Cyber 9/12 Geneva Competition – Deep State Machine 5
Jun 7, 2021 | Cybersecurity
The Atlantic Council’s Cyber 9/12 Strategy Challenge is a simulation-based competition in which student teams collaborate to provide policy analysis and recommendations in response to an evolving, fictional fact-pattern relating to cyber crisis and conflict. Over each academic year, several regional competitions take place around the world, including the latest in Geneva from May 11-12, 2021.
The University of Texas at Austin was represented at the Geneva competition by team Deep State Machine 5, featuring Strauss Center Cybersecurity Fellows Gabriel Cajiga and Reginald Evans and our Brumley Fellows Alex Rose and Willy Vazquez. The team was coached throughout the Cyber 9/12 2020-21 season by Ryan Cunningham, Strauss Center Cyber Fellow and Visiting Professor at Texas Law. After a superb virtual showing in the wee hours of the morning on May 12, DSM5 finished 5th overall and 1st among U.S. teams! The team talks about their experiences in the competition here:
Tell us about the simulated cyberattack in the prompt:
The scenario is set in May 2022, focusing on the fictional country of Nistria, the newest member of the EU. While COVID-22 begins to ravage the world, Nistria suffers a technical failure at their central hospital while connecting to DigiSantEU, the fictional EU-wide medical health record system. This failure, combined with ICUs quickly filling up due to COVID-22, leads to a meeting of the EU Political and Security Committee (PSC) to come up with a plan to curtail escalation, to which we have to present our policy recommendations each round after learning new information.
Mixed into this crisis are also concerns about environmental extremists, EcoEarthNow!, threatening Nistria due to their support of coal mines, misinformation on social media about the cause of hospital failures, and overall uncertainty about what role the Kingdom of Mustelus, a fictional country of which Nistria was previously a member, has in what is going on.
In the first round, we learn that the technical failure occurred while Nistria was performing a final update to connect to DigiSantEU. After systems malfunctioned, Nistria hired CyberSec Systems to perform an analysis, to which they claim to have found similarities to a previous hack attributed to agents working on behalf of the Mustelan government, though they were not confident in their results. Meanwhile, posts on social media share a general concern about COVID-22 and the inability to schedule hospital appointments, along with some support for EcoEarthNow!.
As the situation develops in the second round, the situation at Nistrian hospitals has gotten worse, and similar technical failures are popping up across EU member states. This leads some to speculate that some malware may be spreading through DigiSantEU, causing a murmur about disconnecting hospitals from this system. Meanwhile, NATO Intelligence has noticed dark web chatter about EcoEarthNow! communicating with the Mustelan agents, along with discussions about malware targeting Nistrian critical infrastructure, though the connection between the two is not made.
In the final round, we learn the cause of the technical failure is actually a system malfunction – the system was not prepared to handle a surge of appointments, as was the case with COVID-22, thus causing a failure of one system which dominoed to others. Contrary to CyberSec Systems’ report, which turned out to be biased towards stirring geopolitical trouble, no malware was found. Reliance on their report though led to other countries planning to disconnect from DigiSantEU to prevent potential malware spread to their own systems. All the while, large-scale coordinated anti-government protests are planned in Nistria’s capital consisting of people tired about the hospitals not working, EcoEarthNow! not a fan of the coal mines, and the Nistrian government’s poor response to COVID-22.
We decided to challenge the validity of the incident response report indirectly. It was a tough decision because they always say not to fight the scenario, so what we did was limit our doubts of the report by proposing to hire another company. It is always good to double check and the judges commended us on that proposal! Consequently, we were right to challenge the initial report because in the final round we learned that there was no nefarious actions whatsoever during the DigiSantEU.
What are some cool things you learned in your preparation for the competition?
- The EU has so many committees!
- Even among the EU members, there are many differences in how to define and approach an issue. It was interesting learning about how that dynamic plays during a cyber incident, and how they still attempt to solve the problem despite conceptual differences.
- How the US has different concerns while dealing with a cyber incident in comparison with the EU. For example, national security vs data privacy.
- Be wary of incident reports that have an over-reliance on intrusion detection systems.
What advice do y’all have for future competitors in Cyber 9/12 competitions?
- The most important thing is having a great supporting team. Communicate what personal issues you are having and try to understand that just learning and having a good time are great mindsets.
- Having a coach with you can feel honest, comfortable, and able to send messages even at midnight! (Thanks, Ryan!)
- Talk with as many domain experts as you can – this competition is a great excuse to pick their brain, and they’ll provide real world policy recommendations.
- Try to avoid silence during the Q&A – have a team leader who will capture the questions and either answer or direct them to someone else. Don’t be afraid to answer with “Thank you for that question – we will have to get back to you”.
Coach Ryan Cunningham was extremely proud of his team:
These folks made for a truly impressive team across multiple competitions. Their cooperation and camaraderie (even late into the night and during busy times) was inspiring. All of them were competing for the right reasons. They wanted to learn and have fun. Being their coach was a pleasure.
The judges in Geneva were highly impressed by the “practicality” of their recommendations. That is a genuine compliment I think they should all take to heart. In fact, I think they should take it as a measure of their growth and maturity in cybersecurity policy. Experts working in a very different system could all see that the team’s recommendations were pragmatic and grounded.
Another huge congratulations to Deep State Machine 5!