Students from the UK’s top cyber security universities will compete in Cambridge this weekend, in part to address the country’s looming cyber security skills gap.

The best student hackers in the UK will take part in a cyber security competition this weekend, in order to demonstrate and improve their skills both as attackers and defenders in scenarios similar to the TalkTalk hack and the leak of the Panama Papers.

The event, hosted by the University of Cambridge Computer Laboratory in partnership with Facebook, will bring together 10 of the UK’s Academic Centres of Excellence in Cyber Security Research – the first time they have taken part in such an event together. The hacking event will take place on Saturday, 23 April.

Cyber security is considered one of the biggest threats facing our economy and infrastructure today, and talented hackers are being recruited by government and other agencies to fight cyber criminals. This hacking event will showcase the best student hackers in the country.

The students will be working on challenges which require them to exploit some common vulnerabilities - the very type that underpinned recent high-profile hacking incidents.

Each of the 10 universities is sending a team of four students to this ‘Capture the Flag’-themed event. Throughout the afternoon, the hackers will attempt to solve a series of puzzles, with the winners gaining points, and will compete in a series of challenges by attempting to hack the other teams.

An example of the type of challenge the hackers may face is to hack into a server and attempt to keep the other teams from getting in for as long as they can. The Panama Papers hack likely involved exploiting vulnerabilities in WordPress and Drupal, and the competitors may be tasked with finding similar holes in other software.

Facebook has chosen to visualise the progress of the game on a board loosely based on the classic game Risk. The goal is to conquer the world, with points awarded for each country that is captured. Each country has a couple of challenges based on different areas of cyber security, and students must be able to extract the ‘flag’ to claim the points for that country.

In addition to the teams taking part in the event in Cambridge, other students from the participating universities will also be able to take part in the event remotely, in order that additional students can polish their hacking skills.

“We have a huge cyber security skills gap looming in the UK, and we need to close it,” said Dr Frank Stajano of Cambridge’s Computer Laboratory, Head of the Cambridge Academic Centre of Excellence in Cyber Security Research. “Training our students for those challenges closes the gap between theory and practice in cyber security education. With any type of security, you can’t develop a strong defence against these types of attacks if you’re not a good attacker yourself – you need to stay one step ahead of the criminals.”

These hacking events also help highlight the different challenges involved in attack and defence. “Attacking is more difficult in general because there is no guaranteed recipe for finding a vulnerability, but in many ways it’s actually easier,” he said. “If you’re defending something, you have to keep absolutely everything safe all the time, but if you’re attacking, all you’ve got to do is find the one weak point and then you’re in – like finding the one weak point in the Death Star that allowed it to be destroyed. When attackers and defenders run on similar platforms it is also the case that, if you attack your opponents, they may reverse-engineer your attack and reuse it against you.”

In a meeting last year, Prime Minister Cameron and President Obama agreed to strengthen the ties between the UK and the US, and to cooperate on matters of cyber security affecting both countries.

A ‘Cambridge 2 Cambridge’ cyber security competition, held last month at MIT, was one of the outcomes of the meeting between the two leaders, who also expressed a desire that part of this cooperation should include an improvement in cyber security teaching and training for students.

From next year, some of the exercises prepared for these events will be part of the undergraduate teaching programme at Cambridge.

“Our team was able to gel well together, and that feeling of being ‘in the zone’ and working seamlessly together in attacking other teams, scripting our exploits and rushing to patch our services was fantastic,” said computer science undergraduate Daniel Wong, following last month’s Cambridge 2 Cambridge event.

“Maybe somewhat surprisingly for a computer hacking competition, the Cambridge 2 Cambridge event was also an exercise in interpersonal skills, since effectively collaborating with people you have just met under significant time pressure in a generally stressful environment does not come naturally, but I was very fortunate to have had teammates that really made this aspect feel like a walk in the park,” said fellow computer science undergraduate Gábor Szarka, a co-winner of the $15,000 top team prize at the Cambridge 2 Cambridge event.

The Academic Centres of Excellence in Cyber Security Research (ACE-CSR) scheme is sponsored by the Department for Business, Innovation and Skills, the Centre for the Protection of National Infrastructure, Government Communications Headquarters, the Office of Cyber Security and Information Assurance and Research Councils UK.

The 10 universities sending a team to Saturday’s event are: Imperial College London, Queen’s University Belfast, Royal Holloway University of London, University College London, University of Birmingham, University of Cambridge, University of Kent, University of Oxford, University of Southampton, and University of Surrey.

The text in this work is licensed under a Creative Commons Attribution 4.0 International License.