There's a suspected data breach at ZSB Formulas, a company that makes chemicals such as those used in nerve gases. Clues in the firm's network reveal a plan of Church House, an old building in the shadow of Westminster Abbey. A date is uncovered; a bioattack is imminent, its target the Royal Family.It's entirely fictitious.In light of recent events, organisers of the Cyber Security Challenge UK are anxious to reassure that the "terrorist attack" they've orchestrated bears no resemblance to real-life events. ZSB Formulas is completely fabricated, the people walking around in biohazard suits are play-acting, and no one is really at risk when the countdown clock reaches zero. But the skills candidates will need to beat the challenge are real.
Advertisement
The Challenge on Friday is the latest effort to help identify prospective British cybersecurity experts. Forty-two applicants, from university students to those seeking a career change, are taking part after qualifying through a series of online challenges. After (hopefully) averting the biological weapon, some will walk away from the experience with offers from industry and government to help start a career in the sector, and help to fill in the cybersecurity skills gap in the UK.The attack might be fake, but the challenge raises the issue of a serious lack of capability to cope with real-world cyberattacks. One recent study suggested that by 2020, there will be a shortfall of 1.5 million cybersecurity professionals worldwide.
In a spookily-darkened room in Church House, contestants work in teams named after chemical elements to locate and disarm the fake bio-bomb. Assessors from government agencies such as GCHQ and the National Crime Agency, as well as businesses such as sponsors QinetiQ, track their progress.
Assessor Darren Green is a security principal at Hewlett Packard who works with the Ministry of Defence. He said he was keen to spot new talent at the Challenge. "We know cyber skills are very short in our industry," he said. "If you listen to the Cabinet Office, they'll tell you there's a global shortage of about a million vacancies, so it's important that we try and encourage the best we can into our organisation and develop our own."
Advertisement
For the first time in the Challenge, applicants not only have to fend off the simulated cyberattack, but do so without breaking the law. If they want to do anything that might be considered an offense against regulations such as the Computer Misuse Act or the Regulation of Investigatory Powers Act (RIPA), they have to ask for permission. "Otherwise they could be deemed as being one of the bad guys—this is white hat hacking rather than black hat hacking," said Green. "The technology and the knowhow is very similar, but we work within the law."
At some point a bunch of people in biohazard suits came around and shone lights on people's computers, rather inexplicably accompanied by some military robots from QinetiQ. Budgie Dhanda, head of sales at QinetiQ, echoed the need to address a shortage of cybersecurity skills. "We can't actually meet the needs of our customers at the moment, so we've got to try to increase the number of people who are interested in taking this up as a career," he said.
Twenty-two-year-old Jessica Williams was the only woman to take part in the Masterclass this time. Currently studying computer games programming at De Montfort University in Leicester, she was inspired to take part after doing a year in industry and meeting someone who had got a job through the Challenge. "I love programming, but I'm really interested in cybersecurity—penetration testing and stuff," she said. "The thing is with games programming, you're always going to be a little cog in a big system, whereas in security your personality's very important as well."
The Challenge doesn't just attract white hats. John Blamire of Falanx, a security company which provides security for the Cybersecurity Challenge itself, said the government-backed competition held a certain appeal for more anti-establishment types. "You're effectively asking people to hack competitions, so you're attracting hackers," he said of the online games candidates had to complete to get to this stage. "We've effectively created a global honeypot here."
The Cyber Security Challenge UK says half of its previous participants have ended up at British security employers. It notes that 50 percent of the current applicants are "gamers," a demographic it has recently been trying to attract into the industry to meet that skills deficit. Blamire said the main attribute they were looking for was not necessarily specific technical knowledge, but a general aptitude for problem-solving. "One of the best analysts we found was an amateur magician," he said.