What is Cyber Boot Camp? Every June, a select group of students from high schools and middle schools in San Diego County, California, get five days of intense education in the art of defending computer systems, organized by the unique community-wide security awareness non-profit, Securing Our eCity, and sponsored by a variety of organizations, including security solutions-provider, ESET. This year some 50 students will experience a week of hands-on instruction, plus lectures from leading cyber security experts from San Diego companies as well as local and national law enforcement. The 2015 Cyber Boot Camp starts Monday, June 22.
Why Cyber Boot Camp?
Right now, there is a critical shortage of people with the skills and training required to defend computer systems against the growing ranks of criminals who range from data thieves to terrorists, plus a complex mix of state and non-state players. A report released at this year’s RSA Security Conference predicted a global shortfall of 1.5 million suitably qualified information security professionals by 2020.
In a large-scale survey 62% of hiring managers said their organizations “have too few information security professionals” and 45% are “struggling to support additional hiring needs”. This shortage is already thought to be undermining security in many organizations and addressing this problem, through improvements in education and career guidance, is vital to the future health of our digital economy.
As one of the world’s leading centers for cyber security, San Diego has pioneered exciting new ways to engage young people in the vital effort to protect the data and systems upon which so much of modern life depends. In March, the cyber competition known as the San Diego Mayor’s Cyber Cup marked its sixth year, with more than 50 teams competing, with six to eight students on each team. In previous years, the winning team was invited to Cyber Boot Camp, but this year was different: the top eight were invited. (more…)
The 2014-2015 San Diego Mayors’ Cyber Cup competition came to a dramatic conclusion last Saturday when the eight finalists battled it out at the San Diego Super Computer Center at UCSD for top honors. In case you missed the headline in the Ramona Sentinel, here is the result:
The team and its mentors and supporters deserve a huge round of applause. While Ramona is a lovely town, it is not exactly the kind of bustling metropolis you normally associate with all things techie. But during its six years, the Mayors’ Cyber Cup competition has done an amazing job of raising awareness of cybersecurity as both a great career choice and a vital part of life in every corner of San Diego County, and beyond.
Communities really get behind their teams, as you can see from this local headline: Del Norte High students learn cybersecurity, vie for Mayor’s Cup. The eight finalists were teams from the following schools, listed here in the order they finished in this year’s competition: Ramona High School; Mira Mesa High School; Westview High School; Robert F. Kennedy Middle School; Troy High School; Canyon Crest Academy; Robert F. Kennedy High School; Del Norte High School. (more…)
Every year IT security professionals gather at the RSA Conference in California, a chance to take stock, meet with peers, and explore new developments in IT security. Two themes stood out at RSA this year:
1. There’s more and more information technology to defend, but
2. The stock of people who have the skills to secure it is dangerously low.
These themes were echoed in a lot of this week’s conference sessions as well as in the many conversations that took place in the corridors and meeting places around San Francisco’s Moscone Center. Adding to the discussion were two new surveys that put some numbers to these themes.
I have included links to PDF versions of the reports here:
For me, the headline findings from the State of Cybersecurity survey were that 76% of respondents said their enterprise had experienced an increase in security attacks in 2014 compared to 2013; and 82% thought it was either likely or very likely that their organization would experience a cyberattack in 2015 (likely = 44%, very likely = 38%). In other words, attacks are on the rise and most organizations realize their systems are likely to be attacked. (more…)
Computer crime, online crime, cybercrime: however you name it or define it, most people can agree on two things: there is too much of it, and we need to do more to deter it. With the President of the United States now making frequent references to “doing more about cybercrime,” this is a good time to look at what steps need to be taken. You can go directly to the steps, but first a little context would be helpful.
For the definition of cybercrime let’s use this one: “crimes in which computer networks are the target or a substantial tool” (Koops, 2011). That neatly covers the long and growing list of high profile incidents that have come to light over the last 18 months, including the illegal hacking into, theft of data from, and/or denial of service attacks against: Target, Home Depot, JPMorgan Chase, Sony Pictures, Microsoft Xbox Live, Sony PSN, eBay, NSA, Adobe, Apple iCloud, and Community Health Systems.
