At 10:49 a.m. last Friday, Prof. Dan Manson cupped his hands over his mouth and shouted to seven teams of five eager people that they could begin a virtual Capture the Flag competition at the 2011 U.S. Cyber Challenge Summer Camp at Cal Poly Pomona. 
 
The players manned laptops and began the simulation in which they entered a network to infiltrate servers, conduct penetration tests, analyze attacks and contents of files, overtake control of networked services and crack passwords. 
 
Manson compared the event to a sport for players using brains instead of brawn. “The goal of the U.S. Cyber Challenge is to find and develop 10,000 cyber warriors,” he said. And by the time the morning was over, these eager men and women had finished a challenge that could determine their career paths for the rest of their lives, whether they won or lost.
 

Finding Potential Cybersecurity Experts

The competition on Friday July 15 was the final event in a weeklong training camp -- one of five scheduled this summer around the country. The national effort’s goal is finding 10,000 people to train as the country’s next generation of IT professionals who can keep America’s cyber infrastructure safe as the digital world becomes more dangerous. Delaware, Missouri, Virginia and Maryland will host the other camps.
 
The federal government announced the first series of challenges in 2009 as boot camps to train and grow an army of cyber security professionals. Sponsors include the SANS Institute, SAIC, Microsoft, Booz Allen Hamilton, Lockheed Martin and the CIO Council. Cal Poly first joined as a campus host in the 2010 series, and Friday’s competition was an activity capping off five days of learning and bonding for participants.
 
“The idea is to get them to stay engaged,” said Karen Evans, the challenge’s national director.
Mental engagement begins long before the camp does. For many participants, attendance is invitation only, but once a person gets the invite, he or she must take a test and has 24 hours to finish after starting. Alex Krepelka, a teacher’s assistant at this year’s camp (who participated in Cal Poly’s 2010 camp and will be a junior at California State University, Sacramento, this fall) said this year’s entrance test involved computer forensics. Test-takers analyzed data after a fake hack and wrote explanations of how the hack was carried out. They had a six-week window to take it, between April and May 2011. 
 
Perks and offers start flowing after a person passes and agrees to attend camp. Cal Poly set aside resident housing for all attendees, but top scorers only had to pay for travel and everything else was free. Others only had to pay a fraction of housing costs, maybe $300, according to Manson, which isn’t that expensive for a five-day camp. Financial aid is available to everyone for travel or housing.    
 
Participants must be between 18 and 49 years of age and can be residents of California, Nevada, Arizona or Oregon, so it’s possible for campers to be teenagers, college students or older professionals looking for a career change. 
 
“You bring all these people together, and what they have in common is a shared passion to learn cyber security,” Manson said. “They stay in residential suites, and during the week, they bond.”
 
SAIC provided its CyberNEXS (TM) software to facilitate the Capture the Flag simulation. SANS assisted in providing instructors and also offered to pay for each camper to undergo SANS certification training in exchange for being a teacher’s assistant on behalf of the U.S. Cyber Challenge. Camp offerings included classes, a career fair, an ethics panel and informative lectures on IT issues from faculty. People who accept must serve as assistants three times over the next five years at future camps. 
 
Krepelka took that deal last year. Though he thinks he’s incredibly knowledgeable about IT and hacking, he says the camp training enhances his knowledge and in some cases act as refresher courses. “[Thursday] was reverse-engineering malware,” he said. “I get to go through the classes again.”
 
Last week, Cal Poly’s camp offered courses, a career fair, an ethics panel and informative lectures from speakers on IT issues. Hal Pomeranz, a SANS faculty fellow and the founder and technical lead for Deer Run Associates, was one of the instructors. He thinks opportunities like this give young people with hacking knowledge better options for their talents than becoming criminals. “We hear about these kids who get involved in this and take it in a bad direction. They can go in a positive direction with this,” he said.
 
According to this school of thought, those who belong to organizations like LulzSec, the group responsible for hacking into the Arizona Department of Public Safety’s computers in June 2011, might have gone down a more law-abiding path if they’d been reached at the right time by programs like the challenge.
 
Thursday night, at least some of the Cal Poly’s campers were commiserating and preparing for Friday’s challenge. Kyle Osborn was one attendee who appreciated the training. 
 
“I wanted the opportunity to learn more and meet other people that are like-minded,” Osborn said.
He was one of several camp students and faculty in a study room in the residential suites that night talking and studying, which they’d all presumably been doing the whole time. This makes Manson proud because he believes a group environment can benefit cyber security in the professional world.
 
“Cyber security is a team sport. I really think it’s a myth that it’s what you do yourself as an individual. We need to do a better job sharing what we do in cyber security, and we need to develop teams that can defend our country,” Manson said.
 

Offensive Cybersecurity Strategies 

The night before the competition, attendee James Stamm wondered what it would be like. “I’ve never experienced anything like the SAIC environment,” he said. Some computer experts, like him, are used to learning defensive techniques where they protect networks. The challenge required players to go on the attack and shut down networks or steal information. “This gives us a chance to go on offense,” Stamm said.
 

Prof. Dan Manson looks on as teams of players in the 2011 U.S. Cyber Challenge held at Cal Poly Pomona prepare to begin the virtual Capture the Flag competition.

Photo by Hilton Collins

One way the teams scored points was by getting markers, or “flags,” after achievements, such as discovering usernames of administrators, IP addresses of discovered targets, contents of password files, cracked passwords and database contents. A team had to earn the most points to win, so there were no judges -- victory was purely achievement-based. Some flags were tougher to get than others, requiring more advanced security knowledge. “You’re not expected to get all the flags by any means,” Krepelka said.
 
As it turns out, Stamm and his partners on Team Rocket knew quite a bit about offensive techniques. They won the challenge with more than 22,000 points and received top honors after the 2 p.m. finish time. The second place team scored 8,000 points.
 
Stamm was surprised at the victory. “This is certainly not my area of expertise,” he said. “This was an offensive competition, and I’m used to defense.”
 
All five winners received prizes, including plaques and a $1,000 scholarship from the International Information Systems Security Certification Consortium (ISC²).
 
The government wants to grow the cyber challenges every year. As years pass, it will recruit participants and winners from previous camps -- like Cal Poly’s -- to help spearhead more camps in more places with more attendees. The ultimate goal? That America will eventually create a skilled cyber army and teaching force.
 
“We need to have individuals that know what really sophisticated bad hackers are doing when they attack this country,” Manson said. “The only way we get there is by providing opportunities to go up the chain and develop in-depth hands-on skills.” 

Hilton Collins, Staff Writer Hilton Collins  |  GT Staff Writer

By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and on @hiltoncollins on Twitter.