How to Find Cybersecurity Experts? Fake a Massive Cyber Terrorist Attack
The Cyber Security Challenge is the UK's largest ever simulated cyberattack.
Images: Victoria Turk
A cyber terrorist attack is underway in London. Hackers calling themselves Flag Day Associates have infiltrated systems on the HMS Belfast warship. They've taken control of its naval guns and are pointing them at City Hall, on the bank of the River Thames. There's concern they could go on to attack critical infrastructure: a water treatment plant, a smart grid, a chemical waste facility.
Fortunately, this is a drill.
Aboard the ship, a control room of 42 of the country's brightest new security talent works to wrest back control of the weapons and test infrastructure vulnerabilities in what's not actually a real attack but the country's largest cyber terrorism simulation.
This is the final of the UK Cyber Security Challenge, designed by government and industry bodies including GCHQ, the National Crime Agency, BT, and Airbus to promote cybersecurity as a profession.
The action takes place in a dark, low-ceilinged room in the ship, which was decommissioned in 1963 and is now a museum. There's ominous background music, a bunch of lights and numbers projected on the wall, and a 24-style red countdown clock (after which time, presumably, City Hall goes boom).
A GCHQ representative who said I could call him Toby accepted the scenario was "a little bit James Bond-y," but that the general idea was intended to be relatively plausible. "When you actually break it down on a technical level and you start looking at how these hackers got onto the network, how they exploited their way around the network, and the skills we want the candidates to demonstrate—all of these are fairly realistic," he said.
"The scenarios are deliberately designed to be as close to reality as they can be," Robert Nowill, the director of the Challenge, told me. The exact narrative might not be an everyday-type occurrence, "but the fact that you've got people wanting to do something bad—wanting to do something cataclysmic in this case, on a localized basis—that happens."
Today was the first day of the final. This morning, seven teams gathered around laptops to capture "flags" hidden in files that effectively let them progress to the next level of the game. Each flag was some kind of evidence or clue as to who's behind the attack and what they're doing.
"There's a virtual network for each team; they're not interconnected, so they're isolated networks with a replicated environment for each team," explained Karl Smith, BT's head of cybersecurity and part of the technical team behind the challenge. "We're giving them traffic to analyse, we're giving them problems to solve, files to look at, and they do all their analysis within that virtual environment."
The competition is a chance both to inspire participants to pursue a career in cybersecurity, and directly poach talent from the pool of eager participants.
Rob Partridge, head of BT security, said the company is "absolutely" looking to hire people based on their performance in the challenge, a sentiment echoed by the GCHQ rep, who was one of several assessors quietly observing the participants at work.
"This gives a really good vehicle to make that assessment you can't really get from an interview or a CV—actually seeing someone doing it is really valuable," he said. He added that GCHQ's involvement in the challenge goes beyond scouting future employees for themselves—it's in the government's interest, after all, to have improved cybersecurity elsewhere in the UK too.
It's a real concern: there's a cybersecurity skills gap in the UK. In its National Security Strategy, the government identified "hostile attacks upon UK cyber space by other states and large scale cyber crime" as one of the highest risks, and it reported that 81 percent of large corporations experienced a cyber breach in 2014. The Cyber Security Challenge is the most visible effort to attract potential recruits, and part of the broader educational initiatives in the government's Cyber Security Strategy.
All of the government and industry reps I spoke to emphasised the need not only for technical skills but for other qualities such as problem-solving and teamwork. There'll be a team prize as well as an individual winner at the end of the two-day contest, and the prizes will vary depend on people's age and preferences, as most are education- or career-focused. They include things like training courses, membership to professional bodies, and access to industry events.
The participants varied in age and background; some young, others looking for a career change. In her introductory presentation, Cyber Security Challenge CEO Stephanie Daman said there was a "little bit of a mix of gender." Of the 42 participants in the final, one was a woman.
They were naturally pretty busy trying to save the country from imminent attack, but I grabbed a few minutes with 36-year-old Andrew Snowball, who said he was attracted to cybersecurity after seeing recent stories on hacking in the press. He currently works in a non-technical role in IT, and took part in the Challenge as a way to keep his technical skills going and in hopes of moving into the sector. He picked his skills up, he said, using free online resources and learning through the months of challenges leading up to today's final.
As the teams tapped away, a fake newscast flashed up on screens around the room: the cyber threat was feared to have advanced to a physical threat.
Some team members moved into another room of the ship, where Airbus has set up miniature versions of infrastructure facilities. The participants must work to check for vulnerabilities in the systems that the Flag Day Associates might be able to exploit.
Adam Wedgbury, a cybersecurity researcher with Airbus Group Innovations, said the chemical plant was "kind of easy," the water treatment works was medium difficulty (analogous to the systems' real-world security level), and the smart grid was high difficulty, as it used Airbus's own security architecture. "I'm hoping today not to see anyone break into that," he said.
Some vulnerabilities were planted in the corporate-style infrastructure through which the participants could access the systems, but the mock-up industrial environments were essentially left as secure—or notoriously insecure—as they might normally be. Wedgbury said one team had tried to log in to the web interface a few times and the controller crashed—"so that's a massive vulnerability they found that wasn't planted."
Aboard the ship the atmosphere is one of stressful fun, but the simulation brings home the real threat of cyberattacks. More and more systems, from consumer smart home devices to national infrastructure, are being brought online, potentially exposing to them to the kind of threat acted out here (admittedly a little melodramatically) by the imaginary Flag Day Associates.
The Cyber Security Challenge claims at least half of last year's finalists are already in their first cybersecurity jobs, with others in training. This week's challenge might be a game, but it's also the country's future security force in the making.