Training a new generation of crimefighters
College to build a high-tech network for live practice defending against hackers
Every 39 seconds a cyberattack occurs.
Only a few of these hacks end up in the news: a ransomware attack shut down Colonial Pipeline earlier this year, disrupting gas supplies along the East Coast until the company paid a $4.4 million ransom in the cryptocurrency Bitcoin. Another attack shut down a hospital data system in San Diego. And in Florida, hackers accessed a water treatment facility and raised the lye in drinking water to dangerous levels. A few years ago, 32% of Americans had their personal information stolen when hackers broke into a credit bureau.
In movies, hackers are portrayed as people who manually break into a specific computer for a targeted reason. In reality, most cyberattacks are perpetrated using software that bombards huge numbers of computers, searching for security vulnerabilities and guessing passwords.
These high-tech crimes require high-tech crime fighters. That’s why Clark College is training a new generation of cyber defenders.
The college offers a new cybersecurity degree and is raising money to further elevate the program. In addition to adding more staff, the college plans to build a cyber range to give students hands-on practice at fending off attacks. Clark is raising $250,000 for staffing and another $500,000 to build an on-site cyber range. When that happens, Clark is poised to become the first community college in the country to have its own cyber range on campus.
“The need is so huge,” said Dwight Hughes, a network technology professor and head of Clark’s computer science department, which includes cybersecurity.
Cybersecurity is a fast-growing, high-paying industry as more companies and institutions recognize the need to safeguard their data. The median salary for a cybersecurity analyst in Washington was $105,000 in 2018.
In 2020, one in three Americans was affected by a cyberattack. The FBI reported that cyberattacks are up 300 percent since the start of the pandemic. As more facets of daily life move online, more data is vulnerable. In 2021, cybercrimes are on track to cause $6 trillion in losses to private businesses.
“These are the jobs of tomorrow,” Hughes said. “Demand is high and well-trained workers are in short supply, so it’s very lucrative.”
Hughes says right now Clark and other institutions offer “a lot of the training as textbook training.” But a cyber range profoundly changes the traditional model.
A cyber range provides a live experience that’s about as unlike a textbook as one can get—it’s the cybersecurity equivalent of a flight simulator.
“The big difference is a cyber range is real. It’s not you versus the simulator,” Hughes said. “These are real routers, real servers, real PCs. These are real viruses and malware.”
It’s named after a gun range where law enforcement officers train—it’s a virtual space to practice using defensive weaponry.
“You try it and you get scored,” Hughes said. “You might do poorly and go retrain before coming back to the range and testing again.”
Armetta Burney, interim dean of workforce, professional and technical education, said the purpose of the cyber range is to provide students with relevant, real-world training.
“What we want to do for our students is equip them to be competitive,” Burney said. “So they’re taking their theoretical knowledge and while this is still in the classroom, it gives them an opportunity to apply that knowledge in a real- world way, similar to what they would experience in a workplace.”
The price tag for the range is mostly for hardware. Hughes said Clark plans to save money by building a cyber range using labor from the college’s faculty and staff, as well as some industry volunteers.
Once the facility is built, Clark could rent it to private companies to train their staff. Clark’s will be the first cyber range located in the Pacific Northwest.
Clark already has experience renting its computer facilities. The college has a networking lab that it rents to 10 other colleges that train network technicians. During the pandemic, demand for that lab skyrocketed because it could be accessed and controlled remotely. Clark brought in $20,000 in rental fees.
Most cyber ranges are hosted off-site and accessed remotely by colleges and universities that pay a licensing fee to use them. The upstart costs for this kind of cyber range are much lower but over several years, the fees—for every hour of use by every student—add up. Hughes said the college will ultimately save money and offer a better, more comprehensive learning experience by building a range on site.
A cyber range is a system of computers—racks and racks of computers, occupying an entire room—that’s completely cut off from any outside network.
Experts refer to a system like this as “sandboxed.” If computers inside the range get infected with malware or a virus, they can be reset quickly and easily without infecting or disrupting other computers. This is important because the hacking that takes place on a cyber range is real. In other words: do not try this at home.
