Student Security Competitions Help Lock Down Careers
To woo young people to the field of cyber security, local, regional, and global competitions give students a chance to test their knowledge and skills in front of the experts.
By Dian Schaffhauser
08/05/13
Before these 14 students from 13 different universities around the world could take on their Dragon's CyberDen elevator pitches or answer questions in the CyberWar Game challenges, they had other matters to attend to, like settling on team names, learning how to set the table properly for a queen's banquet, and hearing about the birth of machine cryptanalysis at Bletchley Park, the famous British site where German war codes were broken during World War II. All in a day's work for participants in a recent student cyber security competition — and any of these activities could also inspire them to settle on security for their future careers.
Student competitions such as CyberSecurity for the Next Generation, recently held at the University of London's Royal Holloway campus and run by security vendor Kaspersky Lab, make the work of security fun and interesting, according to Nasir Memon, professor in the Department of Computer Science and Engineering at the Polytechnic Institute of New York University in Brooklyn. "There is a tremendous shortage of highly skilled security professionals," Memon said. "These competitions tend to attract students to security."
High Demand
The need to bolster the ranks of security experts is voracious, according to a February study compiled by security certification organization (ISC)², analyst firm Frost & Sullivan, and Booz Allen Hamilton (yes, the same firm that employed National Security Agency leaker Edward Snowden for a short but perilous period). A survey of 12,000 information security professionals found that job openings in cyber security are expected to grow more than 11 percent annually over the next five years. Fifty-six percent of respondents said they believe there's a workforce shortage in their field.
The work of achieving secure computing is only getting tougher. In 1994 one new virus was created every hour; by 2012 that rate had exploded to one new virus every second, an amount that's expected to double in 2013. In the last year, leaks of secret data have poured down from the cloud; LinkedIn, Dropbox, and AP Twitter have all been victims of data breaches. Mobile malware is on the rise; in 2012 nearly 45,000 malicious files for mobiles surfaced — almost all of them intended for devices running Google Android.
Memon, who acted as an advisor for the United Kingdom event, also runs Cyber Security Awareness Week (CSAW), one of the largest student security competitions in the world. Last year's event drew more than 10,000 people from around the world to compete in just one of its security challenges.
By putting students through "interesting problems," Memon noted, they figure out "that, hey, maybe security is a cool thing and maybe I should think about security as a career."
But getting a taste of one's future career isn't the only benefit of participating in security competitions, he said. They also "hone people's skills [and] allow them to become better security professionals. We've interviewed students, and they felt they learned a lot from these competitions."
The learning comes in two flavors, he added. "One is self learning where the challenge makes them look at something, read something, pursue it. The other is implicit learning — how you do battle with an enemy, how you deal with situations where it's all unknown? Security is about the unknown. You're not sure how the adversary will really come at you. That cannot be taught in textbooks. The more you do, the better you become."
Security Competition Hurdles
Participants in the Next Generation event were selected through regional rounds. Students submitted papers online that explored a security topic; the winners of those rounds were brought together to make presentations. From those contestants, finalists were selected to attend the global event in England, which tested them in multiple ways.
One of the trials at the U.K. conference — the Dragon's CyberDen challenge — called for each student to deliver a two-minute "elevator pitch" that summarized the focus of his or her paper to persuade the audience on the importance of the theme. Topics were diverse: using on-chip monitors to verify the integrity of programs, encrypting files on the fly on Android devices, teaching elementary school children the basics of information security with a custom version of the game Snakes and Ladders, and managing security of near field communication applications to protect e-payment and e-identity data.
Before arriving in London, these finalists were also expected to produce a mock video newscast exploring a security concern that might be important in the year 2020. Ivan Dominic Baguio with the University of the Philippines predicted a "massive outbreak of malware" in "Oogle Glasses." Iwan Gulenko, a student at Technical University of Munich, foresaw the problems inherent in "smart" homes where malware in Chinese-made shavers connected to coffeemakers ("so your coffee will be ready after you're done shaving") spread to every other connected device in the home.
