A year and a half ago, I wrote about a Navy computer program called CyberCIEGE, and provided a link to a copy that a reader had sent me. Over the months, upgrades were offered to the program, as new features were added. Now that a new version is available again, it seems as good a time as any to revisit CyberCIEGE, and share it with a new crop of potential users.
If you’ve never heard of CyberCIEGE (that’s how the “official” name is capitalized”, you don’t know what you’re missing.
It is, very loosely, a computer game, though that description probably calls up all the wrong images in your head. Technically, I guess it’s best referred to as an “information assurance simulator”, which sounds dreadfully boring, doesn’t it? Well, once you realize that “information assurance” is government-speak for “computer, network, and information-technology systems security”, things start to get a little more interesting.
Basically, CyberCIEGE is kind of like The Sims… only instead of a fit, athletic suburbanite, you get to play a systems administrator, and instead of going shopping and skiing and all those other fun things, you get to – you have to – administer and oversee physical and electronic security at your place of employment. To make things challenging, you generally get about a third the budget you would ideally want, and your office is inevitably targeted by every hacker, script kiddie, and foreign special agent in the world. More or less, constantly. And, to make things interesting, you get no help from your coworkers – Human Resources seems unable to hire anyone who isn’t working for a foreign intelligence service, and guards – if and when your facility has them – let just about anyone wander around the building, doing all sorts of nefarious things to computers under your control.
Put another way, CyberCIEGE is an incredibly difficult security simulation targeted at military and government network managers, and one which promotes one of the most unbelievably stringent security policies in the world. Now, it’s not necessarily an accurate representation of any specific military or government computer security – excuse me, information assurance – policy, and it doesn’t try to be. What it is, and what it does very well at, is a tool to teach a security mindset – a mindset founded on Murphy’s Law.
One of the most valuable aspects of CyberCIEGE – and one which is, as far as I’m aware, unique among security training materials – is that while a lot of the threats and scenarios are undoubtedly exaggerated, sometimes almost ridiculously so, they teach quite a bit about information assurance – network security – in an appreciable, accessible form. Yes, it’s a sandbox environment, but it manages to drive home its points by making them reasonably tangible, rather than mere abstractions. Actions – including inaction – have consequences, and after your third, fourth, or twentieth abject failure, you start to pick up on subtle nuances like this.
CyberCIEGE’s applicability outside the military/government field is probably, realistically, fairly limited – not because private-sector geeks have nothing to learn from it, but because the bar is set so amazingly – at times, ridiculously – high, for all practical purposes, everything they know is wrong. So, you’ve got an MCSE or MCSA in security? CyberCIEGE laughs at your silly little Cub Scout merit badge. You’ve got a degree? Awww, how cute. CyberCIEGE fries people like you in oil, a dozen or so at a time, drizzles you in melted cheese, and eats you as a late-night snack.
CyberCIEGE, I want to make it clear, is ridiculously challenging, in large part because it adheres rigorously to – and tries extremely hard to teach and instill – a very, very high set of standards. How hard is it? Well, if Bruce Schneier were running through CyberCIEGE with his right hand, coding Perl with his left, doing Sudoku – in hexadecimal – with his right foot, and drawing Mandelbrot fractals with a set of colored markers clenched between the toes of his left foot – which, aside from using CyberCIEGE, is kind of how I figure Mr. Schneier relaxes of an evening – about a third of the way through the program, he’d probably have to give up on the fractal-drawing; two thirds of the way through, he’d probably have to put down the Sudoku, as well.
Have I piqued your interest, yet?
If you work for or attend a government or educational institution – that is, if you have a .gov, .mil, or .edu email address – you can contact the nice folks at the Naval Postgraduate School, who would probably love to provide you with a copy of the program.
If you don’t meet those criteria, you have two options: You can download the demo version here, which lets you do almost everything the full version does, with the exception of things like, oh, saving your progress. Or… you could download a copy of the full program here (87MB executable installer). It works on most reasonably recent versions of Windows. The linked version is 1.9L; an update is available here.
Jokes aside, I think CyberCIEGE is an incredibly valuable tool, not least because it’s one of the only programs of its type. It’s powerful – incredibly powerful – and quite flexible; there’s a SDK available for download, and you can – you are encouraged – to develop and share your own scenarios for the program. The principle shortcoming, as I see it, is that almost nobody has heard of the thing! Obviously, I’m trying to help rectify this, and you can too – please, tell your friends and acquaintances in IT about the program. It’s woefully under-funded and under-promoted, and while you and I can’t really do anything about the former, we can do something about the latter…