WASHINGTON — CyberCity has all the makings of a regular town. There’s a bank, a hospital and a power plant. A train station operates near a water tower. The coffee shop offers free WiFi.
But only certain people can get in: government hackers preparing for battles in cyberspace.
The town is a virtual place that exists only on computer networks run by a New Jersey-based security firm working under contract with the Air Force. Computers simulate communications and operations, including email, heating systems, a railroad and an online social networking site dubbed FaceSpace.
Think of it as something like the mock desert towns that were constructed at military facilities to help American soldiers train for the war in Iraq. But here, the soldier-hackers from the Air Force and other branches of the military will practice attacking and defending the computers and networks that run the theoretical town. In one scenario, they will attempt to take control of a speeding train containing weapons of mass destruction.
To those who participate in the practice missions, the digital activity will look and feel real. The “city" will have more than 15,000 “people" who have email accounts, work passwords and bank deposits. The power plant has employees. The hospital has patients. The coffee shop’s customers will come and go, using the insecure WiFi system, just as in real life.
To reinforce the real-world consequences of cyberattacks, CyberCity will have a tabletop scale model of the town, including an electric train, a water tower and a miniature traffic light that will show when they have been attacked.
“It might look to some people like a toy or game," Ed Skoudis, founder of Counter Hack, the security firm in central New Jersey that is developing the project, said recently while giving a reporter a tour of the fledgling system. “But cyberwarriors will learn from it."
CyberCity provides insight into some of the Pentagon’s closely guarded plans for cyberwar. It also reflects the government’s growing fears about the vulnerabilities of the computers that run the nation’s critical infrastructure. Last month, Defense Secretary Leon Panetta said that digital attacks “could be as destructive as the terrorist attack on 9/11" and virtually paralyze the country.
“If a crippling cyberattack were launched against our nation, the American people must be protected," he said. “And if the commander in chief orders a response, the Defense Department must be ready to obey that order and to act."
Troublesome fears
Behind those fears is an unsettling reality: Networks in the United States will remain vulnerable to attacks for some time to come because no one understands cyberspace well enough to ensure security.
In the four decades since the Internet began, most cybersecurity research has been conducted on the fly or as an afterthought, according to interviews with security specialists and computer scientists. Now, with the world linking up its communications, infrastructure, military, banking, medical and other systems at a lightning pace, the dynamic of cyberspace has grown too complex. Rigorous scientific experimentation that might lead to security breakthroughs is only beginning.
In the meantime, attackers hold a huge advantage. They can choose the time, place and method of strikes. Defenders almost always have to settle for reacting, making fixes after the damage has been done.
CyberCity aims to prepare government hackers to hold their own until long-term solutions can be found.
“The problem is the bad guys are getting better much faster than we are," Skoudis said. “We don’t want to fall further behind on this."
CyberCity is one of hundreds of virtual environments — often known as cyber ranges or test beds — launched in recent years by military, corporate and academic researchers to confront the mind-bending security challenges posed by cyberspace, where millions of attacks or intrusions occur every day.
Some small ranges study the effects of malicious software and viruses. Some hope to emulate the Internet itself and become scientific instruments of sorts, akin to mountaintop telescopes or particle accelerators, that will enable researchers to seek out the elusive fundamentals of cyberspace. The most ambitious of these, the National Cyber Range, was developed by the Defense Advanced Research Projects Agency. It has cost about $130 million since 2008. The agency said seven large-scale experiments have been conducted by Pentagon researchers.
Creating realistic virtual environments is extraordinarily challenging. In cyberspace, a global network of networks, more than 2 billion people interact with at least 12 billion computers and devices, including global positioning systems, mobile phones, satellites, data routers, ordinary desktop computers and industrial control computers that run power plants, water systems and more.
In many cyber ranges, the simulated Web servers, routers, mobile phones and other network devices operate essentially as they do in the real world, but they have few if any physical components. The virtual devices simply exist as computer code.
Merit Network, a nonprofit technology group in Michigan, just launched a cyber range at Eastern Michigan University that promises to conduct “live fire" exercises. The Defense Department runs the Information Assurance Range in Stafford County, Va. It gives cyberwarriors a safe, closed environment to practice intrusions and security testing.
In Hampshire, England, and Millersville, Md., Northrop Grumman runs cyber ranges that allow corporate and government clients in Britain and the United States to create models of their own networks and employee activity. Northrop officials liken their systems to flight simulators.
Christopher Valentino, a research and development director in the cyberintelligence division of Northrop Grumman Information Systems, said one key to a successful range is closely approximating the way human psychology plays out on real networks.
“It’s very hard to find ‘normal,’" he said.
Creating CyberCity
The idea for CyberCity grew out of conversations that Skoudis had two years ago with senior Air Force officials eager to convey to cyberwarriors the impact that hacking can have on real-world operations such as water plants and power grids.
At the time, the Pentagon had recently declared cyberspace the newest domain of war. U.S. forces also had secretly launched cyberattacks against Iran’s nuclear enrichment facilities, disabling almost 1,000 uranium centrifuges in 2009 and 2010. That attack, disclosed this year, involved a malicious computer “worm" known as Stuxnet. It is the most notable attack on critical infrastructure that has come to light.
Skoudis ran a network-hacking training program called NetWars through the SANS Institute, a leading security organization that has trained thousands of government and civilian employees. Working through SANS, he agreed to create CyberCity for less than $1 million. It would be a modest range with an urgent, focused goal.
“We’re not trying to do a lot of theoretical work here," Skoudis said. “Our focus is on very practical applications, training cyberwarriors."
The Air Force believes that training on cyber ranges is a key to keeping pace with changing threats from criminals, terrorists or even nation-states. The practice missions in CyberCity are expected to begin in the next few weeks.
