Industry insights

What it takes to qualify for the US Cyber Games team

Drew Robb
August 25, 2023 by
Drew Robb

Study and formal education in cybersecurity play a key role in creating the professionals of tomorrow. But just as necessary are hands-on training and experience. This is where people apply what they learned and see others in action and the tools and tactics that produce results. The US Cyber Games team provides the perfect environment to do just that. 

Now entering season two, the U.S. Cyber Games features a group of young cybersecurity students and professionals that compete in challenges involving cybersecurity, pentesting, red teaming and a series of related problems and puzzles. Ken Jenkins, head coach of the US Cyber Games, describes it as a traveling team of young adults competing in Jeopardy-style Capture-the-Flag (CTF) events, focusing on cryptography and binary exploitation.

“They have forensics challenges, they have web application security challenges, and they must deal with reverse engineering as well as malware,” said Jenkins.

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

Selection process

With the competition’s growing popularity, many people are interested in being part of the team. So, what does it take to qualify? Team members are selected from high schools, colleges and are sometimes recent graduates. The U.S. team management keeps the average age low to make it an avenue for youth development.

The selection process consists of multiple steps. This year so far, there has already been an open event where people came to compete (known as athletes). Several more phases gradually whittle down the numbers, culminating in a draft of 30 athletes. They represent the best of the best.

The team captain, head coach, assistant coaches and technical mentors are all volunteers, many of them teaching at some of the most prestigious schools in the U.S. Assistant coach Dr. Dane Brown, for example, is a professor at the Naval Academy in Maryland.

As this is season two, the new team has significantly benefited from the groundwork and success of season one. Jenkins has big plans to expand on the work of his predecessors.

“We’re taking it to the next level and are being more programmatic on how we operate,” he said.

Developing fluid tactics and strategies

On the day of an event, the team rallies behind the team captain and collaborates on how best to address their problems. Like in the military, they have a strategy set by command. But team members are free to originate and adjust tactics on the fly and work out problems amongst each other. The coaches and technical mentors prepare them, get them to the events, and help them during time outs, but they’re led by themselves in competition, according to Jenkins.

On CTF events, for example, the challenges are often released all at once for the teams to solve in the order they prefer or simultaneously as they decide. There are members on the team with definite specialties, and they work on specific challenges while others take on other tasks.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

“There is a lot of real-time collaboration going on, and a massive amount of discipline is required to complete some of the challenges,” said Jenkins.

Many of those involved are seasoned veterans competing in similar events for years. For example, university computer science and computer engineering departments often have capture-the-flag teams. The most capable members of these teams are now part of the U.S. squad, having already enjoyed success in CTFs or Red vs. Blue challenges in academia and at conferences such as DevCon and BlackHat.

How to win

The games and events are varied. Some have multiple steps and are scored based on different levels of accomplishment when dealing with various scenarios. Certain flags and objectives are given a points value. In one case, it might be a vulnerable application that needs to be defended. It is up to the team to keep that application up while facing a determined adversary trying to take it down. If they succeed, the team loses points. 

Meanwhile, the U.S. team is attacking its opponents, intent on crashing their systems.

“Based on complexity and difficulty, event elements have different scoring values,” said Jenkins. “You’ll see different strategies where maybe your team has more skills in cryptography, so they go after the very challenging cryptography challenges to get points quickly.”

Some events last a few hours, while others can take several days and have several phases. Before the games kick-off, the rules of engagements are made very clear. Standard rules include attacks that fall outside the scope of the challenges; for example, competitors cannot block the scoring bot from keeping track of points or hack the infrastructure that hosts the challenges.

Criteria for acceptance

Such is the popularity of the US Cyber Games that many people want to get involved. So, what are the criteria for acceptance, either as athletes, coaches or mentors? The US Cyber Games website provides plenty of information on the process and how to participate. Those wishing to join the team as athletes must be drafted through the competitive selection process. Those that miss the draft but are strong candidates are added to the training and development pipeline to prepare for the forthcoming season three.

“We are always investing in talent for the next season,” said Jenkins.

Coaches are nominated and go through committee interviews before selection. Technical mentors are volunteers with lots of experience in either CTF events, Red vs. Blue or specific technologies or types of technology such as cryptography, forensics or web application security.

“We’re looking for technical mentors with great depth in those categories or specialties,” said Jenkins.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Real-world parallels

While the events are extremely fun, they also have real-world applicability. Those taking part are learning to solve the types of problems that they might see in their future careers. They are resolving actual challenges being faced by businesses and government agencies today.

“Since cybersecurity is ever evolving, what we were doing last year or the year before is substantially different from what is being done in cybersecurity this month,” said Jenkins. “Being able to continuously hone your skills through competition and a team of events breeds confidence in dealing with adversaries during incident response. That closes a big gap compared to classroom learning.”

Go behind the scenes with the U.S. Cyber Games and Ken Jenkins on the Cyber Work podcast.

Drew Robb
Drew Robb

Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.