LAUREL, Md. -- As a major winter storm lashes Maryland, causing “catastrophic damage,” a group of malevolent hackers decides to compound the chaos by attacking the emergency management computer infrastructure. The “black hat” operation is largely successful, disrupting the disaster response and, in one case, switching an order for emergency bedding supplies to an order of toy animals.
Fortunately, the simultaneous blizzard and cyberattack were not real. They were created by the organizers of a collegiate competition held at the Johns Hopkins University Applied Physics Laboratory last week intended to test the wits and reflexes of what they hope will be the next generation of government and corporate cybersecurity professionals.
“The competition is like drinking from a fire hose, while being beaten,” one of the students, Hannah Kirse said with a laugh after the adrenaline-fueled simulation, which ran from Thursday through Saturday. “You know, it’s so overwhelming. You have your systems breaking, you’re trying to manage so many different things at one time. It’s definitely a stressful environment.”
The contest, dubbed Operation Cyber Blizzard, pitted eight teams from mid-Atlantic colleges against one another. Adding to the mayhem in what is officially known as the Mid-Atlantic Collegiate Cyber Defense Competition, was a “Red Team” of cyberattackers -- cybersecurity professionals playing the roles of hackers for a transnational terrorist group aiming to exploit the disaster and undermine U.S. national security.
Attracting young computer wizards to government and corporate service is a growing concern for both sectors, given the now lengthy series of successful network incursions by government-sponsored and freelance hackers. And recent disclosures by Edward Snowden of the U.S. government’s extensive electronic spying operations have only added to those concerns by damaging the reputations of agencies like the National Security Agency and the CIA.
Dickie George, the senior adviser for cybersecurity at Johns Hopkins APL who previously worked for NSA for 41 years, said the U.S. needs young people like those in the competition to become “cyberwarriors” for the nation.
“It’s so important to this country that the young people understand the cyberthreat and are ready to help protect the nation,” George said. “Forty years ago it was a nuclear weapon, that had a very limited number of people who could wield that kind of power. Today when it’s cyber, anybody can.”
George also said NSA officials tell him that Snowden, the former NSA contractor whose disclosures of U.S. intelligence-gathering practices have sent shockwaves throughout the U.S. intelligence and cybersecurity communities, hasn’t had the impact on recruiting that some might suppose.
“I wish more people could see how excited and how talented this next generation of students is,” George said. “The things they do and the abilities they have are really phenomenal. “
If that enthusiasm can be measured by effort, the student competitors who spent countless hours hunched over their laptops in the competition sponsored by the National CyberWatch Center at Prince George's Community College certainly passed the test.
Protect the network, fend off attacks
Each team was responsible for setting up a network of emergency first responders during the disaster, as well as collecting and reporting to a management center all incoming data, including information about the identities and skills of responders, emergency aid assets and deliveries.
They had to do this while simultaneously defending their network, consisting of various servers and systems, from the Red Team hackers, who made it clear from the outset that they were taking no prisoners.
“The red cells are going to get in, they’re going to hurt you,” the Red Team’s leader warned on the first day.
Over the course of the competition, the Red Team made good on the threat. The hackers managed to access and disrupt each team’s network to some degree, including accessing their supposedly secure passwords and stealing and modifying data.
Helping to further elevate the students’ blood pressure was Dr. Costis Toregas, associate director of the Cyber Security Policy and Research Center at the George Washington University, who played the role of a harried and politically motivated county executive.
Sitting at a desk on an auditorium stage, he demanded information about emergency management efforts during the blizzard scenario in briefings with each team, grilling and berating the captains about their progress and failures.
“We have failed to secure the systems properly,” one team captain admitted, shoulders slumped.
“The news you are bringing me is not very helpful at all,” replied Toregas, shaking his head.
“We needed to have more time,” pleaded another captain.
“You have got to do better,” Toregas insisted.
Afterward, the students said the exercise was intense and realistic.
