21 May 2017

Military cadets battle the NSA in mock cyberwar games

by Alfred Ng

The US is a prime target for cyberattacks in the new age of digital warfare. Here's how officers-to-be are preparing for the future.

There were empty cans of Mountain Dew and Monster Energy everywhere.

Despite the pile of energy drinks, there was a surprising calm in the room as I stood by two dozen cadets at the US Military Academy at West Point. They were tasked with building a server and protecting it from breaches by the National Security Agency for a full week.

With a lifetime of research -- watching movies about cyberwarfare -- I figured I was all set for this assignment. But there was no dramatic music, no people running around and yelling about "cyber nukes" -- whatever those are. It looked like a normal office, like the one I'm sitting in as I write this. There wasn't even a sweeping camera shot of all the action.

Instead, four groups of cadets sat around rows of laptops at the ready. There was the Web Services team, to make sure their websites were up and running; the Web and Forums team, which moderates what goes on in their servers; the Network Monitoring team, which stands guard; and the Strike Team, which takes action to combat breaches.

The pace picked up a bit as the NSA sent over a task: creating a password restriction in the next two hours. But even then, there was no dramatic rush or screens filled with flowing rivers of green code.

The most noteworthy part of the attack? URLs like "pooploopery.com" and "canadabrokeit.com."

Those names sound goofy, but the military is taking its cyberdefense capabilities seriously. This exercise, which is held annually at West Point, is part of an increased focus in military academies to train experts against attacks in the future.

After all, cyberwarfare is an increasing concern on and off the battlefield, and the US has already gotten a glimpse of what attacks could look like in the future. The 2016 presidential election was heavily influenced by Russian hackers, while Chinese hackers stole 22 million social security numbers from a federal database in 2015 and North Korean hackers were blamed for a massive breach at Sony the year before. With experts predicting threats like bombings caused by distributed denial-of-service (DDoS) attacks, it's become more important to train future officers to defend online.

"It's certainly a great emphasis. We see the rise of the cyber branch with the United States Army," Major Michael Petullo, an assistant professor at West Point's military academy, said. "Individual privacy and freedom is all pending these days on cyber."

That mentality extends beyond the Army's own troops. Last month, the US Air Force issued its "Hack the Air Force" challenge to security specialists around the world, offering hefty rewards to anyone who can break into its public websites. It's a follow-up to challenges like "Hack the Army" and "Hack the Pentagon," in which bug bounty hunters cashed in on $75,000 by identifying the Pentagon's vulnerabilities. It only took five minutes for the first bounty to come during the Army challenge.

Mock warfare goes cyber

Since 2000, the NSA has been testing cadets at military schools by "hacking" servers in their classrooms for an entire week. In April, the Naval Academy, the Coast Guard Academy, the Marine Academy, the Military Academy and the Royal Military College of Canada joined in the Cyber Defense Exercise, looking to see who could best fend off the NSA's cyberattacks.

As part of the challenge, NSA hackers make up the "Red Cell" and teams from each academy make up "Blue Cells." The NSA is allowed to attack at all times, while the cyberdefense teams are restricted from doing anything between 10 p.m. and 9 a.m. To make things even harder, there's the Gray Cell, bots meant to emulate careless users who hackers typically target.

In one Gray Cell scenario, an important politician would come into an Army base with a laptop that potentially has a virus on it. The cadets have to clean off the device and remove any malware before the Gray Cell connects to the servers.

Do you think that's far-fetched? Vice President Mike Pence and Clinton campaign manager John Podesta probably don't.

"The threat is real and gets more and more advanced every day. It evolves very rapidly," NSA Red Cell lead Curtis Williams said.

A matter of time

The cadets have to prevent the NSA from stealing password tokens, protect their servers from shutdown and block out intruders. The NSA's break-in is inevitable, so the competition becomes about who can defend their servers the longest.

"They end up getting in, but they get into everyone's," said Mitch DeRidder, captain of the Army's Blue Cell. "They're closing in as time goes on."

After DeRidder assigned the duties for the NSA's password challenge, the room fell quiet again. Attacks still flowed in from the NSA, but they were easy to spot because of their goofy names.

The cadets were supposed to monitor for these fake names and block them. Sometimes, it wasn't as obvious as a pooploopery. One ping had come in from lyft.cpm, a rip-off of the popular ride-sharing app.

"They're hoping that we make typos," said Conner Wissman, on the Army's Service team. "They're trying to throw us off because every second of blocking these count."

The team members' eyes glazed over while watching scores of URLs coming into the servers, a boring but necessary task.

"There's nothing I can do, I kind of just sit here and watch," Wissman said. On the Web and Forums team, one cadet folded paper into a small boat. Another cadet, manning the servers, took the boat apart and made a paper hat.

By the end of the week, the Navy had won the exercise, but the cadets at West Point weren't defeated. In their loss, they'll be able to learn what went wrong and how to improve for when the nation's cybersecurity is at stake.

For future exercises, the NSA wants the academies to be able to collaborate. It also expects to add additional challenges like protecting other connected devices -- think smart appliances and light bulbs. The cadets already see the value in these challenges.

"Cyber is one of the biggest national security threats," DeRidder said. "Having trained NSA personnel attacking us, that definitely helped prepare us for the future."
