Cyber Range: Who, What, When, Where, How and Why?

Cyberthreats are everywhere. Whether counting data breaches, individual ID thefts, system outages from hacker attacks or vulnerabilities detected to critical infrastructure, the growing numbers are staggering.

What’s to be done?

For more and more universities, enterprises, nonprofit groups and global governments, the answer is to build, or join or expand a cyber range. The concept is not new, but the explosion in interest in cyber ranges and participation is clear. Here are some recent examples:

Dark Reading just highlighted seven university-connected cyber ranges to know now:

“Practice. We're told it's what makes things perfect. When it comes to defending against massive, devastating cyber attacks, the tricky thing is finding an organization willing to expose their infrastructure to ruin while defenders practice their craft. That's where the cyber range comes in.

A cyber range is a controlled virtual environment where all of the worst fruits of the criminal hacker's labors can be visited upon an unsuspecting victim — and repelled, again and again, by white hats in training until their craft has been honed and their profession perfected.

That practice is critical for the growing number of cybersecurity students in university programs and the security professionals who increasingly lean on university resources to improve their strategies, tactics, and technology for defense.”

EdScoop reported that cyber ranges are the rage at universities.

CSO Magazine highlighted how a Latvian mobile operator invites cyber attackers to have a go, via their cyber range.

Government Technology magazine reported on new investments in cyber ranges in Georgia as well as cyber lab activities in LA that also aid local businesses.

StateScoop reported that cyber ranges are bolstering the workforce in six states. “With facilities now in various stages of completion in Arizona, Arkansas, Florida, Michigan, Virginia and Georgia, cyber ranges are quickly becoming a mainstay in government's strategy for competing with the public sector for talent and filling a widening workforce gap.”

The Michigan Cyber Range website explains that cyber ranges can help detect, prevent and mitigate cyberattacks.

“Cybersecurity and protecting the nation’s network infrastructure is a vital concern, and Merit Network leads a major project, the Michigan Cyber Range (MCR), to help cybersecurity professionals prepare for real-world situations.

The Michigan Cyber Range is dedicated to providing a secure environment for cybersecurity education, training and testing. It also performs research as an advanced platform for industrial control systems security.

The MCR is an unclassified private cloud operated by Merit. It delivers cybersecurity classes and exercises and enables product development and testing to clients and Merit Members across the nation and throughout the world.”

According to Palo Alto Networks, there are many cyber range benefits:

 

Digging Deeper on Cyber Ranges with Dr. Joe Adams and Jason Brown from Merit Network

So why is this happening now? What is so special about these cyber ranges?

To answer this question, I turned to two experts in the field who eat, breath and live in (or near) cyber ranges.

Dr. Joe Adams is the vice president of research and the director of the Michigan Cyber Range. He joined Merit Network in 2012 after a very successful military career, including CIO of the National Defense University. 

Jason Brown is the chief information security officer at Merit, and a former security architect for the state of Michigan government.

I have known and worked with both Joe and Jason for many years, and they are both outstanding security professionals who are very well respected throughout the security industry. Their thought leadership and expertise has propelled the Michigan Cyber Range to international prominence over the past several years.

Here’s my brief interview:

Dan Lohrmann (DL): Are you seeing an uptick in interest and involvement in cyber ranges?

Dr. Joe Adams (JA): Definitely. As we develop content applicable to more and varied sectors of the prospective workforce, more organizations (i.e., government, academic and commercial) step forward to become involved. The Michigan Cyber Range has contributed to a variety of projects in conjunction with the state of Michigan and others that involved high school students, unemployed veterans and employers seeking to attract and retain talent.

Not only are the organizations that generate qualified cyber workers interested in cyber ranges, but manufacturers are recognizing that the concepts of constant connectivity, autonomy, and all the other aspects of the Internet of Things make cyber-trained employees necessary.

DL: In what areas are clients most interested? (Does this include public and private sector or mainly government-only?)

There are two main lines of effort. The first is by states and government entities who are seeking workforce development and skills training. Prompted by the gap between trained cyber workers and open cyber positions, these entities want to improve the skills of the existing workforce, while also making their state attractive to organizations that are seeking to move to locations with a workforce. The Michigan Cyber Range is an example of this kind of range.

The second line of effort is being pursued by universities and academic organizations for the purposes of expanding their programs and attract students. These ranges can be differentiated from the workforce training ranges in that they service enrolled students of an academic institution and rarely, if ever, seek to provide certification training to those students. Instead, these ranges focus on educational experiences that contribute to a student’s academic experience. The Information Warfare lab, known as IWAR, at the U.S. Military Academy at West Point is an example of this kind of range.

If you read the EdScoop article (above) the “ranges” at Regents and University of West Florida fall into the second category as well. They’re basically classrooms and buildings with a closed network for cyber courses.

DL: Why do you think cyber ranges are growing in popularity now?

JA: I think we’re seeing the results of the work done by [the National Institute of Standards and Technology] through the [National Initiative for Cybersecurity Education] program, the Cyberseek initiative, and other efforts. As they highlight the talent gap and, in my opinion more importantly, help define the KSAs [knowledge, skills and abilities] applicable to each job function in cybersecurity, they have cut through the media hype and vendor advertising to develop an effective workforce.

Jason Brown: It takes the student to the next level of their cybersecurity training. First, students start off in the classroom learning cybersecurity concepts. As the student continues to progress through curriculum, they begin to learn the tools of the trade toward becoming an ethical hacker, which allows them to understand the various attack vectors against an organization. Not only has the Michigan Cyber Range been able to teach ethical hacking in a competitive setting, it allows those students and even professionals out in the workforce keep their knowledge fresh and up to date.

