Thoughts on CyberPatriot
Table of Contents
"CyberPatriot is the National Youth Cyber Education Program created by the Air Force Association to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation's future. At the core of the program is the National Youth Cyber Defense Competition, the nation's largest cyber defense competition that puts high school and middle school students in charge of securing virtual networks." (via uscyberpatriot.org)
tldr; CyberPatriot was a ton of fun and was the perfect blend of competitiveness and difficulty to capture my interest. I think it's a smart way to introduce 'the youths' to cyber security or even just computers. I’m ecstatic that we won first place (in the All Service category, CPXI), it feels like all our effort paid off :)
Experience
CyberPatriot was one of the most enjoyable and fulfilling experiences of my time in high school.
It was fun because of the wonderful people on my team, the other competitors I was able to talk to, and the rich playground set up by the CyberPatriot organizers. Any of the program’s flaws are far outweighed by its positive influence.
What is CyberPatriot?
Imagine you are given a virtual machine (essentially, another computer you can run on top of yours). You follow the instructions to open it, and told to make it more secure. It's something called "Linux." You feel like you should set up a firewall, because you've heard about that in movies. You look it up, and find some random sketchy site:
You follow the instructions, open a terminal by clicking the little black box, and type:
# ufw enable
And a couple seconds later you hear the stage clear music from the original Super Mario, and see this:
You click on the thing that says "Scoring Report", and you see:
Firewall has been enabled - 3 points
Wow, neat. You click on the thing that says "Scoreboard", and you see a huge list of teams. You CTRL+f search for your number, and find your three points.
You get some more points, and slowly climb the scoreboard. When you feel the joy of taking an abstract concept, applying it, and being rewarded, along with the compulsion to find as many points as possible and to qualify for the next round, or even Nationals, then you understand the program and its simple but effective appeal.
I'm going to talk about how I got into the competition, how it influenced me, and how I think it could be better.
Induction
Going into high school, I thought I wanted to be a software engineer. All I knew was that I liked computers, and programming is what those type of people did for a living. I also enjoyed physical security (locks, lock picking, and taking things apart), but that mindset isn't applicable in a computer-related field. Although I had looked at job postings for a few security positions, I had never considered them to be desirable. My mental image of these positions were stressed out people on call, stuck in dark and stuffy data centers, rapidly replacing faulty hard drives for hours on end.
I saw a CyberPatriot poster at my school and figured I would try out, thinking I would be decent at it. I wasn't able to do much in my first year. I was a competitor on one of our 'freshmen teams', and we had no clue what we were doing. It was very unorganized, and decidedly an uncompelling experience.
However, this was due mostly to our school’s poor administration of the program at the time. Although CyberPatriot could have made it easier to get started, in the end, it is a "knowledge competition." Using the tiny bit of information they did release would have at least given us a foothold.
In May of 2018, myself and several other competitors sent a document of proposed changes to the CyberPatriot office, which would remedy the grievances laid out in the latter part of this post. They acted on some of the suggestions in the following year (as mentioned in the post), but since then, they have implemented (in some form) all of our suggestions-- so many of the complaints may be no longer valid.
We were in the All Service category, which is only open to JROTC programs. This means the competition was easier than if we competed the Open Division (open to any high schools), but IMO, not drastically enough to meaningfully change the experience.
In any case, despite the lackluster experience, I was interested in trying again.
Luck
My second year, I spent a bunch of time in the summer learning about the mythical "Linux." Armed with the knowledge from OverTheWire wargames, I built a very basic script to help get onto our varsity team (and having experience with Python, from trying to automate games, made learning Bash much easier).
At our school, a new student transferred in, and I was very lucky to have him (Frank) as a team captain; he was persistent and knowledgeable enough to help teach me (or better yet, encourage self-study).
This was a cosmic stroke of luck. Crazy plot-developing transfer students usually only show up in anime. I didn’t do anything to deserve having a Frank.
I believe that this is the jump that would make CyberPatriot more fulfilling for a majority of the teams: a competent and dedicated mentor. CyberPatriot currently offers a mentor program that, in my opinion, misses the mark-- either the mentors are out of touch, incredibly busy, specialized in something unrelated, or just extremely unfamiliar with the competition’s material. This is no fault of the mentors themselves, of course. They are real people in real careers that in no way should be expected to bend over backwards for a high school competition. So, unfortunately, there’s no way that I know of to accurately replicate my experience, to incite passion through mentorship. I can try to Be The Change I Want to See and mentor a team-- and I will-- but I'm only one person. It really is luck. Competitors can teach themselves, but without any community or role model, it's easy to get discouraged.
