What has the WannaCry ransomware attack in common with the student competition? First, let’s see what this contest is about.
Cyber 9/12 Student Challenge
The Cyber 9/12 Student Challenge is an annual cyber policy competition for students across the globe to compete in developing national security policy recommendations tackling a fictional cyber catastrophe. It was hosted by GCSP and Atlantic Council in Geneva. I participated in this year’s edition. Together with my doctoral student and two officers candidates, we formed a team called “Zombie“. We were led by PhD Rafał Kasprzyk from Military University of Technology.
Each team is expected to play the role of cyber security specialists. The first step was to analyze materials. We were given reports from intelligence, police, EU and NATO units. There was one newspaper article and a few tweets. Then we had to describe the situation and propose 4 solutions to the problem. Each solution was supported by a SWOT analysis. The solutions are addressed to decision makers such as prime ministers of EU countries, ministers of national defense, etc.
For a person like me, a programmer, it was a challenge and valuable experience. The competition required a look at the situation in a multi-criteria manner. There were no bad or good solutions. It was necessary to justify given recommendation and be politically correct.
You are probably wondering why the title of this article is the name of the ransomware attack. WannaCry has wreaked havoc all around the world since May 12 and paralyzed the British National Health Service, Telefonica, FedEx, Deutsche Bahn, and LATAM Airlines.
The Contest contained a fictitious course of action. Attackers were terrorist groups and hackers. They used ransomware as a way to raise funds. Main target was healthcare facilities. In the background of these events there were protests. There was a likelihood of riots. According to reports, there were outdated, unsupported programs, devices and operating systems in hospitals. That have caused ransomware threat. There was also a lack of security policy. That concerns the isolation of critical local networks from the internet.
WannaCry attacked healthcare facilities . It turns out that issues related to cyber security in hospitals, especially the HL7 protocol and health monitoring devices, were presented at the Hack In The Box conference in Amsterdam this year.
I think that competitions in style Cyber 9/12 are valuable sources of experience. There were people from all over the world who represented many fields. One could exchange experiences. Even if you are a programmer, I think getting up from the desk and approaching cyber security from a strategic level can bring a new perspective to your work.
Unfortunately, topics related to cyber security raised at conferences or competitions do not reach all decision makers, especially those responsible for critical infrastructure. We need to change our approach from reactive to proactive and raise public awareness of cyber security.