Training the next generation of cyberdefenders

Merit Network, Inc., is a nonprofit, member-owned organization formed in 1966 to design and implement a computer network among public universities in Michigan. More recently, the organization has collaborated with the State of Michigan, the Michigan Economic Development Corporation and the Michigan Defense Center to produce impressive results.

The Michigan Cyber Range is one such success story. It provides students and IT professionals with a solid foundation in a number of cybersecurity disciplines. Through challenging hands-on exercises, labs and coursework, students gain technical knowledge and experience that prepares them for cyberdefense.

The Michigan Cyber Range also features a cybersecurity education experience based on the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education (NICE). The NICE framework organizes and presents the skills and work requirements that America’s cybersecurity workforce requires to support the National Preparedness Goals of detecting, mitigating and defeating malicious actors and cyber-based threats. The framework engages all levels of the workforce, presenting essential concepts, techniques and practices based on an individual’s function within the organization.

“Our job is to educate the cybersecurity workforce,” says Dr. Joe Adams, vice-president of research and cybersecurity at Ann Arbor-based Merit Network. “As we continue to grow, people see the benefit in this and become more and more engaged. Starting with what we call the crawl phase, our classes enable students to learn individual skills to contribute to an IT team and earn a NSA-accredited certificate for job training or re-training. The Cyber Range program is accessible, hands-on and adaptable.”

The Cyber Range program continues with what Adams calls the walk phase. “This is where participants learn to communicate with other team members and select the right tools for a specific challenge,” he says. “It’s basically a videogame for hackers and database, Web, network and SCADA [supervisory control and data acquisition] security.”

Following the walk phase, the students move on to the run phase. “These are force-on-force exercises,” Adams says. “They help determine training objectives and pit one team against another. We like to stress that communication and working together to mitigate a threat is the most important thing. We run force-on-force exercises four times a year in Michigan with a large amount of success.”

So far, the experience has been eye-opening for the participants. “We’ve helped the two big power utility companies in the lower part of state with their cybertraining and exercises,” Adams says. “We were able to get them out of their office to see if what they were doing works. It was a great time for them to find out about their own process outside of a constrained environment. We’ve also been doing a lot of work with the National Guard, as well as some very rewarding work with community colleges on job training and re-training. The process has been very helpful for them and for the state.”

Brig. Gen. Michael A. Stone of the Michigan National Guard, and Michigan’s dual status commander for domestic response situations, has worked closely with both Merit Network and Gov. Rick Snyder’s team and has seen firsthand the benefits of Michigan’s aggressive cybersecurity strategy.

“There is a huge, unmet demand for unclassified cybersecurity training in our country,” Gen. Stone says. “We see Michigan as the place to go after the unclassified cyberdomain.
“The NSA is in Maryland. It’s a huge classified machine and they do top-secret cyber exercises. If you’re concerned about threats to the homeland, you can train all you want, but 80 percent of all critical infrastructure is private. How will our civilian partners defend without the proper training? We are creating an environment where we can train with our civilian counterparts for unclassified cybersecurity threats. The energy companies are a perfect example of the types of organizations that can benefit from this trend.”

A bright future

Like many others, Dr. Adams sees nearly unlimited potential in the Michigan cybersecurity sector. “All of this activity is opening up more jobs,” he says. “There are a lot of tech companies here in Ann Arbor, as well as in other areas. As people see a nexus here, we will continue to grow. The cost to set up a tech company is fairly low and we have the people and academic excellence right here in the state. We are educating and training them and need to continue to bring the companies here so the people can stay here and work. We already have the trained workforce. We just need to show companies that Michigan is a great place for them to make a difference.”

Gen. Stone echoes this sentiment. “The number-one demand for jobs in the state is for IT and there is a lot of overlap between cybersecurity and IT,” he says. “It’s not about technology, systems or software. It’s about the people. We have premier educational institutions in Michigan. It’s one thing to find the right people and train them. Michigan has been exporting talent for decades. Now it’s time to retain them.”