DL: I’d like to thank Joe and Jason for their willingness to be interviewed and for their leadership in this growing cyberdefense space.

Brief History of Cyber Ranges

The first cyber ranges were confined to secret programs within the department of defense along with defense contractors. These cybersecurity labs were similar to gun ranges or the “proving grounds” where weapons systems have been tested going back to World War I.

But these earliest cyber ranges were for cleared staff only, meaning that these cybertests were performed on classified (secret-level) networks.

Nevertheless, after conversations with top security leaders at the White House and U.S. Department of Homeland Security (DHS), our cybersecurity team in Michigan launched the Michigan Cyber Range in 2012. (More on this below.)

I was chief security officer (CSO) in Michigan at the time, and you can read my blog with specific details, definitions, goals and other details on our efforts regarding the Michigan Cyber Range launch here.

There were many early questions and naysayers that we needed to address back in 2011 and 2012, and I answered several of those questions for CSO Magazine in another article.

Recently I went back and found Gov. Rick Snyder’s talking points from our Michigan Cyber Range launch, and most of these benefits and reasons to launch a cyber range still apply in 2018 — with even increased cyber challenges since those early days. Here are several of those talking points from 2012:

• Last October, I launched the Michigan Cyber Initiative — Defense and Development for Michigan Citizens, Businesses and Industry
• Michigan, along with the entire global economy, relies on information technology and systems. The very technologies that make our lives more convenient can also leave us more vulnerable
• This information ecosystem has created a new avenue for crime, misconduct and espionage.
• Cybersecurity is one of the major security challenges facing the nation. Just last month, computer hackers stole confidential information of 300,000 students and faculty including names, Social Security numbers, birthdates, etc., from Florida Panhandle College — see: http://www.wtvy.com/news/alabama/headlines/300K-Records-Hacked-at-NW-FL-State-College-173720631.html
• Michigan’s vision is to secure this ecosystem and continue leadership in this domain
• I am proud to be standing here a year later where one of the goals of the cyberinitiative is becoming reality — to launch the Michigan Cyber Range
• Cyberattacks on Michigan could have dire economic consequences for the region and the nation. The state of Michigan government blocks 187,000 cyberattacks daily (Side note: This was in 2012)
  

• Mission of the Michigan Cyber Range: Provide a state-of-the-art unclassified facility for safe and world-class cybersecurity training
• Training geared to specific industries and products to promote advanced training in defensive cybersecurity
• Meeting the 21st-century needs of critical infrastructure defense, homeland security, criminal justice and education
• Public-private partnership serving the needs of the nation
• Providing the state of Michigan, federal agencies, education and private industry a venue to gain skills, best practices and experience
• Cutting-edge educational, testing, and evaluation platform that can be used in support of a wide range of activities to help develop mission-critical operational expertise
• Education — Higher education using Range as regular component of course work, research, special K-12 programs and competitions
• Useful to researchers and vendors that need to develop or validate their cybersecurity products
• Developing world-class cyberdefenders will not only help Michigan, it will also help the nation continue to thrive in an age of increasing cyberthreats
• Michigan already has many of the nation’s top higher education cybersecurity programs and a burgeoning cybersecurity industry. The Michigan Cyber Range will work synergistically with these and other resources to develop the best defenders of our critical infrastructure. 
• Success is measured by thwarting adversaries who are intelligent, determined and adaptive

What these talking points don’t show is how this Michigan Cyber Range effort led to the Michigan Cyber Civilian Corps in later 2013 — which became a national model for a "volunteer fire department" for cyber emergencies. Here’s a quote from that article:

“Back at the Michigan Cyber Summit in October 2013, Gov. Rick Snyder announced our new government plan for a: “Rapid response team that would assist the state and industries across Michigan during a major cyber incident.”

The idea was to create a volunteer group of cyberexperts who could train together, hone their skills in cybersecurity exercises and be ready to assist the state government in the event a cyberemergency of “state significance.” (More on what that might look like later.) 

Well the cutting-edge concept has become reality, with the official launch of the Michigan Cyber Civilian Corps (MiC3) last week. The MiC3 website is live at: http://www.micybercorps.org.”  

The Michigan Cyber Range and MiC3 also enabled new cyberexercises to test public- and private-sector teams in their cyberincident response capabilities.

For more information on the Michigan cybersecurity initiatives, which were helped by the Michigan Cyber Range, along with related strategic initiatives that can help, I recommend viewing these two Cisco-sponsored case studies, which have a wealth of relevant information:

• Michigan Cybersecurity Initiatives Reduce Risks Through Improved Employee Training
• Cybersecurity: A Research Report by Public CIO magazine

Final Thoughts

I still find it amazing that our informal conversations in October 2011 between Gov. Rick Snyder, Michigan's government technology team, national cybersecurity leaders like White House Cybersecurity Coordinator Howard Schmidt and Secretary of Homeland Security Janet Napolitano ultimately led to the Michigan Cyber Range — which became a global model for unclassified cyber ranges.

That initial concept included important investments of resources and participation from the public and private sectors, National Guard units, all levels of government, high schools and universities and nonprofit groups like Merit Network and much more. I encourage all readers to not only consider participation in a cyber range, but also to understand the impact that a well-thought-out cyberstrategy can make over the future decade.

Yes, those initial efforts started small, but cyber ranges are now becoming part of the new normal within the cybersecurity industry.

From computer novices to cyberexperts to executives preparing to respond to cyberincidents of significance, we can all improve our cyberskills at a cyber range — now coming to a place near you.