Hey, Aaron here. Glad you could make it.
Like many college students, I had to make a key decision about where I wanted to attend college. At the time I made my decision, I was already decently set on Cybersecurity, so it came as a surprise to many that I decided to attend UC San Diego (UCSD) of all places.
Now don’t take this the wrong way, UC San Diego is an amazing school, but in a lot of ways, they don’t really have a substantial cybersecurity presence. There were plenty of similar schools that I could have gone to with established cybersecurity departments. So why didn’t I?
Truth is, I realized early on that going to a school for cybersecurity and joining a cyber club wouldn’t actually fulfill me in the ways I was looking for. My passion is and has always been teaching and mentoring others. If I wanted to make a big impact in my field, I needed to go where cybersecurity wasn’t, not where it was.
Also, it’s San Diego. So that played a decent role too.
This blog is about starting a cybersecurity organization on a campus where one doesn’t exist, and using the National Cyber League (NCL) Games to create a new generation of cyber enthusiasts.
Getting The Message Out
There were a lot of important decisions I made when trying to formulate the organization. Here were the biggest three.
Firstly, I created specialized cybersecurity presentations in collaboration with general computer science organizations. Fortunately, I found one such organization, the Association for Computing Machinery at UC San Diego, and quickly fell in love with the quality of people. They are my family at UCSD, and I’m glad I found them when I did.
Anyways, you’re probably wondering, what was the interest like?
Actually, once we got the word out, quite high! We managed to shove 70 people into a room with a 50 person capacity (but don’t tell the fire marshal that!).
At the end of these workshops, I provided an exit poll of sorts to allow the audience to communicate their specific interests in the realm of cybersecurity. From the responses to this form, we were able to get the contact info of people who were interested in participating in a Capture-the-Flag (CTF) Competition.
That’s Phase One: complete!
Secondly, when advertising the opportunity to participate in a CTF, I chose to market it as a specialized training program in cybersecurity, a natural extension of my workshops, which is something that everybody was familiar with.
You see, I found that the number one obstacle to getting people wholly unfamiliar with cybersecurity to participate in CTFs, is simply fear. There’s an irrational, widespread misconception that cybersecurity is reserved for the great intellects and the eccentric geniuses, and most people believe they have no shot at accomplishing in the field. It is one of many unfortunate factors that leads to a shortage of cybersecurity talent in industry.
Many of the talented, but uninitiated, are intimidated greatly by the prospects of “competing” in a cybersecurity “competition”. So instead, I made the decision to offer the NCL Games not as a challenge to prove yourself in, but as a way to train people who want to learn more.
This proved to be a very valuable way of characterizing the NCL Games to the unacquainted audience of UCSD. We went from having zero cybersecurity teams at the entire school to having two full teams of 7 people each in the competition, all of which were first-time, volunteer participants.
Granted, if you come from a community where cybersecurity is popular, downplaying the competitive side of CTFs may play against you, but for our purposes, it got us started.
Thirdly, the people who signed up for the competition were engaged immediately and thoroughly. We reached out promptly and with high energy. But our most important decision was to do everything we could to be the primary interface for the players.
By this, I mean we handled signups via our own systems before setting the players up on the Cyber Skyline website. We set our own deadlines for RSVPs long before the ones that the NCL sets occur. We even set our own pricing and payment system.
We were actually surprised to get approved by the school to help pay for NCL signup fees, but we decided to not eliminate the price tag entirely, because of the general reasoning that being financially invested in the NCL raises the probability of participation. We were able to use the funding to bring the price per person down to a less prohibitive (to some students) $9.
People who paid were immediately given access and told when training sessions would be leading up to the Games. Rather than call these training sessions, however, we wanted them to feel like a proper workshop. Fortunately, the NCL is actually structured in a way that facilitates this kind of presentation quite well.
The NCL as Training
In this section, I’ll talk a little about how we used the structure of the NCL Games to create a workshop series that brought complete novices up to speed on the NCL topics in a short span of weeks. Fun fact: the NCL Games are actually made up of four, clearly-separate games.
