The 5×5—Alumni perspectives on Cyber 9/12 Strategy Challenge
Alumni of Cyber 9/12 Strategy Challenge share their experiences, and discuss the impact of such simulated exercises to prepare for real life cyber attacks.
The 5×5—Alumni perspectives on Cyber 9/12 Strategy Challenge
BANNER: Cyber 9/12 Strategy Challenge Washington, DC 2023
Cyber 9/12 Strategy Challenge is a global cybersecurity skills and policy crisis simulation from the Atlantic Council’s Cyber Statecraft Initiative. It is designed to challenge students to respond to a realistic simulation of international cyber crisis, analyze the threat it poses to national, international, and private-sector interests, and provide recommendations on the best course of action to mitigate the crisis. It was launched in Washington, DC in 2012, and has since expanded its reach nationally and globally, with competitions across the United States, as well as in London, Dundee, Geneva, Paris, Santo Domingo, Tashkent, and Cape Town.
Entering its twelfth year, the Challenge provides mentorship, recruiting, and networking opportunities for thousands of students a year. For this month’s 5×5 edition, we invited five Cyber 9/12 alumni to share their experiences, and discuss the impact of such simulated exercises to prepare for real life incident response in case of cyber attacks and the necessity to strike the right balance between government and private sector actions to tackle cyber crisis. Our alumni have also shared advice for prospective competitors, and their insight into different aspects of the competition.
Find out more about the Cyber 9/12 Strategy Challenge at our website here.
1. Why did you choose to participate in Atlantic Council’s Cyber 9/12 Strategy Challenge, and if you could do it again, given your current work or research experience, would you and why?
Tionge Mughogho (she/her/hers), Cyber Security Specialist, National Computer Emergency Response Team, Malawi Communications Regulatory Authority; Winner, 2021 and 2022 Cape Town Cyber 9/12 Strategy Challenge
“The Cyber 9/12 strategy challenge was my first experience with cybersecurity competitions, and I decided to participate because I saw great potential for my professional growth through enhanced critical thinking, creativity as well as networking opportunities. If I could, I would participate in the competition again as given my current position working with the National CERT, I have more experience and knowledge on how the simulations in the competition are handled in real life.”
Grant Versfeld (he/him/his), Security Engineer, Cloud Threat Intelligence, Google; Winner, 2021 ATX Cyber 9/12 Strategy Challenge
“I participated because I wanted to develop my policy knowledge and strengthen my ability to communicate technical topics to all audiences. As someone who now does research in the cybersecurity industry, I would definitely compete again because the Cyber 9/12 challenge offers participants a unique opportunity to learn from leaders across the policy and security industries. Whether it’s someone’s first time joining, or they are a frequent competitor, I think everyone can benefit from briefing a panel of experts and then receiving feedback in such a supportive setting.
Frances Schroeder (she/her/hers), Congressional Innovation Fellow, TechCongress; Winner, 2023 DC Cyber 9/12 Strategy Challenge
“I initially participated in Cyber 9/12 because the format of the simulated national security crisis was incredibly intriguing to me. In my final year at Stanford, I was deep into the post-grad job application mindset, so I viewed the competition as a valuable opportunity to stress test whether I wanted to pursue national security and tech policy. I similarly viewed it as a chance to meet experts in the cyber and national security world to form valuable mentor relationships. If I were still in school, I would definitely participate in Cyber 9/12 again. I’d especially love to be able to participate in new versions of the competition around the world, including the new Trust and Safety-focused competition.”
Gabriel Cajiga (he/him/his), Associate Attorney, Cajigas & Co.; Vice President, Panamerican Institute of Law and Technology (IPANDETEC); Semi-finalist, 2021 ATX and 2021 Geneva Cyber 9/12 Strategy Challenge
“I would definitely do it again! I chose to participate because I wanted to put into motion what I was learning in cybersecurity law with Prof. Chesney at Texas Law School. I ended up in an incredible multidisciplinary team and I ended up even learning about the military, public policy, public relations, and tech aspects during a cyber crisis. Shout out to the DSM-5 team!”
Nitansha Bansal (she/her/hers), Assistant Director, Cyber Statecraft Initiative, Atlantic Council; Semi-finalist, 2021 NYC and 2022 DC Cyber 9/12 Strategy Challenge
“There were multiple factors which led to my decision to participate in my first Cyber 9/12- the 2021 NYC Cyber 9/12 Strategy Challenge. As a first-year policy student at Columbia University, I was eager to learn about cybersecurity and tech policy but had little to no idea of the subjects. The Digital and Cyber Group at Columbia SIPA was a well-known student group on campus, and helped to organize the NYC Cyber 9/12. This is how I had my rendezvous with the competition, and decided to participate as a litmus test of a career in the field. It was a way for me to understand what a cybersecurity expert does, who the stakeholders in case of a crisis are, what role an individual with a background in policy can play, and what is the skillset I must strive to build for this career. Even after three years since my first Cyber 9/12 and as a working professional, I would like to participate in the competition to challenge my understanding of different topics related to cybersecurity, and test my briefing, research, and writing skills.”