“It’s like a puzzle to solve,” said Kirse, 22, a senior with a double major in computer science and math at Liberty University in Lynchburg, Va., who served as the captain of the school’s team. “You know, we’re getting in the minds of the hackers, learning how they work.”
“These are the things we need to be aware of and the changes we need to make to our own systems,” said Eileen Hindmon, 39, captain of a team from Radford University in Virginia. “Because this will happen. This scenario will happen. It’s just a matter of when.”
“And we’ll be the ones dealing with it,” she added.
Casey O’Brien, director of National CyberWatch Center at Prince George’s Community College, the competition’s lead sponsor, said the intensity was by design, as the competition was created with the idea of providing students with a “pants on fire” experience.
“The competition is designed with a lot of unrealistic expectations, unrealistic time frames for deliverables,” he said. “It requires them to make decisions with either ambiguous or competing sets of information and they’re under constant attack."
Cybersecurity professionals told NBC News such simulations are critical because they prepare students for the real world at a time when there are too few qualified professionals to counter existing threats -– let alone those to come.
“There’s an issue with having available workforce in this field in this country,” said Lewis Lightner, the competition’s director. “These are students who are preparing for a career in that field and actually in most cases, this is their first experience.”
Paul Joyal, managing director for the Public Safety and Homeland Security Sector of the consulting firm NSI and a member of the National Cyberwatch Center’s leadership team, said the competition “is trying to provide a path for students to get access to practical skills sets -– such as how do you secure a network, a router. These practical experiences have great value.”
The competition, now in its ninth year, was the brainchild of cybersecurity professionals and academics, but it enjoys considerable support from the U.S. government, the U.S. military and military contractors, who use it to observe and recruit.
The Maryland Defense Force, the Maryland Army National Guard and the U.S. Navy all were on hand to support the competition and conduct their own training in computer network defenses.
Other sponsors had recruiting tables, including the Department of Homeland Security, the FBI, the U.S. Army, the U.S. Navy, Booz Allen Hamilton, Northrop Grumman, Raytheon, Goldman Sachs, and Johns Hopkins APL.
"It is a real-word scenario. It could happen."
The National Security Agency, NSA, was represented at a table covered with job opportunity literature and NSA promotional magnetic logos.
The FBI's senior representative to the U.S. Cyber Command and NSA, Gordon Johnson, also attended and addressed the teams on the first day.
“It is a real-word scenario. It could happen,” Johnson said. “I think they picked a really good way to challenge you all.”
At the end of the competition, Red Team hackers took to the stage to explain how they wreaked havoc on the students’ teams, teaching them what to look for the next time they may face such situations.
When the scores were tallied, the team from Towson University in Towson, Md., was the winner. It will compete in the national competition April 25-27 in San Antonio, Texas.
Kirse’s Liberty University team was second. Will what she learned during Operation Cyber Blizzard help her defend the nation’s cyber infrastructure in the future?
“Oh definitely, absolutely,” Kirse said. “I mean, just this experience really kind of makes you realize that sometimes you miss the basic things – and that is where the hackers get in, that’s where they exploit you.”
“This was an incredible educational experience,” said Matthew Mickel, team captain of the Towson University team, during his team’s acceptance speech from the stage during the final awards ceremony.
Mickel, 32, previously an undergraduate in religion and classical studies and now a graduate student in computer science, said he wants to work for the government.
“My dream job is to do something that will utilize my skills in a way that will give service to the country, be of service to people and hopefully help people be safe.”
While Mickel’s remarks support George’s contention that the Snowden affair has not unduly influenced young computer-savvy students from seeking government cybersecurity jobs, it did deter some from expressing personal opinions about Snowden or his actions.
When a reporter approached one team with such questions, its members looked around nervously before declining to answer.
“Depending on how I answer that question,” one team member explained, on the condition that we not use his name, “it could affect whether or not I get a security clearance.”