Military Academies Look to Fill Nation’s Cybersecurity Gaps
The Defense Department is under constant attack from hackers, and officials said they need to do a better job of recruiting Internet security experts to stop them.
The military academies, for their part, have been churning out potential “cyberwarriors” for years. Though their numbers aren’t staggering, these potential computer gurus often find themselves whisked away after graduation into positions outside the cybersecurity field. The challenge is coming up with a plan to put these young men and women in pertinent roles when they enter their respective services, officials at the military academies said.
“We’ve been doing this longer than the Army has thought it important,” said Lt. Col. David Raymond, who teaches a senior cybersecurity capstone course at the U.S. Military Academy at West Point, N.Y.
About 30 information technology, computer science and electrical engineering majors take the course each year. “But very few of these guys go into cybersecurity positions,” Raymond said. “The Army is just now trying to figure out what the right career path is for someone who graduates with a cybersecurity focus.”
Most of these West Point graduates go into tactical signal work in infantry or armor battalions and may only later in their careers find themselves with an opportunity to work at U.S. Cyber Command or at the National Security Agency.
“That may be changing in the near future,” Raymond said. Officials at Army Cyber Command are investigating if there should be a branch or functional area that allows the service to take a newly minted lieutenant with a suitable background and place him in a cybersecurity role immediately, he explained.
Like West Point, the other academies recognize the sea change and are putting increased focus on their network security curriculum, both for these specialists and for the rest of the students who pass through their doors. All eyes are on the U.S. Naval Academy’s efforts to require every midshipman to study cybersecurity.
The Naval Academy, in Annapolis, Md., has created a Center for Cyber Security Studies and instituted mandatory network defense courses in an attempt to prepare new recruits for Internet warfare. The first class, Cyber 1, covers the basics and is being taught to about 1,300 students this year.
The Navy is in dire need of security experts as it must not only protect computer systems ashore but also each ship’s self-contained network and an intranet shared with the Marine Corps.
Midshipmen are finding out that in order to be good stewards of cyberspace, they must also know what it means to be bad.
From a classroom on their Annapolis campus, a group of freshmen “plebes” and their professor recently sniffed out open computer ports around the world to take control of webcams, moving them around and peering into the lives of strangers thousands of miles away.
Far from a primer on voyeurism, these students were being taught a lesson about the dangers of the Internet and how keeping a port open is like leaving a backdoor unlocked for a burglar.
If they want to learn how to protect critical networks, these future sailors and Marines have to know what it takes to bring them down, said their instructor Navy Capt. Steven “Doc” Simon.
Webcam experiment aside, students are shown how to perform offensive and defensive actions in virtual networks that do not connect to the actual Internet.
National Defense sat in on a recent class during which the plebes worked together to create wireless networks on their issued laptops only to have Simon and his assistant, Ensign Justin Monroe, break into them, steal critical information and display it for all to see. The students were forced to go back and add encryption to their wireless access points.
The ease with which hackers can attack networks and capture information surprised Midshipman 4th Class Gavyn Gonzales.
“I always thought it was some genius kid in the basement or more sophisticated procedures, but it’s actually pretty easy,” he said. “I’ve seen the attacks that we’ve studied. They were just someone being careless and an attacker taking advantage of that.”
Gonzales said that he didn’t know much about computers before the Cyber 1 class. That’s typical for the so-called “Computer Generation” entering the academies, officials said.
Simon’s students, whose average age is 19, can use almost any gadget thrown at them but are only now beginning to understand how the Internet works.
“These kids grew up with [smartphones] and computers in their houses. One school of thought says we aren’t going to be able to teach these kids anything, because they know it all already,” Simon said. “What we came to find out was these guys are outstanding computer users. They know Facebook, they know Google, they can do stuff with their phones . . . But they don’t really know, with the exception of a very small number, what’s going on behind the curtain.”
Each of Simon’s classes begins with a presentation by a midshipman about a recent real-world hacking incident. Students also attend lectures by the likes of U.S. Cyber Command chief Army Gen. Keith Alexander and former director of both the NSA and the CIA, retired Air Force Gen. Michael Hayden.
These talks are hosted by the academy’s Center for Cyber Security Studies, which Simon oversees. The center is not an academic department, but rather an independent effort that seeks to inject some level of network security education into all aspects of life on the campus.
