This weekend saw nine teams of three battle it out in a mock cyber attack in London, as they tried to progress to the finals of this year’s Cyber Security Challenge.
For the ten individuals who made it through to the Masterclass this November, it marked a huge personal victory that will certainly boost each contestant’s CV. But for the UK as a whole, it marked a small but important step in tackling the chronic skills shortage that affects the cyber security industry.
Skills shortage
“It’s about trying to encourage people to come in who are not already cyber security professionals,” Bob Nowill, chairman of the Cyber Security Challenge UK, said.
“We’ve all seen the headlines about the skills gap in the STEM subjects – Science, Technology, Engineering, Maths – and in cyber security in particular. However you count the number, either in the world or in the UK, it is a big number.
“The gaps are there, the salaries are good, the job interest is high, the sort of public or private sector jobs you can get are with some of the biggest names, as well as some of the niche companies.”
The challenge pits people against the clock after having completed online tests and games that qualified them for the ‘Face-to-Face’ round. Arranged in randomized groups of three, teams must overcome a series of challenges while assessors watch and grade them, scoring them both as a team, and as individuals.
Initially, teams must work out what has happened, if there’s been a breach, whether any data has been lost, etc. A side challenge involves trying to intercept some communications while a countdown clock is ticking.
“You get given a bunch of core competencies that you see demonstrated over the day, and you basically just need to gauge the level of each of the contestants in each of the areas,” said ‘Locard’, an assessor who was previously a contestant, making it to last year’s Masterclass before getting a job at defense contractor Raytheon.
“They try to rank it against the Skills Framework for the Information Age (SFIA) system. You’re only seeing a very limited snapshot of someone, but we try to make it as realistic as possible.”
Locard sees the challenge as a way to entice those talented with computers, no matter their background: “One thing that I think most hackers agree upon is that they all like a challenge, and it’s a really engaging challenge. The thing you’re seeing today, it’s a really nicely put together puzzle. It’s difficult to find a safe place to play, as it were.”
These safe places have the double benefit of not only drawing in people who would not otherwise have been active in the cyber field, but also drawing people away from more nefarious actions. “A lot of people have been convicted over the Computer Misuse Act, and from what we can see, they’re amateurs, they’re kids, who are just curious,” Locard said.
“If we had more safe places to play in, this wouldn’t happen, we wouldn’t have to put them in prison and stuff. They’re not trying to cause damage, they’re just curious about how things work.”
Oscar O’Connor, Head of Assessment for the CSC, said: “Ultimately these guys end up being ethical hackers, we hope. What they do is illegal, unless they have permission. So one of the big criteria we ask for is ‘do they ask for permission to do what they’re going to do?’”
This message did not fully resonate with everyone in attendance, with one team committing an egregious error. “So the bollocking I am about to do is over a public WiFi, which one of the teams has accessed and started sniffing to see who is on it,” O’Connor said.
“That’s illegal. We could actually bring in the police and have them arrested for doing that kind of thing, but they score minus two out of five for ethics.”
Instead of an overeagerness to check out someone else’s Internet, O’Connor said that “we’re looking for analytical skills and for creativity, because the bad guys never think in straight lines. You’ve got to put yourself in the mind of the bad guy, but while the bad guy works one way down the killchain, with a problem that might have taken a year to create, and you have to do the reverse in a much shorter time.”
While the challenge sounds hard, people have risen to meet it. “Some of the people we’ve seen are bona fide geniuses. To be able to think in code is kind of weird, but some of them can do that. They look at a problem and instinctively go about knowing how to crack it. I don’t know how they do it, but it’s extraordinary. Because they are dedicated amateurs and not professionals, they haven’t been corporatized, they all think slightly differently, they use their creativity.”
One of the contestants was Andy Snowball, who has been doing the challenges online since about 2014. This is the fourth or fifth face-to-face round he has attended. Snowball said: “They’ve all been completely different, so you learn something new each time you come along as well.”
His team, the Red Team, went on to win the team competition. The individual prize went to Lisa, who asked for her surname to remain anonymous due to her sensitive career path. She said: “I feel fantastic, it’s been a brilliant experience and everyone involved because they did a fantastic job. I love the variety of activities and I’ve learned a lot of new skills, and hopefully I will learn a lot more at Masterclass.”
The event was held at the London offices of BAE Systems, the multinational defense, security and aerospace company who sponsored the event and designed the challenge.
Kayla Garland, technical project manager for BAE, told DCD: “We paired up with co-sponsor Her Majesty’s Government Communications Centre to come up with something that we thought would be a challenge to people who were hoping to join this profession. Obviously there is a massive skills shortage, and to get people involved in cyber and experience a bit more of the defensive side of things, which is what this game is oriented around is a really good way of getting people into the industry, hopefully.
“This area as a whole, cyber is the buzzword around and what we’re trying to do is defend and protect and it’s an interesting area for people to come into. This is a perfect example, you can see everybody and how they’re working, and BAE should be a really good place for that.”
She continued: “The whole point of the CSC is that it’s people that want to get into this industry, but might not know how to, or they’re hobbyists and they’re trying to enter the industry from a different area. We’re not asking everybody to do your computer science degree. What we want is people interested, with an analytical mindset that want to join a business such as BAE to do the stuff they actually have a passion for, and that’s what we really want – people who are passionate for what they do.”
But the CSC is just the start to tackling the shortage, Nowill said. “That whole challenge is wider than us, wider than the CSC, and is a governmental priority. Obviously the Department of Culture, Media and Sport and Department for Education are pushing forward on the big stage, of which we are a piece of the jigsaw.”
“There have been some shift of personalities in government due to Brexit, but the general direction for cyber security was set previously, which is why we expect the release of the new UK cyber security strategy – which was a little bit delayed because of the vote – this Autumn.”
He added: “Coupled with other initiatives that the government set out before Brexit, such as the creation of the National Cyber Security Centre and these things are showing a demonstrable commitment to pushing forward in this area and investing significant funding behind it.”
But in addition to the overall skills problem, a greater issue lies in diversity. “Gender diversity in STEM, and cyber security in particular, is not great. It’s certainly not 50 percent. Contestants here, we have a much smaller number of women than men. In terms of doing something about that, it will take some time,” Nowill said.
Garland believes that while this is true, things are heading in the right direction: “I think five years ago, we weren’t seeing anywhere near this level of recruitment. There are people who are becoming more and more aware of this industry.
“Definitely for women, we’ve got a couple here, and it’s definitely good to see that they’re hearing about this sort of thing. Personally, I go into schools and try to raise the awareness of cyber and technology and computer science and things like that, and this is a perfect example – in 10 years’ time, they might be competing here in the future.”