Closing the cyber skills gap: Nine perspectives on Cyber 9/12

Participants meet before the Cyber 9/12 competition in 2017.

On March 20-21, 2020, the Atlantic Council Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative executed its first-ever virtual Cyber 9/12 Strategy Challenge. Our scenario examined how state and non-stage actors could exploit maritime cybersecurity vulnerabilities to sow chaos by slowing global shipping, clogging key maritime travel chokepoints, and disrupting key maritime systems such as the Automatic Identification System (AIS). The scenario pushed competitors to their limits and challenged them to think critically about a complex cyber and geopolitical dilemma with major economic implications. The full scenario can be found online here.

The competition was a resounding success, with twenty-two teams, over forty-five judges, and six keynote speakers participating virtually from across the United States. We asked nine individuals who contributed to Cyber 9/12 DC in different ways to share their insights, experiences, and takeaways from the event.

Question 1: What is the role of the Cyber 9/12 Strategy Challenge?

Safa Shahwan Edwards, associate director and Cyber 9/12 program director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council

“The role of the Cyber 9/12 program is to close the cyber skills gap and increase diversity in the cybersecurity workforce.

“We are confronting a global shortage of skilled cyber talent running to millions of people. Academic programs are working to develop cybersecurity curricula and turn out graduates to enter the cyber talent pipeline, but this has not been enough. While technical events like hackathons and capture the flag competitions play an important role in training the next generation of cyber defenders and penetration testers, what about those who will be responsible for developing policy responses to problems rooted in international relations and public policy, building communication strategies around cybersecurity, regulating technology, and analyzing the legal implications of cyber incidents?

“We have seen that cyberspace is so much more than ones and zeroes and it requires more than purely technical solutions. Cyberattacks and incidents have physical implications and can impact society, politics, economics, and national security. Cyber 9/12 provides students from across academic disciplines—not just technical backgrounds—with the opportunity to respond to a realistic cyber crisis scenario, analyzing and presenting the technical, legal, security, political, and economic implications it may have to a panel of expert judges. Through this experience, students gain an improved understanding of cybersecurity, policy analysis, and presentation. Students also have a unique opportunity to meet and network with potential mentors and employers, helping not only close the cyber skills gap, but to also create a more robust and multidisciplinary global cyber workforce.”

Question 2: You continue to come to Cyber 9/12—what brings you back?

Jocelyn Murray, undergraduate student, Lewis University; member of Student Track Semi-Finalist TeamLewis University Flyers, 2020 Cyber 9/12 DC

“My first competition was back in New York City in Fall 2019, and our team subsequently attended the Austin 2020 and virtual DC 2020 competitions. Initially for our team, the New York City competition emphasized the importance of bridging the gap between the technical and policy side of cyber. Ever since then we’ve developed almost an addiction to crafting geopolitical responses to cyberattacks. While responding to these scenarios, it provides our team a way to explore modern-day issues with large scale impacts. Whether it be critical infrastructure vulnerabilities or international disputes, there is always a deep rabbit hole to investigate and something new to learn.

“Developing policy responses to these attacks has resulted in some incredibly stressful times, but more importantly, it has promoted meaningful cooperation and collaboration among our team members. I am currently a freshman studying Computer Science with a concentration in Cyber Security, and Cyber 9/12 introduced me to the strategy and policy side. After the competition, I even added a Public Policy minor because I was so interested in bridging the policy and technical sides. Overall, I originally signed up for Cyber 9/12 due to a curiosity about the field as a whole. I plan on continuing to compete in Cyber 9/12 competitions during my undergraduate years due to the insight that the competitions have provided, as well as an undying curiosity about what will happen next.”

To read more about Jocelyn’s experiences with Cyber 9/12, look here!

Question 3: How did this differ from a normal Cyber 9/12?

Will Loomis, program assistant and Cyber 9/12 DC Lead, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council

“This year’s competition was entirely virtual. With widespread school shutdowns and increased restrictions on public gatherings and travel due to COVID-19, the Cyber Statecraft team decided to conduct the entire competition via Zoom. With approximately forty competition rounds, four keynote addresses, three networking sessions, and a panel event, Cyber 9/12 DC was in many ways the same as it would have been in person. However, with students now briefing remotely, teams were challenged to adjust their presentations on the fly and shift their teams’ briefing styles to reflect the new format.”

Question 4: How do you think the competition’s format and requirements are preparing students for policy challenges and crises to come?

