Cultivating future security professionals for a resilient infrastructure
Security Contest for Students "SANS NetWars"
Mar. 11, 2019
On August 17, 2018, a security contest called "SANS NetWars Tournament 2018" was held in Akihabara, Tokyo. NRI SecureTechnologies Ltd. (NRI Secure), a cybersecurity company, has been hosting the contest for youths annually since 2014, as part of an effort to increase the pool of cybersecurity professionals.
Rising security demands due to cybercrime and the human resources shortage
Cybercrime is rising globally, accounting for an estimated total loss of approximately 600 billion U.S. dollars (approximately 63 trillion yen) in the world economy. This is equivalent to 0.8% of the global GDP. The United Nations lists "building a resilient infrastructure" as the ninth Sustainable Development Goal (SDG), and cybercrime is an important social problem that must be solved.
Dealing with cybercrime requires a solid pool of professionals in the field of cybersecurity. However, Japan has been facing a shortage of IT human resources for many years, and it is particularly serious in the field of cybersecurity. According to a report by the Ministry of Economy, Trade and Industry, as of 2016, the number of workers in Japan's cybersecurity field was 280,000, which means there was a shortage of over 130,000 workers. The number of workers is estimated to increase to 370,000 by 2020, but it will not catch up to the shortage, which is estimated to be 190,000 by then.
According to "NRI Secure Insight 2018," a survey NRI Secure conducts yearly, "nearly 90% of companies say they have a shortage of security workers." Ken Sato, General Manager of the Cyber Security Educational Services Department at NRI Secure, has been engaged in security education since the company's establishment. "The security field needs professionals in a variety of specialty areas, like cybersecurity engineers, network analysts and consultants. There is a shortage across the board," he says. "Even in companies that specialize in security and offer services and products, there is a shortage of people who have advanced expertise, who can manage risks related to information systems, and who can manage cybersecurity with a managerial perspective. This shortage is much more severe in non-cybersecurity companies."
Ken Sato, General Manager, Cyber Security Educational Services Department, NRI SecureTechnologies Ltd.
Offering a world-class security education program
In response to this problem, NRI Secure began hosting the annual security contest for students "SANS NetWars Tournament" in 2014. The aim is to give young people leading-edge experience in the field of cybersecurity and generate more interest in it. Kengo Ueda, member of the Cyber Security Educational Services Department and part of the contest administration team, says, "Our aim was to increase the pool of security professionals."
Kengo Ueda, Cyber Security Educational Services Department, NRI SecureTechnologies Ltd.
NRI Secure noticed the demand for more security professionals from an early stage and has offered security education services. One is the SANS Security Training. This is a program developed by the U.S. world-class security research and education center, SANS Institute. It is a one- to six-day intensive program with practical skills training. The length of the program varies depending on the level and scope of the content.NRI Secure offers the program to cybersecurity personnel, system managers, and other professionals who want to acquire more security knowledge and experience.
The program is long and can be expensive, and is not something that students can do casually, so SANS Institute developed the CTF* format security contest "SANS NetWars Tournament" for the purpose of education. It gives students an opportunity to experience the front-line of the cybersecurity field and learn what kinds of knowledge and skills are in demand. The students are tested on their knowledge but also have to solve cybersecurity obstacles, which gives them practical experience. NRI Secure offers the contest for free.
This time, as a first-time experiment, it was held as a one-day event only featuring the contest. From 2014 to 2017 it was a two-day event: a SANS certified trainer provided lectures on security-related technologies and diagnostic methods on the first day, and the contest was held on the second day.
|1||Participants are tested security knowledge in question format.||Questions|
|2||Participants log into a computer as a regular user, seize administrative authorization, operate as an administrator and answer the questions.||Questions|
|3||Participants intrude into the online server and find a hidden file (flag).||CTF*|
|4||Participants intrude into the intranet via server.||CTF*|
|5||Participants play a game of attack and defense.||Attack/defense|
* Capture The Flag. Originally designed as an outdoor game for two teams, where each team tries to capture the other team's flag. In the field of cybersecurity, there are mainly two branches: the CTF format in which teams try to steal data by cracking (intruding into) the computer, and the attack/defense style in which players separate into two teams and try to intrude into the enemy computer while defending their own
Learning the fundamentals of security
Many of the participants are undergraduate, graduate and vocational school students from across the country, but there are some high school students as well. Generally NRI Secure takes applications from early July to mid-August then puts on the contest in late August. They advertise by Twitter, Facebook and security-related community mailing lists. Despite the minimal advertising, "In 2014, the first year we put it on, we reached the limit of 100 spots within the first few days after advertising," says Ueda.
Participants come from diverse backgrounds, from complete novices to enthusiasts who compete in multiple security contests across the country. "I do not know the purpose of participation for every individual, but according to the questionnaire, it seems the value of the contest is in the opportunity to learn the fundamentals of cybersecurity," says Sato. "Many come back every year, and some say they would recommend it to friends and acquaintances. I believe the contest is achieving its purpose of increasing the pool of security professionals."
Special agents from the Metropolitan Police Department also attended
Before the contest started, two special agents from the Metropolitan Police Department Cyber Crimes Division came on stage to talk about recent trends in cybercrime and what kinds of acts are considered cybercrime. They told participants that professionals in the security field will be increasingly valuable going forward.
Sato stresses, "Cybercrime is becoming more advanced, and areas that traditionally did not require cybersecurity now do, like blockchain technology itself, smartphones, IoT control technology and more. I think it will be necessary to have comprehensive and in-depth knowledge in diverse security fields."
NRI Secure will continue to offer education for security professionals with a broad outlook and contribute to building a resilient infrastructure for society.