The U.S. government has decided that at least some participants in the President’s Cup Cybersecurity Competition cannot be awarded cash prizes, and one participant says the entire contest has been poorly organized.
The President’s Cup Cybersecurity Competition was announced earlier this year when President Donald Trump signed an executive order whose goal is to grow and strengthen the country’s cybersecurity workforce.
The competition aims to “identify, challenge, and reward the government’s best personnel supporting cybersecurity and cyber excellence.” The challenge is open to all federal employees, including DoD and uniformed service members, and it consists of a series of contests.
The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of the first edition of the annual competition on September 16. Following two online qualification rounds, the final is taking place on December 10-12 at CISA facilities in Arlington, Virginia.
According to Federal News Network, over 1,000 federal employees representing more than 200 teams from 17 different government agencies took part in the qualification rounds.
When CISA announced the launch of the competition, it said winners would be eligible for a bonus of up to $50,000 from their agency. The second place team was promised $25,000 and the third place team $10,000. Cash awards were also mentioned in the executive order signed by President Trump.
However, one active-duty service member who is taking part in the final of the President’s Cup Cybersecurity Competition — he uses the online moniker sh0mbo and wishes to remain anonymous — revealed on Twitter that organizers informed participants roughly 26 hours before the start of the competition that service members are not eligible for a cash prize.
“We are aware the registration website indicated that all competitors were eligible to receive cash awards for the top 3 winners. After further analysis, it appears that service members are prohibited by law from receiving cash awards of this kind under these circumstances,” participants were told via email.
“We regret the confusion this has caused,” the email reads. “The Office of the Secretary of Defense will work the winners’ organizations on an appropriate form of recognition that complies with applicable law and is commensurate with your outstanding achievements.”
It’s unclear if this rule applies to all participants. However, sh0mbo told SecurityWeek that a vast majority of those who made it to the final round of the competition are active-duty service members.
He said on Twitter that the finalists are “not very happy right now.” Sh0mbo also accused the government that it “baited underpaid US military personnel with this.”
A table containing the prize structure has been removed from the competition’s page on the CISA website and replaced with a message that says, “DHS is currently collaborating with the Department of Defense on awarding the winners of the competition.”
SecurityWeek has reached out to the Department of Defense and CISA and will update this article if they provide clarifications.
“The goal of this competition was to promote and recognize infosec personnel from the USG [United States Government]. This competition is having the opposite effect and everyone here is quite pissed off and wants to share a true narrative of this competition instead of the success that’s undoubtedly going to be perpetuated,” sh0mbo told SecurityWeek.
“It’s not about the money,” sh0mbo added, “it’s about the fact that we’re being used as a propaganda piece to demonstrate the successes in cybersecurity within the USG essentially for free as government property. This is completely metaphorical for the state of ‘cyber’ at large from the perspective of an insider.”
Poorly organized competition
Sh0mbo says the President’s Cup Cybersecurity Competition was poorly organized from the start. He says the platform had a vulnerability that could have been easily exploited by any of the competitors to obtain the name, email address and organization of all the other contestants. While this might not sound like a serious issue, the researcher has pointed out, “Surely many people would like a list of all of the top cybersecurity professionals in the government.”
Sh0mbo has described the competition as “one of the worst competitions in which I’ve ever participated from both a QA/QC and technological perspective.”
In addition to technical problems, there have been some logistics issues. Contestants were told that they would need to work with their units for travel to the competition final, but units did not plan for it, leaving many to pay out of pocket in hopes of getting reimbursed via prize money.
However, that prize money is now off the table and the announcement that service members are not eligible for cash prizes was made while some of the contestants were traveling to the event.
Experts in the private sector believe this incident will not help the government attract skilled cybersecurity workers.
“I think the challenge is a great idea and the idea of up to $50,000 was a smart move,” Chris Morales, head of security analytics at Vectra, told SecurityWeek. “It is well known that the federal government struggles to attract top cybersecurity talent as they compete with the high salaries of private companies. Recognizing and rewarding that talent helps in keeping the skilled individuals around.”
“I don’t know what happened with the reward, but this is going to give bad optics and not help the problem. It is a shame that the award was pulled at the last minute after so much effort was put in by the contestants,” Morales added.