ANN ARBOR — Members of The Engineering Society of Detroit got an up close and personal look at the latest in cyber security at ESD’s tour of the Michigan Cyber Range.
Housed at the offices of Michigan’s Internet services provider to the
government, education and nonprofit sectors, Merit Network Inc., the tour was led by Dr. Joe Adams, a 25-year veteran of the United States Army Signal Corps and former associate professor at the U.S. Military Academy.
Merit dates back to 1966, when it was formed for the then-revolutionary purpose of linking up the mainframe computers at Michigan State University, the University of Michigan and Wayne State University — a task it would not complete until the early 1970s.
Back then, of course, there were no hackers. There was barely an Internet, and what there was had been devised solely to allow communications after the devastation of a nuclear war that, thankfully, has not come.
But not long after the Internet started to go commercial in the 1990s, there quickly became people who would exploit its weaknesses for both profit and for the sheer hell of it.
Right now, Adams told the tour group, hacking is a business, governed as any other by supply and demand (and the massive 2013 Target customer hack reduced prices for information like credit card and Social Security numbers). There are also those who act out of political motives. He said participation in hacking is growing in the so-called BRIC countries — Brazil, Russia, India, China.
Then there are DDoS attacks, for distributed denial-of-service. They take down websites by flooding them with millions of requests for information at once. The price of these attacks on the hacker market continues to fall, to as low as $13 a day in 2013, from at least $30 in 2011.
Hackers also aim to cause “first world problems,” for example snarling traffic by hacking stoplights that are managed online.
And that wonderful “internet of things”? Yeah, that’s basically one big hack waiting to happen. And while it would be gross if somebody hacked your smart refrigerator while you were on vacation so you came home to a house reeking of rotted food, it would be a whole lot more than gross if somebody hacked a blood bank’s refrigerators — that would be life-threatening.
Smart cars are also vulnerable to hacking, Adams noted. Any car that can talk to other cars or traffic infrastructure is also a possible vector for malware.
Michigan’s response to all this was created by Gov. Rick Snyder shortly after he took office. The state has created the Michigan Cyber Range to train the Internet’s white hats how to defend against the black hats — and created the Michigan Cyber Civilian Corps to serve as volunteer firemen in case of attack.
Not only do cyber defenders do good, they do well. Adams said the starting pay for a systems analyst is nearly $80,000, and for a security analyst, more than $86,000. And in Michigan, there is negative unemployment for these positions — they get hired (usually after multiple offers) as soon as they’re trained.
The Cyber Range was founded by grants from the National Institute of Standards and Technology, the U.S. Department of Homeland Security and the Michigan State Police. Its sponsors include DTE Energy, Consumers Energy and Juniper Networks. And its customers how include the Michigan National Guard, the state of Wisconsin, the University of Montana, and General Dynamics Land Systems, along with several startups. It has current engagements with the government of Latvia, the National Governors
Assocaition and the California National Guard.
The Cyber Range’s “secure sandbox,” cut off from the public Internet because live viruses are in use, is located at Eastern Michigan University, Ferris State University and Northern Michigan University — or, given the military’s love for titles and mascots, Site Eagle, Site Bulldog and Site Wildcat. The sites feature standard servers, and background traffic is created to simulate the real Internet. It offers exercises like “capture the flag,” to steal an asset in the other team’s memory, and other attacks in a “red team” vs. “blue team” setting.
The Cyber Range also features “Alphaville,” a virtual community with assets like a school, a library, a water plant, an electric company and more. Teams try to attack or defend those assets in exercises.
The Cyber Corps has trained three teams to assist with attacks in Wayne, Oakland and Kent counties, and plans to train nine more, “basically working our way up the mitten,” Adams said. Each corps unit has five members — a team leader, a senior incident response technician, an incident response technician, a senior forensic technician, and a forensic technician. The incident response staff works to restore service, while the forensics people work to figure out what went wrong. If you think you’ve got the stuff to make a team, Adams invites you to take the test at www.michigancybercorps.org — it’s got a 75 percent failure rate. You must also pass a Michigan State Police background check. “In a declared state of emergency, these people would be like the volunteer fire department” for the state’s cyber infrastructure, Adams said.
To improve your chances, you might want to try one of the Cyber Range’s available 17 certifications, including penetration testing, incident handling, ethical hacking, forensics, leadership, disaster recovery and more.
The Cyber Range will hold its annual cyber security convention May 12 at the Marriott Eagle Crest in Ypsilanti.
For more information, visit www.merit.edu/cyberrange.
Below are photos of the tour of the Cyber Range:
