CDX pits NSA hackers against service academies

The Cyber Defense Exercise, now in its 14th year, is designed to put classroom lessons to use in the real world.


A low-slung building in a suburban office park might seem an unlikely setting for military war games, but that's exactly what's taking place at the Columbia, Md., outpost of the Parsons Corporation. The open laptops and the white board wouldn't be out of place in any corporate workroom; less so the Jolly Roger that hangs from the ceiling. Here, several teams of cyber warriors from the National Security Agency and across the military are acting as adversaries, referees, and bystanders in a cyber-defense exercise that pits students from the five U.S. service academies against each other for bragging rights as top network defenders.

The Cyber Defense Exercise (CDX), now in its 14th year, is designed to put the lessons learned in the classroom to real-world use. Working from their academies, students construct computer networks with servers, email and web applications, and other services, and protect them using an array of open source, widely available security tools.

For students at the U.S. Military Academy at West Point and the Air Force Academy in Colorado Springs, the CDX is akin to a final examination for an advanced networking class. Those two schools have the more advanced cyber curricula of the service academies, and the biggest teams. [Update, April 11: West Point was declared the winner of this year’s exercise. It’s that school's seventh win since the inception of CDX in 2001. The Air Force Academy has racked up the second most wins with four.] Having bodies to throw at the challenge is important, because the networks have to be staffed on a 24-hour basis to defend against a "red cell" of NSA adversaries. To add an element of realism, there is a "gray team" with network privileges acting as ordinary (and troublesome) users, clicking on emails and opening files that could potentially help launch a hidden attack.

Of course, the NSA boasts some heavy hitters where network penetration is concerned. But the goal here is primarily educational, not to blow the student teams away with overwhelming skill. The red team exploits are open source and defensible.

"We do understand their position and where they're at. We challenge them. This is a very challenging exercise for them. But we also understand it's about teaching them the fundamentals of network security and how to apply them," said Shawn Turskey, a senior official at the NSA's Information Assurance Directorate.

Student teams are scored on their ability to secure the confidentiality and integrity of their network, while keeping their networks online. Unplugging is not an option – scores plummet in the event a team takes its network offline.

"I love putting them in a situation to make risk management decisions on where they're going to apply their resources and how they're going to fix the systems that they have," Turskey said.

Cyber warriors are increasingly in demand. Defense Secretary Chuck Hagel just announced plans to triple the existing force to 6,000. Outgoing NSA Director and Cyber Command head Gen. Keith Alexander recently told Congress that the Department of Defense was planning to elevate CyberCom into a unified command, reporting directly to the Joint Chiefs of Staff. Currently, CyberCom reports to the U.S. Strategic Command. But according to NSA officials, CDX isn't just a talent-spotting exercise, and it isn't a game. The long-term goal is to inculcate the principles of cyber into the next generation of military leaders.

"When these men and women are colonels and generals or captains and admirals, regardless of the position they're in, they're going to be able to look back and remember the complexities of cyber, the resources required, and how we do this," Turskey said. "We're in this for the long haul. We'll get immediate return, but down the road is what we're looking for to have that bigger payoff."