At the time we were purchasing tickets for people, the Gymnasium was actually already open and immediately available for play. This is a low-stress environment for players due to the lack of time commitment, the length of the period of availability, and the fact that walk-through solutions are provided for every challenge.
For this section of the games, since this would be the first exposure to the game format before the competition, we organized meetups and get-togethers every week to go over challenges and strategies for various categories.
This was a great casual way for us to hang out, eat food, and get our first practice for the games. Never underestimate how vitally important it is to just get to know each other. The NCL Games should be games among friends!
This part of the competition is individual only, so you have to make sure that people are prepared going in. If they aren’t ready just yet, you can give them the usual “make sure you answer at least one question” and then leave them alone. Otherwise, it’s still a great warm-up for the games to come.
In our case, we encouraged all our players to play as hard as they could, while also emphasizing that they would be on their own: Just give it your best!
Some players competed hard and placed in Gold in their first CTF ever. Some weren’t able to find the time to do more than log in and take the survey. Either way, don’t be afraid to take advantage of the Preseason as more than just a qualifying round. Have some friendly competition between team members!
The Individual Games
Whoa whoa slow down, there’s about a week between the Preseason and the Individual Games! Don’t let that time go to waste!
Now is the time to regroup and evaluate what everybody thought about their first real taste of the competition. Go over confusing topics and have everybody discuss their strategies together. Once the Individual Games start, they’re not going to be able to do that anymore. You want them to go into the Individual Games with as much prerequisite knowledge as possible. After it starts, they’ll be on their own.
For us, we didn’t want the inexperienced members of our team to get too discouraged by the “solo competition” of the Individual Games, so we treated the Individual Games as a way for those players to sort of train themselves further, with no help from outside. This is where we noticed a lot of substantial growth spurts among the members of the team. Being forced outside their comfort zone and not being able to rely on me or the other leaders as a resource allowed them to pick up those skills in a much more substantial way.
And all of this “training” and preparing led us to the main event… (at least for us!)
The Team Games
That’s right, for the purposes of these new recruits, we wanted their primary experience in the NCL Games and with CTFs in general to be one of both growth and collaboration. Hence, the Team Games allowed us to finally get everybody in the same room together competing in a welcoming environment. This is the essence of the cybersecurity presence I wanted to give to the budding enthusiasts of UC San Diego. This is exactly the kind of growth I wanted to work towards. (CryptoKait’s heart exploded with happiness when she read this!)
Now it’s still important, especially with players as new as these, that you reinforce the progress they do make, rather than hold them to win it all. In our case, we were lucky in that we had two teams of NCL participants of similar skill level that we could essentially pit against one another in some friendly competition. This lets us keep the competitive edge of the NCL Team Games, while also keeping the competition light and friendly.
We prepared our teams for the Team Games by making it the main event of the entire affair, an amalgamation of everything they had learned and been training for. We also used the games previous to the Team Games to identify topics that each student found difficult or excelled in. That way, once the games started, the captains of each team were able to delegate categories and work together smoothly.
Our competitive teams both made a great showing in the 2020 Spring Games despite the extenuating circumstances of quarantine and we look forward to holding a more rigorous and engaging competition in the Fall.
Experience Breeds Confidence
The NCL Games are an ideal way to get interested people’s feet wet in the cybersecurity space and help certain people discover a hidden passion for cybersecurity. At the conclusion of these games, we stand ready to create a cybersecurity organization right here on campus filled from the ground up with passionate people. Starting in the Fall, we will be an established cybersecurity organization with deep connections to other orgs, the first of its kind on campus in the last 2 years. We will be managing multiple competitive teams, hosting weekly instructional workshops, hosting our own on-campus, large scale CTF, and otherwise bringing cybersecurity back to UCSD in a big way.
The amazing people here that I came for put in the hard work, but the NCL Games made it all possible.
If you have any questions about using the National Cyber League to jump-start a cybersecurity organization on your campus, just leave a comment below!