The town is a virtual place that exists only on computer networks run by a New Jersey-based security firm working under contract with the U.S. Air Force. Computers simulate communications and operations, including e-mail, heating systems, a railroad and an online social networking site, dubbed FaceSpace.
Think of it as something like the mock desert towns that were constructed at military facilities to help American soldiers train for the war in Iraq. But here, the soldier-hackers from the Air Force and other branches of the military will practice attacking and defending the computers and networks that run the theoretical town. In one scenario, they will attempt to take control of a speeding train containing weapons of mass destruction.
To those who participate in the practice missions, the digital activity will look and feel real. The “city” will have more than 15,000 “people” who have e-mail accounts, work passwords and bank deposits. The power plant has employees. The hospital has patients. The coffeeshop customers will come and go, using the insecure WiFi system, just as in real life.
To reinforce the real-world consequences of cyberattacks, CyberCity will have a tabletop scale model of the town, including an electric train, a water tower and a miniature traffic light that will show when they have been attacked.
“It might look to some people like a toy or game,” Ed Skoudis, founder of Counter Hack, the security firm in central New Jersey that is developing the project, said recently while giving a reporter a tour of the fledgling system. “But cyberwarriors will learn from it.”
CyberCity provides insight into some of the Pentagon’s closely guarded plans for cyber war. It also reflects the government’s growing fears about the vulnerabilities of the computers that run the nation’s critical infrastructure. Last month, Defense Secretary Leon E. Panetta said that digital attacks “could be as destructive as the terrorist attack on 9/11” and virtually paralyze the country.
“If a crippling cyberattack were launched against our nation, the American people must be protected,” he said. “And if the commander in chief orders a response, the Defense Department must be ready to obey that order and to act.”
Behind those fears is an unsettling reality: Networks in the United States will remain vulnerable to attacks for the foreseeable future because no one understands cyberspace well enough to ensure security.
In the four decades since the Internet began, most cybersecurity research was conducted on the fly or as an afterthought, according to interviews with security specialists and computer scientists. Now, with the world linking up its communications, infrastructure, military, banking, medical and other systems at a lightning pace, the dynamic of cyberspace has grown too complex. Rigorous scientific experimentation that might lead to security breakthroughs is only beginning.
In the meantime, attackers hold a huge advantage. They can choose the time, place and method of strikes. Defenders almost always have to settle for reacting, making fixes after the damage has been done.
CyberCity aims to prepare government hackers to hold their own until long-term solutions can be found.
“The problem is the bad guys are getting better much faster than we are,” Skoudis said. “We don’t want to fall further behind on this.”
Realistic virtual environments
CyberCity is one of hundreds of virtual environments — often known as cyber ranges or test beds — launched in recent years by military, corporate and academic researchers to confront the mind-bending security challenges posed by cyberspace, where millions of attacks or intrusions occur every day.
Some small ranges study the effects of malicious software and viruses. Some hope to emulate the Internet itself and become scientific instruments of sorts, akin to mountaintop telescopes or particle accelerators, that will enable researchers to seek out the elusive fundamentals of cyberspace. The most ambitious of these, the National Cyber Range, was developed by the Defense Advanced Research Projects Agency. It has cost about $130 million since 2008. The agency said seven large-scale experiments have been conducted by Pentagon researchers.
Creating realistic virtual environments is extraordinarily challenging. In cyberspace, a global network of networks, more than 2 billion people interact with at least 12 billion computers and devices, including global positioning systems, mobile phones, satellites, data routers, ordinary desktop computers, and industrial control computers that run power plants, water systems and more.
In many cyber ranges, the simulated Web servers, routers, mobile phones and other network devices operate essentially as they do in the real world, but they have few if any physical components. The virtual devices simply exist as computer code.
Merit Network Inc., a nonprofit technology group in Michigan, just launched a cyber range at Eastern Michigan University that promises to conduct “live fire” exercises. The Defense Department runs the Information Assurance Range in Stafford County, Va. It gives cyber warriors a safe, closed environment to practice intrusions and security testing.
In Hampshire, England, and Millersville, Md., Northrop Grumman runs cyber ranges that allow corporate and government clients in the United Kingdom and the United States to create models of their own networks and employee activity. Northrop officials liken their systems to flight simulators.
Christopher Valentino, a research and development director in the cyberintelligence division of Northrop Grumman Information Systems, said one key to a successful range is closely approximating the way human psychology plays out on real networks.
“It’s very hard to find ‘normal,’ ” he said.
The University of Southern California’s Information Sciences Institute operates the Defense Technology Experimental Research (DETER) project, one of the most ambitious research ranges in the world. It is driven by 500 computers and funded by the Department of Homeland Security and the National Science Foundation. It aspires to become a leader in “cyber-security experimental science.”
“The development of a science of cybersecurity could take decades,” Fred B. Schneider, the Samuel B. Eckert professor of computer science at Cornell University and a Pentagon adviser, wrote recently in “The Next Wave,” a nonclassified publication of the National Security Agency. “The sooner we get started, the sooner we will have the basis for a principled set of solutions to the cybersecurity challenge before us.”
Network activity of 90 million
Two hundred miles south of Counter Hack and its CyberCity, computer researcher Pat McGarry demonstrated how some powerful cyber ranges attempt to approximate the mix of physics and psychology that rises out of the interaction of billions of people and machines online.
