26 COMPUTERS IN EDUCATION JOURNAL
DEVELOPING CYBER WARRIORS FROM
COMPUTER ENGINEERS et al.
Barry E. Mullins
Department of Electrical & Computer Engineering
Air Force Institute of Technology
Abstract
This paper discusses the development of a
successful cyber warfare curriculum for computer
and electrical engineering students at the Air
Force Institute of Technology (AFIT). We
leverage two traits exhibited by many engineers as
we continually improve the curriculum. First,
engineers are inherently inquisitive and notorious
for disassembling things to better understand how
they work. Second, the most effective
pedagogical technique is to make the subject
interesting and fun. This paper describes how we
teach various computer-related topics by first
teaching how things (e.g., computer networks and
computer architecture) work in prerequisite
courses and then teaching the students how to
“break” them using cyber operations in our Cyber
Attack course. We find students truly learn when
challenged with defeating a computer protocol or
architecture.
This paper outlines our cyber warfare curriculum
with emphasis on our Cyber Attack and Cyber
Defense course sequences. The paper focuses on
methods used to teach the various phases of cyber
attack to computer and electrical engineers,
computer scientists, cyber operators as well as
other technical majors. The paper also addresses
our participation in the US National Security
Agency-sponsored Cyber Defense Exercise
(CDX). The overarching goal of the curriculum is
to provide students with an understanding of how
to attack and defend in the cyber domain using the
CDX, as well as numerous course-oriented
exercises, as proven effective teaching tools.
Identifying and collecting metrics for
determining success in any course can be difficult.
We use the results of national exercises
(e.g., CDX), student feedback in the form of
anonymous online critiques and test scores as our
metrics. Results show the students are learning
the finer points of computer systems as they hone
their cyber warrior skills necessary to defend our
information systems.
Introduction and Motivation
Securing information systems from intentional
or unintentional information disclosure has
quickly become one of our nation’s top priorities.
There are countless published examples of
corporations and organizations loosing data due to
cyber attacks. A recent high-profile example is
the cyber attack on Google; this incident,
codenamed Operation Aurora, was a highly
sophisticated and targeted attack on Google’s
corporate infrastructure resulting in the theft of
intellectual property[1,2]. It has been postulated
there are even more unpublished or announced
cyber attacks. Given the negative ramifications,
including weakened consumer confidence, many
corporations are leery of publicizing the fact that
they have experienced a cyber attack. U.S.
lawmakers are proposing a bill requiring
corporations to report these attacks[3]. Cyber
attacks are now acknowledged as significant
threats to various nations' security[4-10]. Even
seemingly innocuous attacks can have
ramifications as illustrated by the 2009 U.S.
Presidential election in which Sarah Palen’s
Yahoo email account was hacked[11].
Furthermore, attacks are now targeting SCADA
(Supervisory Control And Data Acquisition)
networks. SCADA networks refer to industrial
and infrastructure control systems which typically
include manufacturing, production, power
generation, water treatment and distribution, oil
and gas pipelines, and electrical power
transmission and distribution including nuclear
power. In fact, the highly-publicized Stuxnet
malware is causing great concern over the future
safety of our citizens given much of our critical
infrastructure relies on potentially vulnerable
information systems[12].
