Cyber Challenge 2025 Reflection

In February, I attended this year’s iteration of the Swedish Defense University’s Cyber Challenge - a competition in which student teams must analyze, and formulate a response to, a fictional scenario centered around a wave of cyber attacks in Sweden. This post discusses my thoughts regarding the event, and the wider cyber-landscape as a whole.

The Who/Where/When

The Swedish Defense University (FHS) is, as the name suggests, a public university in Sweden with several bachelor- and master-level programs within military, defense, and politics (to mention a few). These programs are, for the most part, offered to both military service members and civilians. Of more relevance to this blog post, they’re also the organizers and hosts of the yearly Cyber Challenge.

I attended as part of a 4-man team composed of ChaGU members, and supervised by the venerable Klondike. As a side-note, ChaGU is a student CTF team run by and for students from Chalmers and Göteborg University.

Our competition, meanwhile, was made up of over 20 teams from a range of universities in Sweden - a range made up of not just geography, but also academic focus. This presented a unique challenge, as we found ourselves competing with teams who had a wide range of backgrounds - some being from technical schools, and some being from schools that offered social science programs (not to mention the four teams FHS sent)!

“But what exactly does the challenge entail?”, you may wonder.

Policy Writing

About two months prior to the ‘day of’, we received our first “Intelligence Report”, a hefty booklet which not only pushed our printers to the brink of failure, but also contained everything from fictional news reports and government documents to opinion pieces and social media posts. Whilst I don’t want to spoil the challenge for anyone else in the future, and thus won’t go into details, it suffices to say that in the scenario, Sweden finds itself the victim of cyberattacks perpetrated by several foreign-state-sponsored APTs.

Our first task prior to the competition-day was to create a policy-response paper, outlining four policies (and relevant responses) which we believed Sweden should implement to counter, or in any other way, deal with the fictional situation at hand. Already, this was an interesting process (involving several long work days for our team), due to a number of factors.

For one, being from an all IT background, it was difficult at the start for our team to think “outside of the box”, and identify policies that were not inherently IT-focused. Ultimately however, the time spent on this was well worth it, as we developed a very balanced range of policies.

Secondly, the very small word-limit imposed on the submission meant that every word had to serve a specific purpose, and we truly had to distil our policies down to their essences (a matter far more difficult than rambling in a personal blog is).

Thirdly, we spent a lot of time debating, and tweaking, our views on what constitutes a policy, as opposed to a response, to ensure we had the best possible paper.

Whilst challenging, the process of first reviewing the provided documentation, then identifying the key points (and filtering out irrelevant information), and finally planning and writing the report was very interesting. Not only did it give us a greater appreciation of the work that policy writers do, but it was a very useful exercise in creating (effective) policies which we believed not only could be implemented, but would also be impactful.

Policy Presentation Practice

With our policy-response paper submitted and accepted, we could then turn our attention to preparing for what is, in many ways, the cornerstone of the competition - two 10-minute long verbal presentations. These presentations, which are centered around explaining the policies and responses, are given to a panel of judges composed of volunteers from a wide range of both private and governmental organizations. The judges not only provide feedback and grading on the presentation, but also have the opportunity to ask questions at the end.

To be as prepared as possible, our team had two practice rounds prior to the challenge. To increase the realism of our practice rounds, and get feedback on what to improve on, we had our own panel of judges that were found by our supervisor. This worked out very well, as we not only felt more comfortable presenting on the day of the event, but it also allowed us to refine our presentation, and prepare for possible questions.

Challenge Day

Showing up bright and early to FHS on an overcast day, wearing our best suits, we found ourselves surrounded by security and governmental policy professionals, other anxious competitors, and of course the regular FHS students - who seemed just a tad annoyed that we were taking up their study spaces. Following an opening ceremony, we had time to do some last-minute preparations, before the first of our presentations!

Our first presentation, well polished by that point, went very well. After nearly no questions from the judges, we had a short break before the organizers announced which teams had qualified for the next round in the afternoon. Luckily, we were one of those teams!

For the next part, we received another Intelligence Report, for which we again would have to draft a set of policy-responses, and present to a (new) panel of judges. As luck would have it, our time spent preparing paid dividends, and we found that we didn’t have to adjust our policies at all!

Sadly, reader, this is the most that I will share about the competition day. As mentioned earlier in this post, I don’t wish to affect future runs of the challenge, so I feel it better not to spoil anything that may happen. Instead, I’ll leave you with the sad fact that our team, despite our valiant efforts, did not win.

Reflection

Firstly, I must say that the Cyber Challenge is fantastic. For one, it’s a great opportunity to network both with fellow students, and persons from the industry (in particular seeing as FHS also hosts an industry day/employment fair at the same time). Secondly, it’s a great way to engage in policy writing, and gain first-hand experience of both the process, and the challenges that it presents.

Beyond this, perhaps the greatest benefit of the Cyber Challenge is that it allows one to go on a deep dive into the current state of cyber policy, and the far-reaching consequences that APTs and cyber actors can have on not just companies and individuals, but nation states as a whole. With the current global political climate being as it is, this is a field which is growing increasingly important, and to which more and more attention is being diverted - on both a public and private level. In researching for the event, I found myself learning about new cyber initiatives, standards, and agencies that were previously unknown to me.

My only complaint about the challenge is the manner in which presentation grading is done. Neither the grading criteria nor process is transparent, which means that not only does the possibility exist (though I doubt it) for favouritism amongst judges, but it also leaves teams without a good idea of what they could improve on. I hope this is something on which FHS can improve, as not only did the three winning teams all come from FHS, but I have heard this sentiment echoed by other participants from past years.

However, I do not wish to end this post on a negative note. The Cyber Challenge is a fantastic event, and I thoroughly enjoyed it. I’d also like to thank my ChaGU team, our supervisor Klondike, and naturally the organizers.