Article by Maggie Spivey
Cyber security is not a new concept, but given recent attacks on sensitive systems, including one in 2008 on classified Department of Defense networks, its importance and relevance has rarely been more evident. As the world becomes more aware of this threat, nations have started to position themselves to address such attacks. In May the US Cyber Command was stood up; last month the UK’s National Security Council indentified cyber attacks as the country’s most serious threat; and on 19-20 November NATO will be addressing cyber defense and appropriate collective responses during the NATO Summit of heads of state and government in Lisbon, Portugal.
While cyber security is an area yet to be fully included in NATO doctrine, which is still being drafted, the NATO School in Oberammergau, Germany, realized the need to include it in their curriculum as soon as possible. Having been at the cutting edge of cyber security research and education for over 15 years and having worked previously with the NATO School in its role as the US designated Partnership for Peace Training and Education Center (PTC), the Naval Postgraduate School (NPS) was a natural partner for the NATO School in this endeavor.
Taught in a hybrid model of 1-week in-residence at the NATO School, 6-weeks distributed learning via the internet-based Sakai, and 1 final week in-residence at the NATO School, this format was groundbreaking for the NATO School, never before having offered a course in hybrid or one lasting longer than 2 weeks.
During the course, students were able to explore and gain insight into the methodologies and motives used by those who will attack the networks they may someday have to defend. Extensive, hands-on lab exercises were used to improve the students’ detailed knowledge of security threats and the methods used to exploit them.
These lab exercises proved to be particularly beneficial for the students as they were able to take full advantage of the technology, innovation, and expertise available at NPS. Students had remote access to an NPS network of over 150 virtual machines, which they were then able to attack and defend.
“This was an extensive and arduous system to set-up,” said Coté, “but it worked exceptionally well and had great performance. More times than not, the real difference in the class is the labs, which really cement and drive home lessons learned in the reading.”
One student stated, “The lab exercises were very important to actually getting the material. Watching someone present exploitation is completely different than actually doing it yourself.” Another concurred, “The labs were the best learning tools.”
Coté stated the course culminated with a final project where the students had to complete a vulnerability assessment of a network. “Students have to do this all by themselves from the ground-up, and they realize how extensive a process this can be. But, this is also when the light bulb finally comes on, and it puts everything in context.”
Also, while many similar courses are offered in private industry, they often are conducted in a “bootcamp” fashion, providing all the information over a 1-week period. “In that setting, it is more like training and less like education,” Coté explained. “The biggest advantage to more time is it provides students a methodology to think critically and understand what is going on. They achieve a new mindset.”
With 18 students from Poland, Germany, Iceland, Great Britain, the US Army, US Air Force, and US civilians from AFRICOM, students were exposed to a variety of viewpoints on a range of cyber security issues, including privacy restrictions, ethical hacking, and social networking.
This course also provided many of these students with their first exposure to NPS, but hopefully not their last. Plans are ongoing between NPS and the NATO School to offer this course twice a year and also to develop a NATO School cyber security certificate that will consist of this course and three additional ones. One new course will be brought online each year and subsequently offered twice a year. When asked in an end of course survey if they would be interested in completing this certificate, all respondents stated they would.
As these students have returned to their commands, they bring with them a greater understanding of one of the most insidious, yet least defined, modern day threats. As future NATO leaders, they have a better appreciation for cyber security and the necessary defense of cyber systems and nations.
Posted November 5, 2010