Competitive exercises are a powerful way to build enthusiasm and enhance learning during security education and classroom training. Although competitive exercises require more resources than are required for traditional classes, the improved learning can be well worth the effort.The U.S. Military Academy at West Point includes information security education throughout the curriculum, using competitive exercises to enhance, motivate and focus learning. A prime example is the senior-level information assurance course, which includes the annual National Security Agency (NSA) Cyber Defense Exercise (CDX) as its final exam.
The CDX pits students from the nation's service academies and other military educational institutions against an attacking Red Team from the NSA. Teams design, implement and defend networks offering a specified set of services.The CDX officials use a point system to evaluate team performance and determine the winner. Teams lose points for service failures and successful Red Team attacks, while gaining points for completing the concurrent tasks.
Admittedly, such competitions require significantly more effort than is required for most classroom training. So, why go to all the trouble?
First, competitions provide excellent motivation for learning. Students know they must use their knowledge immediately against live opponents, driving home the importance of preparatory classroom work. We routinely see our students going well beyond class requirements in an effort to beat the Red Team.
Second, a competition forces students to do security. Hearing about vulnerabilities, exploits and safeguards is not nearly as effective as experiencing their effects first-hand. Our students often comment that the weeks of hands-on work before and during the CDX are worth a year or more in the classroom.
Finally, the pressure of facing live adversaries teaches important lessons about team work. Students see the necessity of good communication, documentation and after-action reviews. Working on a team also motivates individual effort. Since a network's security is only as strong as its weakest point, team members tend to work harder to avoid letting the team down.
This praise of competitive security exercises may have you wanting to go out and run one now. However, some cautions are in order. A competition must be controlled to ensure it does
not become a free for all. The CDX, for example, does not permit the student teams to attack. This was a conscious decision. Allowing students to attack one another sounds appealing, but runs the risk of turning an educational experience into something resembling an ugly bar brawl.
It is also important to structure the rules and team objectives to support the desired learning outcomes. Although thinking outside the box is great, a competition should not reward solutions that merely exploit the rules and would not work in the “real world.” Above all, good learning and fair play are the order of the day.The U.S. Military Academy has incorporated competitions into our information assurance curriculum with great success. There is a palpable increase in the students' excitement level at the first signs that the Red Team is attacking. Such excitement is difficult to achieve in a traditional classroom. Consider adding competitions to your security education program, you may find the benefits are well worth the effort.
Robert Fanelli is a lieutenant colonel in the U.S. Army and an assistant professor of computer science at the U.S. Military Academy, West Point. The views expressed here are those of the author and do not reflect the official policy or position of the U.S. Military Academy, the Department of the Army, the Department of Defense, or the U.S. government.