Not capture-the-flag, but convince-the-executive
The Atlantic Council and its partners held their Cyber 9/12 competition on Friday and Saturday, March 17th and 18th, 2017, at the American University in Washington, DC. Cyber 9/12 is a contest for student teams that differs from the more familiar capture-the-flag competitions in that its focus is on technically informed policy recommendations.
Each four-person team was assigned the role of junior staffers briefing the US National Security Council with policy recommendations developed in response to an ambiguous (yet clearly serious) crisis in Sino-American relations.
The scenario went roughly as follows: Set in 2018, and notionally occurring between August 29th and September 5th of that year, the fictional situation described rising tensions between the US and China, already somewhat elevated by Chinese fears that US public statements hinted at a retreat from the longstanding "One China" policy. A major Chinese bank has come under successful distributed denial-of-service attack, and there are news reports that the botnets involved exploited deliberately induced bugs in open-source software—and there's speculation US intelligence services caused vendors to leave those vulnerabilities in place.
US investigation suggests the probability that Chinese criminal organizations and (maybe) North Korean Dark Seoul actors were involved in the attack. The attack, however, seems to be spreading to US financial institutions, one of which has informed the Department of Homeland Security of its intent to hack back against the botnets. (The bank will do this under authorities granted private sector actors by "The Cyber Marque and Reprisal Act of 2018.)
Unfortunately the hacking back may have affected devices—including medical devices—that use the BusyBox open-source code, and there are reports that this may have caused at least some medical crises (perhaps a few actual deaths) in China. Such problems are likely to spread. China has communicated its strong outrage both privately and publicly, blaming the US for, in effect, an attempted assassination as part of a larger aggression. And, finally, a US Navy unit, USS Blue Ridge, operating in the Western Pacific, has come under cyberattack, with its C4ISR systems at least temporarily degraded.
Of course, the National Security Council needs to present the President with some options, and doing so was each team's task. They gave a series of ten-minute briefings to panels of judges playing the role of the National Security Council.
Their proposals, developed under realistic conditions of limited time and limited information, were varied and interesting. Those teams that had clear, multidisciplinary capabilities appeared to fare best.
The students represented a variety of backgrounds, disciplines, and levels of experience, with more political science and law students than one usually sees at such events. Forty-five teams came from thirty-three institutions:
Arizona State University
Daniel Morgan Graduate School of National Security
The George Washington University
Indiana University, Maurer School of Law
The Johns Hopkins University
Middlebury Institute of International Studies at Monterey
National Defense University
National University of Intelligence
Texas A&M University
United States Air Force Academy
United States Military Academy
United States Naval Academy
United States Naval War College
University of Maine
University of Maryland
University of South Alabama
University of South Carolina
University of Texas, Austin
University of Texas, El Paso
University of Virginia
The winner at the end of the two-day competition was a team from the US Naval War College. We'll have more on Cyber 9/12 and the events surrounding it over the course of the week.