Another part of the competition required teams to perform security tasks such as cryptography, hacking, and decryption. For example, said competitor Rayne Reid, an information technology PhD student at Nelson Mandela Metropolitan University in Port Elizabeth, South Africa, "We were given a message and we had to decrypt the message to figure out what the password was." Her team, the Green Tigers, tracked down a code breaker online and used that to come up with the password. For other parts of the contest — specifically, tracking down a vulnerability on a virtual machine — the Green Tigers weren't so lucky. "We didn't finish that one," she noted.
The teams also went through an oral security quiz run by Lorenzo Cavallaro, an assistant professor of information security at Royal Holloway. Aside from a few "gimmes" ("Which pill did Neo take in the Matrix, the red pill or the blue pill?"), the questions could only be described as an academician's delight: "What is an 'opaque predicate'?" "What is domain flux and how does it work?" "Consider the following C code snippet... What's the name of the program vulnerability? Is it exploitable on an x86 architecture? Explain."
Expanding the Demographics
A continual challenge for student security competitions is getting participation from female students. Somewhere between 100 and 200 students land at NYU-Poly for the finals, but out of those, often just a couple are women students, Memon said.
To address that gender gap, this year, the university is hosting a two-week summer day camp specifically for young women. The effort is being funded by the National Security Agency and is drawing from a "commutable distance."
Security contests aren't always limited to higher ed. CSAW has a cyber forensics competition specifically for high schoolers. As Memon noted, "We do K-12 stuff too, because we believe we're losing the battle in high schools. People decide they're going to become doctors or lawyers before they think about getting into security."
Last year's contest drew about 1,500 students, he said. "We gave them a murder mystery and we gave them some evidence and they solved it online," he explained. "Then we picked the top 10 high school teams, brought them [to New York], and they were given additional clues, and they have about eight hours to solve it."
Kaspersky's Education Initiatives Manager Ram Herkanaidu said his company is also seeking new ways to reach young people. A recent outreach effort with the U.K.'s Plymouth University resulted in development of an interactive password manager game specifically to encourage young children to create strong passwords.
"Children will put something like their cat's name in, and we'll say, 'OK, that didn't really register high on the program.' And they'll say, 'But nobody knows my cat's name,'" Herkanaidu explained. As the child is guided through the addition of capital letters and numbers or symbols, the score goes up. As a reward they earn more pieces of candy.
"It's a mindset change," he said. "We try to get this mindset from a younger age."
Winner's Booty
It's a lure for participants that many student security competitions cover travel and related expenses for the winners — and they're frequently held in locations that people want to go to, such as London and New York. Plus, there are the lectures put on by experts, people who have uncovered security malfeasance, written books, or been on the front lines in major security cases.
Providing plane tickets, hotel nights, and meals for dozens or hundreds of people isn't inexpensive. Add onto that entertainment: Next Gen included a training session in royal etiquette, a ride on the Eye of London, and a boat trip on the Thames.
While the bills for Next Gen were covered by a single company, Kaspersky, NYU-Poly's CSAW also pays travel expenses for its winners — at least those residing in the United States. "We get industry sponsorship," explained Memon, "and we get some United States government money, like from Homeland Security. That money has to be spent on U.S. students." Organizations support security contests, he said, because "they find it a good source of talent. They come and recruit."
Understanding the Final Impact of Security Competitions
While security competitions for students are growing — Memon says dozens exist — what's not well known is their ultimate impact on a person's decision to pursue security as a career field. The evidence is really only anecdotal at this point.
For example, Next Gen winner Firman Azhari, an electrical engineering student at Indonesia's Bandung Institute of Technology, said he knows security is the direction he'll go. "This conference has been a really great opportunity, and it makes me more determined than ever to continue my studies and build a career in IT security," he said.
But Memon would like to see a deeper effort made to understand the effect of student security competitions on career decisions. "What we are lacking is more of a longitudinal study where we can track them and see where they go. We plan to do that," he said. And while he's at it, he also hopes to reverse engineer the "DNA" of people drawn to the security professions — "to study whether there's something special about these kids who have an aptitude for security. Can we spot their aptitude early?"