US Naval Academy trains future cyber warriors


Paul Tortora, director of the U.S. Naval Academy’s Center for Cyber Security Studies. (Photo: USNA)

At the U.S. Naval Academy, midshipmen are learning to operate in the cyber domain — to at least some degree — as part of their everyday studies. It reflects the reality of the world they will enter, regardless of what they go on to do after graduation: Wherever they head next, cyber will be part of the job.

The depth of study varies, and the approach is evolving along with understanding of cyberspace as an operational domain. And with the Naval Academy’s location in Annapolis, Maryland, only a stone’s throw from Fort Meade — headquarters of U.S Cyber Command and the National Security Agency — students get some additional benefits from the nearby military agencies that govern the cyber domain.

Paul Tortora, director of USNA’s Center for Cyber Security Studies, recently spoke with C4ISRNET Editor Amber Corrin about the curriculum and how the academy is training midshipmen to operate in cyberspace.

C4ISRNET: Tell us a little bit about the approach to cyber education you’re taking at the Naval Academy. 

Paul Tortora: We decided we’d call it “all, many, few,” that everyone is going to get some level of cybersecurity. All students, 100 percent of them, are going to get two classes in cybersecurity. One as a freshman and then a second one as a junior. Initially, we want to give a baseline understanding of the fundamentals of computers, how they work, how the Internet works, how Wi-Fi works, what is a hack, how encryption might work. Then ultimately we looked at how to give them a virtual environment where they could actually get some hacking and attack a machine, and that all comes together.

Then the junior courses that we also teach here are more on the engineering side. They learn about communications and how communication flows, how to protect and manipulate it — it’s a more technical course.

C4ISRNET: So what does the classroom experience actually look like for your students? 

Tortora: We found that many of the students, actually a majority of them, have limited words of actually what’s going on in the computers or hand-held devices that they have. We adjusted the course over time so that the first part of the course is actually computers. Basically, computer science 101. What is information, what is a zero and a one, what are the basics of computers? We actually make them take apart a desktop computer and then put it back together, then show that it still works so that they understand each component of it.

Then they learn a little bit about systems, what’s on a Windows computer or Apple computer. They learn a little bit about coding in the lab, how the internet works … then we start talking about how they can then use those for attacks, for stealing information, and then we show them how the networks work. Each week there’s a lab in the course and they can take some of that content, the wireless lab, the wireless network … and we’ll actually show them how you take over someone’s wireless network very easily using simple tools you can download online.

We also emphasize to them the ethical and legal aspects of not doing that in public. But they understand how simple it is to get Wi-Fi in some locations … so we show them all the risks about what can happen. We do a little bit about encryptions … they’ll learn a little bit about what it means when it’s encrypted, it’s locked, how do I know this website is secure? They’ll learn about how to break passwords, knowing if a website is secure.

We wrap up the freshman course with a series of labs where they actually get into a fake virtual network. It doesn’t impact any real internet, and they can steal things and try to get elevated access to files … they can go in, browse around a network, and then try to pull information off, try to erase the web page.

In the last laboratory of the school year for that class, for the first hour of the two-hour lab, there’s a particular network you have to set up. The firewall needs to be disabled, accounts changed, all the passwords. They have to do a number of things to understand what it takes to be the network protector – the administrator.

The first hour is protecting your network, cleaning it up. Then the second hour is basically an all out cyberattack against the other half of the class. They take everything we taught them: hacking, a denial-of-service attack, trying to spoof information. Everything they can possibly do to try to see if they can get into the adversary’s network. Toward the end of the class, we’ll actually give them a simulated zero-day vulnerability, and they try to get into that other person’s network. So the entire course starts with the fundamentals of computing, digital information, and it culminates with basically an all-out cyberwar in a virtual environment so they can put it all together.

C4ISRNET: Do you have a cyber major at the academy? 

Tortora: We did decide to create a new cyber operations major. There’s only a few midshipmen in the larger class that will actually then do a cyber operations major. And in a nutshell, the cyber operations starter courses are on the fundamentals of computing, networking, programming, physical systems … the fundamentals that we see in a computer science program or computer engineering program. But then we’ll start to branch out so they see a larger view of what cyber operations might mean. It culminates in their senior year when they take a class in cyber policy and then in cyber law. The fundamentals of the technical aspects of cybersecurity, of the computer, of the network, of the physical system that they connect to.

We tie it all together when they’re seniors … both in their non-technical classes and then in a capstone sequence course that focuses on attack. That’s when they get a bigger picture of what it is to operate in the cyber domain: They’ll have to spend some time looking at the technical aspects of that, the system, the physical system, the network, the data…and also, in some cases, the ethics. Can they do that, should they do that? What are the policy implications? The big picture is what our cyber operations make us look at. With most of the cases, three of them being non-technical, we wanted to have a broader view of what’s really going on in the cyber domain.

C4ISRNET: How much do you incorporate things that are happening in the real world? If you’re talking about the electromagnetic spectrum, how much do you bring Russia and Ukraine into the classroom? Or if a high-profile hacking incident happens, how much does that get integrated into what is discussed in the classroom? 

Tortora: I teach the freshman introductory courses and a couple other courses, and my daily class begins with a 24-hour recap of what’s been in the news. As students get more comfortable I encourage midshipmen to raise a three-to-five minute current event discussion. The challenge is it’s got to be cyber and it has to be less than 48 hours old. They always accept that challenge. There’s never been a challenge where they have trouble bringing a topic that’s more than 24 hours old on cyber.

Whatever the topic they choose, we’ll then use that to guide the class discussions. So for the class discussions on spearphishing, an example of spearphishing. Then I can bring up all the aspects that: the social engineering, the technology, small cyber operations to take that targeting. The bigger one is what they were after, what was the context, the policy of legal authority.

So, the answer is we incorporate as many recent events as we can. This is the most demanding because there are so many current events happening in the cyber domain that rapidly change. The instructors can always bring up a current event in the course work: cyber engineering, basically understanding how peers can move something in a physical domain. In the cyber policy course they have to take as a senior, we’ll actually give them a scenario … it could be Russia or China.

We do our best to try to bring in current events and then tie it back to the bigger picture and how it affects the Navy and beyond. It’s very challenging, but it’s exciting because you can have so much material for a relevant discussion.