At Norwich, students learn how to attack and defend using software, not bullets
Dr. Peter Stephenson, chief information security officer at Norwich University
On a cyber weapons range, no bullets fly — the main noise is rapid-fire typing on keyboards. It looks more like a standard American office than a war zone. But experts at Norwich University say this is the future of war.
If recent experience in Iraq and Afghanistan has taught us anything, it’s this: Modern warfare is an ever-changing beast. Gone are the days of trench combat and foxhole fighting. Today’s battles are waged not only on the ground but from behind computer screens. Ideally, in the future, the scales of warfare will tip more toward virtual combat, with bits and bytes replacing bombs and bullets, says Dr. Peter Stephenson, chief information security officer at Norwich.
Stephenson, a Navy veteran and internationally renowned expert on computer security, heads the university’s newest tech endeavor — the Norwich University Advanced Computing Center (NUACC). It houses the Cyber Weapons Range War Room, a virtual practice range for computer warfare. After many years in development, the center will go live this semester.
While Norwich is already a National Security Agency Center of Academic Excellence — one of the smallest colleges to achieve that designation — the advent of NUACC and the Cyber Weapons Range raises the school’s profile within the burgeoning computer-security field. Last year, Norwich president Dr. Richard Schneider officially chartered NUACC. The center is currently moving into its new home in the basement of Dewey Hall, a decidedly low-tech-looking brick building in the center of the school’s Northfield campus.
Of the numerous programs at NUACC, which Stephenson contends rivals any computing center at MIT or Stanford, the one you’re least likely to see on any other college campus is the Cyber Weapons Range War Room. The physical room is what amounts to the world’s coldest walk-in closet, with four stacks of computer servers humming along with the air conditioning. In a nondescript computer lab adjacent to the war room, the future of warfare will be taught to tomorrow’s soldiers and civilians alike. (Last year was a pilot program; this is the first real year of teaching.)
Stephenson, a jovial storyteller dressed in his Norwich-issued lieutenant colonel’s uniform, explains the differences between kinetic, or physical, and cyber warfare. In a kinetic war, there is some aggressive action perpetrated by a known entity. A kinetic war typically has rules of engagement. By contrast, cyber war is often carried out by an anonymous entity that follows no rules.
“It’s hard to know where the attack is coming from,” Stephenson says. “It’s far harder to attribute cyber warfare than physical warfare.”
Stephenson has seen firsthand the damage cyber attackers can do — and his experiences led to NUACC’s creation. About five years ago, the former senior scientist at Norwich University Applied Research Institutes (NUARI) was asked by a friend to help investigate a security breach at Ohio University. Thousands of personnel and student files had been compromised by data thieves mining the school’s system for Social Security numbers and other sensitive information.
When Stephenson returned to Norwich, he presented the information he gleaned from the incident to the university’s president. “I said, ‘If this ever happens at Norwich, we’d be out of business,’” Stephenson says. “‘We need to protect our infrastructure.’”
Shortly thereafter, Stephenson was appointed chief information security officer of the university. His marching orders were to keep the perimeter of the school’s network “rock solid,” so that no one could get in from outside. But Norwich still needed a computer system students and professors could access for research.
With the help of his son, Mike, and funding from NUARI — a wholly owned subsidiary of the college focused on national security systems development — Stephenson began building a secure system that could be used outside the university’s network.
The system the Stephensons created hinges on virtualization. In layman’s terms, the two physical servers they built had 60 virtual computers inside them. So, instead of 60 different computers doing 60 different things, you could have two computers doing 60 different things. When space and money are considerations, virtual computers make a lot of sense.
That initial cluster has been joined by another virtual system, thanks to vendors who owed Stephenson some favors. With nearly $1.5 million in donated equipment, Stephenson had enough computing horsepower to run a small country. In addition to the two server clusters — one for the Cyber Weapons Range and one for the school’s virtual laboratories — the center features a baby supercomputer. It’s smaller than the one at the University of Vermont, but it can grow if you feed it money, Stephenson quips.
With the development of NUACC, the university now has hundreds of virtual computers outside the campus firewall that can be accessed anywhere with an Internet connection. Parts of the system are open to anyone at the university in need of remote computing services — from English to engineering professors, says Stephenson.
But all of this connection demands protection. In a world full of potential theaters of cyber war, people like Stephenson must stay four or five steps ahead of prevailing technology. Accordingly, the job market for information-assurance experts is vast. The federal government estimates that in five to 10 years, it will need to hire 10,000 people with experience in cyber attack and defense. While “the notion of an aggressor dropping bombs on us is something we know how to deal with,” Stephenson says, we are still learning how to combat cyber attacks.
To that end, Stephenson and his colleagues have developed a proving ground of sorts in the Cyber Weapons Range that allows students to mount real attacks and defend real systems. Students in the innocuous-sounding Cyber Exercise Lab will split into teams of three: One will attack a system, one will defend it, and one will monitor the successes and failures of the campaign. The defensive team starts by building a system comparable to one used at any major corporation. Then the offensive team tries to break in.
Stephenson is quick to point out that terrorism via computer is just as much of a threat as kinetic terrorism. Cyber weaponry is dangerous, he cautions. If a student stole one of the programs used in the lab, he or she could crack into financial markets, health care systems or government operations. But NUACC is so secure, Stephenson assures, it is impossible for theft to occur.
Stephenson insists he’s not teaching students to become hackers. Rather, he argues, if you’re going to prevent hackers from breaching a system, you have to know how they do it. Being able to reverse engineer rootkits, logic bombs and Trojan horses — all types of malware — in a controlled environment is essential.
That knowledge is exactly what’s needed in today’s tech-security industry, says Mike Yaffe, whose Boston-based company, Core Security Technologies, provides NUACC with its major cyber weapons programs. Core Security’s products allow governments, universities, financial organizations and other entities to test their networks by breaking into them. This “offense as defense” method is essential to rooting out problems before systems can be compromised.
Lest anyone doubt the reality of cyber threats, both Yaffe and Stephenson say network systems are attacked all the time. One system can be attacked a thousand times a day by bots (automated software systems) and corporeal cyber aggressors.
Mark Besch, systems administrator of NUARI, likens Norwich’s Cyber Weapons Range to a sandbox where you can build and destroy things without threatening structures around it. “It gives you some place you can put an infected system in with a noninfected system and see how it interacts,” Besch says. “It’s a safe place where you can put something like that and let it wreak its havoc.”
Stephenson is nearly giddy when he talks about the program, which is the only one of its kind outside the military-service academies. At the virtual weapons range, he says, Norwich students will be able to simulate the way computer systems weather attack in “live fire” exercises. And when they graduate, there will be no shortage of jobs waiting for them.
“It’s very exciting for us,” Stephenson says.