During a winter weekend in Pittsburgh, more than 50 cadets and midshipmen from three service academies sat elbow to elbow at nine round tables in a packed room. They’d been training since November to compete in a pilot program of the Defense Advanced Research Projects Agency called the Service Academy Cyber Stakes.
Competitors at the Jan. 30-Feb. 2 event ranged from freshmen to seniors, 18 to 24 years old, from the U.S. Military Academy in West Point, N.Y., the U.S. Naval Academy in Annapolis, Md., and the U.S. Air Force Academy in Colorado Springs, Colo.
DARPA officials said the Defense Department must train 4,000 cybersecurity experts by 2017. Meeting that goal requires building a pipeline for training and education, especially for future officers who will oversee protection of the cyber domain. DARPA had two requirements for the competition: impact to the warfighter and innovation.
Leading the competition was DARPA Program Manager Dr. Daniel “Rags” Ragsdale, a retired Army colonel who served for more than a decade at West Point and whose research interests include computer network operations, cyber deception and cybersecurity education and training.
Two world-class experts helped to train the teams: David Brumley, technical director of CyLab, Carnegie Mellon University’s campuswide collaborative cybersecurity organization in Pittsburgh, and Dan Guido, CEO at Trail of Bits engineering and hacker in residence at New York University Polytechnic School of Engineering.
Brumley is a founding member of the Plaid Parliament of Pwning, a CMU cybersecurity team ranked No. 1 overall in world-competition hacking and winner of the DefCon 2013 Capture-the-Flag cybersecurity tournament.
Guido proposed and developed a centralized threat-intelligence function for the Federal Reserve System. Also for the Federal Reserve, he formed a team that used its expert knowledge of attacks in the wild to develop sophisticated enterprise strategies to mitigate them.
During a recent DARPA teleconference with media members, Ragsdale said the competition arose because DARPA Director Dr. Arati Prabhakar had expressed interest a year earlier in engaging more directly with the DOD service academies.
“Our primary thrust, because all the service academies are going to produce junior officers upon graduation, is to help [the graduates] develop skill sets necessary to be effective cyber warriors,” the program manager explained.
An effective cyber warrior must protect and defend the system using a full-spectrum approach, Ragsdale added, and then expanded on the meaning of full spectrum.
“We fundamentally believe that you have to understand at a deep technical level the approaches, methods and techniques that adversaries take in trying to subvert the security of our systems,” he said.
This involves skills such as reverse engineering binary, or machine-readable, files, Ragsdale said, and finding source-code-level vulnerabilities that could be exploited, both through software source-level analysis and with automated tools that perform functions such as fuzzing, the informal name for automatic bug finding.
Cyber warriors also must be able to identify potentially exploitable vulnerabilities in binaries that adversaries can and often do exploit, he added. They also must understand the many ways cryptography is implemented across the infrastructure and identify the approaches adversaries may use to try to subvert crypto system security.
The competition consisted of five events leading up to a full-spectrum capture-the-flag live exercise, Ragsdale said, adding, “They were given the same infrastructure to defend while simultaneously attacking their adversaries.”
In one of the five events, he said, the competitors were given a large-scale collection of Linux binaries and challenged to find vulnerabilities across the distribution. Ragsdale said an amazing outcome was that the first-place team identified more than 100 new bugs. Between them, the second- and third-place teams found 83 more new bugs.
“The bugs are not necessarily exploitable vulnerabilities,” Ragsdale said, “but they do indicate a bug that needs to be addressed by the open-source community.”
Other events among the five included a race to identify and create an exploitable vulnerability in a binary file, a cracking-crypto challenge, a reverse-engineering challenge and a lock-picking challenge — a traditional event at cyber gatherings.
As for the winners, Ragsdale said, “it was kind of Olympics-style, where over the course of the six events, gold and silver medals were awarded to 18 different individuals in teams over the weekend, and we felt that absolutely met our purposes.”
About the candidates themselves, he said, “they outperformed our expectations.”
Ragsdale added, “I felt like I had a pretty good working understanding of the knowledge they would bring to bear by virtue of the fact that a little over two years ago I was in that environment. … So I had a good idea what was going on at West Point.”
He’d also visited the Air Force and Naval academies while he was still in uniform and after he’d joined DARPA in 2011, “so on the whole,” Ragsdale said, “I felt like going in we had a decent understanding” of student capabilities.
But still, there were surprises, he said.
The cadets and midshipmen were competitive and motivated to win, the program manager said, “but because they were in such close proximity, one of the amazing things was that the event turned into a team-building exercise across this community of future cyber warriors.”
The competitors were operating elbow to elbow in the competitive events, he added, “and there was a lot of sharing of information and friendships that developed, and I think all of them at least in part acknowledged that … in a very short period of time they were going to find themselves in cyber units operating side by side.”
Ragsdale said he expected to see only juniors and seniors on the teams, but freshmen and sophomores also joined the competition. And some students lacked lower-level skills that might have helped them prepare for the competition.
The service academies wouldn’t necessarily have lots of courses appropriate to computer science majors, he said, “but there were a few instances where we were a little surprised, like the ability to do shell scripting, for example.”
“It’s kind of a block-and-tackle kind of technique that some of the cadets and midshipmen didn’t have and didn’t have to have,” he said. “But I’m certain the teams they send next year will have much more well-refined skills, because now they know.”
What’s next for the competition depends on several things, Ragsdale said. “The director approved this as a one-year pilot and, as with any pilot, a variety of things could result,” he added.
Ragsdale said his team is likely to recommend to Prabhakar some continuation of DARPA’s involvement, but that will have to compete with DARPA’s other priorities. The team also intends to reach out to Army and DOD units and other organizations to investigate sponsorships for future competitions.
At the academies themselves, Ragsdale said, all three schools now have competitive cyber teams and all are beginning to put stronger academic focus on cyber majors or cyber topics in various majors.
“We’re certainly not the first [developer of] cyber exercises. I was involved in developing a cyber defense exercise way back in the 2000 timeframe that is a defensively oriented, winner-take-all exercise among the service academies that continues to this day,” Ragsdale said.
“We wanted to bring in a different approach involving looking at it from a more full-spectrum capability,” he added, “so what eventually developed is a series of training opportunities onsite and online … culminating in a very amazing and very uplifting competitive exercise.”