Air Force Academy wins NSA Cyber Defense Exercise

  • Published
The National Security Agency announced today that the Air Force Academy is the winner of the agency’s 6th Annual Cyber Defense Exercise.

The exercise was conducted April 10 to 14 here, at the NSA’s Maryland headquarters and the nation’s other military service academies.

During the exercise, Maryland-based NSA network specialists and military network specialists formed the Red Cell team. Red Cell challenged cadet Blue Cell teams to defend a closed-computer network they designed, built and configured at their respective academies. The network software was pre-configured with known vulnerabilities, forcing cadet teams to diagnose and remove the vulnerabilities while maintaining their network’s e-mail, instant messaging, file sharing, Web and several other service features.

NSA and military specialists graded each team's ability to effectively maintain network services while detecting, responding to, and recovering from network security intrusions or compromises.

Red Cell teams used numerous exploitation techniques readily available on the internet, in their attempts to bring down the respective cadets’ systems, including spyware, e-mail bombardment and fake messages trying to get cadets to download malicious “patches.” Red Cell‘s greatest measure of success against the Air Force Academy cadets was making the cadets’ Web page say “We love Red Cell.”

Other service academies also fell victim to Red Cell tactics, which sometimes played on the inherent rivalries between the academies, with a little cyber "smack talk." Red Cell members hacked the West Point team’s Web site and changed it to read “Go Navy, Beat Army,” during the exercise.

But when the cyber-dust settled, NSA evaluators chose the Air Force Academy team as the winner.

“I believe one reason behind our success was a focus on fundamental security principles, rather than specific tools,” said Capt. Sean Butler, computer science instructor and officer in charge of the Academy team.

“While using advanced information security tools and techniques might buy you a little bit of an advantage at the margins, I suspect it probably costs you even more in added complexity, given inexperienced administrators," the captain said. "It's very difficult to defend a network that you don't fully understand, so our cadets spent a lot of effort making sure they all had at least a basic familiarity with all the components of our network and how they fit together. The cadets' eventual network design was a very classic, textbook secure network layout without a lot of frills, and it was obviously quite effective.”

Lessons learned during this exercise will help these cadet computer science majors after graduation, when they join a service whose mission recently expanded to include mastery of not only air and space, but also cyberspace.

“Developing such skilled young network defenders bodes well for the Air Force continuing to lead the way in the network security field,” Captain Butler said.

Blue Cell teams each began with 50,000 points. During the exercise, those points were either reduced or increased, based on the network attacks they became vulnerable to or were able to defend themselves against. Cadets were required to file reports on the status of their network. Points were taken away if their reports were not complete or less than accurate.

The Air Force Academy team finished with a score of 48,425 points, almost 2,000 points ahead of the second-place finisher, the Army’s U.S. Military Academy at West Point.

Winners of the previous cyber defense exercises were the U.S. Naval Academy in 2005, the U.S. Merchant Marine Academy in 2004, the Air Force Academy in 2003 and West Point in 2001 and 2002.