Post-Action Report: the Cyber 9/12 Student Challenge 2016

“Dear Mr President,

We are a team of cyber security professionals from the National Cyber Security Directorate who are asked to brief you on the current unfolding situation of a major cyber-attack on the United States of America. As of this moment, 342 persons in the greater New York Area have been injured by cars that were remotely controlled by a group of advanced hackers. We have strong confidence that this group is tied to the cyber caliphate and is working to effect even more damage on the US and its citizens.

We recommend that you…”

 

This brief, produced by a team of four students at the inaugural Cyber 9/12 Student Challenge in New York, seems to fit more into a dark science-fiction novel than an actual policy challenge for students. This was only the second round of an escalating scenario designed to challenge future policy-makers and engage them in the creation of new solutions for urgent problems.

Cyber security has been in the headlines in recent months. The alleged Russian intrusions into the DNC computer networks to interfere in the US elections is a pertinent example, but in many sectors, the question of how industries and, ultimately, societies address such issues remains a challenge. As more and more services, products and humans move online, the related safety and security issues become increasingly salient. In order to grasp the inter-connectivity of different policy fields and their intrinsic link to emerging technologies, the Atlantic Council, a think tank based in Washington, DC, developed the Cyber 9/12 Student Challenge. This high-level competition is organised in New York and Geneva. It provides students with an opportunity to focus on the real world policy implications of cyber security issues, simulate a major cyber-attack on the United States and learn from numerous experts in the field.

In 2016, two students from the Hertie School of Governance participated in different teams, with one reaching second place in the New York competition. Originally held in Washington DC, the competition was held for the first time at the Columbia University School of International and Public Affairs (SIPA) in November. This year’s competition included a diverse group of teams from a number of different universities and public policy schools, including the United States Military Academy (West Point), Tufts Fletcher School of Law and Diplomacy and the host institution, Columbia University. The competition is based on an escalating scenario, whereby participants respond to a realistic, evolving cyber-attack and analyse the threat it poses to national, international, and private sector interests. The participants were placed under time pressure to come up with a range of policy responses, including giving due consideration to the legal and economic implications of their decisions, as well as military and civilian options.

Developed by a team of computer scientists, this year’s scenario focused on the vulnerability of cars connected to the Internet. In the first round, the US was threatened by the so-called “Cyber Caliphate”, which indicated that a major attack was imminent. At the same time, the FBI found evidence that organised crime syndicates were being recruited by the Cyber Caliphate to develop hacking tools to take over cars and critical infrastructure. In the second round, the scenario included hundreds of accidents and more specifics on how cars had been hacked. Finally, the last round escalated to citizens dying from the accidents caused by these hacks, attaching even greater urgency to identifying a solution.

The scenario demonstrated the vulnerabilities of everyday technologies which enable a group of skilled attackers with sufficient financial resources to attack these systems, as well as the difficulties of developing a proportionate response. Some teams were already considering military options in the first round without even knowing if these were credible threats.

Possible solutions included patching up security holes in affected cars over-the-air. This means that a remote software update could override the hack, shutting down internet exchange points and initiating a counterattack on the attack source. Police would use horses instead of cars as primary transport.

The winning team from West Point chose a balanced approach, involving major car companies, private cyber threat intelligence firms, and government agencies, to resolve these issues. In order to prevent any further impact on financial markets, the team had the New York Stock Exchange cease operations, seconded government and private cyber security teams to assist car manufacturers, and used the NSA to launch a counter-offensive.

Over the course of the two-day competition, it became clear to the participating judges, policy pundits and the competing students that cyber security, beyond a simulated environment, involves the intricate coordination of numerous key stakeholders. It is not simply confined to manoeuvring between new and existing technologies. It requires a concerted effort to bridge the gap that currently exists between security professionals and computer engineers and the public and private sectors. Last, but by no means least, using new technology in ways that enrich, rather than threaten our lives, requires smart governance and more accessible government regulations and services.

Daniel Schnok is a class of 2017 Master of Public Policy student at the Hertie School of Governance and a dual degree candidate at Columbia University’s School of International and Public Affairs (SIPA) in New York.