CDX pits NSA hackers against service academies

cyberattack graphic

A low-slung building in a suburban office park might seem an unlikely setting for military war games, but that's exactly what's taking place at the Columbia, Md., outpost of the Parsons Corporation. The open laptops and the white board wouldn't be out of place in any corporate workroom; less so the Jolly Roger that hangs from the ceiling. Here, several teams of cyber warriors from the National Security Agency and across the military are acting as adversaries, referees, and bystanders in a cyber-defense exercise that pits students from the five U.S. service academies against each other for bragging rights as top network defenders.

The Cyber Defense Exercise (CDX), now in its 14th year, is designed to put the lessons learned in classroom to real world use. Working from their academies, students construct computer networks with servers, email and web applications, and other services, and protect them using an array of open source, widely available security tools.

For students at the U.S. Military Academy at West Point and the Air Force Academy in Colorado Springs, the CDX is akin to a final examination for an advanced networking class. Those two schools have the more advanced cyber curricula of the service academies, and the biggest teams. [Update, April 11: West Point was declared the winner of this year’s exercise. It’s that school's seventh win since the inception of CDX in 2001. The Air Force Academy has racked up the second most wins with four.] Having bodies to throw at the challenge is important, because the networks have to be staffed on a 24-hour basis to defend against a "red cell" of NSA adversaries. To add an element of realism, there is a "gray team" with network privileges acting as ordinary (and troublesome) users, clicking on emails and opening files that could potentially help launch a hidden attack.

Of course, the NSA boasts some heavy hitters where network penetration is concerned. But the goal here is primarily educational, not to blow the student teams away with overwhelming skill. The red team exploits are open source and defensible.

"We do understand their position and where they're at. We challenge them. This is a very challenging exercise for them. But we also understand it's about teaching them the fundamentals of network security and how to apply them," said Shawn Turskey, a senior official at the NSA's Information Assurance Directorate.

Student teams are scored on their ability to secure the confidentiality and integrity of their network, while keeping their networks online. Unplugging is not an option – scores plummet in the event a team takes its network offline.

"I love putting them in a situation to make risk management decisions on where they're going to apply their resources and how they're going fix the systems that they have," Turskey said. 

Cyber warriors are increasingly in demand. Defense Secretary Chuck Hagel just announced plans to triple the existing force to 6,000. Outgoing NSA Director and Cyber Command head Gen. Keith Alexander recently told Congress that the Department of Defense was planning to elevate CyberCom into a unified command, reporting directly to the Joint Chiefs of Staff. Currently, CyberCom reports to the U.S. Strategic Command. But according to NSA officials, CDX isn't just a talent-spotting exercise, and it isn't a game. The long-term goal is to inculcate the principles of cyber into the next generation of military leaders,

"When these men and women are colonels and generals or captains and admirals, regardless of the position they're in, they're going to be able to look back and remember the complexities of cyber, the resources required, and how we do this," Turskey said. "We're in this for the long haul. We'll get immediate return, but down the road is what we're looking for to have that bigger payoff."

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group