Some things just happen by chance.
The creation and rapid success of FITSEC, Florida Tech’s cybersecurity competition team and two-time National Cyber League (NCL) champions, is not one of them.
In fact, the team is one of several tactical components of a broader university “cyber sphere” development strategy that has been in the works since around 2013, when professor Marco Carvalho signed on as co-director of the L3Harris Institute for Assured Information (L3HIAI) alongside professor Richard Ford, who has since retired.
Some other components: stellar, hands-on research and coursework; dedicated, outstanding faculty with diverse expertise; keen leadership; student involvement; and passion enough to fuel it all.
It is, perhaps, best defined as a “sphere,” for “program” or “curriculum” fall short of describing the kind of sweeping, world-class commitment to cybersecurity universitywide strived for by Carvalho and the team of industry experts he has assembled at the L3HIAI.
“In cyber, you have to have a broad understanding of very deep technical parameters and concepts, but also understand how those elements interact with people, humans,” says Carvalho, who will step down as university provost and chief operating officer in July to focus on his research and his role as L3HIAI executive director. “It is this composition that makes this field so complex and so unique.”
With frequent news headlines about data leaks and government security hacks, there’s no disputing the need for skilled cybersecurity professionals in virtually every industry. The challenge is simultaneously cultivating that level of technical skill, social understanding and mental agility.
If the question is, how? The answer is FITSEC.
Just as athletes become champions of fitness and impact people’s perceptions of health, so can an enthusiastic, inclusive cybersecurity community build much-needed awareness of cyber safety and wellness on campus that then bleeds into society, accumulating international notoriety in the process.
“We are helping build and promote awareness of this important discipline, and probably in the best possible way, because we are engaging talented and passionate students who will themselves become ambassadors,” Carvalho says. “They are the best people to convey to their colleagues what it means to be involved, to understand that area of research, what kind of ethical responsibilities you have, what kind of impact you can have in society and what options this opens for their careers.”
Options for their careers and options for their university.
“I think one of the things that FITSEC does is allow us to raise the aperture of the university,” says assistant professor TJ O’Connor, primary FITSEC faculty advisor and director of Florida Tech’s cybersecurity program. “It has helped elevate our standing and our understanding of why this place is so special and the talent that exists here.”
Does achieving so rapid a rise to the top of the collegiate competitive cybersecurity realm take luck? Maybe a little.
But to be sure, it takes vision. It takes commitment. It takes teamwork.
Most importantly, it takes a plan.
First, hire the right people.
The L3HIAI is one of fewer than 80 designated Department of Homeland Security (DHS)/National Security Agency (NSA) Centers of Academic Excellence in Cyber Defense Research, meaning that since its inception in 2009, a primary focus of the institute has been research productivity and scholarly impact.
As it continued to increase its presence in this area, quickly becoming the university’s top institute for funded research, Carvalho recognized the need to broaden this mission, boosting emphasis on education and training, as well.
To do so, Cavalho sought to hire new faculty with the expansive capability to both build new master’s and certificate programs, and to engage with students and the community through internal and external outreach and promotion.
“That helps build a broader cycle for the mission of the institute,” Carvalho says. “You’re engaging with students; you are training them; you’re building pathways for some of these people to either go into industry or transition into research and into other activities that, ultimately, help build the state of the art in this field.”
After 20 years of U.S. Army service, including four assignments supporting the Army Special Forces and a stint at the U.S. Military Academy, West Point, where he oversaw the competitive cybersecurity team and set up some of the academy’s first cyber curriculum, O’Connor’s last military assignment brought him to Florida Tech as director of the ROTC program.
“I had a lot of fun assignments in the Army, but West Point was the one that meant the most because I got to build people and make them stronger versions of themselves,” O’Connor says. “I really enjoyed it, and I was looking for that opportunity after I retired.”
He soon realized, he wouldn’t have to look very far.
The day after he took off his military uniform for the last time, he walked across the parking lot and into his new office in the L3HIAI. The transition, he says, was so seamless, that his biggest challenge was getting the keys to his new office.
“The key ingredient is to have the right leadership, and I would say that Dr. O’Connor—with a couple of people in the group that initiated those efforts—has been instrumental,” Carvalho says. “They provide the basis for people to organize themselves around.”
Immediately, O’Connor began working with his L3HIAI colleagues and local industry leaders to develop a new cybersecurity curriculum, an endeavor that he and Josh Connolly ’21, FITSEC student founder, quickly realized would complement the competitive cybersecurity team and propel it to new heights.
“Here, if you have a really great idea and you can see it through, and you can invest time into it, you can build it into something amazing,” O’Connor says. “And Dr. Carvalho gave us the go-ahead to do that.”
Then, develop a program unlike any other.
The day after news broke that Russia had cyberattacked the top 500 U.S. companies in December 2020, O’Connor and his students took down the malware, analyzed it, evaluated the indicators and worked through the obfuscation of it live in class.
The midterm exam for another of his classes has each student use code to write a program, swap for another student’s and break it.
