By Andreas Haggman
Cyber 9/12 Student Challenge
20-21 April 2017
The Cyber 9/12 Challenge is a scenario-driven policy competition for teams of students, organised by the Atlantic Council and hosted at the Geneva Centre for Security Policy. This year the challenge involved an evolving ransomware event and its critical impact on healthcare systems across several nations (somewhat ironic given the recent WannaCry attack that hit the NHS in the UK). Teams were required to respond to ever-changing situations and offer strategic policy recommendations for government leaders and senior officials.
The Royal Holloway Centre for Doctoral Training was represented by the appropriately-named Team CDT Mavericks, comprising Ela Berners-Lee, Andreas Haggman, Rory Hopcraft and Pip Thornton.
A week before the event we had been issued a briefing pack containing intelligence reports and news stories about an unfolding threat of ransomware against medical devices. We were required to digest this information into a short, written summary and construct a Decision Document containing four proposed policy options to tackle the situation.
On the first day of the competition we were put before a panel of six judges to present our policy alternatives, including our recommended option. The judges were given two minutes to read our Decision Document after which we had ten minutes to give an oral presentation, followed by ten minutes of rigorous questions and answers from the judges.
After presenting in the morning, the team faced a long wait until the evening to find out the results. When the time finally arrived, we were pleasantly surprised to hear that we had won the award for the Most Creative Policy Response. We are still not sure exactly what merited this, but suspect it was either our policy to insert human intelligence agents into the attackers’ organisations, or our advocacy of a Robin Hood model for security updates. The imaginative titling of our options may also have played a role (including ‘Continuation of Policy by Other Means’, ‘Four Legs Good’, and ‘A Disturbance in the Force’).
In addition to the award, we also found out that we had made it through to the semi-final round the next day. This was a mixed blessing, however, as it involved receiving another briefing pack moving the scenario forward, which needed to be analysed overnight. The whole team stayed up until 03:30 working out brand new policy options, which we had to be ready to present by 08:00 the next day.
Although our presentation went well, with the judges particularly praiseworthy of our teamwork – “The best teamwork I have seen in the whole competition”, according to one – we were not one of the four teams to advance to the final. This would have involved just 15 minutes to analyse another briefing pack and come up with policy recommendations to address what became a crisis situation, with mass casualties and terrorist attacks.
Despite not going all the way, we were extremely pleased with our efforts and results. None of us had any experience of such events, but all found it hugely rewarding both in terms of the skills we developed and the exposure it gave us to a high-pressure policymaking environment. As a testament to the CDT-ethos, we felt the breadth of backgrounds and knowledge of our team members served us very well as everyone was able to contribute in a different way.
The event was sponsored by an array of companies and organisations, including Microsoft, MDISS, Gryphon, Claned, the European Cyber Security Organisation, and the European External Action Service. There were ample opportunities to network with representatives from these, as well as other attendees, and we all came away with valuable additions to our business card collections.
We can only wholeheartedly recommend this competition to other students. Although we may have set the bar high with an award-winning Royal Holloway debut, our performance is not unbeatable. Watch out for announcements about a UK-version later this year.
And most importantly, we did better than all three Oxford CDT teams! Beers well-earned.
Andreas, Rory, Pip and Ela are all PhD students in the Centre for Doctoral Training (CDT) in Cyber Security. Andreas, Rory and Pip are all co-supervised in the Geography department.