Cybercrime prevention, deterrence, and cost
Note that this article is mainly about cybercrime deterrence, not cybercrime prevention. The latter encompasses the things that we do to protect our systems and data from criminals, things like strong authentication, encryption, and measures to detect and defeat malware. Crime deterrence is about making crime less appealing by: increasing the risk (of detection, identification, apprehension, prosecution and punishment); reducing the benefits (making it harder to profit from criminal activity); and deepening the social disdain and moral sanction that criminal activity should elicit. In terms of policy and strategy, the general idea is that combining crime prevention with crime deterrence results in crime reduction. (more…)
A new report from Deloitte and the National Association of State Chief Information Officers (NASCIO) points to state governments facing serious risk of pilfered electronic records.
The survey of state chief information security officers named a variety of risks facing state officials, including hackers attempting financial fraud, “hacktivism” (hacking aimed at making a political statement), stolen laptops, and foreign state-sponsored espionage. The study found that less than a quarter of state CIOs (24 percent) are “very confident” that their state assets are protected against external threats, while only about a third (32 percent) report that their staff have the required cyber security competency.
Deloitte says that government agencies have lost more than 94 million citizen records since 2009. The average cost per lost or breached record is $194. “The states have the most comprehensive information about citizens from birth to death, from doctor visits to tax information and benefits information,” said Srini Subramanian, leader of Deloitte’s security and privacy practice to state governments, and one of the report’s authors. “States have the most comprehensive information compared to any private sector organization.”
To read more, visit Report: States Face Growing Cybersecurity Threats.
High school students from the top three teams in the 2014 Mayors’ Cyber Cup spent this week at Cyber Boot Camp, hosted in the ESET building in Little Italy (the tall dark blue one with the ESET logo on top).
The Cyber Boot Camp format combines classroom presentations and discussions with hands-on work in the custom-built computer lab, seen here:
This year’s lab consists of 20 workstations running Linux and/or Windows, a big Cisco switch, various servers, and a variety of wireless access points, all of which become potential targets and a test of cyber defense skills. While the servers and networking infrastructure were put together by ESET researchers using gear supplied by the company as part of its sponsorship of the event, the workstations were loaned by Computers 2 San Diego Kids, to which they will be returned after the boot camp. (Every city should have an organization like C2SDK, a wonderful non-profit organization that recycles computers into the community.)
The lectures include security experts from around the San Diego area, including several members of the FBI’s cyber task force. We can’t show their pictures for security reasons, but here is Andrew Lee, CEO of ESET North America, discussing careers in cyber security with students.
The event would not be possible without the support of volunteers from the community. This year we got some great help from UCSD graduate students, all experienced “Capture the Flag” participants who clearly found that lending a hand at the boot camp was a very rewarding experience.
One of the great joys of this year’s boot camp was seeing students from different high schools working together to solve security problems, with these grad students offering suggestions and guidance as needed, acting as a form of learning accelerant. For next year’s boot camp we will be looking for more students from area colleges and universities to assist with the program.
The boot camp is such an intense experience that documenting it in real time is a real challenge. However, we did make sure that plenty of photos were taken and more will be posted here as time permits. The event was also documented by local and national media. For those who speak the language of Marketing and PR here is a number you might find interesting: combined national reach of the boot camp coverage is currently nearly 195 million unique monthly site visitors. Here are just some of the reports:
- Times of San Diego: “High School Students Attend Boot Camp to Fight Cyber Crime,” by Chris Jennewein on June 18, 2014
- KPBS: “San Diego Teens Learn How To Be ‘Cyber Defenders’” by Dwane Brown, Emily Burns on June 19, 2014 http://www.kpbs.org/news/2014/jun/18/san-diego-teens-learn-how-be-cyber-defenders/
- San Diego Technology Examiner: “ESET Cyber Boot Camp for tomorrow’s defense,” by Victoria Wagner Ross, June 20, 2014 http://www.examiner.com/article/eset-cyber-boot-camp-for-tomorrow-s-defense
- San Diego Technology Examiner: “Bitcoin used for extortion demands,” by Victoria Wagner Ross, June 20, 2014 http://www.examiner.com/article/bitcoin-used-for-extortion-demands
- Yahoo News: “‘Good Guy’ Hackers Are Cracking Codes for Change, and Profit,” by Joseph Williams, June 18, 2014 http://news.yahoo.com/good-guy-hackers-cracking-codes-change-profit-194830102.html
Today, this space will be filled with 20 high school students from the greater San Diego area. The students are taking part in something we call Cyber Boot Camp, five days of hands-on education in the art of cyber offense and defense, hosted by ESET North America and Securing Our eCity.
