Developing cyber strategy

Not all competition takes place on a playing field.

For the past several years, teams of University of Northern Iowa computer science majors have been competing in cyber defense contests, often taking on schools several times their size to either fight off or take part in cyber attacks in a purely digital battle. 

The competitions usually take place between an offensive and defensive team. The defensive team, called the blue team, is given charge of a system to protect—online bank accounts, for instance. While the offensive team, called the red team, tries to exploit weakness in the system and break in. It’s a laborious process that’s often punctuated with high-pressure situations.

“It’s usually a mix of frustration and adrenaline,” said C.J. May, a senior computer science major. “As a red team hacker, it can be frustrating to find a tiny gap in a well-defended network, and usually it’s even more frustrating to find the exact way to exploit it once you find it. It’s pretty easy to fall down a rabbit hole. But once you do get to that next level of access, it’s a pretty big feeling of triumph.”

Last year, the UNI team had several impressive showings in cyber defense competitions. The team placed second at the National Cyber Defense Competition hosted by Iowa State and placed in the top 30% of 64 schools participating in the Department of Energy’s CyberForce Competition, hosted at Argonne National Labs in Illinois. UNI also made it to the regional level of the National Collegiate Cyber Defense Competition.

The contests are filled with practical experience in real-world scenarios for computer science majors.

Typically, the blue team will have a few weeks to set up a network that has different services available. The blue team, for example, might simulate being a bank, with a website, a secure database and some kind of banking application. On the day of competition, the red team will come in and emulate the behavior of a malicious hacker and try to break into the systems set up by the blue teams. The blue teams are scored on how well they kept the red team out and how reliable their services were. The red team is scored on the level of access they were able to get on the blue teams’ systems and the detail in their documentation.

“These competitions help you learn a lot of skills that are applicable to the real world,” May said. “Blue teams learn how to securely configure servers and their services. Red teams are exposed to vulnerable systems in a safe, contained environment, which teaches both red and blue about how attackers can gain access to things they shouldn’t have.”

The students also learn both sides of cyber defense—offense and defense.

“You learn a lot by seeing new designs and implementations of systems and see how developers think and get ideas of how to attack them and how to fix them. You have to know both sides,” said Habib Ullah, a senior computer science major. “It not only helps you in cyber security, but system administration and coding. You have all of these fields in one competition, and you have to have a strategy, so management is included as well.”

And these skills will help the students find success in a booming job market for cybersecurity professionals. Andrew Berns, associate professor of computer science, said that reports have indicated an employment gap of 3 million cybersecurity jobs.

“I’ve been noticing more openings at all types of companies for security professionals, not just companies that specialize in security,” said Berns. “I think these contests give students a great way to learn more about cybersecurity through some hands-on experience, and also to network with companies looking for employees.”

In the 2019-20 academic year, the team will return to the three competitions from the previous year, and also take part in the Collegiate Penetration Testing Competition at Tennessee Tech.

The team has ambitions to eventually host their own cyber defense competition at UNI.

“It’s a pretty popular area,” said Berns. “It’s fun, it’s interesting, and it’s helpful for future careers. It’s not very hard to get students involved.”