as account updates, blocking instant messaging, peer-to-peer and network redesign.
If the attackers successfully complete an exploit, student teams can still receive points by completing an incident report. The incident report should clearly identify the attack and outline steps taken by the defenders to mitigate the risk to the organization. The team with the highest number of points wins the regional competition and advances to the national competition. 
Although there are common rules that must be followed by all state, regional and national competitions, the length of time and infrastructure can vary from one competition to another – the 2011 Western Regional CCDC held at Cal Poly Pomona lasted approximately 22 hours.
Cyber Boot Camps
CyberPatriot is one of several competitions under the umbrella of the U.S. Cyber Challenge (USCC). The USCC is a national coalition of public/private sector entities that supports a nationwide cyber security talent search and skills development program.  CyberPatriot is now open to all high school students between the ages of 13 and 18. CyberPatriot is designed to provide students with hands-on, practical knowledge in cyber security that develops their interest and desire for degrees and careers in cyber security and related fields. 
In addition to CyberPatriot, USCC promotes competitions, including the DC3 Digital Forensics Challenge, NetWars and an online CyberQuest competition where anyone over the age of 18 can compete for spots at intensive cyber security summer boot camps. California, New York and Delaware hosted cyber camps last year. The camps provide students with four days of cyber security training by senior instructors with the SANS Institute ending with a Capture the Flag competition on the last day.
Cyber Defense Leagues
Up to now, most state, regional and national collegiate cyber defense competitions have been face-to-face competitions, with all competitors and support personnel in the same location. Major obstacles to expanding these cyber defense competitions exist, including cost, scalability and logistics of physically bringing many schools, students and supporting personnel together for an extended period of time.
Holding the competitions in a virtual space allows organizers to create and deploy computer security exercises to even larger numbers of participants while minimizing the associated configuration time and hardware requirements. A regional or national cyber defense competition can cost upwards of $20,000, including food, lodging, facility and infrastructure set-up costs. A standard physical cyber security competition also requires the creation of identical physical infrastructure for each team.
Virtual competitions eliminate the vast majority of these costs. Once the virtual “playing field” is created, the main cost is developing a library of virtual machine images for specific competition scenarios. After the playing field and library of virtual machine images is created, hundreds of virtual competitions can be run for less than the cost of one face-to-face competition. A virtual competition can use the same operating systems and network devices as a physical competition, but the student competing only needs Internet access and a Web browser. A topology that we have tested for virtual cyber defense competitions is below.
What is missing for both the National CCDC and CyberPatriot is a league allowing head–to-head competitions over the course of a season. The 2011 National Collegiate Cyber Defense Competition included nine regions with approximately 100 schools. The National CCDC is a cyber defense version of “March Madness” – each team has to “win or go home.” The same is true for CyberPatriot. All high school teams have to win to advance in the competition. By allowing teams to play for several hours every week for a 10-week season, all participants have the opportunity to improve their skills in a competition mode over an extended period of time and prepare themselves for either CyberPatriot or CCDC.
The CDLs can be a training ground for both the CCDC and CyberPatriot teams by providing several opportunities to identify team deficiencies/inadequacies and benchmarking their skills against their competitors. Between rounds, the team members can develop their required skills and train to overcome their deficiencies. Through each round, the teams can determine whether their development and training efforts are paying off.
How the Industry Can Help
We believe that creating virtual cyber defense “playing fields” will help meet our nation’s demand for tens of thousands of expert cyber defenders. These opportunities will allow students to participate in virtual pickup games, exhibitions and league play. The National CCDC and CyberPatriot have received sponsorship support from top cyber security, aerospace, defense and utility companies, as well as consulting firms, professional audit and security organizations and the Department of Homeland Security. These organizations see the value in developing cyber security talent through team competitions. Similar support for virtual leagues would create an entry point for high school and college students to hone their skills through ongoing competitions. These competitions could build on existing sports leagues and rivalries based on the NCAA and California Interscholastic Federation.
