Threat Intelligence
2/2/2017
12:00 PM
Mark Flegg
Commentary

A Hogwarts For Cyber Protection?

How the UK is minting a new generation of cybersecurity wizards.

Never let it be said that the British don't do things with style. In the years leading to World War II, they recognized the need to break enemy codes, and ran crossword puzzle contests to find recruits for their ultra-secret Government Code & Cipher School—also known as GC&CS, or Bletchley Park.

The resultant genius of codebreakers such as Alan Turing is believed to have shortened the war by two to four years, and to have assured its outcome. Surely the mystique of Bletchley Park led to the smooth, sophisticated 007 spy-hero archetype—as many of Bletchley Park’s cryptanalysts came from Oxford and Cambridge.

Now there is a new war underway, and the British have been among the first to recognize it: they’ve taken the threat of cybercrime and online infringements seriously, and began a government-supported campaign to protect the online rights of normal citizens while America was still revelling in the unbridled, wild west freedom of the Internet. The British have a National Museum of Computing and, as the modern-day equivalent of the crossword puzzle contest, a set of competitions called Cyber Security Challenge UK that presumably function as high-level testing and recruitment tools.

Now they’ve established a new school of cybersecurity wizardry — the National College of Cybersecurity is slated to open its doors — where else? — at historic Bletchley Park. This investment in the UK’s defense against cyber risks is good news, and represents a collaborative effort between the industry and government in facing the challenge of skill shortages.

Image Credit: Ingus Kruklitis via Shutterstock

The National College of Cybersecurity also seems to be taking a smart approach to recruiting a student body by accepting the most gifted 16- to 19-year-olds, selected through aptitude testing or on the basis of their technology skills, rather than academic qualifications. Alastair MacWilson, chairman of the Institute of Information Security Professionals and also of the non-profit group Qufaro, which is setting up the new college at Bletchley Park, has said that this is a way to tap into critical talent that the UK otherwise risks losing. Smart.

Unfortunately, it’s not enough. For businesses in particular, the scale and immediacy of the cybercrime challenge are so great that not even a new generation of Bletchley code breakers can be expected to crack it alone.

And, as it so often goes with technology, the timing isn’t fast enough. The new college won’t see its first students until September 2018. By the previous May, the EU General Data Protection Regulation (GDPR) will almost certainly have come into force. By the time Bletchley can even open its doors, businesses will already face enormous fines for data protection failures—up to €20 million ($21.2 million) or 4 per cent of their global revenue, whichever is higher—in addition to new obligations to notify authorities and their customers of any breaches.

I alluded earlier to the skills shortage in this critical field. A recent study by the International Association of Privacy Professionals estimated that businesses worldwide will need to hire at least 75,000 data protection officers in the next two years to be in compliance with GDPR regulations. Surely the 500 students making their way to Bletchley in 2018, even added to the recruits garnered by the Cyber Security Challenge initiative, can’t begin to address the scale of the global skills shortage.

Nothing Is as It Once Was
Western culture has entered an astounding period of valuing people and attributes that would previously have been held criminal, or at best out of line by any standard of civility. In the case of training cybersecurity agents, the pool of tech-savvy young people attracted to Bletchley also represents a steady flow of cyber attackers, who may be motivated by money or simply boredom. Last year’s TalkTalk breach, which affected 156,000 of its customers, was pulled off by a 16-year-old who told officials he was "just showing off."

For many cyberattacks, no great expertise is actually required—hacking tools are widely available online, as are numerous offers of cybercrime-as-a-service. As a result, there’s an increasing number of unsophisticated attacks that can nevertheless cause widespread damage to the unprepared. In other cases, though, as the US presidential election campaign seems to have demonstrated, state powers actually put resources behind attacks that few businesses can hope to match.

It’s heavily ironic that savvy (if not particularly well trained) millennial-and-younger "digital natives" are pitted against business leaders who, in general, have much less technical knowledge. Around the world, C-level execs lack deep technical experience—for example, a recent review of 100 global banks found that only 6 per cent of their board members had professional backgrounds in technology.

Yet regulators, customers, and the media expect businesses to counter these threats, and it’s not going to get easier. If the breadth and sophistication of the technological landscape develops geometrically, the scope of attacks develops exponentially. Last October, in a watershed moment for distributed-denial-of-service (DDoS) attacks, the assault on Dyn took down Twitter, Netflix, PayPal, and Spotify. The Mirai botnet’s ability to harness a vast network of devices in the Internet of Things translates to massive IoT attacks that can now be launched easily and cheaply. This is a risk for nearly every business.

Between the ever-moving target of these disruptions and the growth in regulatory penalties, businesses need to look again at the costs and benefits of cybersecurity measures. They will need to take a layered approach, and understand that there will be no single or static answer. They’ll need to examine the capabilities and robustness of their third-party providers—for example, checking the bandwidth of DNS providers and the defenses they have in place. Of course, they also—always!—need more sophisticated, experienced people in-house. But they can begin by instilling a culture of good cyber hygiene among current staff, and educating them about the risks so they can avoid at least the most widespread, if unsophisticated, threats.

Let’s not underestimate the problem: cybersecurity is a brave new world, and we need well-trained wizards to proactively navigate it. The US could take a page from the Brits, not only in taking an active hand in training its own anti-cybercrime forces, but in acknowledging the breadth and seriousness of the problem.

Mark Flegg is global product director of domains and security at Corporation Service Company (CSC). His expertise is in cybersecurity technology, focusing on DNS, SSL, and DDoS protection. CSC is a legal services organization providing matter management, corporate compliance, ...