A challenge for students: How to manage a cyber catastrophe

Teams comprising nearly a hundred students, from twenty-four universities as far afield as Turkey and Estonia, gathered in Washington this month to compete at solving this challenge: Imagine that you are cyber-security specialists summoned to advise the US National Intelligence Council on policies that the American president should adopt in response to a massive cyber catastrophe. Your initial recommendations must fit in five printed pages, and you have 10 minutes to explain them to senior national security officials, and then face 10 minutes of direct questions from experts in the field.

The competition, called the Cyber 9/12 Student Challenge, was designed to bridge a critical problem in governments’ responses to real emergencies – making sure that the makers of cyber policies and the technical specialists who implement them understand each other. In the real world of cyber security, these policy makers and technical operators too often fail to see each other’s halves of the problem they are trying to solve.

“Policy makers often see actions in cyber as mystic and complex, requiring technical expertise to understand,” said Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative, which sponsored the competition. “And technical operators concentrate on tactical concerns, ignoring the broader implications of action or inaction,” he said.

This gap in understanding will become more dangerous whenever the nation faces a catastrophic cyber incident. Closing the gap, and better preparing the responses of decision makers to such a disaster, is an important goal of the Cyber Statecraft Initiative, and it led to the student competition, which was held February 7-8 at American University.

The Cyber 9/12 Student Challenge is not the only competition in which university teams practice solving cyber emergencies. But it is unique in requiring students to stretch beyond technical solutions to grapple with broader questions that arise in actually implementing policy. These include issues of domestic interagency cooperation, interactions of public and private actors, and the need to calibrate responses to the international community.

In the contest, students were forced to make decisions based on incomplete information, as policy makers must do in real life. As teams advanced through the contest’s several rounds, the fictional scenario they faced evolved, requiring them to think creatively and adjust their responses.

Teams in the qualifying round were scored on a five-page policy brief submitted in advance of the competition, plus a ten-minute presentation to judges followed by ten minutes of judges’ questions. The four-judge panels were composed of cybersecurity experts from industry, academic institutions, and government. In the final round, the four top-scoring teams were sequestered and given fifteen minutes each to prepare a response to the last version of the catastrophe scenario.

Taking the stage one at a time, each team faced a final panel of prominent figures in the cyber community:

  • Bobbie Stempfley, the Department of Homeland Security’s acting assistant secretary of the Office of Cybersecurity and Communications;
  • Dmitri Alperovitch, the chief technology officer of CrowdStrike, the security technology company he co-founded after his years uncovering Chinese and other cyber-espionage at McAfee, Inc.;
  • Julie Taylor, senior vice president of cybersecurity solutions at Leidos, the security, health and engineering firm;
  • Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative.

In addition to competing, the students heard a keynote address by Suzanne Spaulding, the Department of Homeland Security’s acting deputy under secretary for the National Protection and Programs Directorate. Spaulding explained the work of her department and the importance of working in conjunction with the private sector. She highlighted the significance of having young people interested in the field.

Students also heard from a panel of young professionals working on cyber policy, who underscored the importance for policy specialists of learning foreign languages and computer programming, and discussed how to get security clearances.

At the competition’s end, four teams shared more than $4,000 in cash prizes:

First Place – Team Phoenix (Georgetown University, National Intelligence University, Eastern Michigan University)
Second Place – ECIR (Explorations in Cyber International Relations, a collaborative program of Harvard University and the Massachusetts Institute of Technology)
Third Place – Tartans (Carnegie Mellon University)
Fourth Place – Cyber Strategists (Johns Hopkins University)

Top-performing teams also received individual awards for advanced achievement in the following categories:

Best Oral Presentation – Team Phoenix (Georgetown University, National Intelligence University, Eastern Michigan University)
Best Written Presentation – ECIR (Harvard University, Massachusetts Institute of Technology)
Best Teamwork – Brown Secure (Brown University)
Best Decision Document – NetYet (Galatasaray / USAK, Tallinn Technical University, Bogazici University, Tubitak)
Most Creative Policy Response Alternative – Cyber Saints (Marymount University)

The Cyber Statecraft Initiative team would like to thank all of our judges, volunteers, and participants for making this event a great success. We hope to see you all next year!

Image: The First Place team – Team Phoenix (Georgetown University, National Intelligence University, Eastern Michigan University) pose with the final session judges