Not capture-the-flag, but convince-the-executive
Judges weigh the options a team is presenting. Nuri Jeon for the Atlantic Council
By The CyberWire Staff
Apr 2, 2017

Not capture-the-flag, but convince-the-executive

The Atlantic Council and its partners held their Cyber 9/12 competition on Friday and Saturday, March 17th and 18th, 2017, at the American University in Washington, DC. Cyber 9/12 is a contest for student teams that differs from the more familiar capture-the-flag competitions in that its focus is on technically informed policy recommendations. 

Each four-person team was assigned the role of junior staffers briefing the US National Security Council with policy recommendations developed in response to an ambiguous (yet clearly serious) crisis in Sino-American relations. 

The scenario went roughly as follows: Set in 2018, and notionally occurring between August 29th and September 5th of that year, the fictional situation described rising tensions between the US and China, already somewhat elevated by Chinese fears that US public statements hinted at a retreat from the longstanding "One China" policy. A major Chinese bank has come under successful distributed denial-of-service attack, and there are news reports that the botnets involved exploited deliberately induced bugs in open-source software—and there's speculation US intelligence services caused vendors to leave those vulnerabilities in place.

US investigation suggests the probability that Chinese criminal organizations and (maybe) North Korean Dark Seoul actors were involved in the attack. The attack, however, seems to be spreading to US financial institutions, one of which has informed the Department of Homeland Security of its intent to hack back against the botnets. (The bank will do this under authorities granted private sector actors by "The Cyber Marque and Reprisal Act of 2018.)

Unfortunately the hacking back may have affected devices—including medical devices—that use the BusyBox open-source code, and there are reports that this may have caused at least some medical crises (perhaps a few actual deaths) in China. Such problems are likely to spread. China has communicated its strong outrage both privately and publicly, blaming the US for, in effect, an attempted assassination as part of a larger aggression. And, finally, a US Navy unit, USS Blue Ridge, operating in the Western Pacific, has come under cyberattack, with its C4ISR systems at least temporarily degraded. 

Of course, the National Security Council needs to present the President with some options, and doing so was each team's task. They gave a series of ten-minute briefings to panels of judges playing the role of the National Security Council.

Their proposals, developed under realistic conditions of limited time and limited information, were varied and interesting. Those teams that had clear, multidisciplinary capabilities appeared to fare best.

The students represented a variety of backgrounds, disciplines, and levels of experience, with more political science and law students than one usually sees at such events. Forty-five teams came from thirty-three institutions:

Air University

American University

Arizona State University

Brown University

Carnegie-Mellon University

Columbia University

Daniel Morgan Graduate School of National Security

Duke University

The George Washington University

Georgetown University

Indiana University

Indiana University, Maurer School of Law

The Johns Hopkins University

Lewis University

Marymount University

Middlebury Institute of International Studies at Monterey

National Defense University

National University of Intelligence

Stanford University

Texas A&M University

Tufts University

United States Air Force Academy

United States Military Academy

United States Naval Academy

United States Naval War College

University of Maine

University of Maryland

University of South Alabama

University of South Carolina

University of Texas, Austin

University of Texas, El Paso

University of Virginia

Yale University

The winner at the end of the two-day competition was a team from the US Naval War College. We'll have more on Cyber 9/12 and the events surrounding it over the course of the week.