CDX pits NSA hackers against service academies

cyberattack graphic

A low-slung building in a suburban office park might seem an unlikely setting for military war games, but that's exactly what's taking place at the Columbia, Md., outpost of the Parsons Corporation. The open laptops and the white board wouldn't be out of place in any corporate workroom; less so the Jolly Roger that hangs from the ceiling. Here, several teams of cyber warriors from the National Security Agency and across the military are acting as adversaries, referees, and bystanders in a cyber-defense exercise that pits students from the five U.S. service academies against each other for bragging rights as top network defenders.

The Cyber Defense Exercise (CDX), now in its 14th year, is designed to put the lessons learned in classroom to real world use. Working from their academies, students construct computer networks with servers, email and web applications, and other services, and protect them using an array of open source, widely available security tools.

For students at the U.S. Military Academy at West Point and the Air Force Academy in Colorado Springs, the CDX is akin to a final examination for an advanced networking class. Those two schools have the more advanced cyber curricula of the service academies, and the biggest teams. [Update, April 11: West Point was declared the winner of this year’s exercise. It’s that school's seventh win since the inception of CDX in 2001. The Air Force Academy has racked up the second most wins with four.] Having bodies to throw at the challenge is important, because the networks have to be staffed on a 24-hour basis to defend against a "red cell" of NSA adversaries. To add an element of realism, there is a "gray team" with network privileges acting as ordinary (and troublesome) users, clicking on emails and opening files that could potentially help launch a hidden attack.

Of course, the NSA boasts some heavy hitters where network penetration is concerned. But the goal here is primarily educational, not to blow the student teams away with overwhelming skill. The red team exploits are open source and defensible.

"We do understand their position and where they're at. We challenge them. This is a very challenging exercise for them. But we also understand it's about teaching them the fundamentals of network security and how to apply them," said Shawn Turskey, a senior official at the NSA's Information Assurance Directorate.

Student teams are scored on their ability to secure the confidentiality and integrity of their network, while keeping their networks online. Unplugging is not an option – scores plummet in the event a team takes its network offline.

"I love putting them in a situation to make risk management decisions on where they're going to apply their resources and how they're going fix the systems that they have," Turskey said. 

Cyber warriors are increasingly in demand. Defense Secretary Chuck Hagel just announced plans to triple the existing force to 6,000. Outgoing NSA Director and Cyber Command head Gen. Keith Alexander recently told Congress that the Department of Defense was planning to elevate CyberCom into a unified command, reporting directly to the Joint Chiefs of Staff. Currently, CyberCom reports to the U.S. Strategic Command. But according to NSA officials, CDX isn't just a talent-spotting exercise, and it isn't a game. The long-term goal is to inculcate the principles of cyber into the next generation of military leaders,

"When these men and women are colonels and generals or captains and admirals, regardless of the position they're in, they're going to be able to look back and remember the complexities of cyber, the resources required, and how we do this," Turskey said. "We're in this for the long haul. We'll get immediate return, but down the road is what we're looking for to have that bigger payoff."

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group