Recruiting the Next Generation of Cyber Security Specialists
Two Lincoln Laboratory outreach activities seek to steer high-school students toward careers in cyber security.
Today's cyber security specialists
are too few in number and lack
the skills needed to defend networks
supporting the nation's
government agencies, financial
institutions, power grids, and
transportation systems. As cyber
attacks escalate in frequency and
sophistication, this shortage of
adequately trained personnel will
become even more acute, particularly
within the U.S. government.
Lincoln Laboratory is trying to
address one of the roots of the shortage
in cyber security professionals:
the lack of cyber security education
in school curricula. Two programs
designed for high-school students–CyberPatriot and LLCipher–have
been a part of the Laboratory's
efforts to help fill this gap. By engaging
these precollege students in
activities that highlight the appeal
of cyber security work, the Laboratory
hopes they will be motivated to
pursue undergraduate studies and
eventually careers in the field.
Helping a student prepare
for the CyberPatriot
competition, Robert
Cunningham, leader
of the Secure Resilient
Systems and Technology
Group, explains how to
configure a Windows 7
system to ensure strong
passwords.
Since 2011, Lincoln Laboratory
has sponsored teams of high-school students participating in the
CyberPatriot National Youth Cyber
Defense Competition, a program
initiated in 2009 by the U.S. Air
Force Association to spark young
students' interest in cyber security
or other science, technology, engineering,
and mathematics fields.
A network defense competition,
CyberPatriot challenges students to
find vulnerabilities (e.g., malware,
weak passwords, unnecessary services)
within a set of virtual images
that represent Windows or Linux
operating systems while maintaining
critical network services, such
as email. Each image contains
anywhere from 10 to 20 flaws;
the teams that discover the most
flaws within a six-hour time limit
advance to subsequent rounds.
Although the format of the rounds
and the scoring system have
evolved over the years to support
the growing number of registered
teams (eight to start and more than
2000 in the 2014–2015 season),
the basic advancement process has
remained the same, with teams
competing at the state, regional,
and national levels.
In its first two years of participation
in the CyberPatriot program,
the Laboratory sponsored a
single team; for the past two years,
three teams have been sponsored.
Teams typically consist of five to
six students, many of whom compete
in multiple CyberPatriot seasons.
Veteran members are often
paired with rookies, according to
Chiamaka Agbasi-Porter of the
Communications and Community
Outreach Office, who coaches the
teams and recruits Laboratory volunteers
to serve as mentors. From
September through March, the
students and mentors meet once
a week for two hours at the MIT
Lincoln Laboratory Beaver Works
facility near the MIT campus in
Cambridge, Massachusetts. During
these weekday sessions, students
learn and practice the computer
and teamwork skills they need to compete in CyberPatriot. Throughout
the season, technical staff from
the Laboratory give presentations
on relevant topics, including cryptography,
networking, Windows
internals, and Linux security. On
some weekends early in the season,
all CyberPatriot teams participate
in online qualifying rounds from
their home base, finding vulnerabilities
within virtual machine
images downloaded onto laptops.
These rounds could also include
a Cisco Networking quiz or a
Cisco Packet Tracer (a network
simulation program for students to
experiment with network behavior)
challenge—one of the mechanisms
through which teams can
gain points beyond those acquired
by fixing vulnerabilities. Points
are also awarded for answering
forensics questions about the steps
taken to remediate the vulnerabilities.
Teams lose points if they take
any actions that make a system less
secure (e.g., reintroducing a previously
fixed vulnerability). Scores
are automatically recorded by a
centralized scoring system.
For two years in a row, the first Laboratory-mentored CyberPatriot team, DoNut Hack Us, was one of 12 finalists selected to
compete in the national championship held in Washington, D.C. More than 1000 teams entered the competition in each of
those years. Seen above left are three of the five team members racing against the clock to detect vulnerabilities in the areas
of policy, patch, configuration, and third-party management during the 2013 finals. After graduating high school, three CyberPatriot alumni from the team spent their summer interning in the Cyber Systems and Technology Group (above right). All
three have chosen to pursue computer science in their undergraduate studies.
Jorge Coll, a technical staff
member in the Secure Resilient
Systems and Technology Group, is
one of the CyberPatriot mentors. A
previous Microsoft employee, Coll
focuses on the Windows operating
system, helping students identify
misconfigured settings; configure
their machines with policies, such
as those for password restrictions;
and ensure software patches are
up to date. One of Coll's major
contributions has been in the area
of competition strategy: How can
students maximize their time to
gain as many points as possible?
"The two largest time sinks students
struggle with during the competition
are discovering what is wrong
with any given system and applying
security best practices to lock down
their machines," explains Coll. To
reduce the time spent on such tasks,
Coll introduced the students to
various automation tools, including
Windows PowerShell (a command-line
interface and scripting language),
security policy templates,
and techniques for recognizing
configuration drift (i.e., changes to a
system's hardware or software environments).
"For example, with PowerShell,
students can automatically
query login records to see when the
last time a particular user accessed
his or her account, instead of having
to manually sift through these
records," says Coll.
The track record of the Laboratory
teams has been impressive.
For the 2011–2012 and 2012–2013
seasons, the one Laboratory-sponsored
team advanced to the
national competition in Washington,
D.C., where they placed
7th among 11 finalist teams both
times. At the end of the 2013 season,
most of the team members
graduated from high school. New
team members were recruited for
the following season (2013–2014),
resulting in three teams, all of
whom came very close to qualifying
for the national finals. In 2014–2015, all three teams competed at
the highest level in the statewide
competition, and one went on to
complete its season at the Northeast
regional competition.
