Information Security News: Cyber War Game Tests Future Troops

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/ac2/wp-dyn/A21871-2003Apr23

By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, April 23, 2003

In a basement lab littered with computers, monitors and chalkboard 
diagrams, 14 Naval Academy midshipmen are buzzing about the latest 
hacker assault on the computer network they created.

Hackers have penetrated their network and erased a database. But lead 
technician James Shey, stifling a yawn, says this attack is no big 
deal -- his team saved a backup copy.

Shey has slept a total of five hours out of the last 36. He and the 
other future Navy officers have been standing cybersecurity watch as 
part of the third annual Cyber Defense Exercise. The midshipmen, along 
with teams from the nation's four other service academies, are 
defending home-grown computer networks from attack by specialists from 
the National Security Agency, the United States's ultra-secretive 
surveillance and spy agency.

The war in Iraq drove home the fact that the U.S. military is heavily 
dependent on sophisticated electronic communications and information 
technology. As the Pentagon deploys even more advanced systems, 
planners are acutely aware that a hacker could kill more U.S. soldiers 
with bits and bytes than with bombs or bullets.

A porous military network deployed on the battlefield, for example, 
could allow the enemy to inject misleading information about the 
location of allied and enemy forces, leading to friendly fire 
casualties or an enemy ambush, said U.S. Army Lt. Col. Daniel 
Ragsdale, assistant professor of computer science at the U.S. Military 
Academy at West Point, and co-founder of the exercise.

"We are so highly dependent on information technology that if we don't 
do the hard work we're doing here, that could soon become a real 
Achilles heel for us," Ragsdale said. "A network compromise in the 
battlefield means we could be fed bad information, which could easily 
cost lives."

Thus the cyber defense program was born to challenge the notion that 
cyberattacks are an annoying but non-lethal threat to U.S. forces. 
Begun at West Point in the late 1990s, the training program took off 
in 2000 when the NSA sent computer scientist Wayne Schepens to the 
academy. Schepens offered the services of the NSA's own computer 
security experts, who regularly probe the Defense Department's 
networks for security holes.

The program is specifically a product of the service academies and the 
NSA, and is not part of any Pentagon computer security of 
cyber-warfare effort.

The excercises are, however, "a microcosm of what's going on in our 
military overall today," said John Arquilla, associate professor at 
the Naval Postgraduate School. 

"Our military relies on advanced communications and technology to know 
where the enemy is, and the destruction or disruption of that flow of 
information can cripple them," he said. "The information technologies 
that make us so strong are also our biggest weaknesses."

This year's exercise took place on closed "virtual private networks," 
rather than on the Internet. Teams of eight to several dozen students 
-- mostly computer science majors -- defended their systems against 
the NSA hackers from Monday morning to Thursday afternoon. The teams 
were based at their respective military academies, while the "hackers" 
operated from NSA headquarters at Fort Meade, Md. West Point and the 
Air Force Academy competed in the first exercise in 2001. The Naval 
and Coast Guard academies joined last year, and the Merchant Marine 
Academy joined this year.

As with golf, the winner is the team with the least number of points. 
Earning points is bad, because it means the enemy was able to bring 
down part of the network or corrupt its contents.

"What you have here is an exercise in battlefield conditions, where 
teams were assessed points for any sustained damage to their systems, 
with each point considered equal to a loss of life," said Bradford 
Willke of the government-funded CERT Coordinating Center at 
Pittsburgh's Carnegie Mellon University, which provided the referees 
for this year's exercise.


Technological Curveballs

Computer security experts know that the battle against hackers never 
ends. To shake things up this year, the NSA changed the ground rules, 
adding new twists like insider threats and "injection attacks," where, 
for example, teams are asked to shut down the machine running their 
database and e-mail servers and find other ways to provide those 
services within a given amount of time.

Such tactics force even the most well prepared teams to improvise and 
innovate under unforeseen, high-pressure situations, said Midshipman 
1st Class Jessie Grove, the leader of the Naval Academy team.

"Our network went from this big beautiful, complex, super-secure 
system to something we were fixing on the fly and hoping we could just 
make work," she said.

On Wednesday, the NSA told the teams to disable their firewalls for 
several hours at a time. The request came after a period of relatively 
little activity from the hackers, which led Midshipman Trevor 
Baumgartner to boast that the Navy group's defense technologies had 
stymied the NSA hackers.

"I thought we were going to be fixing things left and right nonstop, 
but [it] seems like they just got tired of trying to hit us," 
Baumgartner said.

Thomas Hendricks, a visiting NSA professor at the Naval Academy, 
chuckled at the notion that the NSA team used the firewall exercise as 
a last resort. The loss of the firewall, he said, exposed an unsecured 
administrative account on the Navy's network, allowing the NSA to 
wreak havoc.

"They were taught -- though I'm not sure how much they listened -- to 
protect as many layers of the network as possible," Hendricks said. 
"This part of the exercise was designed to see how many layers of 
protection they had in place."

Some in the Navy group also suspected that the hackers tried to use 
social engineering to gain access to privileged information. That is, 
instead of relying on their knowledge of computers, they tried to con 
their way in.

Midshipman Jason Kolligs said he got a telephone call Thursday morning 
from someone claiming to be a "white cell" member at the Coast Guard 
team. The caller asked him to send an e-mail to test their message 
server, but Kolligs and his teammates refused after agreeing that 
something about the call didn't seem quite right.

"I just told the guy on the other end of the phone that our mail 
server was down, too," said Kolligs.


Tomorrow's Online Defenders

This year's winning team won't be announced until later this week, but 
Willke said that all of the teams exceeded expectations. "From the 
folks at [CERT], I was told that the team that finishes last this year 
would have won the competition hands down last year," he said.

The Coast Guard and Merchant Marine academies are the presumptive 
underdogs because they do not have information security or computer 
science study programs. The Coast Guard team members are electrical 
engineering majors, and the majority of the Merchant Marine students 
are majoring in subjects like maritime business and marine 
transportation.

Shashi Shah, the Merchant Marine Academy team's director, said he has 
been "blown away" by the dedication of his 13-man team, which prepared 
for the exercise by attending four days of weekend classes on 
information assurance -- on top of their course load. They also set up 
metal cots in the school's computer room to have at least one 
midshipman manning the battle stations at any time, Shah said.

"I must say I am touched by dedication and devotion of midshipmen who 
took part in this exercise, and I know each one of them has learned 
far more than they expected," he said.

Many of the program's participants said that they think the training 
will help them once they are serving on active duty. Erik Sarson, 22 , 
West Point senior cadet from Latrobe, Pa., said he is going into the 
armored branch, "but I'll be an important asset no matter where they 
place me because the Army is becoming more digitized every day."

After the exercise ended, a handful of midshipmen from the Navy team 
gathered around an xBox video game console to compete in the 
first-person futuristic combat game "Halo." Baumgartner and others 
said they felt confident they had kept their attackers at bay.

But outside the war room, Hendricks sounded a note of caution, saying 
the team may not have spotted all of the NSA's attacks.

"A lot of these schools got a false sense of success last year and 
left the exercise thinking they had beat the red team. But it was 
pretty bad because the red teams were hardly trying," he said. "This 
year, I think most of the schools may have gotten beat up quite a 
bit."


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.