In It to Win It: Understanding Cyber Policy through a Simulated Crisis
Competitors and judges from the Cape Town Cyber 9/12 Strategy Challenge share their perspectives on the competition’s impact on the African cybersecurity landscape.
On October 7-8, 2024, the Cyber Statecraft Initiative held its fourth annual Cyber 9/12 competition in Cape Town, South Africa in partnership with the US Department of State’s Bureau of Cyberspace and Digital Policy, the University of Cape Town, and the MITRE Corporation. The competition included teams of students representing colleges and universities from across the African continent, including South Africa, Eswatini, Namibia, Botswana, Malawi, Senegal and Ghana. In groups of three or four students, teams responded to a fictional scenario focused on an organized criminal group targeting the Port of Cape Town with a ransomware attack to slow port operations that quickly spread to other ports around the world, impacting international trade and public safety.
In recent years, governments, industry, and civil society have come to the realization that technical solutions alone are insufficient to stymie evolving cyber threats and that a capable workforce who can smoothly integrate policy and technical responses is imperative. Furthermore, there’s a recognition that Africa will be home to a significant portion of the future global workforce, highlighting a need for investment in cyber capacity building and the development of diverse skillsets that can support the protection of critical infrastructure, foster collaboration on cybersecurity issues with allies and partners, and develop policies that promote the development of more secure technologies.
When the Atlantic Council established the Cyber 9/12 Strategy Challenge in 2012, the intent was not just to train tomorrow’s cybersecurity leaders, but also to broaden the pipeline of students considering a career in cybersecurity, connect students with potential mentors and employers, and increase connectivity between the technical and policy communities.
To learn more about the ways scenario exercises can apply to African cybersecurity challenges and their impact on emerging cybersecurity policy leaders on the continent, we spoke to seven participants from the 2024 Cape Town Cyber 9/12 Strategy Challenge:
Why did your team decide to compete in the Cyber 9/12 Strategy Challenge? What did you expect when signing up to compete in a policy-focused scenario exercise?
The Cyber 9/12 Strategy Challenge challenges students to engage in crisis management and develop strategies to bolster cyber resilience and the protection of critical infrastructures after a major attack. This not only aligned with our interests but is also crucial for developing countries, especially African nations like Senegal.
While researching the competition, we noticed that many prestigious universities from the United States and Europe had competed in Cyber 9/12, which motivated us to sign up as young researchers with interests in deploying security solutions, identifying vulnerabilities, and crisis management. Some of our team members had previously participated in the initial rounds of NIST’s Post-Quantum Cryptography competitions in 2017 and 2022, but this was the first time we had the opportunity to compete in an international cybersecurity competition.
Several aspects have motivated our team’s participation, including:
- Challenging ourselves as young researchers who have exclusively studied in Senegal by competing internationally;
- Seizing the opportunity to showcase our creativity and team spirit through the challenges presented in the scenario;
- Enhancing our skills by competing against high-level teams from around the world;
- Increasing the visibility of Francophone cyber talent in the international cybersecurity community;
- Connecting with experts, professionals, entrepreneurs, and passionate young individuals from across the globe;
- Enjoying the experience of participating in a friendly competition in a field we are passionate about: cybersecurity;
- Exploring new places, such as the iconic country of South Africa;
- Gaining credibility and highlighting the need for African countries and the private sector to invest in training, research, and implementing policies and partnerships in cybersecurity, aiming to protect internet users, personal data in cyberspace, and critical infrastructure.
EagleSen Team of Cheikh Anta Diop University, Senegal
How did/does Cyber 9/12 inform your career goals in both cybersecurity and policy?
The Cyber 9/12 Strategy Challenge was an invaluable opportunity for each of us, offering more than just exposure to cybersecurity and policy. Our aim in applying was to learn as much as we could, and the experience showed us the critical role that strategy and policy play in mitigating cyber threats and highlighted the importance of understanding both the technical and policy aspects of cybersecurity. It helped align our individual career paths within these fields in meaningful ways.