CyberPatriot team members collaborate on finding malware and locking down a
Windows virtual machine during one of the online weekend competitions.
While CyberPatriot is at its
core a competition, with scholarship
money given to the top three
teams, it is more than a game.
"CyberPatriot gives students an early window into cyber security,
a field that most students do
not encounter until college," says
Sophia Yakoubov, one of the mentors
and a technical staff member
in the Secure Resilient Systems
and Technology Group. Yakoubov
taught the team members about
classical cryptography and cryptanalysis. "I showed them how, just
by looking at an encrypted message
or file, they can figure out which
encryption scheme was used and
then how to apply various techniques
to crack it," she explains.
With the help of colleagues
Emily Shen and David Wilson, Yakoubov
served as the lead instructor
for a new cyber security-focused
outreach program, LLCipher, in
summer 2015. Held at Beaver
Works, this one-week cryptography
workshop provides an introduction
to modern cryptography—a math-based,
theoretical approach to
securing data. Lessons in abstract
algebra, number theory, and complexity
theory provide students
with the foundational knowledge
needed to understand theoretical
cryptography. Students then
construct provably secure encryption
and digital signature schemes.
On the last day, the students learn
about two techniques that enable
multiple entities to exchange
data without disclosing to one
another more data than necessary
to perform a particular function:
zero-knowledge proofs (proving a
statement is true without revealing
any information beyond the truth
of the statement) and multiparty
computation (computing a function
over multiple parties' inputs while
keeping the inputs private).
Workshop designer and lead instructor Sophia Yakoubov (standing) makes her
way through the classroom as the students work on a physical secret communication
challenge. Teams of three, one of which (an all-girls team) is pictured above,
assumed the roles of Alice, Bob, and Eve, common archetypes in the cryptography
literature. The premise of the challenge is as follows: Alice is trying to securely
communicate a secret to Bob; Eve is trying to eavesdrop. Alice and Bob are both
given individual locks to affix to a writing notebook, which contains the secret, and
corresponding keys. To solve the challenge, teams must figure out how the lock-key
systems can be applied to the notebook so that Bob can read the secret but
Eve cannot.
The idea for LLCipher came
from Bradley Orchard, a technical
staff member in the Advanced Sensor
Systems and Test Beds Group
and a part-time teacher at the
Russian School of Mathematics in
Lexington, Massachusetts. While
teaching at this enrichment school
for the past four years, Orchard
encountered several remarkably
bright students who were just
entering high school yet were ready
to take calculus—a course typically
reserved for the senior-year
curriculum. "These students are
often two to three years ahead of
their classmates in regular school,"
explains Orchard. Recognizing
these students' need for learning
opportunities beyond those offered
in schools, Orchard set to work to
design an introductory summer
course for advanced students. With
his academic training as a mathematician,
he naturally thought
theoretical cryptography would
be the ideal subject matter for the
course: "Theoretical cryptography
combines beautiful mathematics
with powerful, useful, and fun
techniques and, most importantly,
aspects of cryptography are very
accessible to advanced students."
Orchard proposed his idea to
John Wilkinson, leader of the
Cyber System Assessments Group,
who reached out to cryptography
experts within the Laboratory's
Cyber Security and Information
Sciences Division to help design and teach the course. Knowing
how much she enjoyed teaching
the CyberPatriot students about
cryptography, Yakoubov was eager
to get involved.
According to Yakoubov, the
pilot program was a huge success:
"The class was very interactive,
with students asking questions
that demonstrated they understood
the material. The feedback
we received from the students indicates
they really enjoyed LLCipher
and learned a lot." When asked
about the most interesting thing
he learned, one student replied,
"Zero-knowledge proofs, as they
seemed impossible. The idea of
proving knowledge without sharing
it is fascinating."
Students in the
LLCipher program
gathered for class
in the morning at
Beaver Works.
Here, Yakoubov
provides a lesson
on the ElGamal
algorithm for public
key encryption.
As Orchard had hoped, the
subject matter of the course piqued
student interest. "My favorite thing
about this program was learning
about cryptography, as it was different
from traditional math and
required a different type of thinking,"
another student commented.
Among students, the most common
suggestion was to extend the length
of the program. On the basis of
this feedback, the instructors will
increase the sessions from two to
eight hours per day next year.
CyberPatriot and LLCipher
are two of the Laboratory's outreach
programs dedicated to cyber
security education. At the college
level, a Capture the Flag competition
based on an attack-defend
approach seeks to equip students
with the skills needed for real-world
network security (see Lab
Note titled "Can a Game Teach
Practical Cyber Security?" for more
information). The Laboratory's
Science on Saturday demonstrations
have made topics, such as
computer authentication, accessible
to the younger K–12 crowd.
By reaching out to students at
different levels of their education,
the Laboratory hopes to, at some
point, incite their interest in cyber
security—a field that will only
expand in the coming years. "Every
day, attackers break into computers
holding sensitive information. The
need to secure these data is great,
but there is a shortage of people
with the right knowledge and experience
to meet this need. Currently,
the Department of Defense is seeking
to hire 6000 cyber security
personnel but so far has only hired
half of that," explains Robert Cunningham,
one of the CyberPatriot
mentors and leader of the Secure
Resilient Systems and Technology
Group. "Programs like CyberPatriot
and LLCipher help grow the
base of those who are knowledgeable
about computer security while
also teaching students about leadership
and critical thinking."