On July 22-23, 2024, the Cyber Statecraft Initiative held its inaugural Cyber 9/12 competition in San José, Costa Rica in partnership with the US Department of State’s Bureau of Cyberspace and Digital Policy, Universidad Fidélitas, MITRE Corporation, LAC4, and the Organization of American States. The competition included teams of students representing colleges and universities from across Latin America and the Caribbean, including Argentina, Chile, Colombia, Costa Rica, Dominican Republic, Ecuador, Mexico, Panama, Peru, Paraguay, and Uruguay. In groups of 3-4 students, teams responded to a fictional scenario focused on a compromise of airside data at Juan Santamaría International Airport, including the personally identifiable information of airport staff and several diplomatic delegations in town for a presidential summit focused on trade and technology. The incident was exacerbated by a separate baggage system error at the airport that contributed to delays in luggage collection and confusion for both passengers and airport staff.

Now more than ever, governments are realizing that technical solutions alone are insufficient to stymie evolving cyber threats and that a capable workforce alongside leaders that can smoothly integrate policy and technical response are imperative. This realization comes alongside a growing willingness to embrace the diverse pathways that can lead to a career in cybersecurity, as well as the varied skillsets and experiences that can support the protection of critical infrastructure, foster collaboration on cybersecurity issues with allies and partners, or develop policies that promote the development of more secure technologies.

That’s why the Atlantic Council established the Cyber 9/12 Strategy Challenge—not just to train tomorrow’s cybersecurity leaders, but also to broaden the pipeline of students considering a career in cybersecurity and offer an immersive learning experience combining technically informed policy challenges where they can try their hand at developing novel solutions during a crisis.

To learn more about the ways scenario exercises can apply to Latin American cybersecurity challenges and their impact on emerging cybersecurity policy leaders in the region, we spoke to seven participants from the 2024 San José Cyber 9/12 Strategy Challenge:

We saw it as an amazing opportunity to experience what dealing with a real-world crisis is like, something we were very excited about as we hadn’t done that before in our lives. We expected it to serve as an opportunity to improve our skills in cybersecurity policy, communication, and team collaboration—and it sure was! The competition challenged us in ways we really hadn’t expected and gave us a chance to grow both individually and as a team.

ZeroDayMayDay of Monterrey Institute of Technology and Higher Education in Mexico

Cyber 9/12 opened our eyes to the importance of cybersecurity regulations and their impact on one of our teammate’s legal career. The experience allowed us to understand how laws and regulations in this field are key to addressing cyber threats, which has strengthened our interest in the creation and analysis of cyber policies. This focus provided us with the opportunity to combine legal knowledge with the need to enhance digital security through robust legal frameworks.

If we could describe Cyber 9/12 in one sentence, it would be: An experience that adapts challenges to inform a strategic vision for building the future of global cybersecurity. Being chosen to represent our country, the Dominican Republic, and our university in this competition not only filled us with pride but also ignited a deeper sense of responsibility towards digital protection and policy formulation. This experience reinforced our commitment to creating innovative solutions and offered a broader understanding of the challenges we face in the cyber and diplomatic spheres. Moreover, it was crucial in expanding our professional goals and opening up a world where cybersecurity is not only about technology but coordinated strategies that ensure a safer future for our countries.

We also loved meeting new people and learning about them through networking. It was an enriching experience as we shared ideas and perspectives on the future of cybersecurity. Additionally, Costa Rica was the perfect setting—a beautiful country that complemented the experience.

UNAPEC Strategic Team of University APEC in Dominican Republic

On Day 1, we were evaluated by a panel of judges drawn from government, industry, and academia. These judges asked us questions regarding legislative aspects of the scenario that our team had struggled to address, as well as questions about the security certification process we recommended.

