‘Argh!’ The shout of frustration rises above the sound of furiously tapping keys. ‘It feels like we’re so close but then so far away,’ says the middle-aged man hunched over the laptop as his immaculately dressed team mate peers over his shoulder. Then comes a cry from the young woman across the room: ‘Holy crap!’ She may have made a breakthrough but immediately clamps her hand over her mouth, worried she has disturbed the deep concentration of the rest of the team.
This is the UK’s first civilian cyber security camp. As part of a wider industry-driven campaign to promote careers in the sector, 50 participants are spending this weekend at the MoD Defence Academy near Swindon and Glasgow Caledonian University to take part in a series of challenges that will test their hacking skills and show them how they might put those skills to use in a new career.
As with many other areas of the UK’s technological economy, the cyber security sector is facing a skills shortage, both current and impending. So for the fourth year running, a group of private companies, trade bodies, government organisations and universities have come together to run a series of events they hope will attract new talent, which for the first time includes these four-day camps delivered by IT security firm C3IA.
Though the new events have a competitive edge – the participants will be ranked against one another for a place in a national final and the weekend will culminate in an England versus Scotland challenge between the two camps – their primary aim isn’t to find specific new recruits for the organising companies but rather to encourage more people to seriously consider the industry and to give them relevant experience.
‘We’re trying to broaden the talent pool,’ says Nigel Harrison from the board of Cyber Security Challenge UK, the not-for-profit company that runs the events on behalf of nearly 80 sponsors including BT, Microsoft, the Cabinet Office and a host of SMEs. ‘We do get repeat customers but we’ve deliberately targeted people we’ve not seen before who might not have the confidence or don’t think they’ve got the skills to work in the industry.’
It’s an important point. My ignorant idea of cyber security is rows of GCHQ operatives relentlessly fending off attacks from Chinese cyber spies. But after taking part in one of the more basic challenges at the camp, I’ve learned cyber security can often be more about better website design, learning to spot holes and applying problem solving skills to programming. And that the demand for expertise is coming from a range of technology-related companies.
The sector doesn’t need to take the country’s top graduates and put them through months of security service-style training; it needs people who can think laterally and manage risk, with an understanding of how coding works but not necessarily the knowledge to hack into a government mainframe. So companies believe that convincing people they might already have the skills for a cyber security career and giving them a way to build experience for their CV will help create a pipeline of new employees.
Most of the participants at the Swindon camp seem to fall into the categories you might expect: twenty- and thirty-something men with careers or at least degrees in IT who are looking for a new challenge. But they certainly don’t fit the hacker cliché of social outcasts living in their mothers’ basements (and I count only two spotty teenagers among them). And there are plenty of exceptions.
Tasha Godwin left the RAF to have a family and is now studying forensic computing (focusing mostly on data retrieval for organisations such as the police) but likes the idea of moving into cyber security for the private sector. Outgoing and smartly dressed, she’s visibly excited about the day’s events, although she admits she knows little of what to expect and is a bit nervous.
‘I wanted to practice techniques but I was worried about the legalities [of trying to find security flaws in professional websites],’ she says. ‘A military background is very different to this and I need a civilian entrance way. But a lot of companies don’t know about forensics: they just proxy it out.’
After watching the participants battling with encrypted passwords, puzzling over mysterious sound recordings and staring at screens of code that could be taken from The Matrix, I realise this camp isn’t just for anyone who thinks cyber security sounds cool. And it helps if you have the personality that gets a huge kick out of solving puzzles – a thrill that was described to me as ‘addictive’ at several points.
But recent maths graduate James Arden tells me he’s had little formal training in the skills he’s putting to use in the challenge and has instead picked things up largely from the internet or from other events he’s been to. ‘Some of the challenges were very difficult and they’ve highlighted a lot of knowledge gaps for me,’ he says. ‘But we had all the skills we needed within the team. My personal skillset is critical thinking.’
So what can the wider engineering industry learn from the cyber security sector’s attempt to address its skills problem? Firstly it’s a reminder that professional expertise has to build on a certain degree of basic knowledge and existing interest in the field. But it also shows how convincing people they can do something is sometimes as important as making sure they have the right skills.
Giving people a chance to take part in technical activities, even though they might not have much technical knowledge or experience, can help people realise they have other qualities that would be welcomed by the industry. Not everyone can be an engineer and boosting the status of the profession is important, but demystifying what engineers do might also help lure a wider range of candidates.