Another has to build the challenges for the university’s Space Heroes international capture the flag competition.
“A lot of other universities talk about theories. They talk about methods. Here, we talk about the theories and the methods, and then we apply them to something,” says Kourtnee Fernalld ’21, a computer science master’s student who will soon start her Ph.D. in computer science. “Actually getting to do it yourself and experiencing it is, I think, the best part.”
That’s the idea, O’Connor says.
Launched in 2019, the cyber operations concentration for undergraduate computer science students is composed of six hands-on courses that are very focused on workforce skills that also complement the competition aspect.
O’Connor loosely modeled the curriculum after the NSA cyber operations program, infusing it with feedback he collected from local companies about what they are looking for in new employees.
“The curriculum has allowed us to tear everything apart at the byte level and understand the deep and technical underpinnings of what’s required to both attack and defend in cyberspace and build very talented individuals to help the U.S. cybersecurity mission,” O’Connor says. “Having that hands-on approach, it’s intensive, but why do anything unless you’re going to do it 100%?”
His students agree.
“I think we take for granted how unbelievably amazing the cyber concentration is here,” says Robert Heine, a computer science senior and FITSEC member. “The material that’s taught is very, very unique. The faculty involved, I think they do an incredible job conveying it. I think that plays a massive role in FITSEC’s competitiveness—just the quality of cyber education that we get here.”
In addition to building, breaking and defending code, it is clear that O’Connor has also taught his students how to teach.
The practical lessons veteran FITSEC members teach during the team’s weekly meetings—while admittedly, and purposefully, not as in-depth—are structured similarly to those they experience in the classroom.
Aside from teaching each other—a valuable learning and competition preparation tool in itself, O’Connor says—FITSEC also invites faculty members, FITSEC alumni now working in the industry and local cyber professionals to lead lessons on more complex or specialized topics.
“I’m biased, but I think we do it better than anyone else,” O’Connor says.
Break code. Build community.
The initial pitch is simple: “We hack things.”
Upon hearing that, some are hooked. Some are intimidated. FITSEC wants them all.
When FITSEC started, it was a fairly disjointed group of about 10 computer science and computer engineering students who wanted to see how well they could do in a cybersecurity competition.
Turns out, not so well.
“The first competitions were horrific,” O’Connor says. “We got slaughtered. It was terrible. But we started learning a lot of lessons from this, feeding them back into the equation, growing as a team, competing and bringing in more students.”
Today, FITSEC is up to about 80 active members, with 40 registered with the NCL. Getting there took work.
As the team grew, members honed their competition prep and recruitment process.
First, practice. Each week, members participate in a deliberate strike force meeting focused on working through specific, intimidating problems for an hour or two, depending on the difficulty of the problem(s).
Then, compete every weekend—sometimes just a challenge or two for fun, sometimes travel, sometimes a full-fledged team effort requiring members hole up together in the FITSEC House for 48 hours straight.
Finally, welcome newbies. FITSEC hosts a weekly welcome and onboarding meeting for new and prospective members—something that veteran members like Fernalld, Heine and Alex Schmith, a computer science senior and FITSEC competition captain who is ranked 39th in the nation, agree they wish they had when they first considered joining the team.
“It was really intimidating at first,” Schmith says of his perception of FITSEC when he got to Florida Tech.
“It was mostly a knowledge thing,” Heine agrees. “In my head, at least, it was, ‘How can I break code if I don’t even know how to write it?’ It was a totally foreign concept.”
With no real understanding about what “hacking” meant besides what they’d gleaned from movies like, “Hackers”—which they now recognize as “fun, cheesy and completely and utterly inaccurate”—they felt that joining a cybersecurity competition team would be too far out of their elements.
“Since then, we’ve worked on simplifying it and making FITSEC more approachable,” Fernalld says. “Now, we kind of ease people into it—starting with the basics, mentoring.”
And pizza. Lots of pizza.
Students aren’t the only newbies FITSEC welcomes into the fold. In August 2022, assistant professor Sneha Sudhakaran joined the team as co-advisor. A renowned authority in mobile and memory forensics, Sudhakaran is a technical expert and champion of FITSEC’s mentorship efforts.
Outside of “hacking,” FITSEC is actively seeking opportunities for members to get involved in the university and greater community through things like beach cleanups, participating in the ocean engineering and marine science department’s Living Docks program, developing a Florida Tech chapter of Women in Cybersecurity and more.
“FITSEC feels more like a fun little community than it does a strict club or a competitive team,” Heine says. “We’re always training. We’re always practicing. But it’s just friends hanging out, having a time, learning about cyber stuff. I don’t ever see it as work—it’s fun.”
Fun is a big part of it. The FITSEC approach: breaking code or eating pizza—when done as a team, it builds the community, familiarity and camaraderie necessary to grow and, ultimately, succeed.
“For a lot of these students, FITSEC is the first place that they’ve been accepted for being just a little bit different. There is finally a place where people are like them—passionate and excited about tearing things apart and understanding them,” O’Connor says. “I think our people are our greatest asset. We’re different, but it doesn’t matter because we’re accepted here.”
