Students Compete to Mount Best Defense Against Malicious Hackers

Article tools

Printer friendly	E-mail article	Subscribe	Order reprints
	Discuss any Chronicle article in our forums
Latest Headlines U. of Delaware Approves New Diversity Discussions for Students The new, voluntary program will replace one tossed out last fall after coming under criticism as "thought reform." In Tight Employment Market, Career Services Gain Clout Borrowers' Uncertainty Has Colleges in Quandary How It Does It: The RIAA Explains How It Catches Alleged Music Pirates State High-School Exit Tests Do Not Improve Academic Achievement, Study Finds Commentary Business Students Should Learn More About Science

By ROBIN MEJIA

Brandon Hladysh's business was in trouble. Mr. Hladysh, a junior at Baker College of Flint, in southern Michigan, was supposed to be managing the computer network of a small company, but hackers had attacked, and several of his computer servers were down. In a battle with unseen enemies on the network, Mr. Hladysh and his colleagues thought they were losing.

It was scant consolation that the struggle wasn't real. It was the end of the first day of the National Collegiate Cyber Defense Competition, held last month in San Antonio.

The Baker College group was one of 56 teams that had entered state and regional contests this spring. "It's sort of like March Madness, but with computers," said the competition's director, Dwayne E. Williams, an assistant director of the Center for Information Assurance and Security, at the University of Texas at San Antonio. The top six, including Mr. Hladysh's team, had been flown to San Antonio for the national finals, with tickets paid for largely by a grant from the Department of Homeland Security.

The need for colleges to graduate students who understand computer security is growing. The Internet Crime Complaint Center, a partnership of the FBI; the National White Collar Crime Center; and the Bureau of Justice Assistance, in the Department of Justice, reported more than 90,000 crimes in 2007, with reported financial losses of almost $240-million. The goal of the competition is to increase interest in computer security and improve training for network defenders.

Each team was given a fictional business network created by the contest organizers. Over the next three days, the teams had to defend their networks from a set of elite hackers — in reality, eight security professionals. At the same time, organizers peppered the students with requests to expand the network and add new business capabilities.

Emphasis on 'Defense'

The competition reflects a shift in computer-security education. Efforts to give students experience with techniques they read about in books have usually met with resistance. In fact, practical training has been seen as dangerous.

For example, in 2002, Gregory B. White, an associate professor of computer science at San Antonio, put together a course on penetration testing, in which students would look for ways an attacker could penetrate, or break into, a network. Computer-security professionals conduct such tests in order to improve network security. But Mr. White says he faced criticism that the tools and techniques he was teaching students could be used to attack as well as defend a network.

So in 2005, when he decided to start a regional computer-security competition — the precursor to last month's national contest — Mr. White was not surprised by some of the responses. "We had a lot of folks worrying that it would look like we were creating a hacking contest," he says. It's no accident that the competition has the word "defense" in its title.

The idea was endorsed by a panel convened by the National Science Foundation the year before, so Mr. White pressed ahead.

In the contest, students are allowed to scan their own networks for vulnerabilities, but if they start poking at another team's networks, they will be disqualified.

The U.S. military academies sponsor a similar defensive contest, the Cyber Defense Exercise, or CDX, which Mr. White looked to as a model.

Not all competitions require students to be on such good behavior, however. Giovanni Vigna, an associate professor of computer science at the University of California at Santa Barbara, runs a security contest each December. A team of his graduate students is pitted against teams from across the United States, Europe, Australia, and South America in a competition that could be thought of as an ultimate fighting match waged on keyboards. Playing over a private network, each of the 30-odd competing teams attacks the others and attempts to defend its own network.

"The students love it. They say, wow, instead of being there doing some boring test, here I am hacking," says Mr. Vigna, who just received a $200,000 grant from the National Science Foundation to expand the competition. "Even if they're getting hacked to pieces, if they hack into one thing, they are so excited."

Most important, he says, the contest is a valuable teaching tool for aspiring security professionals, who must understand precisely how attacks work, and how to think like an attacker, if they are going to be effective defenders.

The Tavern Challenge

But other academics see risks in Mr. Vigna's approach to contests. "I don't disagree with him. I like Giovanni," says Lt. Col. Ronald C. Dodge, an associate dean at the U.S. Military Academy who leads the CDX. But unlike Mr. Vigna's graduate students, he notes, those at West Point are undergraduates training to be infantry officers. While some might eventually specialize in computer security, he says, "what we didn't want to have was the perception that the service academies were training hackers."

San Antonio's Mr. White and Mr. Williams, too, say their students get enough practical training, and excitement, just playing defense.

Mr. Hladysh, the Baker College competitor, says the weekend in San Antonio pushed him and his teammates to a new level. At the end of that difficult first day, they had failed at the first two technical and business tasks the contest had set. And there were those downed servers. So he called a team meeting at a local pub called Tex's Sports Bar.

"After quite a few hours down at the bar, we came up with a long list of solutions" that they tried out as soon as they walked in the door the next morning," he says. By the end of the weekend, the Baker team had bested the previous year's returning champions, a team from Texas A&M University at College Station.

A day later, Mr. Hladysh still sounded surprised by the victory: "Our team isn't just folks who get full-ride scholarships or have 4.0 GPA's." If they were, he said, they would probably be at a computer-science powerhouse like the University of Michigan. What they did have was a will to win. "Our team is just really dedicated," Mr. Hladysh said.