What it takes to qualify for the US Cyber Games team
Study and formal education in cybersecurity play a key role in creating the professionals of tomorrow. But just as necessary are hands-on training and experience. This is where people apply what they learned and see others in action and the tools and tactics that produce results. The US Cyber Games team provides the perfect environment to do just that.
Now entering season two, the U.S. Cyber Games features a group of young cybersecurity students and professionals that compete in challenges involving cybersecurity, pentesting, red teaming and a series of related problems and puzzles. Ken Jenkins, head coach of the US Cyber Games, describes it as a traveling team of young adults competing in Jeopardy-style Capture-the-Flag (CTF) events, focusing on cryptography and binary exploitation.
“They have forensics challenges, they have web application security challenges, and they must deal with reverse engineering as well as malware,” said Jenkins.
ChatGPT training built for everyone
Selection process
With the competition’s growing popularity, many people are interested in being part of the team. So, what does it take to qualify? Team members are selected from high schools, colleges and are sometimes recent graduates. The U.S. team management keeps the average age low to make it an avenue for youth development.
The selection process consists of multiple steps. This year so far, there has already been an open event where people came to compete (known as athletes). Several more phases gradually whittle down the numbers, culminating in a draft of 30 athletes. They represent the best of the best.
The team captain, head coach, assistant coaches and technical mentors are all volunteers, many of them teaching at some of the most prestigious schools in the U.S. Assistant coach Dr. Dane Brown, for example, is a professor at the Naval Academy in Maryland.
As this is season two, the new team has significantly benefited from the groundwork and success of season one. Jenkins has big plans to expand on the work of his predecessors.
“We’re taking it to the next level and are being more programmatic on how we operate,” he said.
Developing fluid tactics and strategies
On the day of an event, the team rallies behind the team captain and collaborates on how best to address their problems. Like in the military, they have a strategy set by command. But team members are free to originate and adjust tactics on the fly and work out problems amongst each other. The coaches and technical mentors prepare them, get them to the events, and help them during time outs, but they’re led by themselves in competition, according to Jenkins.
On CTF events, for example, the challenges are often released all at once for the teams to solve in the order they prefer or simultaneously as they decide. There are members on the team with definite specialties, and they work on specific challenges while others take on other tasks.
ChatGPT training built for everyone
“There is a lot of real-time collaboration going on, and a massive amount of discipline is required to complete some of the challenges,” said Jenkins.
Many of those involved are seasoned veterans competing in similar events for years. For example, university computer science and computer engineering departments often have capture-the-flag teams. The most capable members of these teams are now part of the U.S. squad, having already enjoyed success in CTFs or Red vs. Blue challenges in academia and at conferences such as DevCon and BlackHat.
How to win
The games and events are varied. Some have multiple steps and are scored based on different levels of accomplishment when dealing with various scenarios. Certain flags and objectives are given a points value. In one case, it might be a vulnerable application that needs to be defended. It is up to the team to keep that application up while facing a determined adversary trying to take it down. If they succeed, the team loses points.
Meanwhile, the U.S. team is attacking its opponents, intent on crashing their systems.
“Based on complexity and difficulty, event elements have different scoring values,” said Jenkins. “You’ll see different strategies where maybe your team has more skills in cryptography, so they go after the very challenging cryptography challenges to get points quickly.”
Some events last a few hours, while others can take several days and have several phases. Before the games kick-off, the rules of engagements are made very clear. Standard rules include attacks that fall outside the scope of the challenges; for example, competitors cannot block the scoring bot from keeping track of points or hack the infrastructure that hosts the challenges.
Criteria for acceptance
Such is the popularity of the US Cyber Games that many people want to get involved. So, what are the criteria for acceptance, either as athletes, coaches or mentors? The US Cyber Games website provides plenty of information on the process and how to participate. Those wishing to join the team as athletes must be drafted through the competitive selection process. Those that miss the draft but are strong candidates are added to the training and development pipeline to prepare for the forthcoming season three.
“We are always investing in talent for the next season,” said Jenkins.
Coaches are nominated and go through committee interviews before selection. Technical mentors are volunteers with lots of experience in either CTF events, Red vs. Blue or specific technologies or types of technology such as cryptography, forensics or web application security.
“We’re looking for technical mentors with great depth in those categories or specialties,” said Jenkins.
ChatGPT training built for everyone
Real-world parallels
While the events are extremely fun, they also have real-world applicability. Those taking part are learning to solve the types of problems that they might see in their future careers. They are resolving actual challenges being faced by businesses and government agencies today.
“Since cybersecurity is ever evolving, what we were doing last year or the year before is substantially different from what is being done in cybersecurity this month,” said Jenkins. “Being able to continuously hone your skills through competition and a team of events breeds confidence in dealing with adversaries during incident response. That closes a big gap compared to classroom learning.”
Go behind the scenes with the U.S. Cyber Games and Ken Jenkins on the Cyber Work podcast.
In this Series
- What it takes to qualify for the US Cyber Games team
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization