Naval Academy Champs Talk NSA’s NCX

The Naval Academy won this year’s competition for the prestigious National Security Agency Cyber Exercise (NCX) trophy. Breaking Defense interviewed two members of the Naval Academy’s team, MIDN 1/C Byron Gallagher and MIDN 1/C Anthony Perry. Below is an excerpt of an email interview, edited for clarity, length, and style.

BD: Was this the first time you participated in NCX?

Gallagher: This was not the first year I’ve participated in NCX. I participated in the competition in 2019, held at the United States Air Force Academy. It was interesting to conduct the competition in the virtual environment this time around, but I am incredibly impressed with the teams’ and the organizers’ flexibility around the challenges of the virtual environment. We had been conducting virtual training and team operations for a great deal of the year, so I think my team was well prepared on what to expect. Also, having students who had done NCX in the past gave us an edge on framing expectations for the scope of the competition.

Perry: I’ve competed in NCX twice before for USNA’s Cyber Security Team. Those events have been hosted at various service academies in the past and have allowed for intermingling amongst teams. This year was vastly different, as the competition was hosted virtually. I personally liked the virtual set-up to best leverage our new team spaces. The team meets in what we call the “War Room,” which is within the newly completed Hopper Hall, named after Rear Admiral Grace Hopper, on the Naval Academy campus. The Naval Academy has been a great proponent of cyber education for several years now, as every midshipman takes two mandatory cyber classes here in Hopper Hall, regardless of major, and I really enjoyed being able to compete in our very own designated spaces this year.

BD: How did you prepare for NCX?

Gallagher: We generally practice 8-10 hours a week through our internal training and qualification pipeline. Training this year began virtually, but has pivoted to an in-person setting as vaccines are rolled out to the Brigade of Midshipmen. Some of our NCX team members this year were brand new members in the fall, so it’s awesome to see their progression come to fruition. I think the structure and dynamic of our team is what makes us so effective: We are completely student run, trained, and managed. Things like building our own infrastructure, developing training material, creating qualification challenges, and competing in internal attack/defense allow our team members to develop practical cyber skills, as well as effective leadership qualities. In addition to utilizing the virtual environment heavily this year, we also relocated to new and updated spaces in the US Naval Academy’s new building: Hopper Hall. The move encouraged the team to build better internal infrastructure, which was a key contributing factor to success in the NCX Cyber Combat Exercise.

Perry: The team is midshipman-run, and midshipman-taught. Over the summer, Byron and the staff put together an education and training plan, and executed it brilliantly. Our success in the NCX is a direct correlation between the effectiveness of the training and the team’s willingness to absorb complex concepts and exploitation techniques.

BD: Which module(s) and/or other aspect(s) did you find to be most challenging, and why? Most exciting to work on, and why?

Gallagher: The Cyber Combat Exercise is always the most challenging and most exciting to work on. Weighted at 40% of the competition — over twice the weight of other modules — the cyber combat exercise presents teams with a live action, directly competitive challenge. Other modules allow teams to score points independently by solving challenges, but the cyber combat exercise allows teams to score points at the detriment of other teams. The organizers deliver “Intel” to the various servers under each team’s control. Stealing intel increases attack points, whereas having intel stolen decreases defense points. While each team is searching to find the vulnerabilities in the other teams’ servers, they must also take into account the security and availability of their own. In addition to the attack/defense scores, there is also a neutral, challenge-based competition to do on the side. Since each of the three aspects are weighted equally to form your final score, each team of four must have incredible cohesion and skill to effectively manage the multiple aspects. Due to our experience building our own infrastructure, we had a great deal of experience fixing vulnerable services and exploiting those vulnerabilities in other teams.

