Growing Future Cyber Warriors
Students improve cybersecurity capabilities through Capture the Flag events.
At conference halls throughout the year, groups of students work intensely to complete digital challenges in cyberspace, vying to win so-called Capture the Flag Contests, such as several hosted by Deloitte. The company sponsors several such educational cybersecurity competitions, including recently at AFCEA Alamo ACE in San Antonio and in Colorado Springs at the AFCEA Rocky Mountain Cyberspace Symposium.
It is a labor of love, an educational benefit to the community, Deloitte’s Tim McClellan, explained to SIGNAL Magazine. McClellan, a technology architect for Deloitte, creates the Capture the Flag challenges, organizes the participants, installs all the necessary hardware and software at the competitions, and runs the events.
Deloitte has been hosting the Capture the Flag events for the past three years, starting with Rocky Mountain Cyberspace Symposium (RMCS). The company partners with its Netherlands contingent, which runs the backend system on a cloud-based platform from across the Atlantic. “Before that, we did everything on three laptops,” McClellan laughed. On site, they have expanded their hardware to include many more laptops and built a self-contained environment to run the competition.
The Capture the Flag competition is open to interested students or individuals who want to test their offensive cyber knowledge firsthand. Teams consist of budding cybersecurity experts from high schools, colleges and industry. Competitors come in with a range of abilities, some of which depends on their school’s emphasis of STEM or on information technology. “Those are being pushed at the high school level, and at the college level, they come to these events with an increased skill level, because they have done it over a period of time,” he noted.
Each year, Deloitte is working to grow the field of entrants. At AFCEA Alamo’s ACE event, the company expanded event from five to 11 competing teams in 2019 versus 2018, McClellan reported. “For the future, I think what we are trying to do, especially for Alamo ACE, is to expand the makeup of the teams,” he continued. “At ACE, we had a college team and a high school team and a military team. The vision is to have a military participant, a college participant, an industry participant and a high school participant all on one team.”
Having that kind of team makeup is more of a logistical challenge, McClellan admitted, but the collaboration across ages and skill sets would be beneficial to all parties. Even so, he is glad to see an increased excitement to compete, wherever it comes from. “Two years ago, we had a group that was brand new, including a married couple with the baby,” he stated. “The husband was holding the baby, and taking turns with the challenges.”
For the six-hour Capture the Flag competitions at ACE and RMCS, McClellan created 15 main challenges for competitors to complete across 130 subchallenges. Each one of the main challenges tested a different skill set, he explained.
“We test all sorts of skills, from cryptography, stenography, network tracing, cross-site scripting, injecting, binary execution, all aspects of a technical environment,” McClellan offered. In scripting, the competitors use various web-related languages such as Python, Java and PHP, as well as web applications. “It tests if do you understand what something is written in various forms,” he said. “Stenography is a philosophy in how you do various acts, such as multitier obfuscation, making something look like something, but it does something else, for a different purpose.”
This year at the RMCS Capture the Flag event in early February, two teams from the U.S. Air Force Academy; a team from Brigham Young University (BYU); a team from University of Colorado, Colorado Springs; and a team from Pike’s Peak Community College all competed. Team Delogrand from the Air Force Academy took first prize.
Cadet 1st Class Sears Schulz, a senior at the academy, is the captain of the school’s cyber competition team, which consists of 25 cadets. He noted that the two teams participating at RMCS did not necessarily prepare specifically for that challenge, as their curriculum has them practicing cyber skills “all of the time.” The makeup of the competition team includes cadets majoring in computer science or cyber science who specialize in reverse engineering, digital forensics, exploiting the web, among other capabilities—although they do turn to a math major who specializes in cryptography. Most of team’s future airmen will go into cyber operations, he confirmed. Cadet Schulz, who in December took first place in the President’s Cup, the Department of Homeland Security cyber competition, is looking to attend graduate school next year in cybersecurity.
Software developer Mark Knieser, who volunteered at the RMCS competition, added that the event tests and ultimately improves how teammates cooperate. While each person may have an offensive cyber specialty that they are focused on during the challenge, they do better when they work together and speak up about the core issues they are trying to resolve, especially since the challenges increase in difficulty during the competition, and also require more time.
The way McClellan sets up platform does give every team the chance to try each challenge, a method Knieser agrees with, as it makes it more inclusive. “In some competitions, once a one team captures a particular flag, it is gone and not available to anyone else,” McClellan clarified. “I don’t believe in that. I like to give each team a chance to go for each flag to test that skill. I have found that once they have gotten a flag, they don’t usually forget that skill. Their confidence grows, and they get better.”
After the events are over, McClellan goes back through the platform to see how the competitors completed the challenges, and analyzes their processes and skills, to make changes or improvements for future competitions.
Next up McClellan is gearing up to run the Cyber Cup Challenge, which will be held during the 2020 National Cyber Summit, June 2-4 in Huntsville, Alabama. For this national-level Capture the Flag event, he will create new challenges, bring the hardware, set up the course, run the wiring, make all of the connections, and welcome new (and previous) participants. “The challenge has to be different every year,” McClellan said. “I do want it to be competitive but also successful.”
The deadline is May 8 for interested participants to register to compete in the Cyber Cup Challenge.