Deborah Ritchie speaks to Duncan Hine, CEO of the Cyber Security Challenge UK

Cyber crime features among the key risks for 2012. A Symantec estimate puts the cost of e-crime at $388bn a year. With the activities of cyber criminals constantly evolving, keeping up is an unceasing challenge. In November 2011, the UK government unveiled its cyber security strategy, and generally appears at least to be doing more than its European neighbours in tackling cyber crime. But a lack of talent and skill remains an issue, something the Cyber Security Challenge hopes to tackle. Less than two years after its launch, Cyber Security Challenge UK has appointed its first CEO. Duncan Hine was previously head of security, resilience and information assurance for NATS, the organisation responsible for UK air traffic services. One of the most experienced cyber security professionals in the UK, he has also been the board member for integrity and security in the Home Office’s Identity and Passport Service; chief information officer at The Post Office; and a senior director at QinetiQ.

An unprecedented skills shortage in the cyber security profession and a considerable indication of a growing need for such skills pose a significant problem for the Challenge. How do you propose to tackle that?

One thing that we all agree on is that the country does not have enough people who are skilled in cyber security, so the question is: how do we get more? Part of the solution means starting from scratch, including reaching out to younger members of society through career development. While this is a very immature profession, we know in the UK that we have latent capability and lots of hidden talent.

Cyber security seems complex and inaccessible to many people but by offering a better structure, greater access and a lot more opportunity, I believe many more people across the country will quickly realise that they can play a role in securing the UK online. We need to be asking where the people are who could transform into cyber security professionals. Who are they? Where are they now? Are they in IT? That would help, of course; and there is another group in the risk industry, business continuity professionals, because although they might not understand the technical side, they understand the key concepts. Then there is a wider group who are good at the human aspects – psychology, social engineering, counter fraud. The key message from our point of view is that the challenge is the greatest way of helping people make the transition to this vital profession. The Cyber Security Challenge UK and its supporters from industry, government and academia, run a series of national online games and competitions each year to identify new talent that can meet the urgent need to attract more skilled professionals into the cyber security sector. Challenge competitions look for the skills and aptitude that employers require and entrants include sixth form students, undergraduates, post graduates, unemployed and those employed outside of the cyber security industry.

Successful candidates are rewarded with a host of career enabling prizes to help them turn their talent into a future career. Informally, many sponsors and competitors meet up through the process and like one another. The challenges reflect current risk trends, and the evolving nature of that risk means that among the challenges for next year will be social media scenarios.

Thousands of people register online to attempt a challenge... encrypting ciphers, and solving puzzles, searching for malware, and then at the final they involve business oriented challenges. There is a concentration in late school, post graduate age; and there are older people and younger people who show an interest in the challenges. These are people with latent or self-propelled ability, and it’s our goal to help them to advance, to get people working together for the good of the profession, which is a key emphasis of the UK cyber security strategy as outlined by the Cabinet Office.

How is the Challenge funded?

The Challenge is sponsored by OCSIA and GCHQ as part of the government’s strategy and effort to get things moving in the cyber world. We have a small handful of people at the centre, some part time, but the real power of the challenge comes from the sponsor organisations, of which we are heading towards 50 – including HP, Cassidian, Sophos, BT and PwC, for instance. It is they who give us the capacity to mount the challenges, the national final of which takes place in March.

Does the Challenge get involved in policy, regulation or standards debates?

Not at present, but, over time, I think we will see a shift towards this. We are currently focusing solely on the career aspect.

As we connect up larger groups of sponsoring organisations, it becomes possible for us to ask questions like qualifications, monitoring and registering risks in this area.

In the commercial world, there are some very well established processes for managing certain types of risks. Commercial organisations have developed management systems to help them deal with these risks. They know what they are doing. They know what their risk appetite is and how they are dealing with it.

How do you ward against the risk of students using the knowledge for ill? How can they be incentivised to do the right thing, if they are in the ‘at risk’ category?

Whilst knowing how to attack a site is part of the requirement for the defensive responsibilities that make up a career in cyber security, this is only part of what you need to succeed in this industry. I think the real concern is less about accidentally training hackers, and more about young people falling into the world of crime because they are completely unaware that there is a job out there which can utilise their talent, develop them in other areas and earn them a very competitive wage.

Are the efforts of government-backed groups and agencies a strong enough force against the crime, said to be costing some $388bn a year?

You are right to say that the challenge facing those tasked with defending from cyber attacks is significant and will grow even more so in the future. Whilst the people the Challenge will uncover will not solve this issue on their own, the combination of a reinforced army of defenders and the greater public and commercial awareness of the importance of cyber security and safe online practice we hope to raise is a potent one, and I believe the most realistic approach to maintaining our nation’s online security.

This website is a part of Perspective Publishing Limited, registered in England No 2876166.