picoCTF, the Largest K-12 Online Hacking Competition, Kicks Off Today

By Henry Kronk
March 16, 2021

For decades, there has been strong overlap between video gaming and computer science. While eSports have exploded in popularity, hacking and cybersecurity skills competitions have also attracted massive interest. The online hacking competition known as picoCTF, administered by the College of Engineering at Carnegie Mellon University, stakes a claim as the largest event of its kind. It was created for middle and high school competitors.

Capture the flag (CTF) competitions like Insomni’hack, Google CTF, DEFCON (part of the annual hacking conference in Las Vegas) have grown rapidly over the past decades. Carnegie Mellon is home to the Plaid Parliament of Pwning (PPP), one of the preeminent hacking teams in the world. PPP both competes in the top CTF competitions around the world and hosts its own, including picoCTF and the high-level Plaid CTF.

A team competes at DEF CON 2017. Image by Nate Grigg, licensed under CC BY 2.0.

picoCTF is free to join and open to everyone. But only middle school and high school students are eligible to compete for the $5,000 top prize. You can participate on your own or as a team. Last year’s competition attracted over 40,000 participants.

picoCTF 2021 and Capture the Flag Formats

First launched in 2013, the competition begins this year on March 16 and will conclude in two weeks on March 30.

picoCTF follows a capture-the-flag (CTF) format. There are two main forms of CTF hacking events: attack-defense and jeopardy. In the former, one team must defend a ‘flag’—often a piece of code, a sensitive file, or some other digital item that must be kept secret—from an attacking team that is trying to break past defenses to secure it.

Jeopardy CTF competitions, meanwhile, pose a series of questions to participants. These questions and their correct responses systematically reveal clues that guide teams solving an ultimate challenge. picoCTF is a jeopardy style competition.

To learn more about picoCTF 2021, eLearning Inside got in touch with Dr. Hanan Hibshi, who serves as the competition’s CMU faculty sponsor, to learn more.

eLearning Inside: Dr. Hanan Hibshi, I understand your own research focuses on investigating top cybersecurity experts themselves and how they gained their skills. With that in mind, what role do you see hacking and CTF competitions playing in that talent development process?

Dr. Hanan Hibshi: Hacking and CTF participation provide real, hands-on experiences. Learning about vulnerabilities, threats, and mitigations remains theoretical until practiced hands-on. picoCTF provides the hands-on learning environment. The challenges start at an easy level, and they increase in difficulty, mimicking security situations that we may encounter in real systems.

With regards to experts, cybersecurity experts are rare in general, but the number of experts becomes even smaller if we distinguish those who possess hands-on experience with deeper understanding of complex systems.

I think I understand the ‘CTF’ aspect of the competition. What does ‘pico’ refer to?

Pico means small or tiny (in the metric system it means one trillionth, 1012). picoCTF is a name that represents a CTF that is designed to be for individuals with tiny knowledge about CTFs (like middle and high school students) so they can grow their skills. Back then, the team did not envision that the game would grow to the scale that we see today!

I was previously unaware of the extent to which CTF hacking tournaments are established competitions. How did these develop? What are some benefits of organizing the competition in this manner?

The first ever CTF competition was introduced in DEFCON at Las Vegas. DEFCON is one of the largest and well-recognized security conferences that takes place in U.S. These competitions received a growing interest from industry and research. For example, CMU is recognized for its Plaid Parliament of Pwning team (PPP). It competes every year at DEFCON and has won first place five times. Researchers, educators, and industry practitioners recognized the educational benefit of these competitions. We started seeing more CTF-style competitions organized at different universities or organizations. CTFs are highly beneficial for skill-building and to apply cybersecurity skills to real systems. With the growth of the internet, CTFs became more popular as they became borderless. Many CTF events are now international and host teams from around the world.

CTFs can be attack-defend where teams attack systems of other teams, or jeopardy-style similar to the television game show. picoCTF is designed jeopardy style with a scoreboard and different categories such as web exploits, binary exploits, reverse engineering, and forensics.

It is clear that there is a significant gap between open jobs in computer science and talent that can fill them in the U.S. That gap includes cybersecurity positions. At the same time, international cyber warfare has escalated rapidly in the past few years. Russian interference in the 2016 elections mainly involved email spear phishing. That seems decidedly bush league compared to the SolarWinds breach and even more so compared to the most recent Microsoft hack linked to China. Are we mistaken in characterizing the CS skills gap as an economic issue? Would it not be more appropriate to consider it to be a national security concern? Is it an exaggeration to say that cybersecurity competitions like picoCTF are seeking to address this predicament?

Absolutely. The skills gap in CS and specifically in cybersecurity is alarming. Cybersecurity is one of the fastest-growing fields in technology. The U.S. Bureau of Labor Statistics expects we will see 56% growth in demand for security analysts by 2026. In 2018, NIST’s report to the President of the United States titled “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce” states that the global shortage in cybersecurity workforce is projected at 1.8 million by 2022. Even for people who do not specialize in cybersecurity, obtaining cybersecurity knowledge is essential due to the heavy reliance on digital tools in modern societies.

Addressing the national and international cybersecurity shortage is one of the major goals that picoCTF is trying to achieve. We hope to raise awareness and interest in cybersecurity at an early age by attracting young players. We also aim to attract adult players who might consider switching careers to cybersecurity.

Let’s approach this topic from the other side of the coin: It’s no secret that picoCTF received startup funding from the National Security Agency (NSA). The CMU CS undergraduate program (among others) is a primary recruiting department for various branches of the Department of Defense (DoD). Professor David Brumley remains the faculty coach of the PPP, oversees picoCTF, and also enjoys DoD security clearance related to his cybersecurity company. In the interest of generating some transparency: to what extent is picoCTF a DoD recruiting function? And should parents and teachers be concerned about that involvement?

Department of Defense and many other government agencies fund many research projects in universities around the United States. Let’s not forget that the internet that we enjoy today started as a DARPA project funded by the DoD. This project, like many other research projects, has a global benefit and a goal to increase cybersecurity workforce. Any entity, whether public or private, government or industry, is welcome to participate and become a sponsor to help fund this project that has a public benefit.

There should not be any concerns about involvement of the DoD or any other entity with the picoCTF educational project. There is no direct involvement from any sponsor with picoCTF participants. Any sponsorship that we receive is to help us maintain this platform, improve it, and run the competitions year-after-year. I want to emphasize that we do not share any of the players private data with third parties.

Featured Image by Dllu, licensed under CC BY-SA 4.0 .