NICE Working GroupCompetitions Subgroup

Laurin BuchananSecure DecisionsJake MihevcMohawk Valley Community College

Play Your Way to Success: Building Tomorrow's Workforce

Gamification: it’s not just for kids

Is this your training? >>

If games & competitions are not part of your plan to recruit, educate, and retain your cyber workforce –you’re behind the curve

We’re here to help!

2

NIST NICE Cybersecurity Workforce Framework (CWF)

NIST Special Publication 800-181Taxonomy and common lexicon that describes cybersecurity work:• 7 Categories• 33 Specialty areas• 52 Work roles

─Knowledge, skills and abilities to perform each work role

3

https://doi.org/10.6028/NIST.SP.800-181

Employers use framework to assess workforce and identify gaps

Training, certification and education providers now map

content to NICE CWF

NIST NICE Working Group (NICEWG)

Brings together public and private sector participants to advance cybersecurity education, training, & workforce development

Six Sub-Working Groups:• Apprenticeship• Collegiate• Competitionshttps://www.nist.gov/itl/applied-cybersecurity/nice/about/working-group

4

• K-12• Training and Certifications• Workforce Management

NICEWG Competitions Sub-Group

Vision:Promote a spectrum of competitions that advances knowledge, skills and

abilities to nurture and expand a diverse national talent pool.

Mission:Empower a public and private

competition ecosystem by providing guidelines, standards, and best

practices for players, teams, schools, sponsors and organizers.

5

6

Need to grow capability & capacity in the workforce

Technical and virtual environments are important training toolsDoctors, pilots, first responders, military, professional athletes

Brain science shows repetition is essential to knowledge retentionMuscle memory: repeating tasks

enhances neural pathwaysMultiple avenues mean more

neural pathways & stronger retention

7

Gaming changed mental models of learners

Gaming encourages players to try different keys, different paths to win

Gamification encourages repetition• Provides positive incentives, not just

negative ones >> training is “sticky”

• As skills improve, challenges should too!

Competitions and games come in all flavors

8

9

K-12 Collegiate Workforce

Benefits of competitions and gamification

10

Many map learning & skills to NICE CWF

Promotes learner engagement

Encourages ethical practice and skill development in a controlled, legal environment

Opportunity for practitioners to fail and learn what happens, how to recover without impacting business environment

Employers can identify talent inside and outside the organization

Case Study: Attracting interest in cyber careers

11

Attracting kids to cybersecurity issues and work roles

Need to create positive “first contact” with cybersecurityStudents explore branching comics on different topicsCyber ethics story about

Student Council electionFollow a real world cyber

crime investigation: meet characters with different cybersecurity work roles, see impacts of choices

12

13

Storytelling is a powerful tool

Comics engage students whodon’t want to read text or watchvideos

Words and pictures scaffold comprehension and learning of abstract concepts like cyber

Literally “see yourself” in comics Critical for developing

self-efficacy

14

15

16

17

18

19

Memorable or exaggerated endings reinforce

learning 20

Address any topic or concept with comics

Comic shows consequences of choices,

not bound by realityof time or distance

Experience consequences of bad decision in a safe environment

Scoring turns comics into challenges and competitions

Case Study: Central New York Hackathon

21

Mohawk Valley Community College (MVCC)

MVCC: CAE 2Y

Utica College: CAE-CDE

SUNY Polytechnic

Air Force Research Lab in Rome, NY

Central New York (CNY) Hackathon: 1 event/semester

22

CNY Hackathon

8 different colleges participate

Teams composed of students from each college

Competition elements• Infrastructure (CCDC)• Capture The Flag (CTF)• Wireless Challenge

23

Competition infrastructure

24

172.18.13.t

192.168.t.5Web Server

CentOS

Team RouterCentOS 7

192.168.t.1

192.168.t.0/24

172.18.0.0/16

CNY HackathonSpring 2017Blue Team

Network Topology

Yum repo172.18.0.6

ScoringEnginesInternet

192.168.t.7Shell

Ubuntu

192.168.t.8Mail

Windows

Blue TeamNetwork

TBDBackupCentOS

Hackathon Router172.18.0.1

t = team number

172.18.14.t[1-4]External Kali VMs

192.168.t.10[1-9]Internal Kali VMs

DNS172.18.0.12

CTF172.18.20.1

Bunions?