Support that community.
Success requires support. From a university standpoint, Carvalho says, that support is threefold: space, sponsorship and engagement.
To adequately train requires a secure space to practice without risk of exposure. Dedicated infrastructure, network support, network isolations and technical access allow FITSEC to work as a team, free to safely explore different initiatives.
Financially, the L3HIAI has provided funding not just for expenses such as travel and operating costs for the FITSEC House, but also scholarships. Each year, FITSEC offers funded positions to four students who compete with the team.
“That allows us to really offer those positions to individuals who bring a lot of notoriety, just like a sports team would, here on campus,” O’Connor says. “By competing—and competing well—they bring the Florida Tech brand to great spaces. That’s really awesome.”
Fernalld, who started at Florida Tech earning her bachelor’s degree, received one of FITSEC’s funded positions, allowing her to enroll for her master’s and, now, doctoral degree in computer science at the university while continuing to compete with and build up the team.
“Basically, if we need something, Dr. O’Connor finds a way to get it,” she says. “Whether we need travel expenses, pizza for a meeting or training on some very specific topic that none of us are particularly good at.”
Finally, engagement. Excitement builds opportunity, Carvalho says. Both abound for FITSEC thanks to internal and external promotion, dedication of time and resources, and steadfast, vocal belief in their abilities.
“I think Dr. Carvalho did a phenomenal job investing not just financially in the team and supporting them, but just letting them know that he believed in them, and he believed in them at a high level: that they were the best in the nation,” O’Connor says. “And then, they showcased that—multiple times.”
Win. A lot.
“I don’t like losing,” says O’Connor.
He came to the right place.
Since those first “horrific” competitions, where the team’s goal was simply, “don’t come in last,” FITSEC has had a rapid, steady climb to the top of the nation’s competitive cybersecurity arena.
In spring 2020, FITSEC came in at No. 12 in the NCL tournament. By spring 2021, the team had jumped to fourth place. In fall 2021, FITSEC won its first NCL championship and picked up a second the following fall. Most recently, the team placed sixth in the spring 2023 NCL tournament.
These national victories were punctuated by several smaller-scale wins, as well: third place in the 2021 U.S. Cyber Challenge regional qualifier; second place in the U.S. Cyber Challenge Cyber Bowl; second place in the JumpWire CTF at ShmooCon; and first place at Saint Leo University’s Cybersecurity Capture the Flag Invitational; to name a few.
“There were some really talented people on that early team, they just didn’t know they were talented yet,” O’Connor says. “Once we just got them going in the right direction, all of the wins started happening very fast.”
What does competing in a cybersecurity challenge feel like?
“Anxiety.” “Stress.” “Dread.” “Then, euphoria.”
“When you figure it out, it’s just the most beautiful feeling in the world,” Heine says.
“It’s a rollercoaster of emotions, but it always feels so good when you finally get something,” Schmith says.
“I guess that’s what keeps us coming back,” Fernalld adds. “We pretty much live with an addiction.”
FITSEC has won everything from sizeable trophies and huge cash prizes to a Zimbabwe bill equivalent to about $2 in the U.S. and a display trophy with a “winner” sticker stuck to the placard.
The point, Fernalld says, “You don’t actually need a prize.”
“Competitions are great, but they’re short-lived,” O’Connor says. “Our students are graduating and going into industry and doing great things. I’ve got companies really excited about the students we’re producing and asking for them by name. That’s because of FITSEC.”
Schmith, for example, is fielding internship offers from three companies—and he hasn’t even graduated yet.
“FITSEC has made college better, but it’s also done really well for my career,” he says. “I’ve gotten a lot of internship opportunities. I’m getting jobs that I actually enjoy and where I enjoy the people around, as well, and I’m doing stuff that I’m really interested in—that’s really great.”
Finally, keep it going.
The work, O’Connor says, is never done: Learn. Grow. Win. Repeat.
“They have the respect of their adversaries for sure, and they should be very proud of that,” Carvalho says. “I think what the team needs to do now is gain in numbers, gain in breadth, gain in presence, involve more students and really grow in terms of infrastructure and support.”
As they continue refining the team, O’Connor seeks to lighten the load placed on individuals’ shoulders, building an organization that’s bigger than any one—or five or 10—person(s).
“I think we’re a niche to the field of computer science, but I don’t think we have to be—there are a lot of opportunities for people outside of our discipline to participate,” O’Connor says. “We’re just looking to be the best.”
When FITSEC had won its first national championship, Carvalho congratulated O’Connor and his team.
When FITSEC won its second national championship the following year, he asked O’Connor what was next.
To O’Connor, there was only one answer.
“I guess, win it again, sir.”
For more FITSEC fun facts and team tales, read “A Byte of FITSEC: 8 (Tid)Bits About Florida Tech’s Champion Cybersecurity Competition Team.”
This piece was featured in the spring 2023 edition of Florida Tech Magazine.