The increasing number of different skills needed in cyber-security was highlighted by two very different but very similar cyber-security competitions held in London this week. Each aimed to increase the number of talented professionals pursuing a career in the world of cyber-security, one targeting the cyber-security policy makers and strategists of the future, and the other targeting hands-on tech warriors - though such warlike descriptions were being eschewed in a bid to increase the diversity of intake.
The reality is, there are adversaries out there who attack us, and we need to deal with them on a practical tech level, and we must do that within a context of informed strategy and appropriate policies.
Cyber 9/12 - Policy and strategy
On Monday and Tuesday, the Atlantic Council had its first London event, Cyber 9/12, held at BT Tower - a student challenge based on the premise that we cannot solve our future cyber-security challenges through technology alone, hence the UK's first cyber policy and strategy competition. At the other end of the spectrum, Wednesday and Thursday saw Cyberthreat 2018, run by Sans, held at the QEII conference centre opposite parliament, specifically to nurture the elite technical skills that are needed to stay at the forefront of this demanding discipline.
Fittingly, both events were supported on a practical level by the NCSC. Paul Chichester, director of operations at the NCSC, spoke at both competitions and told SC Media UK that this support formed part of NCSC's aim to encourage partnerships between public and private sectors and academia to deliver on its mission of making the UK the safest place to conduct business online. He commented how the two events help nurture and grow our national cyber-security capability and that they also showed the breadth of talent and expertise needed to cope with the threats faced.
At Cyber 9/12 Chichester explained that although there are several technical cyber-competitions that are important, these are only part of a wider challenge we face, and that: "A lot of the challenges we are presented with today encompass issues around policy, strategy, communications,” adding that the remit of this event, “resonates with us at NCSC as to how we run major incidents, as it's not just technology as there are usually policy and legal implications." He described the NCSC role in relation to WannaCry as a terrific example of where a big part of the response was about messaging and working with industry. This event was also addressed via video by Margot James MP Minister for Digital and creative industries, further emphasising government support for the initiative.
When it comes to formulating cyber-security policies, its still embryonic and there isn't clear or good enough path in for potential policy makers said Chichester, adding: “We want universities to think more in that space in other disciplines. ...Organisations want that skill set (formulating cyber-strategy) and there has always been a policy career path in government but not in wider industry.”
Chichester emphasised that the sector needs both those with traditional tech backgrounds and those with say an MBA background, but it should be no bar to working in cyber-security if you haven't got a technical background as it is rare to get people with both. Increasingly people specialise and work with partners, he said, adding: “In the NCSC we have really well developed experts in their fields who bring their knowledge and expertise - we have found those with a policy background can understand the relevant parts of cyber. It's about the team you build and the organisations you are running, understanding the sector tech and the wider policy side... effective leader development,” of the individuals that make up the team around you, adding that any CISO or leadership role needs a variety of expertise.
Peter Cooper, director of Cyber 9/12 UK explained the competition itself (which was underway, thus full details not revealed); the teams were effectively playing the role of advisor to the Prime-Minister's advisor. Scenarios entailed the start of a cyber-attack on an overseas allied nation, thus what is your advice? Come up with options, technical policy, strategy and what advice do you give as to what to do, then if spreads to impact the UK, what now, and the scenario evolves.
Teams were mostly selected from Universities included in the Academic Centres of Excellence in Cyber Security Research (ACE-CSR). All UK countries were represented, and a range of disciplines including computer studies, but also much wider such as legal and humanities subjects, to provide different perspectives and attract people who might not normally consider cyber as a specialisation - but the drive was also to get a more diverse range of students. There was also a law enforcement team with people from Europol and the NCA, and an MOD team with RAF, army, navy and civil service - and while these were not technically students, they were junior teams, eg six months in the MOD or new to cyber.
The make-up of the teams themselves varied, with some more weighted to tech or to policy. For example the team from Aberystwyth university were all International Politics masters students, while the Oxford Brookes team were IT & Technology Management and Computer Science, while Queen's Belfast, Centre for Secure Information technologies combined tech and policy, and Bournemouth students were studying cyber security management, while the MOD team included a pilot wanting to get into cyber.
Some participants were surprised how quick advice conclusions and presentations were needed (20 minutes), that the technical explanation was often not required, just what the decision maker needed to know to decide what to do next. But the point was that it should be a learning experience in which participants are willing to learn and ask ‘stupid' questions of each other
Cooper, a former Air Force pilot who has worked on air, land, sea integration between military forces said how you can have great technology but without great policy and strategy its going nowhere. “You wouldn't staff an airline entirely with pilots - you still need leadership and management, so you can have people who are great at tech, but you still need policy, strategy, communications, international relations, diplomacy and statecraft - and you need to bring the two camps together.”
Also, with so few people with the tech skills, Cooper suggest we should not be so picky about background if you have the right skills in other areas and a passion for the role. But if the policy is not linked to the technology, that also causes problems so its necessary to have multi-disciplinary teams that straddle both camps and are able to work together.
Unfortunately, some of the universities invited to participate didn't get it. “Some said, ‘that's policy and strategy, we don't do that. We just do tech.” But the aim of this competition was to contextualise the tech within geopolitics and international relations.