The other academies also offer opportunities for any student to become immersed in Internet operations. The Air Force Academy at Colorado Springs, Colo., began offering eight days of hands-on training last summer. This year, more than 80 cadets between their freshman and sophomore years graduated from the “Basic Cyber” course. Officials expect more than 180 to attend next summer, said Col. David Gibson, head of the computer science department.
The academies also hook students up with internships at NSA, U.S. Cyber Command and even Google. Other extracurricular activities allow them to cross over to the dark side a little.
West Point cadets attend hacker conventions such as DEFCON and ShmooCon. Students in their free time also take part in an organization that exposes them to hacking tricks and the art of preventing such activity. The mission of this Special Interest Group on Security, Audit and Control (SIGSAC) club is to “develop information security professionals from within the Cadet Corps by hosting a variety of competitions, speakers and challenges,” according to its website.
“I think everybody is afraid to use the Internet now,” a SIGSAC member wrote afterwards on the group’s website. “We are scared.”
The Air Force Academy’s Cyberwarfare Club has its own training range with nearly 50 workstations. There are more than 100 people on the email list for the club, which is open to all cadets who want to experiment with tools and viruses on virtual networks safely separated from legitimate ones.
The academies send teams to a variety of competitions, where they face off against each other. Navy midshipmen last year won the NSA’s Cyber Defense Exercise, which also featured teams from the Air Force Academy, West Point, Stanford University and the Massachusetts Institute of Technology. The competition required the teams to build networks and set firewalls that were then attacked by NSA personnel. The groups were graded on how long it took NSA to bring down their networks.
By establishing the new core curriculum and cybersecurity center, the Naval Academy aims to double the number of computer science and IT majors at the school, which currently graduates 20 to 25 in each area of study annually. The numbers are similar at the other academies, where officials say they are watching the Navy’s efforts closely.
But cybersecurity activities have piqued the interest of students in other majors, too. The Army SIGSAC club, for instance, has 300 registered members, way more than the number of computer science and IT majors at West Point combined.
The focus on cybersecurity seems to be paying off in the form of students such as Navy Midshipman 4th Class Corbin Steele, who recently taught himself a computer programming language. He also has been inspired to research routing and encryption systems in an attempt to understand exactly how information travels from computer to computer.
Most of the Naval Academy’s graduates will go on to be pilots or operators of submarines and ships, Simon said. But Steele is one of those students who intends to use his math and computer skills to defend the Navy from the increasingly complex Internet attacks he is learning about in class. Given all of the hoopla about cybersecurity in recent years, Steele was shocked to discover that hackers are not being deterred.
“It’s an active battle front,” he said. “The line is shifting both ways. We make progress and they make progress. It’s a dynamic battle, not just something we’re slowly winning.”
Officials are currently writing the curriculum for the Naval Academy’s mandatory Cyber 2 course, which will delve deeper into the technical “magic” behind computers and policy issues, Simon said. The academy will offer electives that cover even more advanced concepts. Officials are pushing to have both the core courses taught in ROTC programs at other universities throughout the country.
Curriculum for a cybersecurity class must constantly evolve to keep pace with the amorphous threats on the Internet.
“We are in a field of constant change,” said Martin C. Carlisle, professor and deputy for academics in the Air Force Academy’s computer science department. “It’s not like teaching calculus. We’re constantly revising the curriculum.”
Educational efforts like these will help the government fill crucial network defense positions, officials said. They also will assist those who go on to traditional positions in the services. At West Point, a good portion of juniors take a core IT course that shows them the networks they will operate within on the battlefield and the different systems they will see, such as blue-force trackers and those in their tactical vehicles.
“Wherever they go they are going to be using IT systems and need to be comfortable with those systems and be able to problem solve with them,” Raymond said.
Simon agreed. Regardless of whether the plebes in his classes become computer experts, they will always benefit from having a solid understanding of cyberspace, he said.
“It doesn’t matter if they’re crawling through a desert, standing watch on a ship or flying an airplane,” Simon said. This knowledge will allow them to make the right decisions.
That is why he shows them how to hack into a message board, right along with how to close security gaps on their self-created networks. It is also why Simon wants to introduce his students to real-world hackers — those that have gone legit, of course.
“Remember, I’m teaching computer defense,” Simon said. “We’re not training 1,300 hackers to turn out into the world. That is not our goal. That is not our policy here.”
But do the Naval Academy’s best and brightest have what it takes to hack into sophisticated systems and bring down networks? Probably, Simon said. Though he is quick to cite an honor code that forbids them to go back to their dorms at night and try.