Risk and reward: The UK’s cyber-crime tsar believes companies should hire able programmers before they use their skills elsewhere.
It seems with each passing month to another big name is added to the growing number of organisations that have been subject to major attacks.
Last month, it was revealed that hackers gained ‘full functional control’ to mission-critical systems at NASA’s Jet Propulsion Lab, according to inspector-general Paul Martin in a report to Congress.
That followed BAE Systems admitting that computers used by engineers working on the F-35 fighter jet programme had previously been hacked, potentially compromising design and systems data.
It should come as no surprise then that engineering companies are vulnerable, both in terms of their intellectual property and their physical infrastructure (as the Stuxnet code that crippled Iran’s nuclear centrifuges in 2010 attested).
The question is what to do about it. For a sector that is notoriously technical and opaque, the solution is quaintly organic: people. Lone hackers have proved they can get into systems with little in the way of resources. The industry must therefore make sure it recruits these people before they are tempted to use their skills in altogether more sinister outlets.
That is the basic rationale behind the Cyber Security Challenge (CSC) – an initiative with some powerful backers, including Lockheed Martin, Qinetiq, HP Labs, Northrop Grumman, Cassidian, GCHQ, PWC and the UK government.
The not-for-profit company is headed up by Judy Baker, who previously helped set up the Centre for the Protection of National Infrastructure (CPNI), a government department advising on protection from electronic attack.
It all started in 2011 with a series of competitions open to any amateur cyber enthusiasts not currently working in the industry.
Students obviously feature heavily among the entrants, but the first overall winner, Dan Summers, was a working as a postman in Wakefield when he took part.
A number of top cyber-security professionals from some of the sponsor companies write the challenges, free of charge, as value-added time.
One of the competitions – dubbed ‘Secure and Control’ and designed by (ISC)2 and Qinetiq – asks candidates how to ensure the security of programmes that operate security cameras, open pipes, dams or even security gates.
‘When we started off, we thought we’ll run some competitions, we’ll excite and inspire some people through,’ said Baker. ‘But then it became very clear to us that we needed to do more than just run competitions.’
Surveying its own candidates, it found that 80-90 per cent with an interest and skill set in cyber security knew little or nothing about
learning opportunities through the private sector or university and little or nothing about jobs in cyber security or how to get one.
This contrasted with a survey by the SANS Institute, in which 90 per cent of companies said they couldn’t staff to the level of cyber skills they wanted and 60 per cent said they were going to need more people in cyber security jobs over the next five years.
‘It maps right the way back – it’s not there at school; it’s not there in careers sections. Universities have got spaces on their courses. Why have they got spaces on their courses? Well would you go for a course there if you didn’t know what the subject was and you didn’t know what the jobs were at the other end?’
Clearly there are parallels with traditional engineering in terms of skills gaps and the quality of graduates, but there are also wider issues about public perceptions.
‘Most people want to get onto their computer and do whatever they want to do. They don’t want to know anything about its internal workings. They don’t want to have anything to do with security – it’s just a bore.’
Speaking to candidates at the some of the award ceremonies, what appealed most to them about cyber security was the creative aspect.
While the impression of cyber security might simply be geeks number crunching and trying to crack passwords, most solutions actually require completely innovative thinking.
It’s not just about computer code but appreciating that systems have many different levels of vulnerability, both technological and human, and that a holistic approach is often the best way to secure them.
In terms of cyber security for companies and individuals, Baker also believes that manufacturers have a lot of catching up to do.
‘You don’t buy the car with a seatbelt in a bag and the bumper in another bag and be expected to fit them technically accurately – it’s a bit like that still in the wild west of the computer world,’ she said.
‘That’s not abdicating responsibility for the end user either, because we actually need to get the education to people from a very young age, just as when you learn to use other comparatively dangerous things in life. We don’t give people flame tools and not teach them how to wield them appropriately.’
We actually need to get the education to people from a very young age
Baker also has a rather bullish attitude about what she see as the flawed and disjointed philosophies of so-called ‘hacktivist’ groups who target corporations and institutions in the name of anti-corruption and anti-secrecy.
‘We’re all delighted by the Arab Spring and we want freedom and freedom of choice, but we don’t necessarily want to understand that actually real freedom is underpinned by security,’ she said.
Judy Baker, Director, Cyber Security Challenge
Late 2000-February 2007 National Infrastructure Security Coordination Centre (NISCC). Established NISCC as a new government department advising on protection from electronic attack. During that time, NISCC grew from three to 70 staff.
February 2007 – June 2008
Centre for the Protection of National Infrastructure (CPNI). One of the small senior management team that created CPNI to provide holistic protective secure advice. Took responsibility for strategy and policy. The National Infrastructure Security Coordination Centre (NISCC) merged into CPNI.
Director, wCyber Security Challenge
Do you think that businesses in the UK still underestimate the importance of cyber security, particularly engineering companies and manufacturers dealing in the physical world?
Physical processes that in the past were controlled directly by people and levers are now controlled by process control systems such as SCADA and are interconnected to business networks. This has meant that engineering and manufacturing companies have had to master cyber in addition to physical and personnel security issues in new, as well as traditional, parts of their businesses.
The protection of services from disruption may also be vital, not only to the company’s business but to the nation. In many cases, the services are part of the UK’s Critical National Infrastructure. And of course the research and other intellectual property that these companies often own has substantial valueand is commonly sought by attackers from criminal and other threat groups.
Clearly, the importance of cyber security has grown and companies are working hard to manage all these new issues. To do this effectively, they need to have the right talented people in place.
What makes a perfect cyber security candidate?
While the traditional view of what makes a cyber security person – a flair and passion for technology – is still much in demand, there is a need for many other skills as well and not everyone will be deeply technical. We need people who work well in teams, are leaders, understand business impact and can communicate technical messages so that hard-to-reach audiences ‘get it’ and see why it matters. What the most successful seem to have in common is a need to solve problems, an ability to think outside ofthe box and flexibility to deal with the rapid rate of change.
Why would you encourage someone to get into the cyber security industry?
Existing professionals told us in a SANS Institute survey that the jobs are well paid, very enjoyable and important. Top that with the fact that it is under-resourced and part of a sector where the number of jobs is growing. If you are good enough, why wouldn’t you aspire to a job like that? This is one of the most exciting professions. Importantly, there is a huge variety of roles you can take up, from technical to far more strategic and business focused, and the opportunities to move around or specialise in one particular area are there for you to take. In difficult times, especially for young people and graduates, where unemployment figures are so high, this is an industry crying out for more talented people.