More than one hundred of the brightest computing sparks from 25 of the top universities in Britain and the United States took part in a sophisticated simulation in which teams competed to thwart a North Korea-style nuclear-armed rogue state from achieving a catastrophic military victory over the West.
The scary simulation was devised to give students practical experience of a scenario, which was described by organisers as “highly realistic”. Talent spotters from several major technology engineering companies and cybersecurity agencies were in attendance at the event at the University of Cambridge yesterday to suss out potential recruits.
2017 is only the second successive year in which the annual transatlantic competition, which was the brainchild of Barack Obama and David Cameron, is taking place. Ahead of the three-day event’s conclusion today, key players involved in planning it were unable to say for sure whether or not it would return next year for a third time.
Professor Frank Stajano, who got a call from the UK’s Cabinet Office two years ago asking him to organise an initiative of this nature – an idea that led to the inaugural Cambridge2Cambridge (C2C) challenge taking place in the US in 2016 – said he hoped it would inspire youngsters to pursue a career in computing and cybersecurity.
“There are a lot of scare stories in the media but there isn’t very much that would suggest to a school kid, hey, you could be the one that fixes this,” he said. “If you take the right options when you go to university, you could be the one solving this problem. I don’t see much of that in the media.”
Instances of alleged state-sponsored hacking have prompted Nato to agree that a cyber attack could trigger the military alliance’s mutual defence clause, but the norms and protocols associated with cyber warfare are much less advanced than those linked to conventional types of battles.
As part of the competition, C2C participants were faced with an imagined scenario in which an unnamed rogue state – covertly developing and caching weapons of mass destruction in a series of secret facilities buried deep underground – was locked into a military face-off with the UK and US.
With extreme weather having halted troop advances as part of a conventional military confrontation, the teams were tasked with instead using their computers to gain control of and subdue the apocalyptic weapons facility from afar using any means they could devise.
Stajano acknowledged there were people who might “raise eyebrows” about the “element of encouraging cyberattacks” that was inherent in the exercise, but he added: “It must be realised that attack and defence go hand-in-hand and you have no chance against the bad guys unless you are more skilled than the bad guys.
“If the bad guys can do things that you can’t do, they’re always going to win. You have to be at least as good as the bad guys in order to be able to stop them.”
Later, in a discussion about future challenges, panellists was asked by one student what they thought about the idea of retaliatory hacking attacks, incidents which the questioner referred to as “hacking back” and compared them to a situation in which “someone shoots you and you shoot them”.
Technologist Dr Jessica Barker described such hypothetical retaliatory operations as a “terrible idea”. She said: “If we can’t attribute who’s hacking, how can we hack back?
“Also, we can’t defend ourselves 100 per cent. What makes us think we can attack, and that that’s a good idea? From my point of view it is better to focus on defence, focus on mitigations, focus on securing ourselves, and that’s where our energy and our resources should lie, rather than going off on the wild goose chase of hacking back.”
Asked by E&T whether the changes at the top in the White House and in Downing Street could lead to the US and UK government-backed event being shelved in future years, representatives from tech firm Leidos, which designed the platform used during the cyberwar simulation, would only say that they hoped the competition would be brought back for the third year running.
Chris Ensor, who is in charge of cyber skills development at the UK’s National Cyber Security Centre, said: “Next year’s a long way away.”
He told E&T he had “every anticipation” that there would be a third incarnation of the competition, which is known as Cambridge2Cambridge because it is a collaboration between the University of Cambridge and Massachusetts Institute of Technology in Cambridge, Massachusetts.
Asked directly whether there had been any confirmation that C2C would happen again next year, Ensor replied: “No. But there’s always the mechanics to make this happen. There’s lots of things that need to happen. We really hope we can keep it going for the next few years.”
Referring to reports of the UK’s first rehab bootcamp for cyber crooks, Nigel Harrison, acting chief executive of Cyber Security Challenge UK, highlighted the importance of diversion to channel budding cyber criminals into well remunerated jobs where they could put their skills to use for the purposes of protecting people and infrastructure.
He told C2C participants: “We’ve just started a programme. There was an announcement about it today. We’ve been working with the National Crime Agency here in the UK on a pilot scheme to offer interventions to young people who have found themselves verging on the wrong side of the law.
“They’ve been spotted by law enforcement as being in a vulnerable position or they’ve just received some warning or cease and desist notice, and we’re trying to take them and tell them about ethics, trying to tell them there are well-paid jobs on the right side of the law.”
He added that there was a danger that, if the right authorities did not intervene early in such cases, skilled hackers and malware developers would be “talent spotted by cybercriminals as being somebody who is nicely vulnerable, the right sort of age and doesn’t understand right from wrong, and they’ll use them as a mule”.