Hack event gives students a chance to battle back against simulated cyberattack

Anne Toomey McKenna, Distinguished Scholar of Cyber Law, Dickinson Law and Penn State’s Institute for CyberScience co-hire and professor of practice, who was one of the leaders of the 2019 Penn State Hack Response Simulation Competition, interacts with the group of about 70 interdisciplinary students who took part in the hack simulation. The simulation was designed to help train the next generation of cybersecurity experts by giving them a multidisciplinary, start-to-finish and hands-on experience in tackling a hack. Credit: Jordan Futrick. All Rights Reserved.

UNIVERSITY PARK, Pa. — Malicious cyber activities — or hacks — cost the United States’ economy more than $100 billion a year, or about .64 percent of the nation’s GDP, according to the most recent figures from the White House. Training the next generation of cybersecurity experts is now a national priority.

A group of about 70 Penn State students, faculty and staff from a range of fields and disciplines took a step toward taking on roles as interdisciplinary cyber hack responders in the 2019 Penn State Hack Response Simulation Competition held recently at the Technology Support Building at University Park. Participants came from Penn State’s Dickinson Law, the College of Information Technology and Sciences, Penn State Law, Smeal College of Business, the Donald P. Bellisario College of Communications, the Applied Research Laboratory, and the U.S. Army War College.

Anne Toomey McKenna, distinguished scholar of cyber law at Dickinson Law and Penn State’s Institute for CyberScience co-hire and professor of practice, developed the hack response scenario and worked with Russ Houseknecht, lecturer, information sciences and technology, to design the simulation. She said the idea for the exercise was inspired partially by her own experience as a trial lawyer representing clients who, over the years, struggled with compliance, security, and data privacy in their computer systems as they increasingly found themselves vulnerable to hacks and other forms of data breaches.

“Time and time again, I would see situations where clients would be faced with a data breach, but they would not understand either the information technology aspects of it — the cybersecurity technical piece — or not understand the legal compliance piece of it,” McKenna said. “I recognized in my own practice area that it was very hard to find lawyers who understood the technology and very hard to find people in the technology area who understood the legal requirements and also electronic evidence preservation.”

One way to address this disciplinary disconnect was to bring together students from business, information technology and sciences, communications and law to help students from diverse backgrounds learn how to collaborate effectively on responses to future hacks.

The exercise centered on a hacker who used a phishing scam to gain access to a university’s computer systems that contained, for research and development purposes, records from a health and insuring program for military personnel, their families, and civilian contractors. In a phishing scam, the attacker sends an email from what appears to be a trusted entity, and when the unaware victim replies or clicks on a link in that email, the hacker gains the victim’s access to the computer system. The exposed data in this scenario, all of which was fictitious, included sensitive medical and personal information that had national security implications as well.

Nine interdisciplinary teams of faculty, staff and students then studied the hack to form a response to address the full range of possible considerations and responses. Teams had to consider the entire cycle of a hack, i.e., initial detection; defense and mitigation of system damage; evidence preservation; whether hacking back was permissible; and legal compliance, including what the teams were required to report about the hack and to whom. The teams then had to present their insights and recommendations to the executive board.

Donald Welch, Penn State’s chief information security officer and one of the members of the executive board, addressed the group on the critical step of securing the system and mitigating the damage done by a hacker.

“Before you start the securing and mitigation process, you have to understand the breadth and depth of that intrusion,” Welch told the teams. “You have to understand the sophistication of the intrusion and see how they dug themselves in. Having that understanding is really key.”

Members of the executive board who specialized in legal aspects of cyber hacks explained that all aspects of the response, even ones that may sound trivial or obvious, such as the words that the team used to describe the hack, are important and must be well thought out.

“Vocabulary matters to legal,” advised Amy C. Gaudion, dean for academic affairs, Dickinson Law. “Make sure you are careful before you use the word ‘attack’ because there are legal implications of that word. Be cognizant of the terms you are using.”

Organizers said the teams demonstrated that they learned how to work together as an integrated team with a common purpose. Teams that do not understand integrating all the facets of a hack can cause a ripple effect, making an already bad situation worse, added McKenna.

“Damages increase when people don’t understand these interdisciplinary aspects that flow from a hack,” said McKenna.

Participant Shelly Curling, instructor of accounting in the Smeal College of Business, said the interdisciplinary experience gave students from a range of majors a seat at the table and gave them a chance to break out of their disciplinary silos.

“This is a fantastic event and I would say the importance of the event for students is that these students are gaining an unmatched interdisciplinary experience with some of the brightest minds,” said Curling. “This gives students a big picture look at the complexities that go beyond their majors. An IST student is getting the perspective of a communications student, for example, or a business student is learning the IST perspective — they are pulling together all of these different facets.”

Participants also said that in addition to learning how to work together, the team environment helped them learn a lot from each other.

“For me, it was learning what the other members of my group know,” said Andrew Kline, a student in Information Sciences and Technology, who is interested in cybersecurity and was a member of Team 1. “On our team, we had so many different backgrounds, so while I have a cybersecurity background, we also had members from a legal point of view, or a business background, and so I was learning what they knew and I was learning it in a way that was cohesive.”

The teams had 105 minutes to write responses to the questions in the 9 categories.

In addition to McKenna, Welch and Gaudion, members of the executive board for the Hack included Thomas I. Vanaskie, retired circuit judge, United States Court of Appeals for the Third Circuit; James W. Houck, retired U.S. Navy vice admiral, director, Center for Security Research and Education and Distinguished Scholar in Residence, Penn State Law and the School of International Affairs; Wyatt DuBois, assistant director, Penn State’s Office of Strategic Communications; Mike Hohnka, head of access and effects department, data and image sciences division, Applied Research Laboratory; and Peter K. Forster, associate teaching professor, Information Sciences and Technology, associate dean for online and professional education and program coordinator, Homeland Security MPS.

The winning team members included Walter Bain and Sean O’Connor, both information sciences and technology students; Haeyeon Kim, Penn State Law; Logan Miller, Dickinson Law; Howard Matthews, U.S. Army War College; and Kevin Kuczynski, an engineer at Penn State's Applied Research Laboratory.

Last Updated June 6, 2021