Saleela Khanum Salahuddin, Cybersecurity Policy Lead, Facebook

“The Cyber 9/12 Strategy Challenge offers students the unique opportunity to stress test real-world cyber scenarios with global national security implications, exploring both traditional and evolving threat landscapes. What is particularly impactful about the challenge is the way the scenarios spark critical and informed thinking about the intersection of cybersecurity threats with geopolitical and economic realities. The format and requirements call on the students to take on the role of advisors to decisionmakers in crisis scenarios in a way that tracks reality closely. From having had the privilege to participate as a judge, it is extremely rewarding to see the way students can interact directly with an expert community of academics, government officials, and private and public sector professionals from various and diverse backgrounds to develop solutions to problem sets inspired by real world events—the challenge is no esoteric exercise, but immersion in situational roles that bring theory and global complexities to life for the emerging thought leaders of the future, offering prime preparation for careers in cybersecurity and national security.”

Question 5: What made this year’s scenario challenging? How does one approach a scenario like this?

Sasha Cohen O’Connell, executive in residence & director, Terrorism and Homeland Security Masters Program, American University

“This year’s scenario was fun and challenging because it took place in the context of international ports and shipping. This is a highly relevant but perhaps under-studied context that pushed competitors to draw from their research, studies, and practical experience in challenging and dynamic ways.  For this scenario, it was important to review the legal, political, technical, and managerial frames one would apply to any cyber response scenario, then think creatively about how all of these pieces can and would apply in this context which is likely new to teams. Equally important of course for this, as any scenario, is for the teams to spend time working together on their briefing structure and organization to ensure they are showcasing each team member and working collaboratively, particularly in the Q&A round.”

To learn more about how Sasha’s team fared during the competition, read here!

Question 6: What was the one thing that surprised you the most about the Cyber 9/12 DC Competition?

Anca Agachi, assistant director, Foresight, Strategy, and Risks Initiative, Scowcroft Center for Strategy and Security, Atlantic Council

“There is no right response to a crisis. I think what Cyber 9/12 brought home for me was the idea that as a decision maker, one is always faced with imperfect decisions, picking the best of many bad options. Cyber 9/12 does a great job at simulating that reality and forcing participants to make clear-eyed, and intentional, assessments of risks and benefits.”

Question 7: How did students adjust and fare giving virtual briefs?

Virpratap Vikram Singh, Masters Student, School of International and Public Affairs, Columbia University; Member of Professional Track Champion Team–Couldn’t Hack It 2.0, 2020 Cyber 9/12 DC

“Practicing the delivery of the oral brief is a key part of preparation for the Cyber 9/12. With the competition going virtual, we as a team knew we had to improve not only our delivery but our timing to ensure that small mistakes like a muted microphone did not result in us going over time. There was certainly a learning curve due to the pandemic—our team only met in person once—meaning that we had to learn to work with each other remotely, in different time zones, schedules, and communication styles. We elected to divide the brief so that everyone would speak, and that allowed people to focus on key elements of the brief. In our first round we noticeably hesitated in answering questions, something the judges commented on—despite all our prep work, we’d forgotten to discuss how we’d handle questions. Needless to say, we quickly figured out a solution and were able to implement it in subsequent rounds. Confidence in our team and our analysis made it possible for us to succeed.”

Question 8: You’ve experienced Cyber 9/12 in different roles—first as a competitor in 2017 and now as a judge and mentor in 2020. What about Cyber 9/12’s mission and format keeps you coming back?

Winnona DeSombre, security engineer, Google

“I believe that Cyber 9/12 allows students to grapple with scenarios that require an understanding not just of cyber policy, but also of technical subjects and current geopolitical tensions. Many problems presented in Cyber 9/12 are also relevant, with no current policy answer or precedent: we likely cannot predict how states will react if a truly decentralized non-state actor conducts a destructive attack on major shipping companies, as played out in round one of this year’s scenario. However, seeing how energized the contestants are about finding a solution to the scenario, and the ingenuity behind their ideas, makes me excited about the future of cyber policy. It is this environment—a great mixture of plausible but difficult cyber policy issues, alongside an excited and passionate group of contestants, that keeps me coming back to support Cyber 9/12.”

Question 9: What is your biggest takeaway from this year’s Cyber 9/12 DC Competition?

Dr. Trey Herr, director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council

“There is an intense desire to compete amongst the Cyber 9/12 community. Teams come in fired up, with innovative decision documents, and different approaches to the same complex scenario. This year, at the DC event, competitors worked through Zoom to brief judges and this same zeal showed as teams built custom backgrounds and generated memes that had Atlantic Council staff laughing out loud in the war room. This wasn’t a typical Cyber 9/12 DC, conducted entirely online, but it showed the resilience of this community and the passion competitors bring to the table each year. Mixing the high politics of an international crisis with the technical intricacies of a rapidly spreading cyber-attack is not straightforward. Teams that were successful in doing so impressed us all. I know it is what keeps many of our judges returning year after year to make this event happen and it has been a stark reminder of just how much talent and potential there is in the Challenge Series.”

William Loomis is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. Follow him on Twitter @loomisoncyber.

Further reading: