The September 11, 2001 attack on America was noteworthy for a myriad of reasons, ranging from the inclusion of the term “9/11” to colloquial parlance, to a complete revamp of our nation’s security posture. Nearly twenty five years later, as the homeland security paradigm continually evolves to account for cyber and infrastructure security, so too does the demand for innovative policy and resilience solutions.
To meet this challenge, more than twenty collegiate teams from across the United States convened (virtually, anchored in New York City) earlier this month to face a cyber catastrophe of the Atlantic Council’s own design. The Cyber 9/12 Strategy Challenge, hosted in partnership with Columbia University’s School of International and Public Affairs, gave these aspiring cyber policymakers a high-stakes scenario: develop and defend policy prescriptions to manage a fictional but plausible national security–scale cyber crisis.
Now in its fourteenth year, the Cyber 9/12 competition is a signature initiative of the Atlantic Council’s Cyber Statecraft Initiative. By combining interactive scenario play with rigorous policy analysis and public presentation, it challenges students to think through trade-offs, attribution dilemmas, interagency coordination, and the role of the private sector.
Over the course of two intensive days, participating teams were presented with an escalating cyber incident targeting critical infrastructure and national assets. Teams assumed roles spanning government, intelligence, and industry, and wrestled with questions such as: When should a president publicly attribute blame? How should response and retaliation be calibrated? When must private-sector obligations be enforced? How do you preserve public confidence while acting quickly under uncertainty?
Teams developed written policy briefs and live presentations, then defended their recommendations before a panel of expert judges drawn from government, industry, academia, and civil society. Judges evaluated proposals on clarity, feasibility, strategic coherence, and innovation.
Presentations were scored by a diverse group of experts with decades of experience in various homeland security-focused disciplines, including policy formulation, critical infrastructure security management, cyber security, intelligence operations, emergency management and disaster recovery. Throughout the competition, team presentations presented a myriad of creative response options centered around several common security and policy themes:
- Resilience through public–private collaboration: Many teams pushed for stronger alignment between government and infrastructure operators via joint protocols, mandatory resilience standards, and shared real-time information systems.
- Flexible and scalable escalation framework: Rather than binary “attack / no-attack” choices, some proposals often employed modular escalation paths depending on actor attribution, intensity, and collateral risks to U.S. interests.
- Legal and normative innovation: Several teams recommended updating U.S. law or multilateral norms within the cyber domain to more clearly define permissible retaliatory thresholds, while engaging allies in a shared deterrence posture.
- Transparency and public trust: Recognizing that public confidence is a strategic asset during crises, some teams advocated for calibrated disclosure policies, balancing transparency with the need not to reveal sensitive intelligence.
The presentations were incredibly insightful, offering outside-the-box solutions to highly complex scenarios. The scenario itself was realistic in the context of how nation states and their proxies are increasingly turning to malicious, nefarious and sometimes reckless activities in the cyber domain with the intent of pushing traditional norms to support strategic objectives. Each presentation addressed the urgent need for continued public and private sector intelligence sharing, a cohesive but malleable federal strategy for securing critical infrastructure networks before, during and in response to systemic or specific threats and a push to establish global standards for how disruptive or destructive cyber attacks are managed outside of declared conflict.
The Atlantic Council’s next Cyber 9/12 iteration is scheduled to take place on November 7th and 8th in Monterey, California, where it will be co-hosted in partnership with the Middlebury Institute of International Studies.