Cooper noted that the young talent was needed quickly as, “Some of the tech is moving so fast that by time a CISO may have moved on they can be at risk of not listening to junior tech team and doing things how they used to be done. As long as they listen and are educated enough to ask the right questions that can be overcome.”
For both tech and non-tech participants, the key is to be able to understand the problem enough to describe it, and to be able to contextualise it enough to be able to make good decisions. You need to speak to the people with the right knowledge, working together to come up with best joint blended solution. We need policy and strategy people working in cyber because when it was first pitched to strategy there wasn't the talent to make great decisions says Cooper, adding, “It's about working as a team.”
He also commented, “The proportion of people out there interested in cyber-security is higher than we think, but there is a perception, ‘I can't code or hack so I can't get in there.' But you can't be expert in everything; we need blended skills, ability to contextualise these scenarios, and work with tech friends and use your policy background to suggest what you can do. Great cyber tech solutions will die a death without great policy and strategy and vice versa.”
Summing up the rationale of the event, Cooper concluded: “If you get a tech attack, its bad but learning lessons about what's out there, and the indications of what is down the road have always been there. We need answers in all areas, not just talk but we need actions and agreement between multiple stakeholders. And we need to understand how will our adversaries perceive this? We can't keep being surprised at what our adversaries are doing."
Cyberthreat 2018, heavy tech and elite hacking
In another part of London the heavy tech was underway at the Sans event with teams ranging from The Breachy Boys and Red Hot Chili Packets to Fleetwood Hack, Stack Sabbath and One Redirection, as well as individual players among the 270 contestants competing to capture the flag, needing to hack their own delegate badges along the way.
SC Media UK spoke to organiser James Lyne, head of R&D at SANS Institute, and again caught up with Paul Chichester.
Lyne explained how the rationale of the Sans event was to overcome the fact that as a researcher, he'd consistently found it needed long flights to the US to get the types of conference that provided hands on exercises that got deep into the core of the subject. And so it struck him that to get to the next generation and foster a community of practitioners in UK, to building links and help them to push to the next level of skills, it was necessary to target the doers and present them with and agenda that combined development skills and great deal of fun. “And so far that's what we appear to be doing,” said Lyne, noting how many of the audience had their laptops out from the off, raring to participate.
Chichester agreed, saying, "Where does talent go to? Its always going overseas. We've got prolific bug hunters such as today's keynote David Litchfiled going overseas, and we want that talent in the UK.”
Hence the need to create place in the UK where talent can come and learn, and build a community. He added, “We hope people will keep in touch and collaborate. No one individually has got all the solutions, so being able to work in a collaborative way is essential and we need to create a community as the long term legacy.”
As to target audience, it is a wide spectrum. “We'd like to increase diversity more,” commented Chichester, acknowledging that this was a more typical male-centric cyber event than the policy and strategy event had been. But work was underway to attract the unsung heros doing tech work around the UK, seeking to bring in hobbyists with huge potential and academics, tying-up with cyber-first, and a cyber-schools initiative to bring in the next generation of talent. Extensive social media contact was the other route as, “You can't meet everyone.”
Lyne and Chichester agreed that there is a much bigger community, talent is out there, and the challenge was to create that pipeline, with Lyne explaining. “We want to go beyond our current audience. IT generally, and cyber especially has a diversity issue, particularly on gender, and particularly hands-on tech, ...and we are committed to solving that. Part of the answer comes with building the profile of this event, and having women on that stage, and we want more here.
“Beyond that, it's fixing in a sequential way, bringing in the next generation with the schools programme; thousands of young women are in that programme now demonstrating the right aptitude and skills so we are working to build the bottom of the pyramid.”
Chichester referred back to the Girls schools competition, saying how the organisation keeps in touch with finalists from last year, and citing the four girls, saying all wanted to do something different, with one determined to be a pen tester, but others pursuing different approaches - because there are some amazing opportunities, adding, “We've got a place for you regardless of your background.”
“There's not another event in UK like this, doing this with the community, and its a massive positive vibe, with loads more ideas coming out for version two. We want to build on it and see a lot of these faces in the next event, as well as driving on the diversity agenda with increased scale and ambition,” said Lyne.
This would include more of same, where the focus is on real things happening in industry to keep it bleeding edge. Lyne added that there had been a lot of input from the NCSC, helping to sharpen the ‘capture the flag' competition including a spectrum of things from those that you could run into in an office, to things we have not seen actors do, challenging people into thinking about what could happen next, which is deeply relevant to the current threat landscape.
“We collaborated on the programme from day one and had some amazing ideas, and tried to bring them to the scenario, led by private sector depth of experience,” with some options proving viable and others not. The challenges span over forensic, mobile, crypto-challenges, binary software bugs, some at the harder end of the spectrum too, with a good sampling of each major security discipline, and more detail will be posted after the event. Participants attend to learn by doing, but it can be frustrating to not know why it didn't work, so to ensure they understand where they got stuck, there will be a set of ‘spoilers' made available after the event, explaining how to solve them to sharpen skills for next time.
Talking about the difference between the two events and their complementary nature it was suggested that we need joined-up thinking to get these communities growing together and it was even tentatively speculated that maybe next year, it might be possible to link to Cyber UK and work across the communities.