Perry: I personally found the policy module to be the most difficult. As NCX is composed of five different modules, four of the five are all technical. The fifth module focuses on public policy, which in the United States is quite complex. This part of the competition begins with the judges providing you with a fictional scenario where a large government contractor was hacked. The implications of the hack were massive, and it took an in-depth review of multiple legal documents and federal policies to navigate best on how we should recommend to the president to respond. Having been taught courses at USNA in cyber policy and cyber law by two exceptional teachers, Chris Inglis [former NSA deputy director, recently nominated to be the first National Cyber Director] and Prof. Jeff Kosseff [a national leader in cyber law], the policy competition itself was not necessarily too difficult to manage and grasp, since their mentorship allowed us to ensure all issues in the case study were adequately addressed. I definitely gained a greater appreciation for how complex government policies can be, and the imperative task to find a common goal amongst many different agencies and organizations in both the public and private sectors.

BD: Did anything surprise you about/during the competition? If so, what surprised you, and how did you respond?

Perry: There were not a lot of surprises in this competition. The team prepared well this year, and we have great teachers, coaches, and mentors in Hopper Hall that have given us great background knowledge that we were able to apply across all of the modules.

BD: Are you planning to specialize in cybersecurity during your Navy career?

Gallagher: Yes! I will be commissioning as a Cyber Warfare Engineer (CWE) upon graduation in May. The community allows officers to be both leaders and technical specialists, and it is awesome that the US Naval Academy has started to allow limited direct commissioning into the designator in the last few years. Hopefully, the commitment to the cyber warfighting domain continues as the Naval Academy and the Navy realize the untapped potential of both the CWE community and the value that USNA Midshipmen bring to the fight. The cyber field interests me because of the emphasis on self learning and tinkering. In order to be a great cyber operator, you need to be able to find the weakness or vulnerability that no one else noticed. It involves a lot of thinking outside the box and investigating new and different ways to do things.

Perry: Yes! I will be commissioning in May into the Navy’s Cryptologic Warfare (CW) community. Our three mission areas focus on signals intelligence, electronic warfare and cyber operations. I personally sought this line of work for the opportunity to lead gifted individuals in a very technical domain. It’s also becoming more and more critical to improve our digital security, and for the Navy to operate at full capacity, we need talented sailors to protect our networks from adversaries.

BD: Any general reflections on your NCX experience?

Gallagher: NCX was and always is an awesome culmination to our competition season and school year. NCX and its predecessor CDX [NSA Cyber Defense Exercise] have been held annually for the past 20 years, and serve as the original foundational purpose for the USNA Cyber Security Team Extracurricular Activity. NCX has never been just about the three eight-hour competition days; it’s about the leadership, training, and dedication that goes into preparing for it for the entire year. As president of the Cyber Security Team, it has been my mission to win NCX 2021 since turnover last year.

Perry: It’s honestly surreal. Successfully competing in the NCX has been our goal for most of this year, and to see the team bond and work together was extremely gratifying. From the freshmen to seniors, I was very proud of the team’s growth over the past year, and I’m confident in their abilities moving forward. With the pandemic creating various challenges throughout the year, it made the win that much sweeter.

BD: What advice do you have for younger people considering studying and/or working in cybersecurity?

Gallagher: Effectiveness in the cyber domain requires a creative mindset and a flexibility in problem solving approach. Young people have the mindset naturally, so they should embrace it and not be afraid to explore their interests in computing and cybersecurity. It’s no surprise that we see more savvy underclassmen each year, especially in an age with so many resources available on the internet. The military allows one to serve their country while also contributing to an important mission that you cannot get anywhere else in the private sector. Plus, the Navy specifically has some of the greatest historical involvement with the origins of electronic warfare and signals intelligence, dating back to World War II.

Perry: If you want to protect our nation, pursue cybersecurity. If you want to use creativity to solve problems, pursue cybersecurity. If you are persistent and enjoy challenges, pursue cybersecurity. In truth, there are more jobs then there are people to fill them. If you want to protect networks or go after those who threaten our national security, the Navy and USNA are great pathways to a much larger cyber world.