The classes will be led by ESET security researchers Cameron Camp and Lysa Myers, supported by other members of the ESET research team including Stephen Cobb and Aryeh Goretsky. In addition to the lab sessions, the students will meet experts from ESET and other organizations in the local community, such as Bridgepoint Education, San Diego Gas & Electric, San Diego Police Department, Verizon, C.A.T.C.H., the FBI and more.
New for Cyber Boot Camp this year is a field trip to Federal Court to hear from a judge and former cybercrime prosecutor. These experiences enable students to consider the skills they are developing and where they want to apply them in the future. And it seems to work. One boot camp alumnus, Vineel Adusumilli, a Westview High graduate now studying at MIT, was recently quoted in the UT San Diego as saying “Cyber Boot Camp was a terrific learning experience, combining lab work using the latest tools with insights from experienced security professionals.”
The goal of the boot camp, attendance of which was offered to the top three teams in the fifth annual Mayors’ Cyber Cup, is to provide the right learning environment to interest more students in cyber security as a career. As ESET security researcher Lysa Myers has pointed out: America needs to do a lot more to promote STEM education in general. At Securing Our eCity we think that cyber security is one of the coolest ways to apply Science, Technology, Engineering, and Mathematics in the real world.
As we reported previously, the 2014 winners were, in first place, Canyon Crest Academy. In second place was the team from Westview High School, the school that won last year. In third place was Mira Mesa High School. The other teams that made it to the final round were La Jolla Country Day School, Patrick Henry High School, Ramona High School, and 2012 cup winners, Troy High School.
Cyber Boot Camp lead instructor Cameron Camp, a security researcher with ESET, describes the week ahead to students before they head to the lab.
Of course, the Cyber Boot Camp would not be possible without the support of the community, so a big hat tip to the sponsors who made this year’s event possible, including ESET, SDG&E, California Coast Credit Union, Higgs Fletcher & Mack LLP, Hughes Marino and Mendez Strategy Group. A special thanks is due to Computers 2 San Diego Kids or C2SDK, who provided those racks of machines for the week, and do a great job supplying schools and families in San Diego with recycled computer gear.
The winners will be announced in just a moment, but first the news…
That’s right, the fifth annual running of the San Diego Mayor’s Cyber Cup was covered on television by Channel 10 ABC News who really seem to get how important this event is as a motivator for young people to consider a career in cyber security, one of the hottest job markets today and into the foreseeable future.
For those not yet familiar with the San Diego Mayor’s Cyber Cup, this annual competition, established in 2010, seeks to find and encourage the best cyber security talent in California’s high schools. The competition starts with a practice round, which this year took place in late January. There were over 50 teams participating from more than a dozen schools! The practice round was quickly followed by qualification rounds in February, all conducted over the Internet. Then the top seven qualifying teams came together on March 15 in San Diego for live, head-to-head competition.
And the winners of the 2014 San Diego Mayor’s Cyber Cup are: Canyon Crest Academy!
Well Done Canyon Crest!
The top team received a check for $2,500, presented by former Interim Mayor and City Council Member Todd Gloria, accompanied by fellow City Council Member, Sherri Lightner. Canyon Crest Academy is part of the San Dieguito Union High School District.
And well done to the runners up! In second place was the team from Westview High School, the school that won last year. In third place was Mira Mesa High School. The other teams that made it to the final round were La Jolla Country Day School, Patrick Henry High School, Ramona High School, and 2012 cup winners, Troy High School.
The winning team not only won the title and a year of hosting the very impressive cup that goes with that title, there was also a check. And there were checks for second and third place as well ($1,500 and $1,000 respectively).
But wait, there’s more… The top three teams this year will also be treated to a week of Cyber Boot Camp! Hosted in San Diego by the Internet security company ESET, the Cyber Boot Camp is a lively mix of practical, instructor-led cyber security exercises, plus classroom presentations by experts in a wide range of related fields, from law enforcement to computer forensics, malware research, and career advice. The event will take place during summer recess. Here’s a peek at a past session of Cyber Boot Camp:
Beyond winning great prizes in the Mayor’s Cup, there is a sense in which we all win from this competition. Right now, our country faces a critical shortage of cyber security expertise. One of the main goals of the project is to address that problem. Through the event and the publicity surrounding it we hope to encourage students of all ages, from all schools, to learn more about information assurance and computer security. Hopefully this will lead many more students to consider these and related STEM fields as possible career paths or courses of study in higher education.
