April 17, 2017
At what point does a cyberattack become an act of war? Should the government react to a cyber-attack on the private sector? Is cyber privateering the answer to the government’s woes? These were some of the questions students (including this author) contended with at the Atlantic Council’s 2017 Cyber 9/12 student challenge on March 17 and 18.

Held at American University’s Washington College of Law, this was the fifth and biggest iteration of the annual student competition. Forty-five teams from 32 universities from across the United States took on the roles of cyber policy experts advising the National Security Council on how to react to a fictional cyber catastrophe.

The year is 2018 and China and the United States are on the brink of an all-out trade war. There is eroding trust in the US government after media reports emerge of the NSA using planted vulnerabilities in Internet-of-Things devices to create cyberweapons. Following a Distributed Denial of Service (DDoS) attack on a Chinese bank using an IoT botnet, President Xi Jinping publicly accuses the US of conducting the cyber-attack to cover up economic espionage. Following this is a near identical attack on an American bank using hacked devices from the bank’s network infrastructure. Complicating the whole situation is the Cyber Marque and Reprisal Act of 2018 which allows the President to issue a Letter of Marque to private companies that authorizes them to essentially hack back into the attackers’ systems. An ominous e-mail from the Vice-President of the US bank to DHS Secretary Kelly promises action under this act but leaves the nature of this action purposefully vague.

As participants, we had to suggest policy options for the President and the National Security Council that balanced domestic concerns with international, the desire to maintain economic stability with the desire to assert power and the concepts of proportionate response and hacking back with their effect on global perception of the US. We prepared and presented our policy options to a panel of judges drawn from a pool of almost 60 cybersecurity and policy experts. Following the presentation was a rigorous round of questions and a constructive feedback session.

Every round of the competition upped the ante; the US bank’s employment of a privateer to hack back resulted in the degradation of hospital (and other) equipment around the world including in China and severely affected public safety. The final round culminated in a cyber-attack on the USS Blue Ridge in the East China Sea and intelligence of PLA preparations for an armed attack.

Teams were judged on their understanding of the cyber landscape, interpretation and analysis of the scenario and its implications and the creativity of their policy options. “We want to present cybersecurity policy as a viable and exciting career option for students. We hope to bridge the gap between the technical and policy sides of cybersecurity by involving the next generation. We want students to walk away from this event with a deeper understanding of the cyber policy landscape,” said Anni Piiparinen, Associate Director of the Cyber Statecraft Initiative at the Atlantic Council.

Student teams presented policy options ranging from de-escalation to moving strategic assets to attack positions. “It was evident that these groups had undertaken thorough research on the issues in the scenario and thought deeply on possible responses and their implications. Considering the participants will be leading responses to these complex challenges in the future, what was most reassuring to me was the breadth of their understanding and the creativity they applied to developing solutions,” said John Watts, a Cyber 9/12 judge and Senior Fellow at the Atlantic Council.

Not only did we get to present in front of experts and get their feedback, we also got the chance to socialize with them at side events and networking receptions. This year’s highlights included a career fair and panel discussion, a Mock Cybersecurity Hearing before the House and Senate Armed Services Committees, a spear phishing demonstration, presentations from experts in the field, and keynote speeches by Rep. Jim Langevin (D-RI, 2nd District) and BG Jennifer Buckner of the US Cyber Command.

The scenario was realistic in its vagueness and that left room for multiple interpretations of the same events. It made us grapple with concepts like hacking back, IoT security, liability and attribution and their consequences in the real world. While studying the subject gave me ideas on what can be done to improve things, my experience at Cyber 9/12 gave me a better understanding of the larger context in which these ideas need to be placed.

Following the 5th annual competition in Washington, DC, the Atlantic Council’s Cyber Statecraft Initiative will host the third European Cyber 9/12 Student Challenge in Geneva, Switzerland in partnerships with the Geneva Centre for Security Policy (GCSP) on April 20-21, gathering 27 teams from Europe, the United States, and China. Additionally, the Council in partnership with the University of Sydney will host the first-ever Indo-Pacific competition in Sydney, Australia on September 27-28, 2017.