Cyber Defense Competitions as Learning Tools: Serious Applications for Information Warfare Games

Introduction

Cyber defense, as well as protection of other critical infrastructures, is at the forefront of security professionals' agendas, as well as the nation's psyche. The ongoing release of new viruses, day one attacks and the threat to our national infrastructure, including Supervisory and Control and Data Acquisition (SCADA) systems, demonstrates the need for professionals trained in the science, as well as the art, of cyber defense and computer and network security.

Several institutions of higher education offer degrees in information assurance or computer and network security. These programs generally teach at least one course in information warfare or information assurance where students conduct lab experiments that demonstrate current security vulnerabilities and allow students to exploit those vulnerabilities in a controlled manner. Some programs, ours at Iowa State University (ISU) included, provide a break-in laboratory which allows students several weeks to attack a dummy corporation's network in an attempt to understand how an attacker may use social engineering, software or application vulnerabilities and brute force to gain access to systems, networks, databases and corporate documents.

While these classes are useful and provide training to many four-year students, we have found that cyber defense competitions develop additional skills and a deeper understanding in computer and network security than coursework does alone, even when labs as described above are included. Students who compete in cyber defense competitions not only gain knowledge, but also increase their interest in working in the cyber security area. They also receive real world experience in configuring and protecting a network just as security professionals do on a daily basis. At ISU, we run four cyber defense competitions per year for students. One each for Iowa high school, Iowa community college (two-year), ISU students and four-year students from universities across the nation. To date we have run 18 cyber defense competitions with more four more planned for 2011. While participation varies from 40 to 175 depending upon the event, we have had nearly 1350 students participate in cyber defense competitions over the past five years. We also run cyber defense competition/security workshop combinations for Information Technology professionals who are tasked with ensuring security for computer and network system, as well as Computer Science or Information Technology faculty who want to learn more about security and running their own cyber defense competitions. We have found these individuals also benefit from the ability to learn and work, as well as test out new attack and defense mechanisms, in a controlled environment.

This book chapter provides a brief history of cyber defense competitions, as well as describes how they are run. It also addresses the needs of different audiences who participate in cyber defense competitions. This chapter demonstrates that beyond building and strengthening computer and network security skills, the cyber defense competitions can be used for recruitment, retention, advanced training and experimentation for students. The audiences that will be covered include high school students, community college students, four-year university students and Information Technology professionals and faculty.