It’s students versus cybersecurity experts in the March Madness of Security
Have you filled out your bracket yet? Not the one for the NCAA Tournament, but for the annual National Collegiate Cyber Defense Competition (NCCDC), presented by Raytheon.
Regional championships started this month and remain ongoing until next month, when the NCCDC will host students from more than 250 universities across America. These regional winners will compete in the national challenge, trying to defend their network from hackers.
Between April 23 and 25, the winning teams from each region will convene in Orlando, Florida, where blue teams comprised of students will be challenged by red teams of all-volunteer cybersecurity experts from private sector organizations including Walmart, Uber and Raytheon, as well as government partners including the Air Force Reserve.
The collegiate teams secure, manage and maintain a small-business network while the live red teams attempt to break into those systems through user level access, root/administrator level access or even downloading a team’s entire client database with credit card numbers.
Despite the potential trepidations of going up against a team of industry experts, students actually bring more than their will to win to these challenges, according to Julian Zottl, a Raytheon cyber architect and member of the NCCDC red team.
Who’s Teaching Who?
Sure, the competitions are designed to advance the cybersecurity skills of participants, and it’s not lost on anyone that these are college students, highly motivated to both learn and win. More than winning, though, what the competitions come down to is putting the students into an environment that they will experience in the real world, Zottl said.
In the real world, security teams are constantly seeing new environments, which is a reality they leverage to expose the students to something beyond the traditional classroom. “I wish it had existed when I went to college,” he said. “It would have helped me to get into the workforce quicker.”
What experience cybersecurity professionals have learned, though, is that these challenges are also an opportunity for them to learn a lot from the students. Students bring a lot of out-of-the-box thinking when it comes to things such as attacking a SCADA network, Zottl said. It’s a win-win for both the red and blue teams in that respect.
“We are all learning a lot of new things. Last year I saw a team use a firewall in a unique way to defend their data servers,” he noted.
If competitions are held in colleges and teams only go against their peers, they see what they’ve learned in the classroom. Challenging cybersecurity professionals, though, means they are better positioned to understand the wide range of things they are going to see. “NCCDC is important because it’s not about downtime or keeping things up or tickets, but about learning why servers are down,” Zottl said.
As a result, everyone is exposed to more creative problem-solving skills. Students don’t always have access to the more advanced solutions afforded to an organization’s security team, which forces them to find more creative solutions. That creativity then challenges the traditional tactics used by the red teams.
More than a Game
Now in its 13th year—and the sixth year Raytheon has hosted the event—NCCDC is looking forward to crowning another winning team. That team will be taken on a tour around Washington, D.C., where they will learn about policy and see what types of jobs are available in the federal government and the private sector.
All of the participants are far from forgotten, though. In fact, Raytheon has hired more than 100 students since its partnership with NCCDC began five years ago. Many former participants have also been invited to join the company as interns—opportunities that have then evolved into job offers.
Traditional classes can sometimes be static, but security is constantly evolving and changing. That’s what makes these types of competitions all the more valuable for the students and the volunteers.