Is it time for a Cyber Olympics?
AI artwork magic... hackers in hoodies feature on the Cyber Olympic medals

Whilst the closing ceremony of the 2024 Paris Olympics has already begun fading into history, the sporting achievements of the event should not be forgotten.

In the middle of a winter packed with an endless barrage of bad news, there was a shimmering ray of light for sports fans and the wider country when it was proclaimed that "New Zealand does really well" and had vaulted leaps and bounds up the medal table on a per capita basis.

Kiwi computer scientist Craig Nevill-Manning has been nurturing the analytics platform beloved by small nations since 2008 and the 'Olympic Glory in Proportion' chart was a reminder of NZ's sporting prowess:


4th in the world by medal tally per capita

What if this energy and drive could be harnessed for securing the nation too?

Back in June 2021, following the publication of the ITU's latest update to the Global Cybersecurity Index (GCI), we were told that New Zealand’s cyber-resilience was failing with our standing "plunging from 19 in 2017 down to 48 in 2021" and that "nations like Nigeria, Kazakhstan, Ghana, Tunisia and Azerbaijan" were rising up the rankings table.

The next (5th) Edition of the GCI is due out in mid-September and it will be interesting to see where NZ stands this time round.

If cyber was a team sport

Ahead of publication I asked my robot assistant/overlord ChatGPT for some ideas for sporting cyber events, something that could inspire a generation of STEM-hungry students to train for war in the 5th domain and see us take glory like we did in Paris.

For existing CTF fans, here are a few things to ponder this wet weekend as you practice your Python scripting, hone your risk assessments or ready some updated policies for the Cyber Olympics:

"The Cyber Olympics* could be an exciting and dynamic event that brings together companies from various industries to showcase their cybersecurity maturity and expertise. It would celebrate the achievements of organizations that have made significant strides in securing their digital assets, while also fostering a competitive and collaborative spirit."

Event Structure:

  • Theme: "Celebrating Cybersecurity Excellence and Innovation"
  • Participants: Companies from various sectors, cybersecurity firms, government agencies, and academic institutions.
  • Venue: A large tech conference center or virtual platform with multiple "arenas" for different competitions.
  • Format: Multi-day event featuring individual and team-based challenges, workshops, keynote speeches, and networking opportunities.

Competitions:

1. Capture the Flag (CTF)

  • Description: Traditional CTF competitions where teams solve security-related challenges, such as finding vulnerabilities, decoding encrypted messages, or hacking into simulated environments.
  • Categories: Offensive security (attacking), defensive security (protecting systems), and mixed-mode (red vs. blue team challenges).
  • Goal: Demonstrate technical skills in real-world cybersecurity scenarios.

2. Incident Response Challenge

  • Description: Teams are given a simulated cyberattack scenario (e.g., ransomware attack, data breach) and must respond in real-time, demonstrating their ability to detect, mitigate, and recover from the incident.
  • Scoring: Based on speed, accuracy, and the effectiveness of the response plan.
  • Goal: Showcase incident handling, communication, and crisis management skills.

3. Security Architecture Design

  • Description: Participants are tasked with designing a secure network architecture or security strategy for a hypothetical company. They must consider various factors, such as scalability, regulatory compliance, and potential threats.
  • Scoring: Based on innovation, robustness, and practicality of the design.
  • Goal: Highlight strategic thinking and design capabilities.

4. Penetration Testing Arena

  • Description: Teams conduct a penetration test on a simulated corporate environment, attempting to find and exploit vulnerabilities while documenting their findings.
  • Categories: Web application security, network security, IoT security.
  • Goal: Demonstrate offensive security skills and the ability to identify and report vulnerabilities.

5. Security Awareness Campaigns

  • Description: Participants create and present a security awareness campaign aimed at educating employees or the public about cybersecurity best practices.
  • Scoring: Based on creativity, effectiveness, and the ability to engage and inform the target audience.
  • Goal: Emphasize the importance of human factors in cybersecurity and the role of education in preventing attacks.

