ANCHORAGE, Alaska (KTUU) — Eight members of the UAA Cybersecurity Team are preparing their defenses against a team of elite hackers at the National Collegiate Cyber Defense Competition in Orlando, FL.
There, the UAA students will compete against collegiate teams from Standford, University of Washington, Rochester Institute of Technology, and six other teams, all of which rose to the top 10 from a series of regional qualifiers.
The purpose of the competition is to demonstrate the ability of the team to "operate, secure, manage, and maintain a corporate network," according to the NCCDC website.
Teams earn points by completing business tasks, referred to as injects — maintaining critical services like websites, databases holding sensitive data, and writing complex security policies on-the-fly — and lose points when the red team — cyber security experts volunteering at the competition who play the role of malicious hackers — are successful in breaching the team's defenses.
The scenario the UAA team will be encountering is geared toward experiences team members may encounter in the real world. At the start of the competition, teams will 'inherit’ the pre-existing infrastructure of a hypothetical business or industry.
"We're going to walk into a room and there will be computers sitting there, and the assumption that we make is that they're hacked, they're misconfigured," said team captain David Counts.
Previous NCCDC competitions have simulated critical infrastructure environments like electric utilities. In a qualifying regional competition this year, the UAA club was tasked with operating a fictional pharmaceutical company. In that round, the team had to secure and defend e-commerce websites and HIPAA-compliant databases where sensitive patient information would ordinarily be stored.
"We had credit card numbers there, an HR server, so we had social security numbers there, and that's all valuable information to hackers that businesses need to protect," Counts said. "That's the stuff the red team is going after. If they can steal that database, then they take points away from us."
Counts, a Management Information Systems major at UAA, helps bridge the gap between the business side and the technical side of the competition.
On the technical side, computer science student Rayce Toms is one of the team members with a depth of specialized technical knowledge in networking, system architecture, operating systems, and cryptography — techniques used to keep information like passwords secret.
In the fictional pharmaceutical company scenario, Toms, the team's Primary Windows System Administrator, says the attackers were quick to exploit any weakness in the system to wreak havoc.
"They start changing prices on things, they start deleting user accounts," Toms said. "PII is one of the most significant things we have to protect in the company."
PII, or Personally Identifiable Information, includes any vital information that can be used to compromise a persons identity — things like social security numbers, dates of birth, credit card and banking information — the loss of which can result in huge fines for companies that fail to protect user data, and catastrophic consequences for the people whose data is lost.
"Hackers don't cause breaches, people cause breaches," Toms said, quoting the famed con-man turned security consultant Frank Abagnale Jr., the subject of the 2002 film Catch Me If You Can. "It's either someone does something they weren't supposed to do, or someone failed to do something they were supposed to do."
At the start of one of the team’s final practice sessions before heading to Orlando, the work begins with the start of a stopwatch followed by a flurry of activity, much of which gets carried out in silence.
Each team member works to complete an assigned series of tasks, the success of which rely on the accuracy and thoroughness of the other members’ work. Despite all the preparations, the team knows to expect the unexpected, and has worked to develop the flexibility to respond to the unknown.
"I know the attack is coming. What can I do to get them out as soon as possible? If we mess up in any way, red team can get in our networks, and once that happens on one machine, it creates a pivot," Toms said of the team's preparations. "Now you have a compromised machine on your network, how can this compromised machine affect all the other ones?"
Competitions like NCCDC exist in part to address a growing skills gap in the cybersecurity industry.
Recent estimates suggest a shortage of nearly three million workers in the cybersecurity field globally, with nearly 500,000 unfilled jobs in the United States. Other estimates offer a more bleak assessment of the skills gap, and at a time with no signs of cyber attacks slowing.
And while tech companies, government agencies and contractors use competitions like NCCDC to recruit new generations of top talent, at least some members of the UAA team plan to keep their talents closer to home.
"I want to be able to protect my company one day when red team is there," Toms said. "I would hope that I am employed one day by some reputable company here in Alaska. I really want to help them protect their environments. I'm here for them to be honest. I want to help."