Not capture-the-flag, but convince-the-executive.
The Atlantic Council and its partners held their Cyber 9/12 competition on Friday and Saturday, March 17th and 18th, 2017, at the American University in Washington, DC. Cyber 9/12 is a contest for student teams that differs from the more familiar capture-the-flag competitions in that its focus is on technically informed policy recommendations.
Each four-person team was assigned the role of junior staffers briefing the US National Security Council with policy recommendations developed in response to an ambiguous (yet clearly serious) crisis in Sino-American relations.
The scenario went roughly as follows: Set in 2018, and notionally occurring between August 29th and September 5th of that year, the fictional situation described rising tensions between the US and China, already somewhat elevated by Chinese fears that US public statements hinted at a retreat from the longstanding "One China" policy. A major Chinese bank has come under successful distributed denial-of-service attack, and there are news reports that the botnets involved exploited deliberately induced bugs in open-source software—and there's speculation US intelligence services caused vendors to leave those vulnerabilities in place.
US investigation suggests the probability that Chinese criminal organizations and (maybe) North Korean Dark Seoul actors were involved in the attack. The attack, however, seems to be spreading to US financial institutions, one of which has informed the Department of Homeland Security of its intent to hack back against the botnets. (The bank will do this under authorities granted private sector actors by "The Cyber Marque and Reprisal Act of 2018.)
Unfortunately the hacking back may have affected devices—including medical devices—that use the BusyBox open-source code, and there are reports that this may have caused at least some medical crises (perhaps a few actual deaths) in China. Such problems are likely to spread. China has communicated its strong outrage both privately and publicly, blaming the US for, in effect, an attempted assassination as part of a larger aggression. And, finally, a US Navy unit, USS Blue Ridge, operating in the Western Pacific, has come under cyberattack, with its C4ISR systems at least temporarily degraded.
Of course, the National Security Council needs to present the President with some options, and doing so was each team's task. They gave a series of ten-minute briefings to panels of judges playing the role of the National Security Council.
Their proposals, developed under realistic conditions of limited time and limited information, were varied and interesting. Those teams that had clear, multidisciplinary capabilities appeared to fare best.
The students represented a variety of backgrounds, disciplines, and levels of experience, with more political science and law students than one usually sees at such events. Forty-five teams came from thirty-three institutions:
- Air University
- American University
- Arizona State University
- Brown University
- Carnegie-Mellon University
- Columbia University
- Daniel Morgan Graduate School of National Security
- Duke University
- The George Washington University
- Georgetown University
- Indiana University
- Indiana University, Maurer School of Law
- The Johns Hopkins University
- Lewis University
- Marymount University
- Middlebury Institute of International Studies at Monterey
- National Defense University
- National University of Intelligence
- Stanford University
- Texas A&M University
- Tufts University
- United States Air Force Academy
- United States Military Academy
- United States Naval Academy
- United States Naval War College
- University of Maine
- University of Maryland
- University of South Alabama
- University of South Carolina
- University of Texas, Austin
- University of Texas, El Paso
- University of Virginia
- Yale University
The winner at the end of the two-day competition was a team from the US Naval War College. We'll have more on Cyber 9/12 and the events surrounding it over the course of the week.