A team from Germany has won this years European Cyber Security Challenge (ECSC). It beat teams from 17 other countries across Europe in what, eventually, turned out to be a comfortable win. The teams battled for two days in a competition that tested a wide range of skills.
By the end of day one the UK had a narrow 100 point lead over Germany. It was unable to maintain that. As day two unfolded, Germany and France overtook the UK. Germany finished over 2,000 points clear of France with the UK over 700 points further back.
The winners get tickets to a Black Hat conference anywhere in the world that they choose.
What did they have to do?
There were a number of challenges to overcome, not all of them coding. This is important. Cyber security is not just about coding geeks.
The story line from the organisers was:
“Each team will be taking on the persona of a security consultancy, brought into a company after they’ve noticed a spike in unusual activity and they have to piece together what’s been happening and how to defend the systems. The competition will be played capture-the-flag style, so there will be around 50 challenges that they could attempt, but won’t be able to do all of them and each has different rewards attached to them, so they have to have a strategy of which to do first.
“The mini tasks are based on a range of themes, from forensic analysis, reverse engineering, network analysis, steganography, cryptography and social engineering. There will also be a physical challenge – a reverse ‘escape room’, which is a physical structure they will need to break their way into.”
There is a lot that this doesn’t say. Some of the challenges required unethical approaches. Those teams choosing those were guaranteed to lose points. Early on, one unnamed team was warned for its suggested approach to a problem. It would have caused problems for other teams and was ruled out by the organisers.
Another challenge required them to defuse a bomb. This required opening a padlock which, amusingly, meant everyone focused on picking it rather than looking for the key. The next phase was reminiscent of the old game, Mastermind. To get access to the instructions to defuse the bomb the teams had to get four LEDs to light up. None of the teams I watched recorded what happened and a lot of time was wasted.
Cultural and other differences on show
I visited the competition room several times over the two days. The level of communication within each team varied by country. Some were more vocal and inclined to cluster around one or two screens. Others resorted to using instant messenger or chat services to communicate. At times, some teams even looked a little lost and not sure what to do next.
What was evident was the lack of diversity in the room. This is an issue that has to be addressed and urgently. The challenge has tried to widen this from just being about writing code and to introduce other options. More needs to be done to find wider challenges that reflect the real world.
One way to do this would be to have the names of the competitors on a closed system. This would allow for some social engineering and other pre-game tasks to take place. This could include a controlled degree of phishing or some other common form of attack that would gain points for teams. It would also give them the chance to work on their own defence skills.
What does this mean
The ECSC goes from strength to strength. It is not many years ago that it consisted of just a few teams. Now there are 17 and ENISA, who oversees this competition is having to rethink how it works. We may see changes as soon as next year as pressure rises to increase the number of countries participating. How this will be resolved is not yet certain. One solution could be to look at how sports have dealt with expansion.
For example, imagine a series of cyber tournaments around Europe. Countries are split into pools and the final is contested by the winners of the pools. This would open up the competition to wider group of people and perhaps allow countries to enter more than one team. It would also mean that the competitions could be spread across Europe. With more competitions taking place in different countries there is also more scope for sponsorship and wider awareness.
Anything that can increase the awareness of cyber security is good news. The competition needs to widen participation and not just from a gender perspective. There is a educational and socio-economic divide here when it comes to recruitment. Giving people access to high profile competitions may just increase participation in the field. It could even offer those companies offering cyber security apprenticeships to enter their own teams.
The first prize of tickets to attend a Black Hat Conference might seem small. However, with employers keen to add to their cyber security staff, there are bigger prizes out there for the winners.