For Emmanuella, Ama, and Eli—with our backgrounds in Computer Science—the challenge emphasized how critical it is to design secure systems that are both resilient and adaptable to evolving cyber threats. We’ve become more committed to exploring careers where we can bridge the gap between technical security solutions and policy implementation. For Jessica, as an AI student, the competition underscored the growing intersection between artificial intelligence and cybersecurity; how AI can be leveraged for threat detection, and even support policy decisions. This has encouraged Jessica to explore roles where AI can be applied to bolster cybersecurity measures and support data-driven policymaking.
Throughout the competition, combining our unique backgrounds in AI and Computer Science gave us a durable foundation for tackling complex cybersecurity challenges from different perspectives. This collaboration proved invaluable and reinforced our belief that working at the intersection of these disciplines is key to developing innovative solutions and robust cybersecurity strategies.
Cyber Legends of the Academic City University College, Ghana
Who evaluated your scenario response and what kinds of questions did they pose for you to respond to? What feedback did you take from the experience?
On the first day, Dr. Kester Quist-Aphetsi, Adam Hantman, Rachel Adams, and Dr. Tendani Chimboza evaluated our team’s briefing and policy recommendations. On the second day, Jo Gill, Dr. Kester Quist-Aphetsi, Aisha Kamara, and Adam Hantman evaluated our updated briefing and policy recommendations. The judges’ questions focused on how the cybersecurity recommendations our team had developed may affect other sectors. More specifically, we were challenged to consider the socio-economic ramifications of our suggested responses, among other things. Their feedback really helped us hone our approach to incident response. The feedback underscored how crucial it is to think multi-dimensionally, not being restricted to technicalities, as cybersecurity is intersectional.
Cryptic Crusaders of the Malawi University of Science and Technology, Malawi
How did your team decide to approach this year’s scenario and balance your responses to the different issues presented?
Our team’s approach to this year’s competition began with an in-depth analysis of the scenario, aiming to identify both prominent and subtle issues that could shape the incident’s trajectory. This comprehensive view helped us grasp the full scope of the challenge. Each member then focused on researching specific aspects of the scenario, concentrating on solutions that would meet both the immediate needs of the incident and support sustainable, long-term mitigations. This two-pronged approach enabled us to propose solutions that balanced immediate action with preventative strategies.
To develop well-rounded responses, we emphasized a holistic perspective, examining the problem from multiple angles to address the technical, operational, economic, and policy facets. This approach involved accounting for resource allocation, system vulnerabilities, and the impact of proposed solutions on operational efficiency, state security, and diplomacy in assessing the incident to provide effective recommendations. By considering these factors, we aimed to ensure our recommendations were feasible, adaptable, and capable.
Our team’s adaptability played a critical role in addressing the dynamic nature of the challenge. By encouraging each team member to analyze the scenario through their specific lens, we were able to identify gaps in each other’s findings, allowing us to refine our solutions collaboratively. Time management was crucial to our approach, and our focus on efficiency allowed us to implement our strategy effectively within the limited timeframe. This collaborative, time-sensitive approach strengthened our team’s responses and contributed to our overall success in tackling the challenge.
Trojan Turtles of Namibia University of Science and Technology, Namibia
Some of your team members have competed in other Cyber 9/12 competitions—how did you leverage those past experiences to inform how you wanted to prepare for the Cape Town competition?
Drawing from our experience at previous Cyber 9/12 competitions, we’ve refined our approach by understanding the competition’s structure and timing, allowing us to manage our resources more effectively. These experiences have also emphasized the importance of assigning clear team roles, ensuring that each member contributes based on their strengths in policy analysis or technical problem-solving.
While past experiences have been highly informative and prepared us to be agile in responding to a wide range of cyber scenarios, the unique perspectives of different judges can still make it challenging for a team to anticipate their responses. It can be discouraging when a judge disagrees with our recommended approach. After each competition, our post-mortem analysis helps us assess our performance, as well as sharpen our decision-making and teamwork, helping us make strategic choices and maintain composure under pressure—essential lessons that guide our preparation for upcoming competitions.
