How do you make cybersecurity a competitive sport?
by Alan Martin
CyberPatriot has become a huge deal in the United States. Can the UK version follow suit?
Always Food Available is in trouble. The drone food delivery startup has become a huge target for hackers over the past 12 months, and worse, the whole network is full of entry points for hackers to infiltrate and literally steal the shareholders’ lunch.
The chances are you haven’t heard of Always Food Available, and with good reason: it doesn’t exist. It’s a dummy corporation, but rather than being created wholly for ethically dubious reasons, Always Food Available has an entirely virtuous USP: it’s the perfect environment for the cybersecurity experts of tomorrow to hone their skills.
This is the third annual CyberCenturion competition. Over a period of four hours, ten teams of four children aged 12 to 18 have to plug as many of the security gaps as possible. If they’re in the top three, they’ll win glory for their school, a handsome trophy and a very handy opening on their university covering letters.
“It would be very, very surprising if people managed to get 100%,” Nigel Harrison, chief operating officer of Cyber Security Challenge UK, tells me as we step outside the hall where the challengers are diligently closing exploit after exploit. “Achieving 80% is probably a good thing – there’s a lot of time pressure on them to achieve everything.”
In other words, while it’s theoretically possible to track down every exploit coded into the dummy databases and servers, they’d likely need more than the four hours allocated to close them all – even with teams as strong as these. The ten in the room today have been whittled down from an initial pool of 83, with three sets of heats gradually ramping up the challenges for the fake company, charting its beginnings as a fake startup to the full gestation as a fake delivery behemoth. The challenges have been varied (the company has switched between Windows and Linux), but the skills they learned along the way are all being thoroughly tested.
Or are they? Surely in a competition that is based around exploits hackers routinely use, cheating would be something to look out for – especially in the heats, which are done privately in the school grounds. Apparently not. “There’s a sort of self-policing here,” explains Doctor Andrew Tyler, chief executive of CyberCenturion’s sponsors, Northrop Grumman. “The nature of the competition makes it something that’s very difficult to cheat at. The scenario is original each time, and they have to work together. You can’t have a situation where there’s one superstar carrying the others,” he explains.
That teamwork, he continues, is really important – in fact, the whole competition structure is designed to focus on skills that wouldn’t stereotypically be associated with cybersecurity. “We are looking at soft skills, and they’re being tested. Those that can plan, collaborate, cooperate, prioritise – those skills are needed in the workplace,” explains Harrison. “There’s a perception in the mind about hackers, you know: hoodie, 3am in a darkened bedroom on their own, but that’s not going to get you a job in the industry. We’re looking for those that have life skills, not just the technical skills, and this is the kind of game that will test that.”
Playing the long game
As the competition is only three years old, it’s perhaps a little early to tell how effective it will be in tackling the UK’s cyber skills shortage, but there are promising signs from across the pond, where the format originated. CyberPatriot has been running for seven years, and in that time the number of participating teams has risen from 200 in 2009 to 4,404 in 2017. As well as a phenomenal growth model to emulate, there are real examples of how this is making a big difference to enthusiasm for STEM subjects.
“We have come to realise that our goal here isn’t necessarily just to grow the cybersecurity workforce, but to attract young men and women to science, technology, engineering of any sort,” explains Bernie Skoch, national commissioner of CyberPatriot in the US. “If they end up being an aerospace engineer, we regard that as a success.” Skoch has been part of CyberPatriot since 2010 after an unsuccessful run for the House of Representatives in Arkansas. “On the day I lost, I was invited to this,” Skoch reminisces. “I met the incumbent in an airport the other day, and he told me he wakes up every day saying ‘you won and I lost!’,” he laughs.
It’s not hard to see why. He takes great pride in telling me one story that highlights how effective the program is: “One of our competitors, who was in a junior year [and] 17 years old. She’s sitting in her English class and her phone starts blowing up and it’s her part-time employer – ‘we need you here right away, we’ve got a security issue’.” But it’s more than just anecdotes about young people showing up the grownups: the data shows they’re on the right track as well.
“Now we have tracked those participants and in a pretty comprehensive survey, 92% of them are involved in some STEM program, so we think we’ve been very successful in achieving what we set out to do,” he explains. “Equally importantly, though, because correlation is not the same as causation, we measure how much their experience of CyberPatriot shaped their education and career choices. 50% say it somewhat affected their choices, and an additional 47% said it profoundly affected their choices.”
And that’s paying dividends for everyone. Dianne Miller, director of the operations cybersecurity group at Northrop Grumman in the US, tells me that the company has hired “hundreds of children for paid internships, working side-by-side with cyber professionals”.
