Exploring a national cybersecurity exercise for universities
Hoffman, L.J. Rosenberg, T. Dodge, R. Ragsdale, D.
George Washington Univ., Washington, DC, USA
This paper appears in: Security & Privacy, IEEE
Issue Date: Sept.-Oct. 2005
Volume: 3 Issue: 5
On page(s): 27 – 33
I selected the paper “Exploring a National Cybersecurity Exercise for Universities” by Professors Hoffman and Rosenberg of the George Washington University and Dodge and Ragsdale of US Military Academy West Point for my week 6 journal reading.
In the opening statement of their abstract, the sentence “in cybersecurity competitions, participants either create new or protect preconfigured information systems and then defend these systems against attack in a real-world setting [italics added]” especially resonated in me. This is because, as part of my teaching philosophy, I would give assignments or hand-on activities that mimic the real world situations or problems that students will encounter in the workplace; the problems posed should have some realism so they have a chance to hone their problem solving skills in a safe environment that is somewhat more forgiving than the workplace.
The article summarizes the report of Cyber Security Exercise Workshop sponsored by the US National Science Foundation. It describes various types of cyber exercises in academic setting and raises several, legal considerations for organizers who establish, evaluate, and participate in such exercises. The exercises can involve inter-postsecondary schools, take place in a closed, isolated network or remotely via tunnels established through virtual private networks, and mostly pertain to the task of building and protecting their network by enforcing proper configurations on systems and services. Just like other gaming activities or professional competitions, the report calls for cybersecurity exercise guidelines that clearly define the rules for attackers and defenders, referees, scoring methods, and ways of assessment such as how to know, what, where, and when attacks may occur. Legal issues associated with malpractice, “intentionally or accidentally harm to an innocent third party…failure to secure the network, prevent attacks from spreading, or warn others of the possibility of attacks” (p. 30) are bought to the forefront, implying a need for a plan to address civil liability and criminal activity should it happen.
Overall I believe that it is a great idea to start to build the foundation for the next generation of cyber security professionals at the high and postsecondary school level. I agree with the authors’ goal to help students understand the potential damages and implications if they engage in unauthorized activities. It has been in the news many times how cyber attacks have been launched against the US from countries (e.g., China,, Iran, and other Middle East nations) by young hackers under a patriotic banner of varying levels of formality, but rarely formal enough to implicate the government. While students are primarily focused on defensive goals, there is a facet of the discipline, so-called Ethical Hacking that develops expertise in offensive cyber attacks. This is necessary so practitioners understand how to thwart intruders and also to conduct penetration tests to assess the capabilities of defensive systems. Because of the great harm that can come from the misuse of these attack skills, just like the case with bioengineering and nuclear physics, it is always worrisome that unavoidably some bad practitioners are being trained with the good. And, beyond that, it is also worrisome that there may be many younger people who are attracted to the idea of hacking/attacking and see the competition exercise as a legal, even implicitly government-endorsed, umbrella under which to engage in offensive attacks as long as, by their reasoning, it is directed toward nations seen as antagonists of the US). This is what I see as the Dark Side of the Cyber Security discipline and I believe it underscores the need for ethical conduct to be an integral component of education in general and the Cybersecurity exercise in particular.
Khanh, I think that your subject of cyber security will continue to be very important as more of the world conducts their financial, corporate, and government business online. As you say, having a safe place to practice problem solving will be necessary for students to practice and learn.
I really enjoyed your thoughtful analysis of the activity discussed in your article, and the checks and balances that are required when we, as teachers, ask students to conduct hands-on activities, simulations, competitions, etc. Your focus on the ethical dimensions really demonstrates your nuanced approach to your field. The thinking through the implications of our innovations in teaching and learning is so important.