Wary of looming shortages of digital security specialists, the federal government hopes to unearth the next generation of cyber warriors with its upcoming Cyber Security Challenge.
While the challenge looks on the surface like a bit of fun with a nice little earner for the winning team, its real goal is muscling up Australia’s cyber security ranks.
This is a deadly serious challenge for Malcolm Turnbull’s government. The problem is that worldwide demand for cyber security smarts is high, and training and retaining local talent, as well as recruiting cyber security troops offshore, will take time and effort.
A report put out last year by the Australian Information Security Association (AISA) said 78 percent of its members believed there was a cyber security skills shortage.
A 2016 survey by US think tank the Centre for Strategic and International Studies and Intel Security estimated that the global cybersecurity workforce shortfall would range from one to two million unfilled positions by 2019. In the US in 2015, about 209,000 cybersecurity jobs went unfilled.
The survey, which canvassed IT professionals in Australia, France, Germany, Israel, Japan, Mexico, the UK, and the US, found a high level of alarm over cyber security skill shortages. In Australia, 88 percent of respondents believed there was a shortage here, on par with Mexico but higher than the other six countries surveyed.
Australian respondents to the CSIS report believed that about 17 percent of open cyber security positions in their companies would go unfilled by 2020.
Cyber Security Challenge Australia 2017 has the imprimatur of Prime Minister & Cabinet and fits into the government’s $230 million Cyber Security Strategy launched last year.
The action plan in the strategy called for business, education providers and researchers to join a national effort to develop cyber security skills. Among a range of initiatives designed to grow the cyber security skill base, the strategy said it would ‘expand the Government’s annual Cyber Security Challenge Australia to a broader program of competitions and skills development.’
The challenge is a joint venture between industry, academia and government, and sponsors include Telstra, Cisco, the Commonwealth Bank, PricewaterhouseCoopers, Splunk, Facebook, Hacklabs, and Microsoft.
It’s a cyber feel-good event that provides a foil to the disastrous lapses in government cyber security presided over by the Coalition government, such as last year’s online Census failure.
The challenge will see teams of four full-time students from Australian unis or TAFEs compete for a prize pool that includes trips to the DEFCON 2017 cybersecurity trade show in Las Vegas.
This year the event wants more first-year student teams to participate and has included a new prize, a trip to the Ruxcon security conference in Melbourne, as an incentive.
The event also encourages participation from women to help break the stereotype of the typical cyber security warrior as described in the AISA report, which said its average member was male, aged 35 and over, had ten years of cyber security experience, was based in Sydney, Melbourne or Brisbane, and most likely worked in a bank, government agency or consultancy.
The white-hat hack fest goes for 24 hours, with the next one scheduled for May 10-11. Registrations are open now and this year’s event will be the fifth since the challenge kicked off in 2012.
It’s a mix of competition between the teams and a showcase for potential employers. As the website blurb for the event says: “CySCA will show you what it’s like to work in cyber security and will get your name in front of some of Australia’s most dynamic employers.”
Hacking the game itself is severely discouraged. On pain of disqualification, rule 9 of the challenge says teams cannot squirrel into the game’s infrastructure nor mess with the scoring application and monitoring system.
Denial-of-service attacks are off limits. One has to wonder, though, about the real-world merits of a team that could successfully muck around with the prohibitions undetected and win.
In the game, the teams will intrude on a fictitious organisation’s tech infrastructure and score points by finding flags scattered throughout the target’s cyber innards.
When a team submits a correct flag to the scoring website, they will be required to describe how they did it and provide advice on the vulnerabilities discovered.