2. How did your team balance the role of government intervention and private sector action in your policy recommendations? Would you strike the same balance knowing what you do today?
Tionge Mughogho
“In my team’s recommendations, we balanced the role of government intervention and private sector action by keeping collaboration, coordination and communication lines open between the two sectors. Of course, the extent of the intervention and action from the government and private sector respectively was dependent on the severity and evidenced impact of the cyber attack at hand on both sectors. Yes, with the knowledge I have today I would suggest the same method with a greater emphasis on collaborations and coordination even before a cyberattack (prevention) rather than only when a cyberattack has occurred.”
Grant Versfeld
“Our recommendations called for government agencies to lead response actions while working alongside industry partners to implement those plans. Having seen first-hand how government and organizations can work together to mitigate vulnerabilities, I would strike a similar balance because it’s important for stakeholders on both sides to work together to take advantage of each other’s expertise.”
Frances Schroeder
“In our preparation for each competition, we mapped out the actors involved in the crisis and the entities available and well-suited to respond. This included exploring the ways in which we could leverage both public and private sector action to respond to the crisis. Based in Silicon Valley, my team was especially interested in these public-private partnerships. Throughout each competition, as the crisis escalated and more immediate actions were necessary, we focused more on government intervention. In briefing the ‘National Security Council,’ we viewed government action as the most immediate lever of action available to our principals to respond to the crisis. I would not necessarily change this approach, but I think the importance of public-private partnerships in this space cannot be overstated.”
Gabriel Cajiga
“This is still a challenge that is highlighted more when you realize there are clear differences in how the US, the EU, and Latin America approach a crisis– the regions where I competed. At the time, we tried to balance the role of government and private sector by always promoting collaborative policies among those two, and on the international stage.”
Nitansha Bansal
“As a policy student, I was taught the importance of governments while as an economist, the first thing I learnt was the self-correcting mechanism of markets. For Cyber 9/12, I had to bring both aspects of my being together, and understand the significance of public-private partnerships and collaboration. It was not easy to navigate what channels of communication exist between the government and the private entities involved so we sometimes suggested the establishment of new channels, and at other times, recommended the re-activation of the existing ones. After working in the industry for some time, I think I would now assign a larger role to the private sector including more responsibilities and accountability. I say this mostly because I understand the ownership of infrastructure better. However, my response could vary based on the region/nation.”
3. Some critics argue that simulations and/or tabletop exercises don’t accurately replicate real time urgency. What do you think, and how did your team perform well under pressure?
Tionge Mughogho
“I believe simulations and tabletop exercises offer valuable preparedness and skill development opportunities, and to address the real-world urgency factor the Cyber 9/12 challenge uniquely incorporates escalation with a limited time of response in its second part of the challenge, simulating real-life pressure and urgency. My team and I, participating three times, dedicated sleepless nights to addressing the escalated scenario, relying on quick decision-making, collective expertise, and adaptive strategies to navigate the challenge and achieve our objectives effectively. With this, our team performed well under the pressure of the escalated scenario in the second day of the competition.”
Grant Versfeld
“While it is difficult to fully capture the stakes that might be at play in real life, I think the increasingly short timeframes that teams are given simulate some of the urgency of a real-life incident. My team performed well even as the pressure mounted by staying calm and focusing on the task at hand – this was crucial for the finals when we had only 15 minutes to prepare our briefing. We attributed this strategy’s success to our preparation, helpful mentors, and trust in one another that each person would execute on their focus area in the final briefing.”
Frances Schroeder
“Throughout my experience competing in Cyber 9/12, the simulated national security crises felt incredibly urgent and high pressure. With a massive amount of intelligence injected throughout the weekend with short turnaround periods, the stakes felt high. By participating in the competitions, I honed valuable skills — briefing principals, outlining courses of action, and making specific recommendations based on your expertise — that I exercise daily in my career now. These are tangible skills that few academic experiences prepare students for and that illustrate the value of simulations and tabletop exercises.”
Gabriel Cajiga
“I understand the critique that it’s easy to not ponder upon the actual stakes (real feedback from a judge), but simulations help prepare and put to test your ‘first-aid kit.’ For a student with probably no crisis management experience, this is a great way to level up the sense of urgency a crisis brings and know how to work as a team in challenging hours (at 5 AM). As for the team, we kept in mind not having all of us research the same topic. Time and resource management is essential.”
Nitansha Bansal
“I believe simulations are a wonderful way of preparing our brains to perform systematically under pressure- when everything becomes chaotic, and nothing seems to make sense. If my brain has dealt with a problem earlier, my muscle memory will help me deal with that problem later in a more efficient way. I mean, what better way to deal with a crisis than to deal with it without losing all your money, crashing your stock value, or breaking the entire infrastructure! And I believe the escalatory nature and structure of a Cyber 9/12 scenario compels competitors to think swiftly but systematically- which is the most important skill when faced with a real cybersecurity crisis. In our case, my team and I held extensive discussions about our strengths to understand how we can contribute to the team, and accordingly divided our tasks throughout the competition. This helped us capitalize on each other’s skillsets, and perform better under pressure, especially during the Q&A sessions.”
