“We are doing the high touch and personal approach to educate and attract students. Through the Codebreaker Challenges, we are using a non-traditional approach, which also teaches good fundamental skills for NSA as well as the nation,” Hutson said on Ask the CIO. “In our new employee orientation class, we started to poll all of our new employees as far as how they became interested in NSA. Among the new employees at a recent orientation class, one woman identified that she came to NSA through the GenCyber camps, which NSA hosts, and what sealed the deal for her was participating in the Codebreaker Challenge.”
NSA launched the Codebreaker Challenge in 2013 as a way to further connect with students and professors, who are focused on technology and cyber issues.
Over the last six years, the annual initiative has become a much-anticipated challenge with professors making it a part of their classes and students testing their mettle against NSA’s cyber experts.
“There is quite a bit of enthusiasm and excitement when I go to campus. In the early fall I gave a tech talk where I walk through the previous year’s challenge and new one that’s coming up. The crowd seems to grow each year,” said Eric Bryant, a technical director in the crypto analysis organization at the NSA. “We’ve also seen the emergence of additional groups like student clubs, which focus on these types of smaller, capture the flag challenges.”
2018 challenge focused on blockchain
The initiative provides students, professors and anyone else who is interested “with a hands-on opportunity to develop their reverse-engineering /low-level code analysis skills while working on a realistic problem set centered around the NSA’s mission.”
The 2018 challenge focused on ransomware and blockchain, requiring participants to solve eight separate, but related challenges.
“We structure the challenge so that the beginning tasks are easier and more accessible to the students. Most students don’t have prior experience in areas like reverse engineering, vulnerability analysis and crypto-analysis,” Bryant said. “We structure the problem so there is a progression of tasks and they are working toward an ultimate goal. In the case of the most recent challenge, ultimately they were trying to unlock the ransomware without having to pay the ransom and go a step further to recover all the funds victims had paid in and pay them back by exploiting the logic in the attacker’s contract.”
Bryant said a group of NSA cyber experts develop the challenge each year on top of their regular duties. He said they try to focus on areas that are either up-and-coming or current cyber threats and attack vectors.
For the 2019 Codebreaker Challenge, Bryant said it likely will focus on mobile security threats, probably using an Android operating system.
1 of the 20 to solve the challenge
Adam Merrill, a computer science student at the New Mexico Institute of Mining and Technology, participated in the 2018 Codebreaker Challenge. He said the experience of solving the challenge gave him the confidence to make cybersecurity a main focus area of his major.
“I’ve done similar things like the Codebreaker Challenge before but not to that scale. I figured I’d give it a shot and see what’s it all about,” he said. “It was a very steep learning curve. I am a computer science major and I know how to research topics to learn and try them out.”
Merrill said he spent about 80 hours over three or four months, and he estimates one-third to one-half of that time was spent researching online to understand how things like blockchain or distributed ledger works.
“Going into this, I had no intentions of finishing this. My initial goal was just get to task three or four, but after I finished tasks three and four and I got to the blockchain part, I took a break and then one day I had some free time and looked into it,” he said. “I was able to get enough information and figured it was feasible. I spent a lot of time on task six. I came up with what I thought was a reasonable approach to solve that part of the challenge, but I realized it didn’t solve the task. That bummed me out. But later when I was sharing that approach with a friend, it turned out I was missing some small detail and once I added that in, it gave me a boost to finish.”
Bryant said NSA keeps a leader board showing the rankings of the schools. Oregon State University had over 100 students participating, and there were 20 other students, including for the first time ever a freshman in college, who made it through all eight tasks.
“There is one person who is a PhD student who has been involved in all the Codebreaker Challenges and he is usually one of the first to solve. He was first again this year, pretty shortly after the competition began. We had people who were working up to the end, including submissions on New Year’s Eve. Even now after the competition ended, we’ve left the site up and there are people who are working and submitting solutions.”
Bryant said he reaches out to all of the students who solve the challenge and NSA sends them letters of recognition and a memento for participating.
“We reach out to these students to figure out what year they are in, how could they come here to do internships or hire them full-time, so we are definitely on that from a hiring and recruitment perspective,” Hutson said.
As for Merrill, the Codebreaker Challenge success led him down the path of applying for and being accepted into the Cybersecurity Scholarship for Service program, which provides up to three years of scholarships in exchange for working for the government after they are finished with school.