Learning on the fly through Cyber 9/12

The Lewis University team at the Cyber 9/12 competition in Austin, Texas on January 17, 2020.

During the 2019-2020 academic year, the Lewis University Cyber Defense Club was granted the opportunity to assemble a team to send to the Atlantic Council’s Cyber 9/12 Strategy Challenge in both Austin, Texas and New York City. For many club members, the prospect of a paper-based cyber policy competition was daunting because of the gap in understanding between the technical and policy sides of cybersecurity. The four of us applied for a spot on the team due to curiosity about the role that policy and strategy take within the field of cybersecurity today.

Looking at the final roster, our team was balanced in favor of the technical side, as opposed to a policy or legal side. Freshman Jocelyn Murray and senior David Mendez are both seeking undergraduate degrees in Computer Science with a concentration in Cyber Security. Our sole graduate student, Puneet Singh, is pursuing an MS in Data Science. Perhaps most unlikely, Andrew Milligan is pursuing an undergraduate degree in Business Administration as a sophomore at Lewis. Our coach, Matt Kwiatkowski, is an adjunct professor at Lewis University and the deputy chief information security officer of Argonne National Laboratory.

For what our team lacked in policy or legal expertise, we counterbalanced with determination, passion, and willingness to take time to delve into a completely new field of study. When there were any unclear issues to us in the scenario briefs, we invested time in researching and asking questions in order to truly understand the impacts and implications at hand. Regarding our lack of policy expertise, we dedicated time to breaking down the scenario with our coach and meeting with members of Lewis University’s Political Science Department—Dr. Laurette Liesen, Dr. Steven Nawara, and Dr. Justin Delacour—to seek advice on topics regarding policy, public response, and international relations relevant to Cyber 9/12 and beyond. Our end goal was to have a deeper understanding of the legal and policy side of cybersecurity.

One of the goals of Cyber 9/12 is to bridge the gap between the legal and technical sides of cybersecurity and having a largely technical team did pose some challenges. We were able to draw from our technical experiences to try and predict escalations in the scenario as well as formulate proper mitigative responses while keeping imminent cyber risks in mind. Mostly, this involved breaking down the technicalities of the attack, and discussing what details tied events together, as well as what future actions an attacker might have taken given the information provided. Recognizing what kinds of actions are possible with a specific vulnerability, as well as first and second order effects, allowed us to prioritize our responses accordingly.

The New York City Cyber 9/12 competition was our first foray into the policy side, which helped us develop our methods in approaching policy option proposals and showed us the value of a multi-faceted response to large-scale cyberattacks. In addition to proposing technical solutions, we put an emphasis on both interagency communication and public relations to rebuild trust. We made it to the semi-finals, but because of a structural change after implementing feedback, we lost nuance within the organization of our brief. Taking the knowledge gained from our experience in New York, we revamped our approach for Austin.

The Austin scenario this year was comprehensive but ambiguous. The first intelligence inject detailed a widespread power outage during crucial voting times on Election Day 2020. Emails and chat logs pointed to a critical vulnerability allowing for remote code execution in a set of industrial programmable logic controllers. On the international side, the inject introduced us to   the ever-growing issue of cyber mercenaries. With the ambiguous nature of the reports, we took a restrained approach and did not want to place attribution too early. Offering four policy options of escalating risk, we suggested taking immediate cross-agency actions to mitigate damage, as well as conduct further information gathering accompanied by public reassurance.

Moving into the second round, there was a definite shift in focus from the national to the international arena, which was a challenge for the team. One of the most interesting topics we explored was the normative challenge of deterrence according to the National Cyber Strategy. As well as the international response, we made sure to also include long term actions that domestic agencies would have to take to improve protection of US critical infrastructure. Implementing the feedback we received from the first round allowed us to improve upon the graphs within our decision document, as well as outline a detailed response plan. During feedback from the second round, it seemed that our approach to the international arena was a strong foundation to work with, especially going into finals.

Combining the fifteen-minute deadline with the nature of a public briefing in front of industry professionals and other teams, the final round was one of the most intense times we shared as a team. In the third round, the scenario had evolved internationally, and it was reported that infrastructure within Venezuela was the source of the attack. Unable to consult any other resources than what we had established in the previous round, our response as a technical-oriented team became much more difficult. Unfortunately, our resulting recommendations were restrained in comparison to options explored in hindsight. The Austin finals taught us a lesson regarding group coordination, as well as the fast-paced decision making that occurs in strategic operations, an element we will further explore and practice within preparation for the Washington, DC Cyber 9/12.

In the rapidly changing climate of cybersecurity today, the field is about far more than technical lessons and education. For our team, Cyber 9/12 opened brand new doors in the cyber policy and strategy space. Team member Mendez has taken a Security Analyst intern position at The Joint Commission. Murray added a minor in public policy, while Milligan added a second major in Information Security Management. Murray and Milligan are both exploring opportunities to conduct either an interdisciplinary study or workshop to continue the delve into cyber policy and strategy formation.

Jocelyn Murray, Andrew Milligan, David Mendez, and Puneet Singh were participants in the Cyberstatecraft Initiative’s Cyber 9/12 Challenge from Lewis University.

Further reading: