Lab Notes

Posted July 2016

Recruiting the Next Generation of Cyber Security Specialists

Two Lincoln Laboratory outreach activities seek to steer high-school students toward careers in cyber security.

Today's cyber security specialists are too few in number and lack the skills needed to defend networks supporting the nation's government agencies, financial institutions, power grids, and transportation systems. As cyber attacks escalate in frequency and sophistication, this shortage of adequately trained personnel will become even more acute, particularly within the U.S. government.

Lincoln Laboratory is trying to address one of the roots of the shortage in cyber security professionals: the lack of cyber security education in school curricula. Two programs designed for high-school students, CyberPatriot and LLCipher, have been a part of the Laboratory's efforts to help fill this gap. By engaging these precollege students in activities that highlight the appeal of cyber security work, the Laboratory hopes they will be motivated to pursue undergraduate studies and eventually careers in the field.

Helping a student prepare for the CyberPatriot competition, Robert Cunningham, leader of the Secure Resilient Systems and Technology Group, explains how to configure a Windows 7 system to ensure strong passwords.

Since 2011, Lincoln Laboratory has sponsored teams of high-school students participating in the CyberPatriot National Youth Cyber Defense Competition, a program initiated in 2009 by the U.S. Air Force Association to spark young students' interest in cyber security or other science, technology, engineering, and mathematics fields. A network defense competition, CyberPatriot challenges students to find vulnerabilities (e.g., malware, weak passwords, unnecessary services) within a set of virtual images that represent Windows or Linux operating systems while maintaining critical network services, such as email. Each image contains anywhere from 10 to 20 flaws; the teams that discover the most flaws within a six-hour time limit advance to subsequent rounds. Although the format of the rounds and the scoring system have evolved over the years to support the growing number of registered teams (eight to start and more than 2000 in the 2014–2015 season), the basic advancement process has remained the same, with teams competing at the state, regional, and national levels.

In its first two years of participation in the CyberPatriot program, the Laboratory sponsored a single team; for the past two years, three teams have been sponsored. Teams typically consist of five to six students, many of whom compete in multiple CyberPatriot seasons. Veteran members are often paired with rookies, according to Chiamaka Agbasi-Porter of the Communications and Community Outreach Office, who coaches the teams and recruits Laboratory volunteers to serve as mentors. From September through March, the students and mentors meet once a week for two hours at the MIT Lincoln Laboratory Beaver Works facility near the MIT campus in Cambridge, Massachusetts. During these weekday sessions, students learn and practice the computer and teamwork skills they need to compete in CyberPatriot. Throughout the season, technical staff from the Laboratory give presentations on relevant topics, including cryptography, networking, Windows internals, and Linux security. On some weekends early in the season, all CyberPatriot teams participate in online qualifying rounds from their home base, finding vulnerabilities within virtual machine images downloaded onto laptops. These rounds could also include a Cisco Networking quiz or a Cisco Packet Tracer (a network simulation program for students to experiment with network behavior) challenge, one of the mechanisms through which teams can gain points beyond those acquired by fixing vulnerabilities. Points are also awarded for answering forensics questions about the steps taken to remediate the vulnerabilities. Teams lose points if they take any actions that make a system less secure (e.g., reintroducing a previously fixed vulnerability). Scores are automatically recorded by a centralized scoring system.

For two years in a row, the first Laboratory-mentored CyberPatriot team, DoNut Hack Us, was one of 12 finalists selected to compete in the national championship held in Washington, D.C. More than 1000 teams entered the competition in each of those years. Seen above left are three of the five team members racing against the clock to detect vulnerabilities in the areas of policy, patch, configuration, and third-party management during the 2013 finals. After graduating high school, three CyberPatriot alumni from the team spent their summer interning in the Cyber Systems and Technology Group (above right). All three have chosen to pursue computer science in their undergraduate studies.

Jorge Coll, a technical staff member in the Secure Resilient Systems and Technology Group, is one of the CyberPatriot mentors. A previous Microsoft employee, Coll focuses on the Windows operating system, helping students identify misconfigured settings; configure their machines with policies, such as those for password restrictions; and ensure software patches are up to date. One of Coll's major contributions has been in the area of competition strategy: How can students maximize their time to gain as many points as possible? "The two largest time sinks students struggle with during the competition are discovering what is wrong with any given system and applying security best practices to lock down their machines," explains Coll. To reduce the time spent on such tasks, Coll introduced the students to various automation tools, including Windows PowerShell (a command-line interface and scripting language), security policy templates, and techniques for recognizing configuration drift (i.e., changes to a system's hardware or software environments). "For example, with PowerShell, students can automatically query login records to see when the last time a particular user accessed his or her account, instead of having to manually sift through these records," says Coll.

The track record of the Laboratory teams has been impressive. For the 2011–2012 and 2012–2013 seasons, the one Laboratory-sponsored team advanced to the national competition in Washington, D.C., where they placed 7th among 11 finalist teams both times. At the end of the 2013 season, most of the team members graduated from high school. New team members were recruited for the following season (2013–2014), resulting in three teams, all of whom came very close to qualifying for the national finals. In 2014–2015, all three teams competed at the highest level in the statewide competition, and one went on to complete its season at the Northeast regional competition.

