During the first Gulf War, media outlets reported that US spies had installed a computer virus on a printer on its way to Iraq. The plan was for the virus to infiltrate the Iraqi forces’ computer network, where it would cause anti-aircraft guns to malfunction.
This futuristic cyber weapon’s name was something of a giveaway, though: AF/91, short for April Fool’s 1991. The virus did not exist – it was the product of a mischievous technology journalist’s imagination.
Cyber warfare has become a more concrete phenomenon since then. In 2007, Estonian authorities accused their Russian counterparts of using denial-of-service attacks on government websites. Soon after, the Indian government complained of near daily assaults on its computer networks from China.
And last year, the appearance of the Stuxnet worm at Iranian nuclear facilities seemed to shock world governments into taking cyber security very seriously.
In October 2010, the UK government raised the potential threat posed by a cyber attack to a ‘Tier 1’ security risk, ranking it alongside international terrorism, and allocated £650 million to a cyber defence fund.
But what can a government buy to defend its nation from cyber attack? There is plenty of kit on the market, of course, but like all military hardware it is useless without trained personnel to use it.
Businesses in the UK have long been aware of the country’s lack of skilled IT security professionals. With the stakes apparently escalating, it is now becoming a national security issue.
Plugging the skills deficit
According to recent research by the SANS Institute, more than 90% of IT employers in the UK are struggling to recruit staff to security roles. Worryingly, it also showed that about 60% of the same employers expected the problem to worsen over the next five years.
Kevin Streater, executive director of IT at the Open University, believes that the reason for the security skills shortfall is the way in which the topic is taught in the UK. He says that the country’s academic and educational institutions are failing to provide students with adequate expertise, and proposes a root and branch review.
Streater says that information security professionals are in high demand among employers, but that what is taught in British colleges and universities focuses disproportionately on core programming and development skills. “The education has really stayed with a very core set of knowledge, such as the principles of programming,” he explains. “It’s driven by a set of academic benchmarks, and these haven’t really developed.”
Streater believes that the current state of computing education in the UK is a hangover from the IT industry of the mid-to-late 1990s. At the time, large numbers of graduates skilled in application development were needed in anticipation of the Y2K bug. “Everyone needed to be in coding jobs or developers because people were required to re-code all the applications,” he recalls.
Reforming the way in which computer science and information security are taught involves a cumbersome process, Streater believes. Schools, colleges and universities currently base their curricula on a set of education benchmarks set by the Quality Assurance Agency for Higher Education.
“There’s very little [related to security] in there, so universities don’t have to include it,” says Streater. He adds that IT security employers must take more responsibility in lobbying organisations such as QAA and ICT training body e-skills UK to include security-focused benchmarks.
Streater observes that as critical infrastructure becomes increasingly connected with cyberspace, the shortfall in expertise for defending these networks will only widen. “There is such a need to protect national assets, but there is nobody coming through to fill those gaps,” Streater observes. “There is no pipeline.”
Background knowledge
It would be a fallacy to suggest that this pipeline must necessarily come from computing and computer science disciplines, however.
Subjects including mathematics, physics and electrical engineering have natural affinities with information security principles. Cryptography, for example, is a key tenet of modern IT security practice, and is used to secure everything from data packets travelling across a network to credit cards. As a discipline, its basis is in pure maths, and its history stretches back to ancient Greece.
James Lyne, a senior technologist at Oxford-based IT security provider Sophos, says that vendors are employing security professionals from diverse educational backgrounds. “There’s such a wide range of roles in security that people can come from different backgrounds and slot in,” he explains. “We have people [at Sophos] who are physicists and biologists; one person was even a chef.”
He adds that an educational background in computing or mathematics “helps”, but more important is “a passion for understanding how this stuff works, as well as determination and an inquisitive mind.”
“If we limited ourselves to people with conventional qualifications, we wouldn’t be in business,” he claims.
Lyne echoes the argument that academia is too slow in matching the requirements of the security industry. “In cyber security we’re dealing with a pace of change that conventional academia can’t hope to keep up with. Cyber criminals change tack on a minute-by-minute basis, not year-by-year,” he believes. “The conventional training paths aren’t really producing what we need.”
Sophos’s approach to recruitment, Lyne explains, is to spend a year training employees using practical exercises.