Organizations can participate in the cyber defense league through monetary sponsorship, in-kind support and team participation. Industry sponsorship provides access to some of the best and brightest young cyber security talent. Added perks also include the publicity associated with competitions, product awareness and product placement, as well as the opportunity for cyber security professionals at their companies to gain hands-on experience themselves.
In the future, we believe organizations can partner with tailored competitions for specific industry needs, testing out new products and gaining experience with specific vulnerability scenarios. Industry professionals provide a much-needed “reality check” on the validity of cyber defense competitions. Competitions can also be used by the industry as an in-house training environment and a “virtual simulator” to assess employee cyber defense skills and competencies.
Support for cyber security “boot camps” are another way the industry can promote hands-on cyber security learning and passion in young people. The U.S. Cyber Challenge camps began in 2010 are expanding. Students attending the camps not only gain in-depth skills and practice through Capture the Flag competitions, they leave the campus hungry for more opportunities to practice and further develop their abilities.
From high school through college and beyond, the cyber industry can make a huge difference by mentoring future experts. As schools deal with ongoing budget cuts, the ability of professionals to step in and work closely with faculty and students involved with these competitions can ensure that young talent is nurtured, not neglected.
 Lance Whitney, “The Cost of Cyber Crime.” InfoTech Spotlight, August 5, 2010, available at http://it.tmcnet.com/topics/it/articles/94247-cost-cybercrime.htm
 PBS News Hour. Special Report with Spencer Michels, “Governments Battle to Stay Ahead of Threats on Internet, ‘The Great Levler’,” August 10, 2010, available at http://www.pbs.org/newshour/bb/science/july-dec10/cybersec_08-10.html
 Tom Gjelten, “Cyberwarrior Shortage Threatens U.S. Security,” National Public Radio, July 19, 2010, available at http://www.npr.org/templates/story/story.php?storyId=128574055
 Air Force Association Blog, “CyberPatriot, Beyond the Bell Strive to Further Students’ Education Experience,” Dec. 22, 2010, available at http://airforceassociation.blogspot.com/2010/12/cyberpatriot-beyond-bell-strive-to.html
 Leiloni De Gruy, “Locke High Advances to Nationwide Cyber Defense Competition,” Los Angeles Wave, March 31, 2011, available at http://www.wavenewspapers.com/news/local/west-edition/Locke-High-advances-to-nationwide-cyber-defense-competition-119030039.html
 L.J. Hoffman et al., "Exploring a national cybersecurity exercise for universities," IEEE Computer and Reliabilities Societies, Vol. 3, No. 5, pp. 27- 33, Sept.-Oct. 2005, available at http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1514397
 National Collegiate Cyber Defense Competition, available at http://nationalccdc.org/index.php?option=com_content&view=article&id=47&Itemid=34
 Gregory White and Dwayne Williams. “Collegiate Cyber Defense Competitions,” The Issa Journal, October 2005, available at http://www.issa.org/Library/Journals/2005/October/White,%20Williams%20-%20Collegiate%20Cyber%20Defense%20Competitions.pdf
 Gregory White et al., “The CyberPatriot National High School Cyber Defense Competition.” IEEE , Vol. 8, No. 5, pp. 59-61, Sept.-Oct. 2010, available at http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5601489
 Op cit.
 University of California, Santa Barbara International Capture the Flag Overview available at http://ictf.cs.ucsb.edu/index.php
 Giovanni Vigna, “The 2010 International Capture the Flag Competition.” IEEE Computer and Reliabilities Societies, January/February 2011, 12-14
 Anna Carlin, Daniel P. Manson, and Jake Zhu. “Developing the Cyber Defenders of Tomorrow With Regional Collegiate Cyber Defense Competitions (CCDC)” Information Systems Education Journal, Vol. 8, No. 14, April 22, 2010, available at http://isedj.org/8/14/index.html
 U.S. Cyber Challenge, “Cyber Challenge FAQ,”. available at http://www.uscyberchallenge.org/about/faq.cfm
 CyberPatriot, “Frequently Asked Questions,”available at http://www.uscyberpatriot.org/about/Pages/FAQ.aspx