College students from across the mid-Atlantic region descended on The Johns Hopkins University Applied Physics Laboratory (APL) last month to participate in a competition to test their cybersecurity skills.
During the four-day 2013 National CyberWatch Center Mid-Atlantic Regional Collegiate Cyber Defense Competition (CCDC), college cyber defenders spent two days protecting a fictitious nation’s electronic voting system against expert computer hackers.
The competition also included a symposium on electronic voting and its advantages and pitfalls, a job fair and a high school expo.
The CCDC, now in its eighth year, is designed to give students the chance to apply classroom theory and skills to defend against real-time targeted cyberattacks led by professional security testers in a controlled, scored setting.
“The CCDC really shows these students what it’s like to protect a network from a coordinated, malicious cyberattack,” said Casey O’Brien, director of the National CyberWatch Center at Prince George’s Community College. “For two days, they tried to keep voting systems running while our red team threw every trick and hack in the book at them. It’s a phenomenal educational experience that’s also teaching them what it’s like out there in the cybersecurity world.”
It’s no coincidence that APL has played host to the CCDC for the past three years.
“[I]t’s been a natural partnership between the laboratory and the National CyberWatch Center,” said Richard “Dickie” George, senior adviser for cybersecurity at APL. “We both saw this was a great chance for research and university organizations to work together to promote cybersecurity awareness.”
Eight teams of students from two- and four-year colleges and universities competed in the event. They included teams from Anne Arundel Community College, Capitol College, University of Maryland at College Park and the University of Maryland University College, as well as Craven Community College and North Carolina State University (both in North Carolina), Millersville University (Pennsylvania) and Radford University (Virginia).
The Millersville University team won the overall competition and moved on to represent the mid-Atlantic region at the National CCDC, held from April 19–21 in San Antonio, Tex.
Democracy at Stake
Four national experts on cybersecurity were on hand for a day-long symposium at APL: Dr. Alex Halderman (University of Michigan); Dr. Avi Rubin (The Johns Hopkins University); Dr. Alan Sherman (University of Maryland Baltimore County) and Dr. Dan Wallach (Rice University).
The experts described current concerns and weaknesses associated with electronic voting and shared case histories that illustrate how difficult — and how important — it is to ensure uncompromised electronic elections.
“When it comes to electronic voting, average people, when they first think about it have the same reaction: ‘That’s a great idea,’” said Rubin.
The only problem is that hackers, computer viruses and even design flaws can all too easily corrupt voting results.
“The problem is that you can see inputs going into a computer and outputs coming out, but it’s very hard to have a transparent way to see what happened inside this computer when it was performing all kinds of computations,” Rubin said. “Everybody has to trust that the right outcome came out, and everybody has to believe that even the people running the election didn’t cheat, even if they wanted to.”
Indeed, some threats can be decidedly low tech, as Rubin noted in his description of a recent Virginia election in which a candidate actually lost votes cast for her due to an equipment malfunction. In that case, stacking the modular voting machines for storage between elections was to blame. Pressure was applied to touch screens lower in the stack, in the exact area where the candidate’s voting box appeared, causing a glitch that did not record the vote.
“I don’t care how much source code you do, I don’t care how much you examine your procedures, you’re never going to catch that,” Rubin said. “It’s just one [mystery] where they happened to figure out what was going wrong.”
Aside from the chance for students to put their skills and training to good use and represent their learning institutions, the annual event is also touted as a mechanism by which these schools can evaluate their programs.
While cyber competitions aren’t exactly unusual these days, CCDC organizers point out that theirs is unique because it focuses on the operational aspects of managing and protecting an existing network infrastructure that might be found in a commercial network.
Among the challenges the teams face are detecting and responding to outside threats, maintaining the availability of services on servers, responding to business requests to add or remove additional services, and balancing security needs against business needs.
“We were excited to once again explore new ways in which academia, government and industry can collaborate and make a difference in the career choices of young people,” George said.