The fourth annual Cyber Defense Exercise (CDX) was held on April 19-23, 2004. The U.S. Merchant Marine Academy was the surprise winner, receiving the Information Assurance Director's Trophy. With a total enrollment of about 800 students, the Merchant Marine Academy doesn't even have a computer science major. The Naval Academy at Annapolis, in contrast, has over 1200 naval midshipmen for their 2006 class alone. The Air Force Academy finished second, followed by West Point, the Coast Guard Academy, and the Naval Academy. The Air Force Academy (last year's winner) and West Point (winners in the two previous years) were the favorites with both institutions having strong computer departments. West Point also has a bit of institutional pride at stake since the idea for CDX was developed and championed there as part of their Information Assurance program.
The Merchies success in the computer security exercise can be traced to two factors. West Point and the USMMA have a close relationship and the two organizations have worked together over the past three years, with West Point instructors teaching computer classes at USMMA. In addition, the Merchant Marine cadets are highly motivated with several "very dedicated" individuals driven to show up their better-known peers. Call it the "Avis We try Harder" factor.
CDX originated over beers and bragging down at Texas A&M between Army and Air Force personnel as to who had the better cadets and developed into a formalized event by 2001, due in large part to the efforts of West Point instructors and the NSA. Each participating military academy is tasked with putting and keeping on line a set of Internet services on a network, including e-mail, a database, and on-line chat room. NSA organizes the event and provides a Red Team to attack and crash services, as well as operating a secure VPN (Virtual Private Netwotk) to connect the academies for the exercise. In the past, aggressors have come from NSA in-house personnel, the Air Force's 92nd Aggressor Squadron, and the Army's 1st Information Operations Command (Land). With the large number and increasing dependence of the military upon computer networks, a defense-based exercise was the most realistic and practical (as well as palatable, since the rules of use and engagement for offensive cyberwar are in legally murky waters). Since literally thousands of attacks per day are targeted against U.S. military web sites, participants are likely to apply lessons learned through the CDX at the first job posting.
CDX also gives Red Cell members the opportunity to practice their skills against highly motivated defenders. Red Cell uses established and known security holes to mount attacks; no classified "Zero-Day Exploits" are permitted. Social engineering is also not permitted, but cadets are quite paranoid that it might occur in spite of the stated prohibition.
Defenders cannot attack other participants' networks. They are free to build any sort of network architecture they wish and hardware/software mix, but services must remain up and stay up during the duration of the exercise, just as it would be necessary to keep services up in case of a real war. Unplugging the network to secure it from attack is not permitted either. To make life more interesting, an "orange box" representing a coalition partner network was placed within each network to simulate an insider threat.
In the future, the Information Assurance evangelists at West Point would like to see CDX evolve into a national exercise with participants from public universities involved in a NCAA-like tournament. They believe that the competition would lead to more experienced and better-trained security practices that would filter into both the government and commercial sectors.
In past years, the academies have had an "open door" policy to the press, but the Naval Academy chose to close its doors this year. West Point, seemingly having nothing to hide, was more than happy to accommodate observers. Doug Mohney
