London: With the launch of the National Cyber Security Centre, backed by £1.9 billion (Dh8.71 billion) of funding to battle online crime, the government has made a statement.
Defence experts have long warned of the growing menace of cybercrime and now they have good reason to believe the threat is being given priority treatment. Recognising the danger is one thing though, dealing with it another.
The world — and by extension the UK — is facing a shortage of people with the skills needed to mount an effective defence. The global cyberdefence industry is going to need another 1.5 million staff by 2020, according to non-profit security organisation (ISC) 2.
At the Cyber Security Challenge in London — a three-day competition designed to identify raw cybersecurity talents — recruiters are doing their best to address the shortage.
Stephanie Daman, the chief executive of Cyber Security Challenge UK, believes that the UK is slowly recognising the value of ethical hackers, also known as “white hats”, the cybertroops required to protect our increasingly connected world. “We’re beginning to build a pipeline of people. But that, by its nature, is going to take a little while to come to fruition,” says Daman, who spent 17 years working for the government on security matters.
In the meantime, events such as the Cyber Security Challenge are trying to address the skills gap. The event is sponsored by corporations such as PricewaterhouseCoopers (PwC), BT and BAE Systems, while camera-shy staff from GCHQ and the National Crime Agency look on, hoping to unearth a new generation of cyberspooks. Around half of the contestants in the challenge typically get a job out of it, while all are likely to be interviewed. Recruiters like the event because it allows people who may not shine academically to show that they can still thrive in a high-pressure, realistic scenario.
Last year’s Cyber Security Challenge was fairly fanciful. It involved a biohazard attack and a threat against a minor royal. This year, the challenge is more grounded in reality. The contestants are asked to fight an assault on a fictional energy company, Bolt Power. They are tasked with assessing and battling an attack from “hacktivism” cybercriminals, repairing a data breach and investigating the theft of £125 million.
There are good reasons to be concerned about cyberattacks on infrastructure within energy, but also in areas such as transport and telecommunications, or even hospitals. Earlier this year, Theresa May delayed a final decision on the Hinkley Point C nuclear power plant, and anxiety about the involvement of state-backed China General Nuclear was thought to be among the reasons for the delay.
These concerns have been heightened by hacks perpetrated against, among others, semiconductor firms in the US, and suggestions that designs for narrow-body aircraft have also been targeted. Understandably, few people at the Cyber Security Challenge are willing to talk about Hinkley or point the finger at Beijing. But they are clear about the nature of the threat from state-backed groups. Kris McConkey is on the front line of the war against cybercrime. His job is to make life intolerably difficult for hackers.
When the chancellor, Philip Hammond, said the UK must “strike back” against cyberattacks, it was people like Kris he surely had in mind as his infantry. “A lot of cases we get called in to are where organisations find it difficult to deal with [it] themselves,” says McConkey. “A high proportion of those are attributed to state-sponsored groups.”
There may still be a threat, he says, even where the state in question is only involved financially in a sensitive infrastructure project. Companies may try to set up a firewall between sensitive systems and foreign powers, but it does not always work.
“A lot of organisations have tried to do it and a lot of organisations have had their fingers burnt. It’s a very difficult line to walk. For the most part these things end up in some joint endeavour. There’s almost always a people aspect and that’s often where you get an insider placed there to gain information.”
He cites a recent example where a cyber-espionage group had hidden inside a company’s network for two years, helped by a contractor the unnamed firm had hired. So how to stop this? Businesses can pass information to the security services, but they are not legally allowed to “hack back” by launching cyberattacks themselves. But they can at least lay booby-traps to confuse and deter — a concept known as “active defence”.
“One way is to go and hack the bad guys, yes. The other way is to make your network a hostile place for an attacker to break into,” says McConkey. “If you’ve got a burglar coming through your door, you want them to be standing in a house of mirrors, you want them to think there are many more systems than there are.”
That may be easier said than done, but the Cyber Security Challenge is about finding out who has the requisite technical ability, as well as the decision-making and interpersonal skills needed to liaise with businesses facing a threat. Contestants are encouraged to think on their feet and a team of mischievous PwC staff sits on the sidelines, occasionally throwing cyberattacks at the contestants themselves in a bid to trip them up. The atmosphere is tense and the contestants, many barely out of school, are feeling the heat. But despite the technical expertise on show, there is something that does not add up. Of the seven competing teams — all named after famous cryptographers — four honour brilliant women, while 24-year-old Holly Rostill oversees the day’s events in the role of game master.
Lisa, 21, is a fourth-year computer science student and one of only two women competing out of 42 contestants. “This challenge is hard and it’s gradually getting harder. Some of it is more like a whodunnit. You approach it with a technical mindset, but the challenge isn’t necessarily technical.”
“It’s a real-world simulation. If something breaks then the cybercriminals don’t stop. They take advantage, they get you when you’re weak.”
The stark gender imbalance is all the more concerning when the talent pool needs to be as deep as possible. “There’s a horrible dearth of women in this space,” admits Daman.
“Because we haven’t engaged girls and women at school and kept them engaged when they make subject choices, we’ve lost a generation of women.” Lisa, who asked for her surname to be omitted, adds: “It’s well known that the tech industry is short on women, but there’s a lot of work being done to engage women into Stem subjects [science, technology, engineering and maths]. “Maybe it’s a lack of awareness, but it is improving. Girls can do it too, we’re just as good.”
— Guardian News & Media Ltd
