
Getting a head start
Diane Miller of Northrop Grumman discusses training up tomorrow's industry professionals through youth cyber security competition CyberCenturion


In an effort to tackle the growing threat of cyber terrorism and grow the incredibly small pool of qualified cyber security professionals, the US Air Force Association in 2009 coined the CyberPatriot concept, bringing together youngsters in order to teach them how to take on basic cyber threats and compete against each other in tests at a national level.
The initiative was so successful that organisers launched a UK version, dubbed CyberCenturion. Although still in its infancy, Diane Miller, of main sponsor and aerospace and defense technology company Northrop Grumman, tells EGR Technology that the response has been astounding. The contest taps into the younger generations who are increasingly able to understand complex tech developments.
CyberCenturion serves to leverage youths’ tech interests and abilities for the greater good of further expanding the cyber talent pool.
EGR Technology: What’s the premise behind the CyberCenturion competition?
Diane Miller (DM): Teams can be school students, clubs or youth groups, just as long as there is a formal protection programme. The premise is to say “you are the Information Technology department for this company, your job is to secure the networks and systems that they have while maintaining operational services that employees would need, like internet access and emails”.
Each team gets an identical virtual image of an operating system, and we plant vulnerabilities in that image. They start their competition and have six hours to find all the vulnerabilities. They will be looking at the virtual ports on their virtual machine image to ensure that extra ports aren’t open where vulnerabilities could come in through the internet. It is the basic fundamentals of cyber defence, but these teams are learning how to effectively collaborate. They are also learning effective problem-solving skills, leadership and good communication skills.
EGR Technology: Where did it start?
DM: We started CyberPatriot in 2009. The programme was conceived by the Air Force Association, which is a non-profit organisation. Starting out they had eight teams of students and then the next year they had 70 teams who were participating and it appeared that this was going to really take off and be something big. As they were getting ready to go into their third year they approached Northrop Grumman and asked if we would be willing to be a sponsor and we said “this is exactly what we need globally to help build a talent pipeline with the shortage of cyber professionals”. It was a wonderful mechanism to get youth excited about science, technology, engineering and math (STEM).
EGR Technology: What are the criteria?
DM: Teams can come from any organisation but they do have to have an adult leader, to offer supervision and generally interface with our offices for registration and data collection. Their coach could be a school teacher or scouting leader for example. That person does get vetted. The teams have access to training material to work through with their coach. It doesn’t teach them how to compete or what might be coming up in the competition.
The children compete virtually against the clock. Our scoring engine is working all the time to see what actions they have been taking and to timestamp them. The top ten teams go on to the national final and that’s the first time they compete face to face with their competitors around them. It’s aimed at ages 12–18. It was originally for those in the 15–18 year range, but we discovered that more children are gaming on the internet, some are even doing software development or coding, others are developing crypto games.
EGR Technology: What kind of training process do the teams go through then?
DM: Outside training is allowed. What we have is 10 training modules that cover these basic topics for cyber security. We encourage the use of technical advisors. Hundreds of our employees volunteer to share their technical expertise. It gets them a bit better context. We really encourage them to bring in guest speakers to keep the youth interested.
Here in the States we couldn’t figure out how teams coming from one area were all making it into the national finals, then we realised they were living in an area where major companies like Microsoft and Palo Alto Networks were based. We’ve found that teens who are geographically close together will invite in speakers to address all of them. When they are fortunate enough to qualify for the national finals they are amazed at how much they’ve learned in a relatively short amount of time.
EGR Technology: How long does each competition run for?
DM: We try and keep the competition timeline matched to the academic year, so before the school year really starts it gives the coaches time to talk to the kids. We do have online practice rounds so that the youth can become familiar with what it’s like to work on a virtual machine image and to get more comfortable with how a competition might go. Six hours goes fast, believe it or not. In September we have practice rounds and then in November and December the competition rounds start. Depending on how you score in these rounds, that’s what will place you on a path to qualifying for the nationals. Then the live final is in April.

CyberCenturion 2017 winners – Team B, St. Paul’s School London
EGR Technology: Have you seen any cases whereby former competitors have gone on to take up jobs in the industry?
DM: In the UK we’ve only been running the competition for three years. In the US we frequently will hire the competition participants as paid interns with Northrop Grumman and some of the other sponsors. We hire them while they are in secondary education and once they finish school and go to university they will come back and intern with us again and we now have three employees who started when they were in school. It’s so important for building the talent pipeline.
You simply cannot wait until these children are in university because it’s too late to persuade them to pursue cyber either academically or in their careers. If we increase awareness in those earlier ages we have a better chance at sparking an interest. We’ve also found that with gender or ethnic stereotypes if you wait too late they are less inclined to go in this direction. You really need a diverse team of people looking at cyber problems. They need to come from different academic and social backgrounds.
EGR Technology: What is it exactly that Northrop Grumman does?
DM: We’re a global security corporation. We build defensive systems for the US government and our allies. Cyber is one of the four main pillars of our business. We also have autonomous systems and logistics.
We are very passionate about our STEM outreach programme and our foundation splits between programmes that directly support the youth and the teachers, because in the US we don’t have enough teachers for STEM disciplines. We understood early on how difficult it was to find highly qualified individuals in the workforce, and even more so now as the threat is more complex. We made it our mission to help fill that talent pipeline with good, qualified people.
EGR Technology: Why has the competition gathered so much interest from big tech firms and the UK government?
DM: I think that governments and the business industry have realised that the threat has evolved and we need a lot more cyber defenders. There is so much interest in programmes like this because at a younger age you can enter into learning about cyber and by the time you finish university you have a few years of training. The biggest challenge for us globally is getting enough people interested and excited to qualify to enter the workforce and fill all the jobs. You hear about the one million plus unfilled cyber jobs over the next five years and that just makes your head hurt.
EGR Technology: Can you give me an insight into the tech behind the competition?
DM: The gaming engine itself is written by the CyberPatriot programme office and what they do is really look at the basics, like firewall protection and account management. They also look at the more unusual situations that a cyber defender might run into. They try to have a real spectrum of complexity, from relatively basic rounds to more challenging ones with vulnerabilities that are more difficult to find and involve a little reverse engineering inside your image. By the time the youths make it to the national challenge they said it was really difficult. Hopefully we’re making it difficult enough that it is a reward to make it to the finals.
EGR Technology: What skills do you see in those that excel most?
DM: What we find distinguishes the good from the great is how they work together in a team. Among themselves they agree to divide up the workload between them so they can really dig deeply, carrying out additional research and becoming an in-depth expert in that specific area. They are also very good at problem solving; many create a checklist for each round to get all of the basics out of the way at the beginning. They go through a routine as a team. Most teams practice once a week after school; further down the line they may up that to twice or three times a week.
EGR Technology: How do you market it?
DM: We count on our partner Cyber Security UK to market the programme. We wanted to make sure we were bringing something uniquely British, including a name that resonated. We don’t charge a registration fee in the UK as we do in the US, that’s the norm here. We really did want to ensure this was well received. I have spoken at the Cyber UK conference in Liverpool for the past two years, and that’s been an opportunity to invite youth and promote the programme.
EGR Technology: How do you hope to see the competition evolve?
DM: I’d love to see more activity within schools, looking at the programme as the way they’d like to educate the youth on cyber security. I’d love for it to be viewed as the national programme for educating youth in the UK. I would love to see government and industry make more opportunities available for youths through internships.