Sidenote: The Appeal of the Competition
It would be impossible to be excited at all about this competition, mentor or not, if it wasn't so well designed. CyberPatriot is a dull, distilled image of "cyber security," which makes it all the more exceptional. There is no threat or malicious actor (besides the competitor themselves), yet the competition is exciting and adrenaline-fueled. Being able to receive gamified validation for self study in this field gave me enough motivation to continue to pursue it, and realize that it was immensely interesting, beyond anything I had expected. It was like computer science, but... real. In no other field could I read about how something worked, type something into a terminal and have practical experience with it in ten minutes, then walk outside my room and have a new view of the appliances that affect our lives.
I'm uncertain whether the unassuming design of the competition was intended to have this effect, an exciting, low-stakes playground for incremental gratification at a large scale, but it works very well. It also doesn't hurt that it's easy to promote the program. The public image of jobs in information security are conventionally made out to be needed, practical, and lucrative (which is often enough to get people to try out the program, but not enough to keep participating if they don't enjoy it).
I also can’t ignore the strong social aspect of the competition. Especially with middle and high schoolers, who have limited agency, sharing a common goal and interest with your friends outside of school, or even students across the country, can amplify the program's appeal considerably.
Qualifying for Nationals
Back to my anecdotal experience, we were able to qualify for Nationals in CyberPatriot IX (thanks to Frank). Going to Nationals in my sophomore year was incredibly fun, fresh, and perspective-broadening. It solidified the abstract world that I had been interacting with through VMs and the internet. It’s real, it’s applicable (there’s a red team trying to get into your vulnerable machines!), and they're giving me free food. The CyberPatriot organizers did a fantastic job of encouraging and rewarding the Finalists. The trip was completely free, the rooms were nice (although they did attempt to put four people in one room with two small beds), and the experience was polished. For example, that year the theme was "AFA: Always Food Available," a food drone delivery service. After orientation, they dropped off a box of candy and goodies by our hotel door (as if it were delivered by drone). The competition also allowed students to interact with each other, not to mention the 'industry professionals', and revealed what appeared to be Northrop Grumman burning piles of money by the shovelful.
Although we didn’t place in the top three (or even close, probably), in my mind, getting to go there was winning. That lack of ambition or confidence may have contributed to the next year's outcome. But it was fun, much more fun than it would have been if I was dead-set on winning... so it's definitely a trade off, one which I would recommend hanging on the 'fun' side of.
Independence
The next year brought us CyberPatriot X, and I was lucky to be chosen as team captain after Frank graduated. My team made it to Nationals once more, and this time by a huge margin above the next team in our category. This year was exciting, since I was able to assume more responsibility. But I felt that merely making to Nationals would be winning, while secretly expecting that we would happen to win top three without trying. Up to this point, I had enjoyed great outcomes without putting in much work.
We placed fifth at Nationals, which warrants no award, and we did fairly poorly on the largest section of the competition (Network Security Master Challenge), with a solid -400 points from SLA violations. It illuminated my lack of experience and practical ability.
In addition to this absence of practical knowledge, I also had a very unproductive mindset for 'winning' the competition, in which I thought I could just carry the team myself and I didn’t need to work with or care for any of my teammates. Obviously I couldn't even carry myself, and expecting to carry four other people single-handedly is foolish.
CyberPatriot XI
I started this year with a single goal, having learnt from my previous mistakes: place first (in All Service) at Nationals. I had the experience to know what I did wrong, and to know what kind of challenges were at Nationals (they're really not the same as the online rounds). Over the summer I spent a lot of time on HackTheBox, rewrote our checklists with a focus on 'active defense,' and most importantly, I spent a ton of time practicing, actually doing things, with and without my teammates.
The previous year I put together, with a friend from another team, a list of changes for CyberPatriot (17 suggestions) and emailed them to the CyberPatriot Office. Although they didn't respond, I saw a lot of the changes we suggested put into place, which was really neat. They were listening, and more human than I previously thought.
