This is the fifth article in a series of blog posts that describe how Cisco enables nonprofits to maximize technology for greater scale and impact. Our introduction to the series is available here. To read more articles in the series, click here. Stay tuned for next week’s post on how a nonprofit that focuses on critical human needs uses technology to scale.

picoCTF logoWe live in a world that is more connected than ever before. Connectivity leads to many benefits, such as being able to share ideas and collaborate, access educational content, purchase products online, and access banking more easily. It also makes our data more vulnerable to security threats. At the same time, there is a shortage of cybersecurity professionals. According to The 2019 (ISC)² Cybersecurity Workforce Study, 4.07 million cybersecurity professionals are needed to close the skills gap in the United States. Because of this skills gap, we are beginning to see unique ways of attracting cybersecurity talent. One of these solutions is picoCTF – an online computer hacking game that challenges beginners and experts alike to solve real-life cybersecurity problems. You don’t need any special equipment to participate, just an internet connection. Anyone may register to play in the free online competition, but only US students in grades 6-12 are eligible for prizes.

The game consists of a series of challenges centered around a unique story line where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the problem. picoCTF is an initiative of the CyLab Institute at Carnegie Mellon University (CMU). Daniel Tkacik, Ph.D., is the communications manager for the College of Engineering/CyLab at Carnegie Mellon University. He shared,“In terms of using tech to scale, since PicoCTF is free and online, it allows tens of thousands of people to participate each year. In 2019 they had 40,000 people in 160 different countries in the competition. Not only does it draw in the best of the best in computer security, but it is also a learning tool for complete beginners.”

In 2012, CMU faculty member David Brumley, Ph.D., and his students applied for a National Science Foundation grant to create a competition for middle and high school students. The name picoCTF comes from “pico,” which means very small in Spanish and “Capture the Flag” or CTF. CTF competitions are popular among the cybersecurity community:  a set of challenges test contestant’s creativity, technical skills, and problem-solving abilities. CTFs allow security enthusiasts to test their skills against one another. picoCTF is not small anymore, as 65,000 students have competed since the first competition launched in 2013.

An exciting part of the competition is that it helps students discover they have a passion for cybersecurity. “There are kids out there who don’t even know that they have these skills that can be extremely valuable and lucrative someday, and participating in a competition like this suggests maybe they should study computer security someday,” said Daniel. “We need everyone we can reach, as the deficit is only going to grow. It is important to reach out to people as young as 13 and let them know this is a field you can go into.”

Tim Becker’s life changed after he participated in a picoCTF competition as a high school student at Thomas Jefferson High School in Pittsburgh, Penn. Before picoCTF, he was mildly interested in computer science and hacking, but his main interest was astrophysics. He heard about the contest from a teacher and decided to form a team with his friends.

Tim Becker“We thought it sounded fun, so we decided to give it a try, but we had no expectation of performing especially well,” Tim said. By the end of the competition, Tim’s team finished in third place. This experience sparked an interest in cybersecurity, and after visiting campus and meeting the team behind picoCTF, Tim officially set his heart on attending CMU. While an undergraduate student, he went on to lead the Plaid Parliament of Pwning, or PPP, a hacking club, during his junior and senior years. They are known as one of the best teams in the world, winning what is informally known as the “Super Bowl of Hacking” three times in the past four years. Now working at a computer security company founded by the founders of PPP, Tim shared how picoCTF’s continues to impact his life, “Playing picoCTF taught me more in one week than I had learned that entire school year. I understood on a much deeper level how software systems operated, and more importantly, how they can be manipulated. But beyond the technical skills, picoCTF showed me that learning difficult concepts is easiest when you’re having fun doing it, and that’s something I continue to take advantage of to this day.”

Another issue that picoCTF is tackling is the low number of women who work in the cybersecurity field. The U.S. Bureau of Labor Statistics (BLS) reports that positions in cybersecurity are expected to grow at 32 percent. Yet this profession predominately employs men. Research indicates that entering middle school girls and boys at almost equal rates have an interest in computing and computer science, and yet, some estimate that only 19 percent of seniors who sit for the AP Computer Science exam are female.

According to Kyle Thornton, manager of the education investment portfolio for Cisco and the Cisco Foundation, one reason that picoCTF was a compelling partner for Cisco was its mission to introduce cybersecurity to middle school girls. In 2019, more than 5,400 girls participated in the picoCTF competition. Megan Kearns, project manager at CyLab at CMU, said that the female participation rate has steadily grown since 2013. They are hoping to see even more girls enter the competition in the future.

picoCTF is halfway through the first year of its partnership with Cisco. “Cisco is helping us expand our resources,” said Megan. “By connecting us with middle and high school teachers, we can create better content.” She explained how picoCTF has taken off with students and industry members. Still, teachers are unable to be as proactive with their students as they would like to be because they didn’t have the tools, content, and software to teach cybersecurity throughout the year. Kyle elaborated on the importance of teachers in helping the program scale, “Many edtech solutions available in the market today disintermediate the teacher from their students or students from their parents. Carnegie Mellon University’s approach with picoCTF has been to be inclusive of the teacher and the teacher’s role as a mentor and guide for students learning cyber-skills. Our team sees this approach as key to replicating and sustaining their program throughout the United States and overtime in select countries globally.”

Megan noted that with Cisco’s help, they want to help teachers be more active in picoCTF, thus increasing their impact on students. Cisco is investing in picoCTF’s platform to create lesson guides, build teacher collaboration areas, and develop content to teach middle and secondary students year-round. Kearns shared that ideally, they would like to implement picoCTF in the classroom permanently. “We want to build an ecosystem. There is room for a lot of different ideas and programs. picoCTF isn’t the answer to everything, but I am hoping that someday cybersecurity education will be along the lines of algebra, where everyone will take it,” Megan said.

picoCTF participants take a survey at the end of every competition. For the last three years, more than two-thirds of participants said they are more interested in pursuing cybersecurity as a career as a result of playing picoCTF. “We hope that translates to pursuing cybersecurity as a career,” Daniel said.

Want more? Here are the other pieces in this series: 



Stacey Faucett

Manager, Sustainability Communications Governance and Compliance

Chief Sustainability Office