Every year, teams of students gather in Washington, DC, to participate in the annual Cyber 9/12 Strategy Challenge—a public policy competition hosted by the Atlantic Council that is designed to put students in the driver’s seat of a simulated cybersecurity incident, becoming advisors to senior policymakers. During the competition, students across 31 schools and 7 countries are tasked with analyzing threats to national, international, and private-sector interests, and providing recommendations on how to respond to the cyber incident.

This year, a team of SIS students pursuing a master's in United States Foreign Policy and National Security joined together to compete in the challenge. Diana Morillo (SIS/MA '27), Daniel Chavez (SIS/MA '27), Noah Harshbarger (SIS/MA '27), and Jared Aguilera (SIS/MA '27) represented American University in this year's competition. Morillo, Chavez, and Harshbarger offered us a few reflections on their experiences.

What motivated you to participate in this challenge?

Diana Morillo: I wanted to pivot into learning more about cybersecurity policy and saw Cyber 9/12 as a valuable opportunity to expand my experience within the sector. It was a competitive and interactive learning challenge that allowed me to work in a team and see for myself how working in cybersecurity policy can have real-world impacts on the communities I hope to serve in the future.

Daniel Chavez: I wanted to gain more hands-on experience in cybersecurity policy. My main focus with this master's is emerging technology policy and governance, but I wanted to supplement that with cybersecurity since none of these new technologies are sustainable without proper cybersecurity measures and systems in place. For example: AI systems, cloud infrastructure, digital payment platforms. All of it rests on a cybersecurity foundation. When I saw that AU didn't have a team registered, I connected with cybersecurity professors across SIS and even Washington College of Law, recruited teammates from my classes, and put a team together because I didn't want us to miss this amazing opportunity.

What was your favorite part of the competition?

Noah Harshbarger: My favorite part of the competition was presenting in front of a wide range of judges from CYBERCOM, the Department of Treasury, the U.S. Cybersecurity and Infrastructure Security Agency, former FI, and OpenAI. Getting to explain our research and decision document in front of the actual experts was truly a great experience as well as gave huge confidence in the depth of the work our whole team did.

Daniel Chavez: My favorite part of the competition was all the prep work that went into it. As team lead, I helped coordinate our meetings, mock judge panels, and logistics with AU's Foreign Policy & Global Security department. Beyond that, there were many late nights of deep research on how interagency cooperation for major cyber incidents works, what legal frameworks exist to activate a large-scale incident response, and what differentiates the financial crimes the U.S. Secret Service handles versus what the FBI handles. It all felt like a natural extension of our Cybersecurity Policy class. We were also very fortunate to have a team of coaches, featuring AU alumni, faculty, and students, and supporters who helped us think hard and fully analyze the spectrum of policy levers, legal frameworks, and agencies available to us. A huge thanks to Joe Walton, Alex Neubecker, Christian Ohanian, Eric Novotny, Regan Dolezal, and Pearce Buxton for sharing their time, mentorship, and expansive domain expertise.

How does this experience connect to your academic interests at AU?

Daniel Chavez: This experience connected strongly with the core of what I'm studying at AU. The scenario involved a North Korean state-linked cyber operation with implications that spanned critical infrastructure protection, international diplomacy, financial crime, and public communications. It gave me the opportunity to apply frameworks I've been studying in class to a realistic and time-pressured scenario rather than analyzing them in the abstract. It reminded me of war games I've done in the past, but much more policy-heavy. Instead of playing the decision-maker, we were advisors briefing the NSC Principals Committee.

How did Cyber 9/12 shape your understanding of the professional cyber environment?

Diana Morillo: Before, I tended to think of cyber primarily in terms of technical skills like coding, network defense, or threat detection. However, the competition highlighted how real-world cyber challenges require coordination across multiple domains, including government, private sector stakeholders, and international partners. It emphasized that cybersecurity professionals often operate in high-pressure environments where they must balance technical realities with political considerations, legal constraints, and communication strategies. The experience also showed me that effective responses depend on collaboration, adaptability, and the ability to think critically under uncertainty

Noah Harshbarger: Cyber 9/12 shaped my understanding of the professional cyber environment by changing my view on how involved the private sector can be in solving immediate and long-term issues posed to systems. It also strengthened my view based on my experience that the government and military still seem to be the most well-positioned actors in the area to respond, coordinate, and mitigate cyber threats.

What broader insights did you gain and which lessons from the competition are most applicable to what you hope to do professionally in the future?

Diana Morillo: One of the biggest insights I gained is that in real-world cyber incidents, there is rarely a perfect or immediate answer. Instead, professionals have to make decisions with incomplete information, weighing risks, trade-offs, and second-order consequences. A key lesson for me was preparation and structured thinking in creating a response. In the future, I hope to work within cybersecurity policy or national security more generally, and the consistency of being in experiences like Cyber 9/12 prepares me for that career.

Noah Harshbarger: I gained some broader insights to never let your viewpoint on a vague piece of intelligence create a mental block/picture that can constrain your options. While hashing out the intelligence reports we were provided I found myself in some mental blocks, but working as a team and with amazing mentors/coaches I was able to see and explore other avenues that made more sense to the scenario than I originally thought. Further, I gained more insight beyond the technical world of cybersecurity, finding that how agencies and organizations respond to cybersecurity really can be changed based on technical capabilities, and coordination with others to respond can be the biggest challenge. I aim to use these broader insights to advance my military career in the Air Force either as an intelligence or cyber defense officer, and further a career in the public sector whether it is continuing to do technical cybersecurity work or some sort of cyber threat intelligence.