Reprint from March 16, 2018
The world watches sports for thrills and bragging rights — but among the millions, a select few are watching for bots, hackers, malware and social media trolls. It turns out international sporting events are irresistible to cybercriminals, and their attacks give experts strong leads on newly engineered malware and tactics, serving as a kind of early warning system.
Now the Colorado Springs-based nonprofit Cyber Resilience Institute is launching a new type of program that uses sport to help attract, train and retain a much-needed cyber threat intelligence workforce. The c-Watch cyber workforce program can be adopted in communities across the country, according to Doug DePeppe, CRI co-founder and board president, and it uses a major international sporting event as the capstone activity after 10 weeks of training.
The “elixir of sport” is the draw, he said, but the training, skills and graduates go well beyond the sports arena. New hacking tactics used at the PyeongChang Winter Olympics, for example, didn’t end with the closing ceremony. There’ll be “a new wave of commercial attacks” that spin off from those, DePeppe said — and every cybersecurity professional in every community will need to know about them.
Communities nationwide need cybersecurity experts experienced in information-sharing environments, DePeppe said. CRI is using sports to make that happen.
“CRI has a mission of helping communities build their community capacity for cyber programs, and principal among that is cyber threat intelligence information sharing,” DePeppe explained. “We saw an opportunity a couple of years ago with the Olympics in [Rio de Janeiro] … to showcase what an information sharing environment could do, how it would operate and what the outputs would be — and to leverage the attractiveness of sport as its targeted activity.”
Sports-ISAO, which is now a program office of CRI, was set up for the Rio games. CRI ran it as “an out-of-hide demonstration project,” involving corporate partners, setting up an internship program and a pop-up security operations center, and showing how fast and responsive threat intelligence analysis could be.
ISAOs are Information Sharing and Analysis Organizations. In 2015, President Barack Obama issued an executive order directing the Department of Homeland Security to encourage the development of ISAOs.
“America’s cyber adversaries move with speed and stealth. To keep pace, all types of organizations, including those beyond traditional critical infrastructure sectors, need to be able to share and respond to cyber risk in as close to real-time as possible,” the DHS website says. “Organizations engaged in information sharing related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States.”
Even before the opening ceremony, DePeppe recalls, the worldwide hacker group Anonymous launched an ongoing series of cyber attacks in Brazil. Those were followed by attacks from the Russian-affiliated Fancy Bear cybercrime group, and attacks on the World Anti-Doping Agency and the U.S. Anti-Doping Agency.
“So a lot of things started to happen in sport afterwards,” DePeppe said. And sports organizations came knocking.
“We realized that this was even bigger than we thought [so] we put some more structure around it, brought in more partners,” he said. “Then in parallel to that, the Cyber Resilience Institute landed a contract with the Department of Homeland Security where our mission was funded to build out a business model for community capacity centers. … So we saw we had a really good opportunity with Sports-ISAO to use the magnetism of sport as part of the community buildout. We’re pursuing something that’s brand new.”
To improve their processes, Sports-ISAO provided cyber threat intelligence for the 2017 IAAF World Championships and for the Joint Operations Center at the U.S. Embassy in Seoul during the PyeongChang Olympic Winter Games.
The first official c-Watch cohort, which kicked off in April, saw participants undertake 10 weeks of skill development in cyber threat intelligence collection analysis and ISAO operations, working with mentors and collaborating with peers. That’s followed by hands-on cyber threat intelligence work during 2018 FIFA World Cup Russia.
“We’ll be running the pop-up SOC during the final week of it — that’s when it becomes most competitive and most intense,” said Jane Ginn, co-founder of Sports-ISAO and the c-Watch program, and a board member at CRI.
This will be c-Watch’s first run as a paid program, and Ginn said she expects a broad skill set among students — “from graduate to undergraduate, and from pure policy — like law students — to pure computer science,” she said.
“Some very technical students really don’t care about what the implications are of what they’re hunting for, they just really like working on the threat intel platform and engaging in the hunting exercises.”
Others will have “more analytical abilities and the writing skills to tie some of this technical material together and put it into context and roll it up in the geopolitical issues that are important in threat analysis,” also doing the critical work of creating narrative reports for decision makers with nontechnical backgrounds.
The variety of participants is one of c-Watch’s strengths, she said.
“We have students as young as 19 or 20 and we have some in their 50s. It spans several different generations and several different work ethics and mental frameworks…” she said. “Particularly in the graduate program, we have a lot of students that are mid-level career
folks that have gone back to up the game in their skill set. We really consider our cadre as trans-generational.”
The World Cup capstone gives students a chance to put everything they’ve learned into practice, to detect emerging cyber threats in the early stages and to work on solving the mysteries behind attacks. c-Watch is a successful vehicle for workforce development because people are excited by the idea of protecting athletes and teams, DePeppe said.
“[It means] we’re able to spur interest at young levels in cyber,” he said. “And what we’ve learned is that for the analytic side of it, the geopolitical side of it, you can have an interest in a career in cyber without wanting to be a cyber threat hunter.“You may be the one that is interested in political science or international relations and you want to be able to tie a cyber attack to a state actor because you can talk about the motive.”
Positive energy, competition and team loyalty are all part of the appeal, Ginn said. And the more IT staff for various teams and leagues get involved in protecting their own athletes and networks, the more students c-Watch can bring in from those communities and regions.
c-Watch works with about 30 university partners, including Regis, Mercyhurst, Case Western and Duke University, and students who complete all the course requirements can be nominated to join CrowdWatch, which DePeppe describes as “a guild or an apprenticeship program.”
“They have a level of expertise — we don’t want to lose that,” he said. “… If they want to stay with us, they enter CrowdWatch and … we’ll use them as staff augmentation or outsourced analysis. So we have a network of college students that are participating in different hunting campaigns and analysis.”
The aim is to grow that network and help communities build their own cybersecurity capacity.
“We don’t have the [cybersecurity]manpower we need as a society — there’s a gap there that exists — so we’re helping address that by keeping [c-Watch graduates] involved in this effort,” DePeppe said. “So not only are we doing this for Sports-ISAO but we’re talking to community partners and universities about creating this group. They then can provide that resource to their community as part of that community’s ISAO build-out.”
Another objective with CrowdWatch, Ginn said, “is ultimately to be able to pay them. We want to have this trained cadre of people that can be used for surge capabilities for companies.”
Within the sports world, too, the need for cybersecurity professionals is real and growing, said Kendall Utz, director of customer success for Springs-based fusesport, which provides the platform used by some of the world’s leading sports organizations and major sporting events to plan, manage and analyze their events.
“[Cyber threats] are definitely something we have to constantly be aware of,” she said, adding sensitive data has to be collected so major sports events can run effectively — “it could be in regards to health, certificates, travel logistics; an association to determine if you’re eligible. And that increases the need for cybersecurity because you really don’t want that to get out there.”
The barrage of hacking efforts surrounding events like the Winter Olympics highlights the need for better information security, Utz said.
“We’re a society that does make these athletes into superheroes, which is cool — but at the same time once they’re broadly well known and at these events, that’s when these [hackers] are going to want to attack these systems and get the information.
“We’re getting to an age that we’re a lot more aware of hacking as well as how smart those individuals are in how they can access that information,” she added.