Federal Employees News Digest

Feds vie for top prize in cybersecurity contest

The federal government spent about $15.9 billion on its publicly disclosed cybersecurity needs in FY 2019—an increase of more than half a billion over the previous year. Maintaining the security of agency computer networks and databases is a rapidly moving target, and responsibility for protecting those resources rests with everyone in the federal community. But this year, with hundreds of thousands of feds newly teleworking because of the pandemic, the sheer volume of change and number of newcomers to remote work has created additional vulnerabilities.

The agency at the heart of managing defense is the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, now working full-tilt to secure new teleworkers. “The COVID-19 pandemic has resulted in noticeable shifts in cyber risk calculations for organizations of all sizes," CISA Director Christopher Krebs said recently. "The hardware, software, and services that underpin our connected infrastructure have absolutely been tested and stressed in this telework-heavy environment.”

One way CISA is meeting the security challenge is surfacing more talent, and right now it’s gearing up for its second annual President’s Cup Cybersecurity Competition that rewards cybersecurity skills among federal employees. This week, Nathan Abse interviews Harry Mourtos, IT specialist and lead at CISA on the President’s Cup.

This interview has been edited for length and clarity.

What is the President's Cup Cybersecurity Competition, and how did it get started?

Mourtos: This our second year of the competition. It was brought about by Executive Order 13870, or the “America’s Cybersecurity Workforce” executive order. Under it, the Department of Homeland Security was tasked with developing a plan to hold a competition, to be called the President’s Cup, and the aim of that was to identify, recognize and reward the best cybersecurity talent in the federal government.

How do feds register, and when is the deadline?

Mourtos: Registration opened July 27, and will remain open, staggered, through the first week of the qualifying event scheduled for each competition. So, registration for the teams competition closes on Aug. 14. Registration for the individual competition closes on Aug. 20.

What was the impetus for creating one big federal cybersecurity competition?

Mourtos: The cyber workforce is a very big priority for the federal government. At any given time, across the country—according to one source, cyberseek.org—there are over 500,000 vacant cybersecurity positions, across government, private sector and the rest. So bringing in more talent into the federal cybersecurity community is key. So too is recognizing properly the talent that already exists within the federal government.

The competition is new—having started just last year. How is it going, scaling it up?

Mourtos: We had an interesting time with it last year. The executive order was signed and, suddenly, we had about 90 days to deliver a plan to the White House—that’s all—before we could move out, go ahead and hold the first President’s Cup. And it had to be held before Dec. 31, 2019. So, we operated as quickly as we could. We got that first qualifying round up and running within 45 days. And, in the end, we got the final round done just in time—on Dec. 8, 2019.

Can you outline how the competition works?

Mourtos: Literally, any federal employee can participate and compete—anyone with a .mil or .gov email address can register and participate in Round 1. Then, we do a down-select  based on scores. In the end, the top five individuals on two main tracks and, separately, the top five teams move on to a final round. This year, we decided to break the individual competitions down into these two tracks: Track A is focused on incident response and cyber forensics, while Track B is based on location analysis and vulnerability analysis. We learned from last year, it’s better to not span across the whole broad subject area. We created more focused individual competitions.

Last year, the competition was held partly online and partly in-person, right?

Mourtos: We held the qualifying rounds in a remote format; that was to maximize our reach to the whole federal workforce. But then we held an in-person final round. The final competitors came to our facility in Arlington, Va., where they participated in an in-person competition. For the individual events, it was done in just one day: 10 challenges and whoever solved the most became the winner of the President’s Cup for individuals.

The team competition, on the other hand, was a two-day event. We wanted to make sure we really got the best team, not the best five individuals who happen to decide to work together. It’s tough to do this, to really reinforce teamwork, when you’re using a remote format, as we were. So, to judge this, we put together a novel challenge concept: We put them together in a 3-D virtual “escape room.” We tested their problem-solving skills, their ability to work together and of course their cybersecurity skills. We live-streamed it. It’s eight hours long—a bit long, but it worked—and watching it will give you a really good feel for what we are doing here.

With COVID this year, won’t it all be remote?

Mourtos: Not as of now. So, last year we brought people for the final events to our facility. And, currently, we are planning to hold our final round at the facility in Arlington. However, we are planning for contingencies and keeping a close eye on government recommendations—and other appropriate sources—to determine our actions.

What are the prizes for the winners?

Mourtos: That is an interesting question. Ultimately the awards are the responsibility of the employing agency of the winners of each competition. Having said that, we do have our President’s Cup, an actual trophy that we maintain and update every year with the names of that year’s new winners.

What can the average fed do to improve their security defenses?

Mourtos: Some great things people can do to do to maintain cybersecurity can be found on the FedVTE Federal Cybersecurity Training website. It’s a great resource for cybersecurity knowledge. It has a ton of videos and materials for federal employees, veterans and uniformed service military—and actually also for state, local and territorial government employees. We also are proud of the materials used for the competition—once we expose them, we can’t reuse them in the competition, but they are great open-source educational materials for our community. Along with the competition videos, we provide walk-throughs you can click on if you have trouble understanding. We encourage people to check all these out. You can learn a lot here—these are great resources.

So, following the competition can help feds avoid cybersecurity errors?

Mourtos: Right. I mean, these challenges are as real-world as we can make them. We scoped out the work the federal government employees really do and used that for the materials.  The challenges are as real as possible. We feature challenges you just don’t see in other “capture the flag” or any other cybersecurity competitions out there.  

Finally, where can we find cybersecurity resources beyond the President’s Cup materials?

Mourtos: Some resources that might be most useful for federal employees can be found in the CISA/National Security Agency tip sheet. And, given the increase in remote work and learning, there are these additional CISA cybersecurity resources at https://www.cisa.gov/telework.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above