For an academic who can foresee the potentially catastrophic consequences on society of a sustained cyber security attack, Professor Frank Stajano is surprisingly upbeat.
Always on his mind as Head of the Academic Centre of Excellence in Cyber Security Research at the Department of Computer Science and Technology at Cambridge is the need to train enough cyber security professionals to prevent cyber-attack scenarios that could range from the annoying to the apocalyptic.
He is far from a lone voice. A recent study found that currently 2.8 million people work in cyber security worldwide – but another four million are needed to close the skills gap. And demand is increasing. Professor Stajano says:
Our society has grown to be totally dependent on digital infrastructure – to the point that, if you hypothetically imagined switching off all the computers in the world, essentially no services would work: no communications, no transportation, no logistics, no business, no food. It would be almost as catastrophic as global war.
While that alarming prospect is ‘pretty unlikely’, says Professor Stajano, it does help people understand why protecting digital infrastructure is essential at all levels, whether it’s your home computer, the electronic devices of big organisations or government systems.
Who threatens the digital world we all take for granted (except when broadband messes up working from home)?
‘There is no shortage of adversaries at all levels: against nation states we have politically and ideologically motivated enemies; against corporations we have the industrial spies; and then, against you and me, we have crooks who are simply motivated by criminal profit,’ explains Professor Stajano. ‘In 2017 the WannaCry ransomware gave you a brief glimpse of the NHS being brought to its knees by a cyber-attack. It was purely profit driven, and not aimed specifically at the NHS, but the patients who needed an operation that day were the collateral damage.’
With ‘everyone and everything’ a target of malign forces, the shortage of trained ‘cyber defenders’ is unsurprising. Professor Stajano says:
A Professor of Security and Privacy like me can teach a classroom worth of them per year, but we need other initiatives to attract many more people to a career in cyber security.
Computer security is a thrilling and fascinating subject, a mental chess game in which you must always be one step ahead of a devious adversary. Becoming a cyber defender is a career path that is intellectually rewarding (outsmarting devious adversaries), financially lucrative (these jobs are well paid) and socially responsible (defending your company and your country against ‘the bad guys’).
To encourage more young people to consider studying Computer Science and a cyber career, in 2015, with MIT’s Dr Howie Shrobe, Professor Stajano founded the ‘Cambridge to Cambridge’ (C2C) cyber security challenge – an ethical hacking competition designed to test the knowledge, skills and collaborative capacities of students.
The international C2C and the UK-wide Inter-ACE events, held from 2016 to 2018, also helped forge friendships between students that could be important in their future careers fighting those intent on hacking systems for their own nefarious ends.
For 2020 there has been a step change in the competition. It’s now a Country-to-Country Capture the Flag (C2C CTF) quest and a consortium of universities has committed to run it for at least five years, with a different host university each year. The C2C Co-Founders from MIT deserve much of the credit for putting the competition on a longer term and more secure financial basis, says Professor Stajano, who has now stepped back to an advisory role.
Current supporters include the UK’s Department for Digital, Culture, Media and Sport and the National Cyber Security Centre, alongside companies such as Gemserv and RSA, and the organising consortium established at Keio, the International Cyber Security Centre of Excellence (INCS-CoE).
This year Royal Holloway in London are the hosts (although the competition is held online), with Technion Israel Institute of Technology next year, MIT in Cambridge (MA) 2022, Keio University in Tokyo in 2023, and Australia’s Edith Cowan University in 2024. Any student from a university affiliated with INCS-CoE can apply to compete.
In 2020, more than 250 students from around the world applied and, on Sunday 6 December, more than 150 students in five-person teams will work on a set of challenges set by Australia’s Fifth Domain.
Cambridge has the highest number of students of all the participating universities, among them 10 Trinity undergraduates. One of those is second-year Computer Science student Viktor Mirjanić, who said:
I’ve had some minor experience with CTFs in the past, and I thought that this would be an excellent activity for the end of term. I hope to improve my experience in security and have a lot of fun in the meantime! I’ve always liked computers and programming, so studying CompSci was an easy decision.
During the competition, participants will apply many of the skills they are learning during their studies, including reverse engineering and exploitation.
‘For example, taking apart your favourite web browser and finding a flaw in it, and then building a website that takes over your computer when you visit it, so that from then onwards it records everything you type, including your emails and your banking passwords,’ says Professor Stajano. ‘This is what the bad guys routinely do, so the good guys must be skilled at it as well, otherwise they’ll never be able to outsmart them.’
Teams will be made up of five students, each team mixing different universities, countries, genders and skill levels so that participants must get to know each in order to collaborate on a problem.
‘This experience of working together, figuring things out, and finding solutions is a key part of the C2C CTF ethos,’ says Professor Stajano. ‘In future these students may well end up in senior positions defending their country or their organisation against organised cyber criminals. Their ability to cooperate, call up old friends, and work collaboratively will be vital.’
Trinity alumnus, Chris Underhill, who graduated in Physics this summer, and now works for Goldman Sachs as a Global Markets Strategist, agreed: ‘They are also a brilliant way of meeting like-minded people, and I’m still great friends with people I met at various CTFs.’
For other Trinity alumni, the cyber-challenge experience opened up new vistas that Stella Lau, now at MIT, is pursuing as part of her PhD.
I had very little exposure to security before I was encouraged to participate in CTFs by Professor Stajano and my peers. They, along with the competitions, piqued my interest in security, which is now one of my research interests, and I am grateful to them for having introduced me to such a fascinating area and community.
And veteran CTF competitor, Dimitrije Erdeljan, who was on several winning teams, had a similar experience. ‘These events got me interested in security, and that’s what I’m doing my PhD in, at King’s College, Cambridge, right now.’
The competitions I took part in were definitely a great motivation to learn about many topics I wouldn’t otherwise be exposed to, and a chance to apply theoretical knowledge. For example, exploiting an error in a protocol myself made me understand the cryptography course much better than just reading and solving example sheets.
Teamwork is, of course, useful everywhere, but it’s particularly important for this type of event – computer security is a large area connected to practically every topic in computer science, and having an organised team (even if you have only met them yesterday) means that everyone can help out in the area they are experienced in.
Dimitrije is looking forward to this year’s event despite the COVID-related constraints. ‘It’s great to see that the organisers have managed to host a competition with the constraints they have, where the participants are scattered all over the world. It is, of course, unfortunate that we will not meet others in person, but the organisers have done a great job ensuring that we still meet online: giving us contacts of teammates well in advance and setting up online chatrooms for participants.’
You can watch the C2C CTF video produced by MIT. Organised by Royal Holloway University of London, C2C CTF 2020, takes place over 24 hours on Sunday 6 December.
You can read ‘Some cyber security challenges feel like a treasure hunt‘ Q&A with alumnus Chris Underhill