Lyne says that his own entrance into IT security was down to “luck”, and is by no means atypical. Lyne recalls that he was “one of these kids who knew a bit about IT” during school, but had never considered IT, let alone information security, as a serious career path. “At no point in my academic career did anyone turn around and say to me, ‘Have you ever thought about security as a path?’” he says. His first experience in the industry came after a teacher’s husband, who worked at a defence contractor, asked him to help out at weekends.
Lyne accepts though that the security industry’s current approach to hiring is not particularly efficient, and that part of the blame for this lies with employers, who he says are not doing enough to market the profession. “There are lots of people who could be excellent cyber security professionals, but they’re not even getting the sales pitch on why security is an interesting profession they should pursue.”
In order to better advertise the profession, the UK’s security industry aligned with academia and government for the Cyber Security Challenge event, hosted in early 2011. Organisers included the Cabinet Office, the Open University and University College London, as well as vendors such as Sophos.
Throughout the competition’s duration, entrants were set a range of IT security-themed challenges, such as defending simulated home and office networks from cyber attackers in real time. Competitors ranged from secondary-school nerds to university drop-outs and 30-something hobbyists (see box).
The organisers insist that the competition serves to publicise the dearth of security talent in the UK. “The UK has a skills shortage in cyber security,” said the competition’s director, Judy Baker, during a press event in January 2011. “We need to be exciting and inspiring people, and helping put them through to these careers.” More than 4,000 people entered the competition, organisers say.
The Cyber Security Challenge bore out James Lyne’s assertion that a computing, or even technical, background is not a prerequisite for entering the security business. The Challenge’s overall winner, Dan Summers, is a former postman. Paul Laverack, who won one of the earlier stages of the competition, earns his crust as an actor in TV soap operas.
Laverack had no background in IT before entering the Challenge. He says his expertise in the field is the product of his own curiosity and the breadth of information available on the Internet.
The Challenge’s organisers say the competition is about bolstering the pipeline of IT security talent specifically in the UK, and so restricted entry to British passport holders. Sceptics might argue that this also helped avoid the embarrassment of the competition being dominated by entrants from abroad.
Us against them
Whether or not the UK can afford to hold on to its global military standing is a matter of ongoing political debate. But in cyber security, the country pales in comparison to the likes of China, the US and Russia.
Kaspersky Lab is a Russian vendor of enterprise-grade IT security software, which, despite doing most of its business abroad, has kept its headquarters and main security research facilities in Moscow.
Eugene Kaspersky, the company’s founder and CEO, says that remaining in Russia has given his company access to skills and talent that would not be available in the US or other parts of Europe. Kaspersky himself is a product of the highly technical education system that is Russia’s legacy from the Soviet era.
He believes that even the UK’s most prestigious academic environments are failing to incubate enough skilled security professionals. “Oxford doesn’t have enough engineers, and neither does Cambridge,” he insists. “There aren’t enough engineers in the UK – that is the reality.”
This is a familiar diagnosis – commentators often point to the UK’s education system as the root of its technological shortcomings.
At least in the case of cyber security, both government and industry are doing something about those shortcomings. The £650 million cyber security fund promises an as yet undetailed education scheme and the Cyber Security Challenge aims to engage youngsters and hobbyists with the industry.
And more broadly, the UK government is making encouraging noises when it comes to meeting the cyber security threat.
“We are entering an age of uncertainty,” it said in its National Security Strategy, published in October 2010. “As a government, we have inherited a defence and security structure that is woefully unsuitable for the world we live in today. We are determined to learn from those mistakes and make the changes needed.”
Unfit education
Modern IT and computing lessons leave youngsters bored and uninformed, at least according to some of the entrants in this year’s Cyber Security Challenge.
At a press event held to mark the final of the Challenge, entrants recounted how their secondary school and college educations provided little impetus for pursuing a career in information security.
Tim Dobson, a 20-year-old university student, does not remember his IT A-level course fondly. “In one lesson, our teacher asked us how to find the YouTube website,” he recalled.
Dobson added that he had always been interested in pursuing an IT career, but it “would have helped if the course was not such a failure”. He dropped out of his course before completing it.
Alexander McDonald, 25, who recently completed a computer science degree at King’s College London, says that his course “focused too hard on technologies like Java programming”.
“That specifically is dangerous,” he said. “There’s no point learning a language if the [popular programming] language is going to change.”