The Cyber Security Challenge UK recently held its latest face-to-face competition at Roke Manor. Competitors had to defend an Internet of Things (IOT) connected manor house from attackers. There was a lot at stake for the competitors who had to learn how to work in teams with people they had only met the night before.
Over the course of the day assessors monitored all the competitors. This allowed them to identify those who will take part in the end of year Cyber Security Challenge Masterclass. Others will represent the UK in the Europe Cyber Security Challenge. There is also the opportunity to show off skills that have the potential to lead to a job in the cyber security industry.
What did they have to do?
The participants had to defend Roke Manor from a hacker. IOT devices inside the manor had already begun to behave strangely and they had to find out why this was and how it was happening. The number of attacks was also increased and were systematically allowing the attacker to disable security and take control of devices.
The competitors had to quickly get an understanding of the various IOT devices and how they communicated. They then had to use that knowledge to capture information sent to and from the devices. This was important as it would expose attempts by the hacker to connect.
To help the competitors they had an interactive digital board with a plan of the house and its connected systems and devices.
What were competitors not allowed to do?
Break the law! The rules for the competition put some fairly strict controls on how they could investigate the attacks. They were given an NDA that they had to agree to in order to access certain data. This was an interesting step. The ultimate goal here is to get them to think about a commercial scenario. By requiring them to work with an NDA and to stay within the law it limited some of what they could do.
Competitors were banned from downloading tools or utilities from the Internet. There was also a ban on the use of personal devices during the period of the competition. The limited access they had to the outside world also restricted their research for similar attacks on IOT devices.
This required team members to share information with each other. For some teams this worked really well and they were able to identify key items of data quickly. They also put together plans to attack the problem as a whole. Others seemed to struggle not only with the difference in individual skills but also in how to effectively share data. This meant they were slow to get started and to overcome the tasks they were set.
Who are the Cyber Security Challenge UK
The Cyber Security Challenge UK programme is approaching this from a different perspective. A few weeks ago it lost CEO Stephanie Daman to cancer. Daman was very focused on removing barriers to getting people into the industry. Age, religion, gender and even educational qualifications were barriers that Daman believed the organisation could help overcome.
Looking around a room of 40 people aged between 16 and 30 the Cyber Security Challenge UK is getting there. One disappointment was that the competitors are still predominately male but that is changing. The organisation is pushing hard with its CyberCenturion programme. This year it has four tracks dedicated to teams that are all female, all male, mixed and military cadets. They hope that the Girl Guides and Scouts will also join in but that is proving a difficult thing to overcome.
There is also an online competition CyPhinx where anyone can log in and play games to test their cyber skills.
Why does this matter?
The shortage of cyber security skills across organisations is severe. Much of the focus is on fast-tracking people through university and getting them qualified before they enter the workplace. This is having a detrimental impact on solving the wider problem.
Companies need to do more to help increase the number of people involved in the cyber security industry. Some organisations have set up apprenticeship schemes. Others are beginning to sponsor organisations such as the Cyber Security Challenge UK.
The question every CISO, CIO and even CEO should be asking is: “What are we doing to help educate the next generation of cyber security personnel?”