After qualifying and doing really well in the online rounds again, the actual Nationals experience started poorly because our flight got canceled (thanks Southwest). Our coach and one of my teammate’s parents were nice enough to drive us two hours up to LAX to catch a flight to Dulles (when the competition was in Baltimore). Somehow we made it, practiced with the services they would probably give us, and one nervous night later, competed in the NSMC and Cisco challenge. Another stress-filled day of waiting and a nerve-wracking dinner later, we won first place in our division.
I don't really know what insight to glean from this, except that the major barrier to achieving my goal was myself, and after remedying that, I found an incredible motivation to work on it. And in doing so, acquired a great appreciation for the value of practice.
I'm sorry if that isn't helpful to other competitors reading this, and maybe having no idea how to improve or learn despite having the passion required-- to be truthful, it felt like I was navigating blindfolded, having no idea how to teach myself something without knowing anything about it (the unknown unknowns). And I've come to realize that’s completely normal when you’re new to something! Just keep learning what you think is best, and eventually (whether that was best to learn or not), you’ll achieve a greater understanding of the field and its content, which itself lends a greater ability to learn new things.
Criticisms
I've sung the program's praises, so I'd like to discuss what I think can be done better.
There is not enough technical information or resources provided for new teams or competitors. This could be easily remediated by providing a longer list of 'suggested readings' or articles. It's very difficult to get an accurate scope of vulnerabilities or study material with the modules provided by CyberPatriot without prior knowledge.
CyberPatriot has some technical slideshows (which are helpful), but the subsection of the possible vulnerabilities that CyberPatriot chooses to use must be enumerated through trial and error, and personal research. In a way, this is a fantastic way to encourage the self-study and rigorous research of securing an operating system, but not if the same subsection is repeatedly reused. With reusing >80% of vulnerabilities, CyberPatriot provides a strong advantage to teams who have competed before. A stronger supply of technical information provided on behalf of CyberPatriot and greater variance of vulnerabilities from year to year would enhance the practical fairness of the program to newer competitors, and raise the accuracy of assessing the competence of older competitors. (EDIT: They have provided more information for new teams, but I think they could stand to add more).
The rule in and of itself that it is not permitted to store or share vulnerabilities hurts the potential of the program as a larger learning experience. Of course, with this system, this rule is required to preserve the integrity of their testing system (which is infrequently modified at its core, as previously mentioned). If they were to release a small subsection of vulnerabilities, and vary their vulnerabilities from year to year and round to round, it might be a good compromise.
Also, the rule that people can’t publicize anything (resources, guides, scripts, software) related to CyberPatriot seems counter-intuitive to generating more interest in the program. I understand preventing sharing of scripts, but guides and resources should be permitted to be publicly accessible, since it's commonplace for teams to 'pass down' knowledge in exactly the same form from one year to another, especially at schools with large CyberPatriot programs. (EDIT: It looks like this restriction has been loosened, or at least, not enforced).
Another suggestion/criticism involves the qualification for Nationals with the two categories. As it stands, there are two tiers (ignoring Middle School): Open division (any high school, non-JROTC) and All Service division (AFJROTC, NJROTC, AJROTC, MCJROTC, CAP, Naval Sea Cadets). Two teams from each category in All Service go to Nationals (plus one wildcard), and the twelve top teams in the Open Division. CyberPatriot began primarily as a military program and only allowed open high school teams beginning in CPIII, and I don’t think that CyberPatriot should remove this division of categories. However, for a more skill-based competition, CyberPatriot should allow six of the highest Open division teams, and six from All Service (one for each category), and the remaining 12 slots should be reserved for whichever team has the highest score (Open or All Service). This would be a decent compromise between a purely skill-based competition and the way it is currently (given that Open often outperforms All Service by a large margin). Or, perhaps, increase the number of teams at nationals, although this may be tough logistically.
My final criticism is that many schools have mentors that have previous knowledge of most of the vulns, and, due to the first point, have multiple high-scoring teams. This year, CPX in 2018, all the Open division National finalists are from five schools (sending up to three teams each). In order to foster a diversity of competitors and reduce coach advantage, allowing only one or two teams per school would be a good decision. (EDIT: A version of this has been implemented).
Moving Forward
The people running the CyberPatriot program are fantastic and I thank them for their commitment and efforts. CyberPatriot was an invaluable experience. For anyone on the fence for participating, you never know if you’ll love it if you don’t try.