CyberPatriot team members collaborate on finding malware and locking down a Windows virtual machine during one of the online weekend competitions.

While CyberPatriot is at its core a competition, with scholarship money given to the top three teams, it is more than a game. "CyberPatriot gives students an early window into cyber security, a field that most students do not encounter until college," says Sophia Yakoubov, one of the mentors and a technical staff member in the Secure Resilient Systems and Technology Group. Yakoubov taught the team members about classical cryptography and cryptanalysis. "I showed them how, just by looking at an encrypted message or file, they can figure out which encryption scheme was used and then how to apply various techniques to crack it," she explains.

With the help of colleagues Emily Shen and David Wilson, Yakoubov served as the lead instructor for a new cyber security-focused outreach program, LLCipher, in summer 2015. Held at Beaver Works, this one-week cryptography workshop provides an introduction to modern cryptography, a math-based, theoretical approach to securing data. Lessons in abstract algebra, number theory, and complexity theory provide students with the foundational knowledge needed to understand theoretical cryptography. Students then construct provably secure encryption and digital signature schemes. On the last day, the students learn about two techniques that enable multiple entities to exchange data without disclosing to one another more data than necessary to perform a particular function: zero-knowledge proofs (proving a statement is true without revealing any information beyond the truth of the statement) and multiparty computation (computing a function over multiple parties' inputs while keeping the inputs private).

Workshop designer and lead instructor Sophia Yakoubov (standing) makes her way through the classroom as the students work on a physical secret communication challenge. Teams of three, an all-girls one of which is pictured above, assumed the roles of Alice, Bob, and Eve, common archetypes in the cryptography literature. The premise of the challenge is as follows: Alice is trying to securely communicate a secret to Bob; Eve is trying to eavesdrop. Alice and Bob are both given individual locks to affix to a writing notebook, which contains the secret, and corresponding keys. To solve the challenge, teams must figure out how the lock-key systems can be applied to the notebook so that Bob can read the secret but Eve cannot.

The idea for LLCipher came from Bradley Orchard, a technical staff member in the Advanced Sensor Systems and Test Beds Group and a part-time teacher at the Russian School of Mathematics in Lexington, Massachusetts. While teaching at this enrichment school for the past four years, Orchard encountered several remarkably bright students who were just entering high school yet were ready to take calculus, a course typically reserved for the senior-year curriculum. "These students are often two to three years ahead of their classmates in regular school," explains Orchard. Recognizing these students' need for learning opportunities beyond those offered in schools, Orchard set to work to design an introductory summer course for advanced students. With his academic training as a mathematician, he naturally thought theoretical cryptography would be the ideal subject matter for the course: "Theoretical cryptography combines beautiful mathematics with powerful, useful, and fun techniques and, most importantly, aspects of cryptography are very accessible to advanced students." Orchard proposed his idea to John Wilkinson, leader of the Cyber System Assessments Group, who reached out to cryptography experts within the Laboratory's Cyber Security and Information Sciences Division to help design and teach the course. Knowing how much she enjoyed teaching the CyberPatriot students about cryptography, Yakoubov was eager to get involved.

According to Yakoubov, the pilot program was a huge success: "The class was very interactive, with students asking questions that demonstrated they understood the material. The feedback we received from the students indicates they really enjoyed LLCipher and learned a lot." When asked about the most interesting thing he learned, one student replied, "Zero-knowledge proofs, as they seemed impossible. The idea of proving knowledge without sharing it is fascinating."

Students in the LLCipher program gathered for class in the morning at Beaver Works. Here, Yakoubov provides a lesson on the ElGamal algorithm for public key encryption.

As Orchard had hoped, the subject matter of the course piqued student interest. "My favorite thing about this program was learning about cryptography, as it was different from traditional math and required a different type of thinking," another student commented. Among students, the most common suggestion was to extend the length of the program. On the basis of this feedback, the instructors will increase the sessions from two to eight hours per day next year.

CyberPatriot and LLCipher are two of the Laboratory's outreach programs dedicated to cyber security education. At the college level, a Capture the Flag competition based on an attack-defend approach seeks to equip students with the skills needed for real-world network security (see Lab Note titled "Can a Game Teach Practical Cyber Security?" for more information). The Laboratory's Science on Saturday demonstrations have made topics, such as computer authentication, accessible to the younger K–12 crowd. By reaching out to students at different levels of their education, the Laboratory hopes to, at some point, incite their interest in cyber security, a field that will only expand in the coming years. "Every day, attackers break into computers holding sensitive information. The need to secure these data is great, but there is a shortage of people with the right knowledge and experience to meet this need. Currently, the Department of Defense is seeking to hire 6000 cyber security personnel but so far has only hired half of that," explains Robert Cunningham, one of the CyberPatriot mentors and leader of the Secure Resilient Systems and Technology Group. "Programs like CyberPatriot and LLCipher help grow the base of those who are knowledgeable about computer security while also teaching students about leadership and critical thinking."
