You Need a Cyber Team
Maybe you, like me, are an Olympics fan (in my case: Summer Games, track & field). Most Americans look forward eagerly for the Super Bowl, while the rest of the world (and, increasingly, many in the U.S.) are waiting for the World Cup. But too few of us are aware that next summer will be the inaugural International Cyber Security Challenge, an esports event that pits teams from multiple countries against each other in cybersecurity skills. The U.S. is sending a 25 person team.
So what, you might say? Well, if you work in healthcare (or any industry, for that matter), or use any kind of digital device, you should care. Ransomware attacks on healthcare organizations continue to proliferate, the Colonial Pipeline cyberattack this past spring illustrated the weakness of other parts of our critical infrastructure, and we’ve all almost certainly had some of our personal data exposed in data breaches.
We’re in a war, but it’s not clear that we have the right army, with the right weapons, ready to fight it. Thus the U.S. Cyber Games.
The U.S. Cyber Games was launched in April, a collaboration between “growth hacking” firm Katzcy and the National Initiative for Cybersecurity Education (NICE) program, which is part of the National Institute of Standards and Technology (NIST). Katzcy was already offering PlayCyber, an esports Cyber Games aimed to attract “the very best cybersecurity athletes,” while NIST’s mission is “to energize, promote, and coordinate a robust community working together to advance an integrated ecosystem of cybersecurity education, training, and workforce development.” A marriage made in cyberheaven.
The U.S. team was chosen through three stages. The U.S. Cyber Open allowed cyberathletes to compete in a two-week long “capture-the-flag” competition, From that, sixty of the cyberathletes were invited to the U.S. Cyber Combine, an in-depth eight week screening process. That led to the Cyber Team Draft, which resulted in the team that will represent us in the International Cyber Security Challenge.
“Practicing defenses in today’s world when all rules are changing is difficult. This helps them see what attacks look like in real life,“ Jessica Gulick, Katzcy’s founder and CEO, told The Washington Post. Head Coach TJ O’Connor, who chairs Florida State’s cybersecurity program, added:
Understanding the most likely attack is one thing you gain through Cyber Games. It’s an attack-based curriculum, and then you can plan the most appropriate strategies when they occur…It’s very important to show them how to attack, and it’s not so they become attackers, it’s because you can’t defend against an unknown boogeyman you can’t explain.
Sears Schultz, one of the team’s captains, believes: “Competitions are a great way to get people more excited about cybersecurity. These actually have a direct relation between the skills and what you can do professionally. It’s a great way for companies to identify and recruit talent.”
So, what is your organization doing to identify and recruit this now mission critical kind of talent?
Healthcare organizations have hired IT talent for decades, but are now struggling to attract people with digital expertise, much less cybersecurity skills. Mobile health apps are exploding, but — whoops — many have critical vulnerabilities that leave them open to cyberattacks. The FTC wants to require health apps to report breaches, even though the companies aren’t necessarily subject to HIPAA, but reporting breaches is far short of stopping them.
Mobile apps, IoT, and cloud computing require a host of new skills, and pose a host of new problems. Conventional IT talent isn’t going to cut it.
Not every organization is going to be able to recruit one of the Cyber Team’s members (and I’m sure the U.S. Cyber Command and Big Tech will be at the front of that line). Esports and hackathons are two other nontraditional ways to find cyberathletes.
Esports, in case you weren’t aware, is a billion dollar industry, with tens of millions of viewers. Athletes can win millions of dollars, such as in the League of Legends tournament that is going on right now, attracting teams from throughout the world. There are esports venues; universities give out esports scholarships. It is becoming mainstream.
The International Olympic Committee took a step towards including esports in the Olympics by featuring the Olympic Virtual Series shortly before the recent Tokyo Olympics, and it is widely expected that esports will eventually be added as an Olympic sport. “The Olympics need esports more than esports need the Olympics,” Rod Breslau, an esports and gaming consultant, told CNET.
Feel free to replace “the Olympics” with “healthcare,” or any other industry.
“Hacking” sometimes has a negative connotation, but the skills it requires and develops are exactly the ones needed by cyberathletes. One of the Cyber Team members admitted to WaPo: “I love it. I really like hacking things…This is definitely something I want to do as a career. I want to do something from the offensive side”
Hackathons have been around slightly longer than esports, although they haven’t been commercialized in quite the same way. They are typically conducted over a short period of time, such as a weekend, and participants are challenged to come up with software solutions to problems. The appeal is that it forces people from a variety of backgrounds/companies to solve problems quickly, often leading to unconventional solutions.
Hackathons have been used by a variety of industries for a variety of problems, including healthcare. For example, in August the VA hosted a data science hackathon on the thorny but boring problem of medical coding. The teams didn’t solve the problem but organizers believe participants came away with ideas they could use to improve it.
MIT Hacking Medicine maintains a database of health-related hackathons, and Hacking Health “fosters inclusive innovation by connecting people to solve real-world health problems…By breaking down barriers and accelerating the pace of innovation.” It also maintains a list of past and upcoming hackathon events.
So, maybe someone your healthcare organization should be paying attention to the International Cyber Security Challenge next summer, or, at least, checking out what schools/programs the athletes come from. Maybe it should sponsor an esports event or team. Certainly it should hold or participate in hackathons to address some of the many problems healthcare IT has, and build relationships with Major League Hacking (“the official student hacking league”).
Or it could just wait for the next cyberattack.