Team Ireland gets ready to capture title at European Cyber Security Challenge
A team from Ireland will be competing at the annual European Cyber Security Challenge in Turin from 7-11 October.
The event brings together teams of 10 from 31 countries from European and six invited nations to compete in on-site in Capture The Flag (CTF) style competitions. Each team’s players are aged under 25, and at least half must be aged 20 or under.
Team manager and lecturer in cyber security at TU Dublin Mark Lane spoke to TechCentral about the process of putting the team together.
How was the team assembled?
It’s a long and varied process in fact and continues to evolve as we grow interest in CTFs/Team Ireland and grow the number of participants. For this year’s competition we actually started the process last year as soon as we returned from the 2023 European Cyber Security Challenge in Hamar, Norway. We held large CTF events for schools with UCD’s Cyberwise, and with TU Dublin late last year. We also ran several smaller CTFs for colleges and companies earlier this year, and our flagship CTF, ZeroDays CTF was held in Croke Park in March. Any students who engaged in these events and scored well were invited to try out more CTF challenges at our website.
That website is up and running year-round so anyone that does well there can be invited to join us for some online CTFs and training. If they engage online and show promise they are invited to join our squad of candidates for the Irish CTF team. From this process we emerged with around 35 candidates in May. Over the summer we held several in-person bootcamps and training sessions for the squad and eventually picked the final 10 players (plus two reserves) in late August.
Next year we will tweak the process again as we’re hoping to have more regional CTFs as part of a national CTF competition for schools and colleges.
Was there any concern about how you would work as a team over having individual skills?
We are very conscious of the team dynamic and making sure we have a harmonious camp, where everyone feels included and part of something. Because we meet in-person regularly over the summer, we do get to know the candidates well. We have an excellent team spirit, and one of the things I love to see is the players becoming friends outside of the CTFs. We are very inclusive and recognise that diversity is really important to a strong team. Also, most CTFs are team-based, and feature challenges across a range of fairly standard categories these days. As the ECSC continues to mature, we know the categories involved, so we can choose the final team based on having a balance of skills to compliment the categories of the challenges.
Is it important to be an all-island team?
Absolutely. If we look at sport as an example, most sports are now all-island teams, and that has obviously been beneficial in terms of success and in terms of cross-community bridge building too. We are a small island, and we are competing against some European powerhouses in terms of population bases and resourcing. So, the bigger the base of players we can have the better. It would be a shame to miss out on all of those potential players, and a shame to not give them the opportunity to participate in what has become a massive annual event, in terms of scope, size and importance. This year two of our 10 are from Belfast, and hopefully they are just the first of many from the North.
This year we truly are an all-island team with players from Dublin, Belfast, Cork and Donegal, and everywhere in between. We’re also a very diverse team in terms of different ethnic and cultural backgrounds, gender, LGBTQ+ and neurodiversity. We are a team for everyone, and that diversity really does make us stronger in terms of skills, outlook and team spirit. Players want to stay involved afterwards, and it’s great to be able to draw on their experience now to help coach the next generation. In fact, our previous two captains, Emmet Leahy and Daniel Cahill, are now coaching the team.
How does the competition work?
The ECSC has been running since 2016 in it’s current guise. We actually took part that year along with nine other teams, in Dusseldorf, Germany. It has grown year-on-year (apart from two years when it didn’t run due to Covid).
This year is the biggest so far, with 31 EU/EFTA (European Free Trade Agreement) countries competing, along with six guest countries including Australia, Kosovo and Singapore.
The two days of competition are gruelling. The first day is a traditional ‘jeopardy’ style CTF, where teams will complete challenges across a range of categories such as cryptography (crypto), binary exploitation (pwn), web exploitation (web), reverse engineering (rev), forensics, hardware and miscellaneous (misc, which basically covers everything else including OSINT). As the teams solve challenges they find flags, which they submit to earn points on the scoreboard.
The second day of competition is an attack/defence (A/D) CTF. In this type of CTF each team is given a bunch (usually between six and eight) deliberately vulnerable servers/services. They have to keep their services running to gain points, patch their own vulnerabilities and exploit those of other teams. The points across the two days are averaged to decide the winners.
To make things more exciting the scoreboard is made invisible for the final two hours each day, so the teams don’t know who’s leading. This makes the awards quite tense and exciting.
Germany are the current holders, and hosts Italy are favoured, though every year there are dark horses that surprise everyone.
Another evolution of this competition is the International Cybersecurity Challenge (ICC) which is in it’s third year, to be held in Chile at the end of October. It’s a pan-continental CTF, which Team Europe has won for the first two years. This year our Irish team captain Cillian Collins became the first Irish player to make Team Europe, so that’s a sign of the progress we are making.
Our team is run entirely by volunteers, and we have made significant progress with very little resources. Resourcing is an ongoing issue; if we want to keep growing and building we really need drastic increases in resourcing and full-time staffing. This year we received grant funding from the NCSC, which was a big help. We also received sponsorship from hot Irish threat-intelligence start-up Cytidel and security service provider ReliaQuest, as well as support from ZeroDays and TU Dublin. We wouldn’t be able to do it without that support, and we’re really hoping to increase the funding substantially going forward. It’s good for everyone from the players, to industry, to government, academia and the country for us to continue to build on what we have achieved so far.
As a lecturer how important do you think events like this are for fostering young talent?
Incredibly important, to be honest. There are lost of cyber security initiatives happening aimed at young people. However, most of them are more focussed on cyber security awareness. I genuinely believe that CTFs are the best way of finding, encouraging and fostering young talent.
I have been running ZeroDays CTF since 2015, but it was only in 2022 that we had our first schools section in the competition. Having the schools involved was amazing right from the start. Firstly we had 50% girls taking part, which was way about the norm for STEM related activities. Secondly we found some incredible raw talent. 2023 was our second year with schools taking part in ZeroDays Cyber Schools category, and two 16-year-old participants from that ended up making the Irish team for the ECSC in Norway last year.
This year we had players as young as 14 making our squad of candidates, with three under-18s (one as a reserve) making the team for Turin. This has been from a still relatively small number of schools participating.
In TU Dublin we have seen record numbers of first year students choose cyber security on the CAO, and a substantial percentage of them chose the course only after participating in our ZeroDays schools CTFs.
We have also seen a related increase in the number of female students joining. We have around 25% female cyber security students in the past two years, which I’m told is (by a fair margin) the highest percentage in the country.
Next year we are hoping to announce a new all-Ireland CTF competition for schools and colleges, as well as an accompanying course and online resources. Still a lot of work to do on that, but it’s something my team is passionate about making happen, and we are currently in talks to make it happen.
TechCentral Reporters
Subscribers 0
Fans 0
Followers 0
Followers