The Cyber 9/12 Strategy Challenge, hosted by the Atlantic Council’s Cyber Statecraft Initiative, is a global cyber policy and strategy competition where students compete in developing policy recommendations tackling a fictional cyber catastrophe. The competition is divided into three sequential rounds, wherein teams are presented with intelligence reports of escalating severity and complexity and must brief their recommendations to panels of expert judges. The 2019 Cyber 9/12 Strategy Challenge in New York, co-hosted by the Digital and Cyber Group at Columbia University, was won by FSociety, representing Tufts University’s Fletcher School of Law and Diplomacy. FSociety, coached by Dr. Josephine Wolff, was comprised of Ben Ballard, Melanie Barlow, Jackie Faselt, and Andrew Seligson. They shared their competition experience with the Atlantic Council:
Given the rapidly changing threat environment, cybersecurity is both a grand puzzle and a Sisyphean task. This year’s New York Challenge, hosted at Columbia SIPA with a scenario co-developed by the Atlantic Council, SIPA, and New York City Cyber Command, was a fascinating blend of these challenges.
As Cyber 9/12 participants, we are all fascinated by the dynamics of emerging technologies and were excited about the opportunity to hone our crisis management scenario skills. Cybersecurity crisis management intersects with national security and intelligence as well as policy and law; therefore, we can approach and learn from the scenario in a variety of ways. We all received extensive feedback on our performance and policy recommendations and also had great opportunities to engage with high-level professionals and experts in the field.
Cyber 9/12 strives to bridge the gap between the technical, policy, and legal elements of cybersecurity, so we intentionally created a team with experience spanning across each area. We were able to draw upon our different academic specializations at the Fletcher School and highly diversified pre-graduate school career paths to create a well-rounded team. Ben was a Google public policy fellow at the Electronic Frontier Foundation, Jackie worked at the National Defense University and at a tech startup, Melanie was employed at Booz Allen Hamilton and FireEye, and Andrew worked at the United Nations Fifth Committee and Security Council. In approaching each of the intelligence reports, we tried to ensure that everyone’s expertise was reflected in our responses, documents, and oral briefs. Our guiding principle in establishing this balance was based on the real crises we studied at Fletcher.
The scenario we grappled with in New York this year had plenty of twists and turns. The first intelligence report covered three distinct threats: a potential biometric data breach impacting New York City airports, issues with New York City election infrastructure, and an identified vulnerability in the city Wi-Fi kiosk network. Our methodology was to take a cautious approach to our threat assessment. We did not want to connect the incidents or attribute activity to a particular threat actor without some evidentiary support, which we did not observe in the initial scenario. We offered four policy options in our brief to the Mayor’s office which were increasingly escalatory. Given the clear knowledge gaps, we ultimately recommended an approach that included some technical remediations, a public relations component, and a multi-faceted investigation that included a mix of city and federal stakeholders and was coordinated under New York City Cyber Command.
We began round two by talking through some of the feedback we received from the judges in order to incorporate the advice into our next decision document. We were complimented on the format of our first decision document and our presentation of the threat scenario, so we decided to recycle this framework. Additionally, we noted that the judges appreciated our competitor’s approach to public relations strategy and decided to incorporate a more specific public opinion recommendation in our next briefing. After reading through the specifics of the second intelligence report, we noted a focus on additional elements that were not highlighted in the first scenario, such as questions of legality. Although the new factors were only lightly sprinkled into the scenario document, we assessed that this inject was escalating the level of scenario complexity and our policy recommendations needed to reflect that.
Our team came up with eight primary threats for decision makers to consider and grouped them into three digestible categories: threats to individuals, national security, and society (business elements, etc.). Unlike the first inject, we were given far more specific information on how the data captured in the biometrics system breach was being used. Consequently, our policy recommendations included specific law enforcement and technical courses of action to stop further dissemination of the biometrics information. Based on the feedback we received, our ability to synthesize and organize without losing nuance seemed to be a deciding factor in our round two success.
The third installment of the competition’s intelligence briefs included a further escalation of the threat scenario. Public dissatisfaction with the election situation had dramatically increased, information was released that could severely damage international alliances, and the primary perpetrator behind the release of biometrics data was found in Hong Kong and was set to be extracted by Chinese security services in three days. With only fifteen minutes to read the brief and craft a response, our team had to trust each other, think on our feet, and rely heavily on the framework we had used during the previous injects. We assessed that the most difficult decision was figuring out what to do with the US perpetrator of the biometrics data attacks and decided that our primary objective should be to keep this individual from sharing his information with the Chinese government.
Thus, our recommendations were even more escalatory and action-oriented than in the previous inject—we advised covert action to extract the perpetrator before he was taken by the Chinese People’s Liberation Army. The judges focused their questioning and discussion on this element of our decision and we made sure to convey our assessment of the potential repercussions that would arise. We did not sugar coat the likely consequences, but justified our recommendation through considering the possible alternative outcomes of failing to act. The final briefing was intense and made even more challenging by the large crowd looking on as we strove to coherently answer questions from industry professionals whose careers we deeply admire. However, we deferred to each other’s expertise well and felt that our ability to directly and efficiently answer probing questions contributed significantly to our ultimate success.
Even though Cyber 9/12 is a competition, we were impressed by the collaborative, friendly environment established by the organizers. Throughout the weekend, we were able to learn a lot from our fellow teammates as well as the other competitors. Having to think on our feet and produce quality analysis under serious time constraints was a great opportunity to practice staying calm under pressure. Receiving immediate feedback from the judges, who have such an impressive range of professional experiences, was invaluable. As cyber becomes an even more critical element of national security decision-making in high-stakes environments, the experience of Cyber 9/12 will hopefully help us manage crises as future leaders in the field.