“The children are learning a lot about hardware defence, but the other things they’re learning: the collaboration, the teamwork, the communication, the leadership. Every employer wants that in their future employees,” she explains. “CyberPatriots present themselves very well, they’re disciplined and they’re ready to go.”
They certainly are disciplined. As I watch the countdown timer go from ten to one to trigger the start of the competition, I’m expecting a mad rush of energy as each team rushes to outpace their opponents, but it’s slow, methodical and collaborative. “They know that method and being deliberate is far more important in the end than being fast,” Skoch observes.
“Every team will approach it differently,” Miller tells me. “They might be looking at open ports, they might be looking at administrator accounts with too many privileges, they might be looking at password policy protection. They all have a different way of approaching the competition.”
Stopping the white hat turning black
Talk of open ports and password policy might be enough to trigger alarm bells for a couple of reasons. The first is hacking. Aren’t CyberPatriot and CyberCenturion teaching children the skills they need to become black-hat cybercriminals? “It’s a comment we often hear,” concedes Skoch. “We do several things to mitigate that. Firstly, we only teach defensive skills, though we’re smart enough to know that if someone becomes a good defender, they may inferentially learn how to penetrate.
“But the other thing is that with every programme we do, the first module of instruction is always cyberethics. They don’t get past day one without passing it. We don’t want them to do something foolish when they’re 15 years old that may affect them the rest of their life.”
Harrison agrees. “There is a generation of young people who are developing those sort of skills anyway, and if you don’t give them a good outlet on the right side of the law, then there’s a risk they’ll be influenced by cybercriminals on the wrong side of the law.” In some ways, this feels a bit like the argument about removing sex education in schools, as if not talking about hacking would prevent children becoming hackers. When I think of it in those terms, it does seem a tad fatuous. Not only that, but there’s a feeling that the children are more attached to the internet than past generations – this is their world, and they want to protect it, rather than see it vandalised.
The second reason adults may be uncomfortable with children discussing vulnerabilities and open ports is a practical one: somebody has to teach them, and it’s an exploratory field where, in most cases, the students will quickly know more than their supervisors. “Some of that causes anxiety, because this isn’t a traditional school course,” agrees Skoch. This leads to some unorthodox competition entrants: “We’ve had cadet teams competing, and we had one team last year made up of kids who gamed together online,” Tyler recounts. “One of their mums was their sponsor, and I thought that was fantastic.”
The diversity dilemma
Unfortunately, that’s one of only a handful of females I hear namechecked that day. The playing field is overwhelmingly male, and I only spot one female team member in the competition – though, in their defence, I have apparently caught it in a bad year. “Oh god, it’s dreadful,” Tyler says when I mention this. “Next year we’re having a massive offensive. We’ve tried hard, but clearly not hard enough – it’s gone backwards from last year.
“I feel that cyber, perhaps more so than some of the more hard engineering parts of the business, ought to have more of a balance,” he continues. “The girls are fantastic at it – they’ve got exactly the right brains for it. This is what’s so incredibly frustrating – you see when we have girls here, you just have to watch the dynamics of the team, to see how their leadership and the way they contribute… you can see they’re the best of the breed, and it’s frustrating that we can’t attract them.”
Last year, the competition field was around 10% female: “Still pitiful, but some representation,” Tyler comments. “To be missing out on half the potential workforce is so dumb.”
I imagine they’ll be looking back to the original CyberPatriot competition for inspiration of how to correct this. Miller tells me that in the US, participation is up to 23% female – an improvement on the gender averages for STEM in the nation. “We’ve made a real focus in the US in increasing the female participation in CyberPatriot. We actively seek professional organisations that can help promote the programme.” The Society of Women Engineers, the National Association of Women in Technology, Women in Computing and Women in Cybersecurity all get duly namechecked.
“So working within their organisations we can increase the awareness for girls, and influence female practitioners to pass on their passion for the piece to other girls. It’s now about 23% female participation, so we’re comfortable that we’ve solidly reached across, but we’re always looking to increase,” she adds.
And this definitely matters. “The UK businesses and government, they’re going to want the best and brightest talent to fix their cyber problems and build up better defences,” Miller continues. “You can’t leave out any part of the population, you really need to reach out to everyone.”
Competition certainly is fierce now. With 4,404 teams taking part in CyberPatriot this year, Skoch points out that any team has just a 0.6% chance of making the finals: if you make it that far, your CV or resume will never look healthier. “The competition has stayed the same level of challenge and deviousness as in previous years, but the ability of the young people to do the competition has got better,” Harrison concludes.
Ultimately, the big honours went to St Paul’s School in Barnes, London. The school had two teams in the final, and both nabbed first and second place on Tuesday. If you think you know a team that could challenge their dominance, they can enter the 2017/2018 competition here. If they’re up to the fight, a promising career awaits.