With two teams pitted against each other—one tasked with breaking into a network, the other tasked with defending it—a cyber range can sound a lot like a video game. In some cases, the teams could even
sit across from one another, at the same table, as if playing a complicated version of Battleship.
“It is kind of like a video game,” said Michael Tucker, professor of cybersecurity. “It actually has to do with the gamification of cybersecurity.”
After 9/11, when the military was looking for new ways to defend against attacks from independent sources, such as terrorists, a general devised an idea to improve cybersecurity: asking a team of security analysts to break into a network using their creativity and technical know-how. Before then, most security exercises involved testing known vulnerabilities. The so-called red team exposed vulnerabilities that hadn’t been foreseen.
Eventually, the practice grew more complicated with the introduction of blue teaming. As the red team worked to break into a computer system, the blue team worked to defend it. In some instances, security analysts on both teams work together—a practice called purple teaming.
To learn to defend against hacking, cybersecurity experts first must learn how to hack.
“Any cybersecurity expert is a cybersecurity risk,” Hughes said.
Lessons in ethics
To Tucker, that means ethics must be reinforced throughout a student’s entire education. At Clark, students learn how to break into a network with precision—without causing unnecessary damage. And the program includes frequent discussion about why it’s important to behave ethically.
“We do explain throughout the program, ‘You can lose your privilege to work in this industry if you betray that trust.’ Deep down, I think we all want to do what is good, so we work hard to foster that in our students, to nurture that sense of doing what is right,” Tucker said.
A cyber range can be programmed for all different scenarios. Beginners might perform a simple scavenger hunt: get to a particular system and gain access to it. Or an assignment could be less defined.
“You could have a one-hour simulation where you know you’re going to receive some kind of threat but you’re not sure when,” Hughes said. The student would have to sort through some well-disguised threats in addition to normal network traffic that looks like a threat.
Students need to learn to discern between the two. When a legitimate business gets shut down because it was mistaken for a security threat, a company could lose a lot of time and money. And, as the cyberattacks that make news headlines show, there are grave risks of overlooking real threats.
Part of the value of the range is that it uses real viruses and real malware. Whenever a new virus or security threat is identified, security experts are quick to publish the code for the digital weapon online so that others can study it, defend against it and be on the lookout for it. That allows programs like Clark’s to use real viruses and malware in classes.
Clark has something like a cyber range in place now, but with one critical difference: the system can’t be reset in a matter of minutes.
“If you break it (in a hacking exercise), you have to fix it,” Hughes said. “That’s a lesson in and of itself.”
The end of a cybersecurity term usually involves a lot of repairs as weeks of viruses and malware have taken a toll on the computer network that students use for practice.
“With a cyber range, in two minutes you can reset the entire sandbox to repeat the exercise,” Hughes said.
Seven years ago, Hughes took a sabbatical from Clark. Washington had just announced that it would allow community colleges to confer bachelor’s degrees, and Hughes knew the perfect subject matter. While other professors might spend their time away from the classroom traveling or drafting a book, Hughes spent six months designing a cybersecurity program. When he came back, he made a presentation to the board of trustees.
The program launched in the fall of 2020, offering students a Bachelor in Applied Science degree. The plan had been to welcome 20 cybersecurity students, but the waitlist was so long that the college admitted 48 students in its first class. Now, the program has two start dates per year, with almost 90 students currently enrolled.
Clark is poised to offer a fully online Bachelor in Applied Science degree in cybersecurity this spring. This will be Clark’s first online bachelor’s degree where students never set foot on campus.
If you have an interest in learning more about Clark’s cybersecurity program or wish to contribute as a donor to this exciting trend, email Joel B. Munson or call 360.992.2301.
Lily Raff McCaulou is a journalist whose writing has appeared in The New York Times, The Atlantic, The Guardian and Rolling Stone. She lives in Bend, Ore. Visit her online at www.lilyrm.com