4. Did your team come from diverse backgrounds? How did that contribute to the way you approached the competition?
Tionge Mughogho
“Our team consisted of members from the same field but with diverse specializations such as cybersecurity, networking, and forensics. While this diversity greatly aided us in formulating technical cybersecurity recommendations, we encountered challenges in areas relating to law, politics, and the military. However, these challenges provided valuable learning opportunities, fostering a deeper understanding of cyber laws and the impact of political and diplomatic considerations on cyber attack response strategies.”
Grant Versfeld
“Yes, we built our team with members from a variety of academic and social backgrounds to expand the types of knowledge that each team member brought to the competition. This encouraged us to be up front about our strengths and weaknesses so that we could best support each other, and it also helped us build meaningful friendships with like-minded peers who we might not have otherwise met. As we approached the competition, we spent time teaching one another about our areas of expertise, which proved useful during the Q&A since everyone had a stronger knowledge base to rely upon.”
Frances Schroeder
“As an all-female group, my team, the Cyber Super Girls, approached the competition with our own unique perspectives and experiences. We were the first team to participate from our university in many years. As a result, we were all new to the competitions, which meant that we had no preconceived notions about how we were supposed to approach Cyber 9/12. I believe this allowed us to be creative and offered us a unique approach based on each of our individual previous experiences.”
Gabriel Cajiga
“This might be one of the most important takeaways of the competition. I fortunately had a very diverse team (see my answer to question 1), and if we felt we were missing knowledge on a topic the challenge was bringing we sought advice from experts from our network! It is essential to understand how other professions contribute to solving a crisis.”
Nitansha Bansal
“Yes, during both the competitions, my teams had representation from different educational and professional backgrounds, nationality, and sex. This allowed us to look at the scenario holistically- from different angles, and hence provide policy recommendations which covered diplomatic, technical, regional, and national level, and short term and long term actions. This also meant that we excelled at different skills- reading lengthy government documents, drafting written statements, designing team logo and decision documents, writing presentation speech, and answering questions confidently- so we could effectively adopt the ‘divide and conquer strategy’ to our team’s benefit.”
5. What is one piece of advice you wish you knew before you competed in your first Cyber 9/12? What is the advice you would give to future competitors?
Tionge Mughogho
“Before competing in my first Cyber 9/12, I wish I had realized that as much as the competition is centered on cybersecurity issues simulations, every aspect of the scenario is important for an effective policy recommendation brief and response. For future competitors, I advise prioritizing a holistic understanding of policy, legal, and geopolitical implications alongside technical aspects of the scenario, as they profoundly influence crisis response strategies. Additionally, practicing time management and maintaining composure under pressure are essential for effectively navigating the challenges presented during the competition.”
Grant Versfeld
“As a first-time competitor, I remember worrying that our policy recommendations were off the mark, but they proved to be rather strong. That feeling went away over the next few times I competed, helping me gain confidence to the point where my teams routinely made it to the semi-finals or finals. My advice is to have faith in the preparation you and your teammates did prior to and during Cyber 9/12, especially when you’re giving the oral briefing. Given the amount of research that goes into writing a written brief and decision doc, everyone should feel confident presenting their work since the hard part is arguably over. Most importantly, have fun!”
Frances Schroeder
“Go all in. Opportunities like Cyber 9/12 are few and far between, especially for students. Competitors should take full advantage of the rare opportunity to gain tangible analytic and briefing skills, develop their professional network, and explore whether this is a field that they want to pursue. Due to Stanford’s academic schedule of the quarter system, the national competition fell on the weekend right before finals. As stressful as that was for me academically, once the competition began, I made a significant effort to put a pause on worrying about my finals. Instead of trying to cram studying into the few free moments during the competition, I spent the free time I had meeting as many other competitors and judges as I could. As much as you can, put your outside responsibilities on hold for the duration of the competition, so that you can dive in and gain as much as possible from such a valuable opportunity.”
Gabriel Cajiga
“On the competition side, know your judges and ask for feedback always! Also, it’s important to sleep. On the teamwork side, be communicative on what you don’t know, what you can provide, and how much time you can compromise.”
Nitansha Bansal
“It would have been good to know that we were enough even if we had never participated in a Cyber 9/12 earlier or had any professional experience of working in the field of cybersecurity. Oh, and also that everyone in the room was feeling the imposter syndrome (but no one had to)! To the future competitors, I would say – don’t wait for the next Cyber 9/12 because you have an exam (they come every semester), don’t try to build the perfect team (that’s not how the real world works, anyway) but make sure you know each other’s strengths and weaknesses, and pick an interesting team name (first impression is the last impression, after all, but mostly because it is fun reading them!).”
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.