Thanks to All!
This year’s competition would not have been possible without the volunteer work and financial support of many organizations. We will mention some here, but this list is by no means exhaustive. Thanks to Leidos for the use of CyberNEXS, the competition engine used in the event. The Mayor’s Cup is sponsored by the National Defense Industrial Association (NDIA), in cooperation with the University of California, San Diego (UCSD). With additional support from National University, SDG&E, DTI, TSG Solutions, Blue Pyramid, Minuteman Press, ISSA, TechFlow, DCS Corp, La Jolla Logic, Major Motion Pixels, Bridgepoint Education. Additional sponsors and supporters include Securing Our eCity Foundation, Computers 2 San Diego Kids, ESET, and The Ranger Group. With further assistance from Mr. & Mrs. Kurt Worden and Mr. & Mrs. Dwayne Junker.
We leave you with a photo of the very happy, and decidedly cool, third place finishers, Mira Mesa High School:
Educating people about the challenges of cyber security is at the heart of what Securing Our eCity is all about, so it was only natural that, when the Electronic Verification Network held its tenth annual meeting in San Diego last week, SOeC would be involved. For ten years now, the folks at EVN have been dedicated to making sure that every vote cast in U.S. elections counts, and they are particularly concerned with electronic voting, where verification can be challenging. The SOeC foundation was happy to assist with sponsorship and speakers.
Using digital technology to process votes might sound like a good idea, but it raises a lot of security questions. These were addressed in several sessions over the two-day conference, starting with the “Fireside (Firewall) Chat” with SOeC board member Howard Schmidt, who was White House Chief Advisor on Cyber Security to Presidents George H.W. Bush and Barack Obama. Mr. Schmidt is now a principal of Ridge Schmidt Cyber, LLC. Although on a tight schedule with a plane to catch, he graciously found time for a quick snapshot with myself and SOeC executive director, Liz Fraumann.
Mr. Schmidt set the scene for later discussions by reviewing the current cyber security threatscape in conversation with Jeremy Epstein, Senior Computer Scientist, SRI International, and a member of the EVN Coordinating Committee.
Later in the day, I was privileged to participate in a panel titled “Cyber Security Crossover: Leveraging Cyber Security Best Practices in the Realm of Elections”. Fellow panelists included David Dill, Professor of Computer Science at Stanford University, and Gary Hayslip, the CISO of the City of San Diego. The moderator was Pamela Smith, President of Verified Voting Foundation.
Two points became clear to me during these two days of great content and conversation. First, America is very lucky to have EVN keeping an eye on electronic voting. Second, as one expert put it, when it comes to Internet voting, “there is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology.” Not now and not in the foreseeable future.
The recent discovery of longstanding flaws in Internet encryption protocols like SSL and TLS is a stark reminder of the practical impossibility of ensuring secure Internet interactions of the type required for a secret ballot, not to mention the widespread distribution of state-sponsored malware.
In 2008, Verified Voting founder and co-panelist, David Dill, organized the creation of a document that spells out the unique nature of secure voting: the Computer Technologists’ Statement on Internet Voting. The document warns against “pilot” Internet voting projects, which already exist in some states in the form of email ballot submissions, and describes “the severe challenges that must be met if an Internet voting system is to justify public confidence.”
I was very grateful to have the chance to participate in this tenth anniversary meeting of EVN, and proud that my employer, ESET, was a sponsor. It’s not every day that you get to hang out with esteemed experts such as David Jefferson, the author of the one paper on Internet voting that everyone should read: If I Can Shop and Bank Online, Why Can’t I Vote Online? David is a Computer Scientist at Lawrence Livermore National Laboratory, a member of the Verified Voting Foundation Board, and serves on the board of the California Voter Foundation.
If you are still wondering “what could possibly go wrong?” when it comes to Internet voting, consider the following slide. It comes from the very interesting presentation on Internet voting experiences outside the U.S. by former Technical University of Denmark professor Joseph Kiniry, now Principal Investigator at Galois. He highlighted actual code from an Internet voting program that was used in national elections in one European country.
If you are familiar with computer programming, this slide speaks for itself, and apparently it speaks volumes. When I tweeted the above photo it was re-tweeted almost 200 times, reaching over 220,000 Twitter accounts!
In this year of mid-term elections in the U.S. there will be renewed interest in electronic voting and Internet voting in particular. Hopefully the warnings from technology and cyber security experts will be heeded.