Cybertrons of the University of Cape Town, South Africa
What kinds of lessons might you apply from your Cyber 9/12 experience if you found yourself in a real cyber crisis? How so?
What I learned from listening to and critiquing students’ briefings and policy responses:
- Leverage multidisciplinary teams to analyze and solve cyber issues;
- Structure the problem to ensure that all aspects are addressed (e.g. the scenario presented challenges in regional relations, legal, policy, cybersecurity, logistical, and data management issues);
- Analyze risks and prioritize solutions to address the highest risk issues first, such as the restoration of port operations, neutralization of internal threats, cooperation with affected regional partners, and responsible public communication, in addition to the usual cybersecurity response of discover, isolate, replace and/or repair, restore, defend, and deter;
- Ensure that, beyond the solution of the immediate challenges, long-term lessons are also learned, and local and regional policies, strategies, cybersecurity, Information and Communications Technology (ICT), institutional arrangements, and capacity-building activities are identified, designed and implemented;
- Implement cooperation and communication frameworks to ensure that related institutions adequately resolve aspects of the cyber issue that fall within their mandate, whether it be law enforcement, data regulators, ICT (software, hardware etc.) manufacturers, vendors, and integrators;
- For developing countries, the ICT sector may have gaps, where legacy systems which are inadequately secured and poorly upgraded to align with the emerging ICT context, persist in various sectors. Regulators should keep tabs on such products and motivate their manufacturers to harden their products against emerging threats.
– Dr. Kate Getao, Senior Advisor at Diplo Foundation
After seeing teams from across the region respond to the scenario presented to them, what do you see stakeholders doing well when it comes to cyber education and workforce development? Where do we have room to improve?
My impression as a judge in the Cape Town Cyber 9/12 Strategy Challenge is that stakeholders are doing a great job at developing analytical and presentation skills on cybersecurity issues and mitigation. Stakeholders are also doing a good job developing the cyber workforce to translate cyber incidents into policy and strategic responses.
My observation at the Cape Town competition is that the focus for most of the teams was on the identification of technical issues in the scenario and less on the policy and strategy issues presented. There’s an opportunity here to increase our support for teams in developing their understanding of cyber policy and strategy, and how to translate technical issues or occurrences into policy options to avert future crises.
Eric Akumiah, Africa Regional Liaison at Forum of Incident Response and Security Teams
As a former competitor and now, a judge, of the Cyber 9/12 Strategy Challenge, in what ways do you think the competition prepares students for careers in cybersecurity? As a practitioner in the field yourself, are there any specific skills that have translated well to your professional career?
At every Cyber 9/12 competition I’ve attended, whether as a competitor or a judge, teams arrive ready to dive deep into technical responses to the scenario designed by the Atlantic Council. There’s talk of patch rollouts, potential exploits, and remediation plans. As the competitors are grilled on their responses, they begin to realize that Cyber 9/12 is, in fact, a cyber policy and strategy challenge. Their lens cracks and their assumptions crumble as they begin to understand that the landscape of cybersecurity is much vaster than they realized; that cybersecurity impacts and is impacted by a host of different issues. It’s profound seeing that epiphany come in real time and it’s amazing how quickly the best competitors can change their approach. I can’t overemphasize the importance of that lesson in the practice of cybersecurity; and it’s one every Cyber 9/12 competitor walks away with.
Ben Ballard, Cybersecurity Engineer at MITRE
Safa Shahwan Edwards (she/her) is the director of Capacity Building and Communities within the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs.
Emerson Johnston (she/her) is a young global professional with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs.
The Cyber 9/12 Strategy Challenge is a one-of-a-kind cyber competition designed to provide students from across academic disciplines with a deeper understanding of the policy and strategy challenges associated with management of tradeoffs during a cyber crisis.
The Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.