Lessons Learned from the Cyber 9/12 Strategy Challenge
Students from Tufts University tell us their greatest lessons learned from competing in the Cyber 9/12 Strategy Challenge.
Lessons Learned from the Cyber 9/12 Strategy Challenge
Share this story
Our four-member team, comprised of Sara Mishra, Hannah Dora Patterson, Ethan Moscot, and Andrew Vu from Tufts University’s M.S. degree program in Cybersecurity and Public Policy, competed in the Cyber 9/12 Strategy Challenge competitions hosted in New York and Washington D.C. in Fall 2022 and Spring 2023. While our individual levels of technical- and policy-focused expertise varied, we were eager to put our master program’s interdisciplinary design, with coursework in Tufts University’s Department of Computer Science and the Fletcher School of Law and Diplomacy, to the test. Having all entered our graduate program at the same time, we could not find an extracurricular activity that matched the nuance and interdisciplinarity of our degree program which fused technical and policy analysis.
Sara knew of the Cyber 9/12 competition programs from her time working at the Atlantic Council, and she suggested we form a team to compete. It quickly became clear that Cyber 9/12 represented the ideal opportunity to learn and experience firsthand just how technical knowledge interacts with policymaking outside of the classroom and how to impart technical information to nontechnical audiences. Overall, what started as competition that was unfamiliar yet piqued our interest turned out to be an unrivaled experience in responding to a fictional cyberattack with high-level stakeholders and fascinating case studies.
Being able to participate in Cyber 9/12 competitions at both Columbia University and American University allowed our team members to further develop their ability to craft comprehensive public policy solutions for cybersecurity challenges. After receiving the briefing packet, our team would divide the tabs up and allow each member to leverage their background knowledge and share their thoughts on the varying topics.
Our team always began by creating a word chart associating the inject’s biggest themes with each other. From there, we would write down a list of possible policy prescriptions and rank the ideas in order of feasibility or accessibility to the judges. We then outlined our objectives, utilizing the DIME (Diplomatic, Information, Military, Economic) paradigm to ensure we incorporated these four instruments of power so as to consider the necessary dimensions and all principal stakeholders. Finally, we also devised an acronym such that our idea could be easily absorbed and represent several pathways to achieve a desired solution based upon considerations in the DIME paradigm to create the finalized decision document.
When we were developing our response to the challenges in New York, as Fletcher students, we were drawn to framing our proposal at the international level. The prompt involved tension among China, India, and Pakistan due to uncertainty in the region surrounding critical infrastructure development, as well as an Advanced Persistent Threat (APT) acting against a hydroelectric dam in New York. When we were challenged with responding to a cyberattack on that dam, it required a balancing act to make sure we addressed all of the above. Sara’s well-rounded grasp of the scenario upon its release primed her to summarize the situation at hand. Based on her overview of both our written and oral components, Ethan and Hannah were then able to identify three strategic objectives.
We presented our “3D” approach, which included deploying Cyber National Mission Forces (CNMF) and coordinating with Indian and Pakistani governments to deploy Hunt Forward Operations (HFO) teams to create malware reports, developing a diplomatic framework through a US-led Cybersecurity Partnership Conference, and delivering USAID grants that incentivize private corporate investment to India and Pakistan. These three objectives would counter adversarial aggression, safeguard US critical infrastructure, and work to ease regional tensions.
Finally, Andrew offered insight to further contextualize our proposals. In this instance, the defensive appearance of CNMF HFOs would reduce the threat of escalation, the international conference could directly challenge the People’s Republic of China’s (PRC) influence and USAID initiatives in India and Pakistan would signal US commitment to regional peace and security. This empowered us to be proactive in addressing judges’ concerns as to how the scenario may evolve, both technically and geopolitically. In terms of implementation time for our proposals, our response options contained short-term, medium-term, and long-term solutions. By using technical- and policy-focused lenses, as well as different timeframes, we recognized we could offer practical solutions, such as the deployment of CNMF HFOs, and simultaneously propose more grandiose ones, like our US-led conference.
While we made sure to tackle the geopolitical and cyber-related events unfolding, the judges in the first round still pointed out that we could have better addressed concerns that trickled down to the state and local levels. We integrated this feedback into our semi-final round approach, where we encountered opponents in this head-to-head round who presented a technically driven solution that proved successful with the judges.
For the Washington, DC competition, our team knew that we’d have to continue to leverage tried-and-true methods when consuming and responding to the scenario, while also remaining nimble to adjust to new challenges and themes presented in the prompt. When devising our response to the scenario prepared for the Washington DC competition, we sought to highlight a flaw in what we perceived to be a growing market for exploits. In this scenario, when a biometric identity verification technology company discovered a data breach in their systems used for air travel, preliminary forensic analysis uncovered a vulnerability inside a compromised subsystem allowing for possible violations of confidentiality and integrity of customer data, and also revealed the National Security Agency’s knowledge of this vulnerability. In addition to making note of a rise in tension with the European Union (EU) over data protection concerns, we returned to our practice of developing easy-to-remember proposals on a short-term, medium-term, and long-term timeframe. Specifically, we suggested designing a cyber response and attribution plan, distributing resources for sanction enforcement via the Department of Justice and Treasury, and developing a revised Vulnerabilities Equities Process (VEP).
While still making use of our best practices and presentation lineup in designing our proposals, we believed examining the management of a fundamentally technical issue, as our opponents did in New York, would be useful in demonstrating our resolve and creativity in working to prevent a repeat of the incident we now faced. Specifically, we contended that the National Security Council (NSC) should modify the VEP by placing the Office of the National Cyber Director (ONCD) in charge. The ONCD leading the role in place of the NSA, in our view, would shift the overall process away from bias toward the Department of Defense, and allow the process to address cybersecurity issues more holistically. Judges commended us for our creativity and willingness to think critically about managing oversight of technical issues beyond coordination of incident response, but we were told the specifics of doing so needed further fine-tuning.
Overall, these experiences have empowered us to face unique and dynamic scenarios and to refine our approach to very crucial skills outside of the competition environment: expertly crafting long-form briefing papers, short-form decision documents, and informed oral briefings. From first competing at Columbia University to then trying our hand again at the Cyber 9/12 competition at American University, we learned to adjust in terms of fully addressing the complexity from the fallout of a cyberattack and how to position our brief principal stakeholders in a balanced manner. The Cyber 9/12 competitions truly bring briefings to life when facing judges posing as the NSC. Our team had to contend with questions like “What exactly am I going to tell the President?” and “On a scale of one to five, with five being the most severe, how would you rate the severity of this incident?” It could not be more clear that relaying and contextualizing technical details in a succinct and easily interpretable manner is paramount. Reflecting upon our successes and areas for improvement, we will look back with pride as we embark on our future endeavors, whether they be in future Cyber 9/12 competitions or professional roles in the public and private sectors.
ACKNOWLEDGMENTS
We are incredibly thankful for Diana Park, our coach, a doctoral student of international relations at the Fletcher School. It is because of her probing, insight, and expertise that we were able to develop in-depth analysis and critically reflect upon it. In addition, we would also like to thank our advisor and program founder, Professor Susan Landau, for her active support of our team’s participation.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.