The clock is ticking. Hackers have invaded the system and it’s going down piece by piece. They’ve just lost another one and the attack keeps on coming. Eight people both huddled together and glued to their screens are racing to keep these critical systems, systems charged under their care, up for as long as they can.
The Collegiate Cyber Defense Challenge, CCDC, is a simulated battle, but the pressure participant’s face is real. Red-hat hackers, professional cybersecurity experts who break into systems for a living, volunteer to participate in the competition against teams of college students whose mission it is to defend against the invasion. It’s a scenario that cybersecurity experts are expected to be able to face in real-life, and the real-time experience of working together to try to protect a system as it’s being invaded doesn’t feel all that simulated in the moment.
Capitol has participated in the Mid-Atlantic region’s CCDC competition every year since its inception. Walking into the cyber battle lab the evening of the competition, there was a hum of urgency in the air. Screens were up, charts were bouncing back and forth, the countdown clock was racing, but the students weren’t shouting. They spoke in low calm voices, with their team captain, Jacob Rush occasionally getting up from his seat and walking around to check on everyone. They even sometimes laughed at one another from across a table stacked with at least two dozen water bottles. They knew who they were facing, but there was never any panic as I watched the chart that indicated each team’s standing move up for Capitol’s cyber warriors.
I asked Professor Rick Hansen, the CCDC team coach, how our team managed to remain so calm. “There are different roles on the team,” said Professor Hansen, “Jacob Rush is the team captain, and we have everyone split between Windows servers and Linux/Unix systems. They’ve got all these problems to solve, the judge is monitoring the situation, and as the coach I’m not allowed to touch anything. They've practiced their skills and are doing best that they can.”
“It’s a big challenge,” he continued, “especially for a small school like Capitol. We’re competing against some of the big schools like University of Maryland. If you think about the resources they have available versus what we have, there isn’t a comparison. The thing is though, you could have four people who knew what they were doing stone cold and they would beat eight people who didn’t. Our people, you can hear them, they’re very quiet, no one is screaming, they’re professional. We’ve got professional grade students.”
Team captain, Jacob Rush, says his team has been practicing for months to get ready. “We’ve put in a lot of hours and done a ton of work. We’re really excited about it.”
“They’ve been practicing defense and setting up systems,” says Hansen. “We set up what’s called a virtual machine. You take a computer, you set aside a piece of memory, and you lie to it. You tell the memory that it is its own separate machine. The students load Windows or Linux or Unix in there and they practice configuring and defending it.”
The professionals they’re up against are the real-deal. Capitol’s chair of cybersecurity, Dr. William Butler, said of the challenge, “If they really wanted to, the red-hats are good enough they could probably crush us in five minutes…The good thing about this competition though, is that they have a debriefing at the end where they actually talk to you and say, hey Capitol I was the guy attacking you and here’s what I did. They tell them how they got around you, which weaknesses they exploited, and this is why it works, this is how you fix it.”
The Mid-Atlantic CCDC competition is sponsored by the International Science Foundation in combination with supporting organizations like Raytheon and the NSA. It’s a fantastic learning experience for the students participating, and pushes them one step closer towards a professional career in cybersecurity. Making it to the next stage of the competition is extremely challenging, especially in the Mid-Atlantic region. For the last two years, the national champions have come out of our region.
The top eight teams from the first round move to the finals. This year Capitol placed 12th out of 38 competitors. It was a heartbreak to the team, but they are already planning for next year. They are analyzing where they could have done better and found one area that prevented them from reaching the finals. In two weeks they will be practicing for another competition and applying these lessons.
Why are competitions like this so important? Professor Hansen says it’s all about training the next generation, “Having cyber professionals in your business really is essential because even if someone isn’t breaking into your systems all the time, when you are attacked it’s like trying to catch a mouse without a cat. You know the mouse is somewhere in the house, but you don’t know where and you don’t have the instincts to route it out. When you’re talking about someone potentially turning infrastructure critical to your operations into their personal playground, you just can’t afford not to have a cat.”