6. Threat Hunting and Intelligence Analysis

  • Description: Teams analyze real-time threat data to identify potential security incidents or vulnerabilities within a network. They must generate reports and provide actionable intelligence.
  • Scoring: Based on the accuracy of threat identification, the quality of analysis, and the relevance of recommendations.
  • Goal: Showcase advanced analytics, pattern recognition, and intelligence-gathering capabilities.

7. Supply Chain Security Simulation

  • Description: Participants address a supply chain attack scenario, where they must identify vulnerabilities in third-party software or services and implement measures to secure the supply chain.
  • Scoring: Based on the thoroughness of the analysis and the effectiveness of the security measures proposed.
  • Goal: Highlight the importance of securing the extended enterprise ecosystem.

8. Cyber Defense Simulation

  • Description: Teams are placed in a live simulation where they must defend a network against a series of cyberattacks over a fixed period. The attacks escalate in complexity and intensity.
  • Scoring: Based on uptime, resilience, and the ability to maintain service continuity.
  • Goal: Test defensive strategies, teamwork, and real-time decision-making.

9. Compliance and Risk Management

  • Description: Participants develop and present a comprehensive risk management and compliance plan for a fictional organization facing specific regulatory requirements (e.g., GDPR, HIPAA).
  • Scoring: Based on the plan's comprehensiveness, alignment with regulations, and risk mitigation effectiveness.
  • Goal: Demonstrate knowledge of regulatory frameworks and risk management practices.

10. Innovation in Security Technology

  • Description: Companies present cutting-edge security technologies or solutions they have developed. This could include AI-driven threat detection tools, blockchain for cybersecurity, or novel encryption methods.
  • Scoring: Based on innovation, impact, and practical application.
  • Goal: Encourage innovation and highlight the latest advancements in cybersecurity.

Not bad, eh?

I have to say my AI assistant did a beautiful job on the concept and I'll be looking for funding from the International Olympic Committee soon to progress the event. With breakdancing now bumped from 2028, why not a new tech-based event for the global audience?

There's no doubt for me that it could foster collaboration and innovation, potentially contributing to a more secure digital world. Yes there may be a few APT-led rivalries but that could certainly spice up some of the competitions listed out above and provide some much needed tension for desk-dwellers!

No sporting event is complete without an Awards Ceremony that recognises the top-performing teams and individuals across a range of categories. Think: Best Incident Response Team, Most Innovative Security Technology, Best Security Awareness Campaign and more.

For now, we have local security awards that may entice your entry: iSANZ. The closing date is 6th September so get going with your application and I hope to see you standing on the podium at the Gala Dinner soon!

Disclosure: *The Cyber Olympic categories were co-created with ChatGPT; there's something to be said for this AI stuff for ideating!

Ivano Bongiovanni GAICD

General Manager @ AUSCERT | Senior Lecturer @ The University of Queensland | Cybersecurity Management | Cyber GRC | Leadership | Design Thinking | Keynote speaker

2 months ago
Ryan Ko

Professor of Cyber Security at The University of Queensland

3 months ago

Yes, there is one in the International Cybersecurity Challenge, and you are welcome to support Team Oceania! We (Australia and NZ) got second last year and will be heading to Chile for this year’s finals.

Stephen Coates

cyber · infosec · cloud · risk · privacy | MBA + MSc + CITP MBCS

3 months ago

Wow! Either Olympics(TM), or maybe some kind of government selection process, as part of third-party due diligence before joining an elite cyber panel?

Nigel Hanson

CISSP, Digital Safety, Global AppSec, SCA, SBOM and Threat Modeling Professional.

3 months ago

Love it. The Digital Safety team would be keen to submit a team. Let's do it. Side-note: few years back we had 31con in Auckland and found it rather easy to attract top talent/speakers simply by hosting here in NZ. Think same would go with Cyber Olympics.

Ray Dussan

Enabling business leaders to build and scale secure products and services for a thriving future.

3 months ago

Take my money! I thought of this a while ago. I’m in