One day this fall, McGarryworked his way through menus on his computer at his home office in Arlington, making a series of choices, like a kid preparing to play a video game. He was setting up a test of a corporate network, using a cyber range in a “box.”
The box, made by his company, Ixia BreakingPoint, is a digital powerhouse seven-inches high and 19-inches wide that strings together the equivalent of 200 computer processors. The boxes start at $100,000, and top-of-the-line machines go for $1.2 million. Customers include the National Security Agency, the Defense Department’s Information Assurance Range, the DETER project and others.
With a click of his mouse, McGarry decided there would be 2 million “people” communicating on his cyber range. With another click, he ordered up much Web browsing and directed those computer users to send e-mail and download videos. (For verisimilitude, the machine generates some e-mails by drawing on real-life sources, such as the short stories of P.G. Wodehouse.) “How the deuce could Jeeves know anything about it?” one passage in a made-up e-mail said.
The firm says that by connecting multiple boxes together it can emulate the network activity of up to 90 million people.
“Think about how cool that is,” McGarry said.
To run his test, McGarry employed a digital model of a corporation’s network. And he selected some standard hacker methods to disable Web sites, steal passwords and find flaws that open the way for intrusions. When he hit enter, the network came alive and the automated attacks began.
As a torrent of traffic began flowing on the network. McGarry monitored the attacks. Ten minutes into the test, he saw that the virtual hackers he had unleased were able to break through firewalls and take control of the network.
Can the hacks be blocked entirely?
“The answer is a clear no,” he said.
Real-world effect of hacking
The idea for CyberCity grew out of conversations that Skoudis had two years ago with senior Air Force officials eager to convey to cyber warriors the impact that hacking can have on real-world operations such as water plants and power grids.
At the time, the Pentagon had recently declared cyberspace the newest domain of war. U.S. forces also had secretly launched cyberattacks against Iran’s nuclear enrichment facilities, disabling almost 1,000 uranium centrifuges in 2009 and 2010. That attack, disclosed this year, involved a malicious computer “worm” known as Stuxnet. It is the most notable attack on critical infrastructure that has come to light.
Skoudis ran a network-hacking training program called NetWars through the SANS Institute, a leading security organization that has trained thousands of government and civilian employees. Working through SANS, he agreed to create CyberCity for less than $1 million. It would be a modest range with an urgent, focused goal.
“We’re not trying to do a lot of theoretical work here,” Skoudis said. “Our focus is on very practical applications, training cyber warriors.”
The Air Force believes that training on cyber ranges is a key to keeping pace with changing threats from criminals, terrorists or even nation-states. The practice missions in CyberCity are expected to begin in the next few weeks.
“We are growing our abilities to use cyberspace to our advantage through training and trials in systems such as cyber ranges,” said Maj. Gen. Suzanne Vautrinot, commander of the 24th Air Force who oversees the service’s cyber operations. “We posture ourselves to move at the ever-changing speed of technology. We are able to do this successfully by providing operationally relevant ranges for operator training and operational test activities.”
This fall, Skoudis and a small team of hackers built CyberCity using the equivalent power of about 50 computers — along with servers in a data center south of Washington, D.C., that maintains records for the military and intelligence communities.
The team also is constructing a “kinetic space” — an old-fashioned scale model of the town — to allow the cyber warriors see evidence of their attacks. They bought the scale-model buildings, trains and other supplies from a hobby shop. With its water tower, train station and low-rise factory building, it resembles towns across New Jersey.
Skoudis stood over the unfinished scale model of CyberCity, picked up the train station and grinned.
“In the future, nearly all military missions will have a cyber component,” he said. “Fingers-on-keyboard experience is vital.”
Five cameras will be mounted around the scale models, providing streaming video of flashing lights and other indicators that the attacks have occurred. Some of the training scenarios sound like movie scripts. Skoudis said they are all plausible.
One scenario requires U.S. government hackers to raise a railroad drawbridge to prevent a train carrying a weapon of mass destruction from entering the city. Another involves a hijacked Navy vessel and plotters who have been communicating on FaceSpace. The mission of the good guys is to hack into FaceSpace and pinpoint the location of the hijackers through WiFi.
Tim Medin, one of the researchers on the project, recently demonstrated a third attack in the offices of Counter Hack. He typed commands on his laptop and entered CyberCity. His screen showed lines of code and commands. But he may as well have been sitting in the fictive city’s coffee shop. He was about to attack the hospital, using the shop’s free WiFi system.
Medin, playing the role of a foreign special forces operative, was intent on exploiting several computer systems, with the aim of assassinating a VIP at the hospital. In the scenario, cyber warriors would try to prevent that from happening by gaining control of the network and blocking the attacks.
Foreign intelligence operatives had been following a senior hospital doctor online and in person to prepare for the assault. The attack began when the doctor “entered” his favorite coffee shop and typed his user name and password into the hospital network. Because the WiFi system was open and unprotected, Medin was able to record the password and used it to get into the hospital’s electronic medical records system. Then he launched a ready-made attack — called an SQL Injection — that gave him control of the in-house Web-based prescription system.
Medin discovered that the target was highly allergic to a certain medication. Medin inserted the lethal drug into the target’s daily prescriptions. He said vulnerable software in the health-care industry makes such cyberattacks possible.
“It’s too insecure,” he said.