More than 400 young hackers are waking from their first decent sleep in two days after four teams from the University of NSW (UNSW) beat out the competition to dominate this year’s Cybersecurity Challenge Australia (CySCA) 2018.
Yet as skills-hungry employers descend with internship and job offers for the cohort of future cybersecurity specialists, industry sponsors were breathing a sigh of relief that, once again, the 103 hacking challenges they contrived proved hard enough to sustain 24 hours of continuous probing by some of Australia’s sharpest minds.
Each sponsor designs and prepares challenges in their area of expertise. For major sponsor Telstra – which hosted the CySCA servers and monitored the nationwide event from its Melbourne headquarters – preparing for the event takes a full-time team of seven people, and a support team of 15 more, over seven months.
“It’s a fairly big investment in people, time, and money,” Telstra CISO Berin Lautenbach told CSO Australia. “But it’s also great for my team – as they say, you learn the most when you teach – and it just grabs people because it’s a practical application of the skills they are learning in university. It’s puzzle-solving at scale.”
CySCA is well-sponsored – sponsors include the Australian Cyber Security Centre (ACSC), Australian Information Security Association (AISA), BAE Systems, Commonwealth Bank of Australia, Microsoft, Splunk, AustCyber, Cisco, HackLabs, PwC, and Telstra – and the interest is more than academic, so to speak.
“We want the entire industry to have good people,” Lautenbach said. “It’s in everyone’s interest for all the companies around Australia to have good security people.”
Hard enough but not too hard
Lyn Moore, first assistant director-general for Engagement, Operations and Intelligence with the ACSC, highlighted the value of the competition for students in launching the event on Tuesday.
“This is a great way for you to get real-world experience and establish yourself in our community,” she said while noting the “fantastic” inclusion of two all-female teams at the first-ever CySCA meetup, at AISA’s national conference.
“We need people who can drive forward the cybersecurity message and work out ways to do that more efficiently,” Moore told CSO Australia. “If we can encourage people to see that this is a viable option for them, and that there are always plenty of jobs out there, they’re never going to be wanting for work in cybersecurity.”
Recognising the diversity of skilled people now coming to cybersecurity, organisers walk a fine line between making the challenge hard enough that it tests even the most talented entrants – and making it easy enough for the increasingly diverse range of entrants.
One student, for example, has only been studying cybersecurity for 8 weeks and many others come from non-technical backgrounds. This breadth of skills must be accommodated in designing the challenges: “You want a bit of everything,” Lautenbach said.
David Stocks knows the importance of delivering a finely balanced competition. A competitor in the first-ever CySCA competition while he was a student at Monash University, Stocks now works as a senior manager for cyber security consulting with PwC Australia.
“It’s quite hard to design these things,” Stocks told CSO Australia. “You have to make sure the thing you’re making is broken in only one way, and that people will be able to find it, and that it’s the thing you intended.”
“The worst fear is of a team finishing very quickly, if someone is able to circumvent your challenge and do this not-very-hard thing to get in. But people do come up with ways of breaking things you intended to break, but in completely different ways – and that can be a challenge.”