On Day 2, we were evaluated by a panel of judges representing more industry perspectives and academia. That time, we were much better prepared, and judges only asked us one question regarding which US agencies we had identified for the Costa Rican government to collaborate with following the incident. We were able to identify and recommend several agencies for collaboration, such as the US Federal Bureau of Investigation and the US Department of the Treasury.

On Day 1, the feedback we received from judges recommended that we be more specific regarding our contingency plans and to manage our time for the ten-minute briefing better. Just 24 hours later, we impressed the panel of judges with our performance, as we had successfully implemented all the feedback shared with us on Day 1 and demonstrated the most improvement of any team at the competition.

UPTP Task Force of Polytechnic University Taiwan – Paraguay

At the start of our preparations for the competition, our team agreed that this was a new challenge we’d be facing for the first time, but we agreed that the first step to tackling this challenge would be to try to better understand Costa Rican cyber legislation and regulatory frameworks, and to take advantage of any available international cooperation resources.

Once we had a grasp of the scenario, we decided to focus on developing strategies that would empower decisionmakers to manage the incident in the best possible way. We took this approach knowing that even with limited time and information , we needed to lay the groundwork to mitigate the damages caused by the incident, minimize operational and reputational impact, and identify and remediate the exploited vulnerabilities.

As four young students in the second year of the Bachelor’s in Cybersecurity program at the Technological University of Panama, with little experience in incident management, disaster response, and even less in cyber policy, we made the decision to appoint a leader for our team. This leader, in conjunction with guidance from our coach and input from all team members, defined the path we would follow to create the most comprehensive plan possible, serving as a solid starting point when facing the Intelligence Report II.

Panama Cybersecurity Warriors of the Technological University of Panama

The participation of one team member in previous competitions was a beacon for our team’s strategy, as those experiences provided us with valuable lessons that we used to define our preparation for the competition in Costa Rica. The main benefit was being able to leverage our understanding of the scoring rubric and past judge feedback from two previous events to identify areas for improvement. We reviewed past tactics that worked well for our team, as well as those that posed challenges, which enabled us to adjust our approach.

Additionally, we discussed the importance of teamwork, collaboration, and effective communication—key elements that helped us design a study and practice plan better suited to this new competition. Last, our coach made a point to identify each student’s strengths to strategically assign them to different areas that needed to be covered during the competition, such as technical aspects, political analysis, financial analysis, and social analysis of the scenario, among others.

Prime Team of National Polytechnic School in Ecuador

If I were to face a real cyber crisis, I could apply several lessons learned from Cyber 9/12:

Last, I would like to emphasize the importance of preparation. The best way to face a crisis is to be prepared for it. This involves developing incident response plans, conducting drills and training exercises, and staying up to date on the latest threats and vulnerabilities. Cyber 9/12 truly contributes to this readiness.

Fabiana Santellán of Uruguay Agency for Electronic Government and the Information and Knowledge Society

The commitment demonstrated by the fourteen teams from eleven Latin American countries in the Cyber 9/12 Strategy Challenge reflects significant progress in cybersecurity education and workforce development in the region. Stakeholders, including governments and educational institutions, are implementing national cybersecurity strategies that incorporate training and awareness programs, which is essential for strengthening regional capabilities. Collaboration between the public, private, and academic sectors is generating valuable opportunities for developing practical cybersecurity skills, as demonstrated by this competition.

However, there is still a need to improve the alignment of educational programs with the real needs of the job market, increase investment in specialized training, and promote greater diversity in the field of cybersecurity. To advance this, it is crucial to strengthen regional cooperation, share best practices and educational resources, and replicate initiatives such as the Cyber 9/12 Strategy Challenge to prepare the next generation of cybersecurity professionals in Latin America and the Caribbean.

Orlando Garces Organization of American States Cybersecurity Policy Officer

Safa Shahwan Edwards is the director of Capacity Building and Communities within the Cyber Statecraft Initiative, part of the the Atlantic Council Tech Programs.

Emerson Johnston (she/her) is a young global professional with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs.