SkillsUSA Cybersecurity 2022 Nationals: Reflection

Written By Titus Green

Introduction

I was reintroduced to SkillsUSA Cybersecurity back in 2022 after taking a break from competing in the SkillsUSA competitions since my first cybersecurity event back in 2019. This competition is a straight-to-state, team-based event. We achieved first place at the state event, which means that we automatically qualify for the national event in Atlanta, Georgia.  

Important Disclaimer ⚠️

This post isn't to fully bash the SkillsUSA organization, as I truly stand for everything that it represents, but this is just awareness of what I have experienced during my time at the 2022 nationals event, and I wanted to set the record straight. These views are my own, based on personal experience.

Competition Format Overview

The state event is different per individual state, while the national competition was formatted in one single way. It is set up in a station format where each team is given a number value and told to compete at a certain station at a certain time. You were given instructions that you must follow, and you were scored based on what you achieved based on the instructional guide.

Initial Concerns with Technical Standards

Looking at the technical standards before the competition provided a large set of issues.

  • Two Choices of Exams: CompTIA Security+ and ETA ITS Exam

    • What if someone were to complete one of these exams within a short time period before the competition without looking at the materials? Would this provide some sort of advantage?

  • Networking Section

    • There was no specific networking provider listed, just that it's enterprise gear. You can't just guess that it's going to be Cisco gear every time since not every company uses this type of enterprise gear when they could be potentially using HP or Ubiquiti, for example.

Concerning Gaps in Competition Integrity

When competing, there were multiple issues that we faced was difficult to understand given the competition’s standards.

  • Machines were so slow that you couldn't even move the mouse cursor, leaving time wasted for some teams compared to others.

  • Machines were frequently not reset between teams, allowing teams to receive an advantage if one machine wasn't reset over another.

  • Machines were broken, and we were told that "You will be scored an average of what everyone else completed on that station."

  • They didn't time any of the stations properly, resulting in some teams receiving more time on machines than others.

Firsthand Challenges During the Event

Upon arrival, we were informed that no internet access would be available — a critical detail that had not been included in the Technical Standards, leaving teams unprepared for certain tasks. The stations of the competition itself felt like networking was the priority and not cybersecurity when seeing how the competition was formatted and structured.

We had multiple stations that were completely broken and were directly told that we would be given an average on those stations, which felt completely unfair to us since we couldn't attempt to achieve a better score than others, leaving them to potentially receive a higher place due to this. (Ex. Pentesting station—Metasploit Machine)

The goal of the Windows Server station was to harden the machine. Other teams were able to use the machine completely fine, but for some reason we were not able to use the machine at that time, and a judge came over and asked us specific questions for a specific Windows Server version. If we didn't know the answer to that version directly, we would essentially miss the question. Which for me, since I knew a newer version and answered the questions correctly based on that newer version, we missed all of the answers.

As stated in "Initial Concerns with Technical Standards" we were never directly told what networking provider we would be using. This ended up being Cisco, which at the time our team had mainly focused on studying the HP enterprise provider. Since we had no internet connection and had zero knowledge of any Cisco networking gear at the time, we told the judge we had to forfeit this specific station since we couldn't complete any of the instructions.

There were multiple machines that our team experienced where they weren't fully reset. This included a home router, which, when telling the judges, they tried to reset it and couldn't even do it; they eventually got it after someone helped.

Our final result of the competition itself was 14th place.

Reflections and Professional Impact

When looking back at this competition, I don't really think about even including it anywhere professionally and didn't gain any valuable insight. Looking at competitions, I try to find some type of objective out of it, and this event didn't fit that compared to others. This event felt like a major setback after everything I had worked toward throughout my high school competition journey. However, I always wanted to find the best way to fix this competition.

Recommendations for Improvement

When looking at this event, I always began to wonder how this competition could be improved for people using this as a way to understand the industry.

Listed below are the options and general improvements that I've discovered and discussed with other competitors during the competition.

  • Removing certification exams entirely.

  • Allowing internet access.

Option 1 (Station Setup)

Red Team

  • You can incorporate the pentesting station used in the competition but format it in a way where you are given a scope and find the vulnerabilities and make a report and score based on the findings.

Blue Team

  • You could do this multiple ways: SOC Simulation, LOG Reporting (find potential attack vectors based on a set of logs), etc.

Professional Station

  • This was perfectly fine during the competition and should remain the same.

Option 2 (Capture-the-Flag)

Run a CTF challenge and incorporate challenges in specific sectors and add the professional station as assigned points.

You can easily decide if you want everyone to see the status of the competition or easily hide it.

Final Thoughts

SkillsUSA has provided me so much in my career and has the opportunity to provide an exploratory pathway for cybersecurity. If they fix the competition structure, this could provide a good learning opportunity for students. If someone asked me today if they should try this event, I would probably say "Yes" due to the fact that we will never know how they will format the competition.

Titus Green
Next

How to approach a CTF competition as a High Schooler.