War games bring hackers in from cold as cybersecurity threat grows
A major shipping company is under attack. With help from a corrupt executive, an international hacking syndicate called Scorpius, has penetrated the computer networks of Fast Freight Ltd. The hackers have taken control of servers and compromised the systems that control Fast Freight's vessels and its portside machinery. The company's cybersecurity consultants have 48 hours to uncover the breach and repulse the attackers before they cripple Fast Freight's business and cause serious economic damage.
It sounds like the plot for a blockbuster thriller. But this was the fictional scenario 42 budding computer security experts faced at the annual UK Cyber Security Challenge competition earlier this week in London.
With demand for cybersecurity expertise exploding, but qualified people in short supply, war-gaming competitions like this have become key recruiting grounds for companies and government security agencies.
"We want to find untapped talent to fill roles in our own operation and in the industry as a whole," said Rob Partridge, BT's head of commercial development for penetration testing.
BT is one of a half-dozen companies, including Airbus, Cisco Systems and smaller, specialist cybersecurity firms Darktrace and CheckPoint Software Technologies, that sponsored this year's Challenge competition. The UK's National Crime Agency, the Bank of England and law firm 4 Pump Court also supported the competition.
Partridge also said he hopes the competition will help raise the profile of cybersecurity as a profession, encouraging more students to pursue a career in the field. There are about one million unfilled cybersecurity jobs globally, according to an estimate from Cisco. And computer security firm Symantec forecasts that the number of positions will grow to 1.5 million by 2019. In the UK, advertised cybersecurity roles exceed interested candidates by about 3 to 1, according to online recruitment site Indeed.
It's this gap that Cyber Security Challenge UK, a non-profit organisation set up by the British government with support from corporations and universities, is supposed to help fill. The group runs a series of online games that allow amateur cybersleuths and white-hat hackers to test their skills. Those who score well online are invited to a series of regional, in-person competitions. The top performers at these events are then invited to the annual three-day masterclass and team-based competition where they face a realistic scenario created by experts from the sponsoring companies.
About 70pc of finalists wind up being hired for cybersecurity jobs within 12 months, Nigel Harrison, co-founder and acting CEO of Cyber Security Challenge, said.
The challenge began in 2010, amid growing concern about the cyberwarfare capabilities of other countries, including China and Russia, Harrison said. It was loosely modelled on similar events in the US, such as those run by the US Department of Energy's National Laboratories and the US Department of Homeland Security.
This year's competition focused on potential cyberattacks on the shipping industry largely because it was held at Trinity House, a Georgian building that houses a 500-year-old charity empowered by the British government to maintain lighthouses and other aids to maritime navigation, Harrison said. But he added that ports and shipping are important components of critical national infrastructure which are increasingly targeted by hackers.
AP Moller-Maersk, one of the world's largest shipping companies, posted a third-quarter-loss after having its business disrupted by a cyberattack last summer.
As Sophia McCall's team struggled to repel attackers who had compromised five of its six computers, forcing the group to work on one machine, the 19-year-old student from Bournemouth University said the competition was the toughest she's ever participated in. "It's good but it's definitely been really challenging," she said.
McCall said she normally practises hacking networks, not defending them and was finding that defending was teaching her to think differently.
"But it is good to be on the flip side and see what that is like."
The push for realism also extended to requiring the competing teams to brief the board of the fictional shipping company on their investigation. They also had to present forensic evidence and the competition organisers brought in actual UK trial lawyers in their wigs and gowns to grill the competitors.
"It's not just about technical skills," Jones said. "We need people with business knowledge too, and presentation skills. It even reaches into psychology, since human factors are one of the major vulnerabilities in any network."
Jess Williams, now a cybersecurity technical consultant at BT, was talent-spotted at the competition in 2015, when she was a computer game design student. She advanced all the way through the finals, where she caught the attention of BT, which offered her a job. This year, Williams returned to help run the competition.