Use Proxmox virtual environment

Competitors develop more than technical skills

Soft skills:• Leadership

Team Leaders – HANDS OFF• Teamwork

Teams created by script

Students learn WHY they need to learn networking, operating systems and coding so well

25

Students learn where they stand -need to work harder?

26

Students are engaged

Students WANT to come back better next year

Failure at CNY Hackathon?

Failure to work as a team

Failure to learn anything

Failure to be ethical

Success at CNY Hackathon:

• Great team comes together

• Epic failure leads to lessons learned!

27

CNY Hackathon Lessons Learned

28

Challenges need to be incrementalAvoid “rounds”Visual scoreboard >> engagementRed Team professionalism is criticalManage the competitive elementPrizes oriented towards the goals of the event:

• Most Valuable Teammate (MVT) • Most Improved (MI)

Benefit to MVCC goes beyond enrollment

Industry develops CNY exercises • Provides DIRECT alignment with

workforce needs • Faculty update curriculum 2x year!

Students see path:

29

0

20

40

60

80

100

120

140

160

180

1 2 3 4 5 6

Cybersecurity student enrollment over time

Strong performer Employment Red Team

Years of competition

Benefit to student’s next stage of development

Cyber is such an APPLIED discipline — it is uniquely geared toward competency-based education

Competitions map to career credentials: CompTIA Security+ and Certified Ethical Hacker “scenarios”

30

Case Study #3: Practice, training and education for the cyber workforce

31

Emerald Down: regional exercise

Pacific NorthWest Economic Region

Began in 2012 with IT teams from various organizations

Organizations had to reach out & cooperate• Learned what other organizations could do• Developed new partnerships and contacts• Cyber Incident Response Coalition and Analysis

Sharing (CIRCAS): public-private cyber resilience coalition

32

33

Emerald Down V: Board game simulation

https://vimeo.com/207705607

Different levels of government and military had access to varying levels of response

Game incorporated elements of luck, timing, relative power, etc.

Developed Cyber Annex to WA State’s Comprehensive Emergency Response Plan

Repeated exercisesfind gaps in plans

& what needs updates

34

Benefits of advanced exercise

Organizations explore how their Cyber Plans

integrate with WA State’s Cyber Annex

to Emergency Response Plan

Builds trust among technology and security practitioners

35

Raises awareness: public gains understanding and connects personally with cybersecurity

2018 global competition in Las Vegas: 2 hour LIVE broadcast

The future has arrived: cyber competitions as e-sports

“Shall we play a game?”

36

NICE WG Competitions Subgroup Resources

https://www.nist.gov/itl/applied-cybersecurity/nice/about/working-group/competitions-sub-working-group

• One-Pager on competitions

• “Cybersecurity Games” white paper

• Letter: “Ten Things Parents Need to Know about Competitions”

• Podcast interviews with cyber competition community members

• Coming soon: Competition Guides 37

Additional resources

Cybercompex.org

CTF-time.org

Academic competitionsNCCDC: http://www.nccdc.org/National Cyber League: https://www.nationalcyberleague.org/

GirlsGo Cyberstart & CyberStart from SANSWhy is NY State not participating?

38

National Cyber League

39

National Cyber League

California Mayor’s Cyber Cup

Regional competitions all across CaliforniaHigh school cyber teams compete for their city

Cities, mayors, business and parents see first hand the importance of cybersecurity

Focused on awareness and fun

Vision for New York?

Questions?

40

Join NICEWG Competitions Subgroup!• nicewg.competitions@nist.gov• Subject line: Competitions Subscribe• Include your full name and email

address in body of message

Laurin Buchanan laurin.buchanan@securedecisions.com

Jake Mihevcjmihevc@mvcc.edu