A strong cybersecurity team is multidisciplinary: our experience of the Cyber 9/12 Strategy Challenge

The Cyber 9/12 Strategy Challenge is a cyber policy competition run by the Atlantic Council for students on both sides of the pond, with an annual competition event dedicated to UK universities and supported by the UK government. This year the competition took place virtually and we were lucky to be one of the 20 teams selected to take part.

Our team, Cyberchase.ox.ac.uk, included three MPP students – Frédérique St-Jean, Thomas Klein, Laila Ujayli – and James Pavur, a brilliant DPhil student at Oxford’s Department of Computer Science. The Cyber 9/12 competition has been designed to provide student competitors across disciplines a deeper understanding of the strategy challenges associated with cyber security, crisis and conflict.

A few weeks before the competition, we were sent a 50-page scenario pack detailing some fictional but quite realistic emerging cyber threats to the UK. In our case, the scenario was centred around oxygen-supply machinery in hospitals becoming vulnerable to known malwares in the hands of malicious non-state actors, potentially linked to states, in addition to a rise in COVID dis/misinformation on social media platforms.

Before the start of the competition, we submitted a policy brief detailing our assessment of the events as well as a two-page decision document outlining both our assessment and three possible policy responses. While we definitely had to think about solutions to fix the cyber threat itself, we also had to think about ways to prepare the UK hospitals for a disruption of their oxygen systems in the middle of the pandemic and maintain trust in the NHS at a sensitive time. We also had to collaborate with the UK’s international partners to gather intelligence on the potential attackers.    

On the first day, the judging panels (comprised of experienced industry, academic and government cyber security experts) were given two minutes to read our policy brief; we then had to present our recommendations in just 10-minutes, before being questioned by the judges. Later that day, we were thrilled to hear that not only were we one of 10 teams selected to advance to the semi-final round, but we had also won an award for Best Oral Presentation.

At the end of the first day, semi-finalist teams had to quickly get up to speed with scenario developments. We were given an updated 40-page intelligence pack at 7pm and asked to submit another two-page policy recommendation document by 8am the next morning and give a 10-minute oral briefing at 10am. In this scenario, the crisis escalated: oxygen machines were disrupted at a hospital in Manchester, generating panic in the city; an escalating disinformation crisis worsened the panic and threatened a potential attack on the vaccine supply chain; and stronger indication was given that these non-state actors were linked to Russia. At this stage, we were in full crisis management mode. We knew we had to: 1) find ways to reassure the British public; 2) reorganise the allocation of oxygen canisters in Manchester and other hospitals likely to be the next targets; and 3) decide how to deal with Russia who was supporting and funding these malicious groups, without risking escalation into an international conflict.    

We worked all evening preparing our response. The following day, after briefing the judges in the morning, we were quite satisfied with our performance, though we were definitely less confident than in the first round since the questions asked by the judges were significantly more challenging. But by midday, we heard we were one of three teams competing in the final round.

We immediately started brainstorming ways in which the scenario could escalate in the final round. Suddenly, we were asked to jump on a call. From that moment, we were given just 20 minutes to read a final 10-page intelligence pack – featuring reports of a potential cyber attack on vaccine manufacturing plants, on top of all the other crises – and we had to quickly assess the situation, simultaneously preparing for another 10-minute oral briefing to provide policy recommendations for the Prime Minister.

The final round was a big challenge: problems were hitting from every side, and pressure was high as we were judged and questioned by people like Pete Cooper, the Deputy Director for Cyber Defence at the UK Cabinet Office. Nevertheless, we did our best, and after the initial adrenaline and shock of that final sprint, we were truly proud of our work.  

We were so happy when we were told we had won second place. We put up a great fight in the face of some incredibly strong teams, especially considering most of us had a limited background in cyber security. We used all the skills we learned in the MPP’s Policy Challenge I and we’ve all learned great lessons for future crisis management.

Tom and James are the only two people with some technical knowledge. But Tom doesn’t consider himself to be a cyber expert. He had some broad experience in cyber investigations and intelligence analysis and is the one who put together the team. He’s now more committed than ever to pursue a career in cyber national security policy after his MPP.

Laila and Frede had no experience in cyber security. Laila’s previous use of storytelling to break down complex issues related to US security policy ways that are relatively easy to understand helped to inform our communications strategy. Frede, who practiced as a lawyer for a few years before joining the MPP, shored up the legality of our recommendations, while Tom spearheaded our intelligence analysis and James responded to the technical threats. Each of us offered a different perspective, which helped us develop a well-rounded response, demonstrating how responses to crises must be interdisciplinary and multifaceted.

This is something echoed by Ciaran Martin, who we were lucky to have as our coach. Ciaran – who was the founding Chief Executive of GCHQ’s National Cyber Security Centre before joining the School – provided invaluable expert advice on how to approach the challenge. Perhaps even more importantly, he gave us the encouragement and confidence we needed to forge forward, especially since most of us were novices in cyber policy and we were four North Americans trying to respond to a cyber crisis in the UK.

As Ciaran said: “Broadly based skills are needed: that’s what the Blavatnik School teaches and that’s what cyber security requires.”

The fourth annual UK Cyber 9 / 12 Strategy Challenge took place online on 16-17 February. Ciaran Martin also delivered the final remarks at the end of the competition.

Frédérique St-Jean, Thomas Klein, Laila Ujayli (MPP 2020) and James Pavur represented the University of Oxford as team Cyberchase at the challenge.