A cyber-detonated terrorist attack on the UK's critical infrastructure targeting key landmarks in London will be at the heart of the 2015 Cyber Security Challenge UK Masterclass, with some 42 of the country's most talented amateur cyber-defenders seeking to thwart the attack in real time.
Companies supporting what has been described as the ‘largest and most ambitious Challenge event ever' include BT, GCHQ, NCA, Lockheed Martin, Juniper and Airbus Group.
The challenge final is the culmination of almost a year's worth of nationwide competitions to identify new talent for the cyber security profession and address a critical skills shortage that affects government bodies, businesses and citizens alike.
Sarb Sembhi CISM, director, Storm Guidance, commented to SCMagazineUK.com, “It's important to get a variety of backgrounds (coming into the industry). We need to be giving exposure to the demand, and attract more people into the industry who may not have a security background. Past winners have shown that people from all sorts of backgrounds are good candidates. This event lets people without a security background try out in a safe environment and test what they can do and find out what's going on.”
Minister for Cabinet Office, Francis Maude, said in a statement to press: “We are funding the Cyber Security Challenge to help potential experts hone their skills through an exciting and stretching series of scenarios. I would encourage all budding cyber experts to get involved and test their skills.”
Stephanie Daman, CEO, Cyber Security Challenge UK, told SCMagazineUK.com: “We've put together as realistic a scenario as we can.” She added, “This year's finalists will face a Masterclass that will excite and challenge in equal measure. This is the largest collection of cyber-expertise we have ever pulled together to put our candidates through their paces. (For anyone considering entering, from any background) I would definitely encourage them to enter – its enormous fun, its a great career and there are lots more jobs coming up in the sector – what have you got to lose?”
Sembhi went on to note that there would be different groups, with different skills competing, including those coming from the dark side of hacking: “There will be people who know what to look out for because they have been attackers. And also those with a good business background, good decision-making experience and business understanding which not all security people will have.”
While Sembhi recognises some people wouldn't employ a former hacker, he commented to SC: “If we believe in rehabilitation as a society, then depending on circumstances, why would we keep out skilled people and push them to hacking? Black Hat in the US has seen the FBI going in to try and get people with good skills.”
Bob Tarzey, analyst and director, Quocirca Ltd agreed, telling SC: “There is a lot of talent in the criminal fraternity. Banks have already hired former attackers. Criminals often have a better knowledge of how to hack systems.” But he also noted that public bodies like GCHQ may need to up their remuneration to attract former criminals used to higher returns on their efforts.
Robert Partridge, Head of BT Security Academy told SCMagazineUK.com that while he did not know of any instance of recruiting a black hat hacker at BT, and that any staff would need to get security clearance meeting the company's criteria, they would not absolutely disregard such a candidate. He explained that the main reason for sponsoring the challenge was that: “We are making sure the industry in general attracts new blood – we don't feel there is enough coming through. There are a number of reasons, including that its not a widely publicised career option in schools, universities and colleges. The industry demand for skills is growing quickly while the talent pool remains the same size – so we want to raise awareness. Yes, we are interested in participants, but its more about the bigger picture, promoting the profession and show there are really viable exciting careers – and if a bit of theatre, a bit of Hollywood to dramatise the issue with terrorism gets mass media attention, that's good. We've raised the bar in terms of the intellectual challenge, the scenarios, the way they are delivered and what's expected of participants.”
Although the full details will remain top secret right up until the final in March, the Challenge has revealed that the two day competition will focus on investigating and preventing attacks by a fictional cyber-terrorist group, Flag Day Associates, who aim to cause real world damage that could bring physical harm to citizens in central London.
SC asked Daman, why a terrorist attack when there have been no actual cyber-terrorist attacks on infrastructure (unless you include the assumed state attack of Stuxnet)? Daman told SC: “It is an obvious attack vector and while we haven't had things reported using the word terrorist, you could argue that activists defacing websites is included – so we have used terrorist in the widest sense – someone not bound by rules.”
Regarding the scenario of defence from terrorist attacks on what may essentially be critical infrastructure, Tarzey said: ”It's interesting that the focus appears to be on (critical infrastructure) as there is surprisingly little evidence of it having been undertaken by terrorists. It may be that such attacks are not as easy as people might think, or that it's easier to inflict physical damage. Also, critical national infrastructures (CNI) are not always linked up to the internet in a straightforward way. Stuxnet was an incredibly sophisticated piece of malware, and it was very hard to get it in place.”
Nonetheless, Tarzey says: “It is good that Cyber Security Challenenge is addressing CNI – though CNI perhaps needs a broader definition (than utilities) and you could argue that things such as the Tesco supply chain is critical or rephasing of traffic lights is another form of kinetic attack.” Tarzey suggests that the current industry interest in IoT has been hyped up as it is something that is coming, but adds: “While there are security aspects, its' not just about to start on 1st January 2015.”
In the challenge final, the best candidates will face an evolving role playing scenario, comprising both technical challenges and more business-focused risk analysis and policy tasks. Finalists will be asked to show off the potential for a career in cyber-security within a highly pressurised operation room environment by solving the sorts of problems cyber security professionals encounter every day.
Whilst primarily a team based exercise, each of the 42 finalists will also be assessed individually on technical, interpersonal and decision making skills. This will allow a panel of expert judges from across UK industry and government to select winners, including the new Cyber Security Challenge UK champion.
Regarding the non-technical aspects of decision-making, Tarzey comments: “Response policies includes identifying if it's a distraction attack, like a DDoS attack used to disguise a more targeted attack. It will need clear priorities, so you don't drop your focus and concentrate on a general attack when you need to prioritise what is needed to keep going. Priorities depend on the nature of the organisation attacked and the nature of the attack. So an attack on physical assets could come via a focus on disrupting the communications networks rather than Scada systems.”
Daman was keen not to give too much away but did note that: “We'll be testing the same technical skills as always. (However) teamwork will be an important part and they will need to translate the technology to something a non-technical layman would understand, using people skills to do that. There will also be some critical decision making that needs to be made at the right moment, so its also about what would have been described in a business context as resilience and business continuity.”
The winners share of a pot of ‘career enabling prizes' including university bursaries, professional accreditation, access to industry events and professional internships.
Mark Hughes, CEO, BT Security, said in a public statement: “Getting security right and protecting businesses, government and the general public against cyber attacks is vitally important. However, as the UK faces a worrying shortage of cyber security talent, every new reported threat raises our susceptibility to being attacked. As a result it is a critical matter of national security as well as economic prosperity that we ensure the right people are found, trained and ready to take on key roles in the cyber security profession. This is why BT is taking a leading role in developing and running the forthcoming Cyber Security Challenge Masterclass which will be the largest, most exciting and realistic test of new cyber security skills ever run in the UK!"
The challenge is open to anyone of EU nationality, resident in the UK, not currently working as a cyber-security professional. Candidates can register here and prove their skills through an upcoming virtual qualifier competition.