One of the most important barriers to robust global cybersecurity is the shortage of capable individuals in the workforce pipeline. By 2021, predictions suggest that the world will have more than 3.5 million unfilled cybersecurity jobs, with both the private and public sectors facing hiring shortages. While the United States has budding international relations, cybersecurity, and IT-focused academic programs, very little has been done to address the interaction between them, which will be crucial for the success of future cybersecurity professionals.
Workforce training and development is an issue that the Atlantic Council’s Cyber Statecraft Initiative has prioritized in our “Communities in Cyberspace” programming, and in the Cyber 9/12 Strategy Challenge, the world’s only cyber policy and strategy competition. Stretching across three continents and seven competitions, students from around the globe compete to respond to a simulated cyber catastrophe by developing policy recommendations for practitioners.
Each Cyber 9/12 Strategy Challenge is broken down into three unique information intelligence reports, or moves. Each intelligence report provides the students with new information that challenges their previous assertions and moves the threat towards its climactic conclusion. Move One is sent to competitors three-four weeks before the competition and presents the scenario’s background and initial developments. Move Two is disseminated at the end of the qualifying rounds on Day One and focuses on using external factors to further the effects of the cyber activity in Move One. Move Three, which is given to students right before the final round, escalates the scenario and often provoking larger geopolitical dilemmas. This post looks at three scenarios the Cyber Statecraft Initiative has built over the course of the last year, for Strategy Challenges in Lille, France; Washington, DC; and Canberra, Australia.
For the inaugural French challenge in January 2019, in partnership with the International Cybersecurity Forum, the Cyber Statecraft Initiative designed a scenario built around vulnerabilities in the energy sector, describing a hypothetical attack on the power grid aimed to cause large-scale blackouts. These blackouts exacerbated existing social tensions driven by political discontent and record heat waves to precipitate a national emergency. The initial wave of disruptions impacted the 2020 Olympics and its IoT smart village—implicating dozens of countries and their athletes in a complex incident response across borders. As the situation worsened and the effects spread to Paris, athletic competitions and national systems were increasingly disrupted, escalating the scenario to an international crisis.
Hezbollah, the adversary in the scenario, gained access to state cyber capabilities in the form of a complex IoT botnet more advanced than those typically employed by non-state actors. Students were encouraged to devise creative responses to both Hezbollah’s actions and the resulting consequences, working to mitigate the threat without inflaming diplomatic tensions. The winning team, Les Chevalier Noir of West Point, recommended a balanced approach focused on engaging allies to try and mitigate loss of life, addressing the root issues of the critical infrastructure attack, and leveraging diplomatic options to quell domestic unrest. This multifaceted approach helped address the scenario’s technical, political, and social dimensions
For the most recent Australian challenge, which took place in September 2019 in partnership with the Institute for Regional Security, the Cyber Statecraft Initiative built a scenario predicated on the country’s dependence on foreign oil and refining capacity. The issue is a major strategic challenge that prominent individuals in the Australian government have spoken out on the issue; retired Air Vice Marshal John Blackburn, a respected voice in the Australian strategic community, claimed that “Australia could be brought to its knees in a week if there is a major interruption to fuel supplies.”
The Canberra scenario involved a state-sponsored cyberattack on industrial control systems in Australian oil refining infrastructure and Australian naval deployments to the Strait of Hormuz. Given Australia’s vast territory and its reliance on fuel to transport essential goods, the scenario created a fuel shortage with significant and wide-reaching effects. By tying the shortage to the Strait of Hormuz and Australia-Iran relations, the scenario challenged competitors to consider potential “less than war” policy responses and longer-term responses to the crisis.
Several teams overreacted to the climactic ICS attack, recommending aggressive action that would only exacerbate tensions. The winning team, the Black Knights of West Point, approached the situation differently. The team recommended full deployment of Australian federal assets to address the on-going cyberattacks on critical infrastructure and presented several strong options to help de-escalate tensions with Iran, such as scaling back Australian maritime operations in the Strait, leveraging economic incentives, and engaging allies to present a unified diplomatic front.
The seventh annual DC competition, hosted at Lockheed Martin’s Global Vision Center, was held in March 2019. While the Lille and Canberra scenarios focused on attacks on critical infrastructure, DC explored the possible effects and implications of an attack on the US 2020 Census systems and the effect of such a compromise on national confidence in US democratic institutions. A profit-driven phishing scam combined with an unconnected but seemingly census-related leak of personally identifiable information (PII) data on the dark web to compromise the son of a foreign diplomat, escalating the scenario to international significance.
Students had to critically analyze the quality of the information they were presented with including how those sources interacted. Several teams jumped to the conclusion that the data dump was the result of a data breach at the Census. Others addressed the Census security issue directly, but their recommendations lacked comprehensive solutions to the public domestic and international political pressure points.
The DC competition was also the first Strategy Challenge to implement the two-track structure: a student track and a professional track for competitors, depending on their level of professional experience. The two winners, Delogrand from the United States Air Force Academy, and NDU Team 3 from the National Defense University, thought critically about the different threat vectors. Both winning teams addressed the wide-spread degradation of public trust by dispelling the assertion that the Census was connected to the phishing scam and the PII release and provided clear and straightforward public explanations of how the information ended up on the dark web.
Impact and implications
Developing a Cyber 9/12 scenario is difficult but rewarding and provides a window into the Challenge process. Students should be presented with a policy crisis that is topical and engages cyber threats unique to the event’s locale, while still remaining realistic. Each scenario must also escalate to the point of having international political implications, pushing students to utilize both domestic and international policy tools in their response. Building the narratives for these scenarios illustrates how the Cyber Statecraft Initiative provides competitors with the chance to examine pertinent geopolitical issues and demonstrates how threats can transcend both national boundaries and the cyber domain.
The demand for individuals who can speak both tech and policy is higher than ever, and Cyber 9/12 addresses this need by giving students experience in translating between the two in a challenging environment. Providing expert feedback to students and connecting job-seekers with cyber policy teams in the public and private sector, the Cyber 9/12 Strategy Challenge is working to address this skills shortage and help students build multidisciplinary careers in cyber policy.
William Loomis is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. Follow him on Twitter @loomisoncyber.
New Atlanticist Jan 7, 2020
US-Iran in crisis: Strategic ambiguity and loud weapons in cyberspace
By Simon Handler, Katherine Wolff, Will Loomis
Iran’s government will feel the need to retaliate against the United States, but it does not wish to ignite a prolonged war with the United States. The regime’s near-term aim is to demonstrate to its domestic and regional constituencies that it has the capability and the resolve to avenge Soleimani’s killing and, more strategically, to drum up support for hardliners ahead of legislative elections next month. While Iran has a number of options available, its cyber toolkit not one to be overlooked.
Blog Post Dec 16, 2019
Cyber 9-12: A training ground for future leaders
By Ben Ballard, Melanie Barlow, Jackie Faselt, and Andrew Seligson
Given the rapidly changing threat environment, cybersecurity is both a grand puzzle and a Sisyphean task. This year’s New York Challenge, hosted at Columbia SIPA with a scenario co-developed by the Atlantic Council, SIPA, and New York City Cyber Command, was a fascinating blend of these challenges.
Issue Brief Nov 22, 2019
What do we know about cyber escalation? Observations from simulations and surveys
By Benjamin Jensen and Brandon Valeriano
Do cyber operations alter how states respond to international crises in a way that creates incentives for decision makers to cross the Rubicon and use military force to settle disputes? This question is central to current cyber strategy debates and the idea of persistent engagement and defending forward in cyberspace. The answer is surprising: no. Based on the evidence, cyber operations offer a valuable escalatory offramp.