Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12:00 PM
Mark Flegg
Mark Flegg

A Hogwarts For Cyber Protection?

How the UK is minting a new generation of cybersecurity wizards.

Never let it be said that the British don't do things with style. In the years leading to World War II, they recognized the need to break enemy codes, and ran crossword puzzle contests to find recruits for their ultra-secret Government Code & Cipher School—also known as GC&CS, or Bletchley Park.

The resultant genius of codebreakers such as Alan Turing is believed to have shortened the war by two to four years, and to have assured its outcome. Surely the mystique of Bletchley Park led to the archetypal smooth, sophisticated 007 spy-hero archetype—as many of Bletchley Park’s cryptanalysts came from Oxford and Cambridge.  

Now there is a new war underway, and the British have been among the first to recognize it: they’ve taken the threat of cybercrime and online infringements seriously, and began a government-supported campaign to protect online rights of normal citizens while America was still revelling in the unbridled, wild west freedom of the Internet. The British have a National Museum of Computing and, modern-day equivalent of the crossword puzzle contest, a set of competitions called Cyber Security Challenge UK that presumably function as high-level testing and recruitment tools.

Now they’ve established a new school of cybersecurity wizardry — the National College of Cybersecurity is slated to open its doors  — where else? — at historic Bletchley Park. This investment in the UK’s defense against cyber risks is good news, and represents a collaborative effort between the industry and government in facing the challenge of skill shortages.

The National College of Cybersecurity also seems to be taking a smart approach to recruiting a student body by accepting the most gifted 16- to 19-year-olds, selected through aptitude testing or on the basis of their technology skills, rather than academic qualifications. Alastair MacWilson, chairman of the Institute of Information Security Professionals and also of the non-profit group Qufaro, which is setting up the new college at Bletchley Park, has said that this is a way to tap into critical talent that the UK otherwise risks losing. Smart.

Unfortunately, it’s not enough. For businesses in particular, the scale and immediacy of the cybercrime challenge is so great that not even a new generation of Bletchley code breakers can be expected to crack it alone.

And, as it so often goes with technology, the timing isn’t fast enough. The new college won’t see its first students until September 2018. By the previous May, the EU General Data Protection Regulation (GDPR) will almost certainly have come into force. By the time Bletchley can even open its doors, businesses will already face enormous fines for data protection failures—up to €20 million ($21. 2 million) or 4 per cent of their global revenue, whichever is higher—in addition to new obligations to notify authorities and their customers of any breaches.

I alluded earlier to the skills shortage in this critical field. A recent study by the International Association of Privacy Professionals’ estimated that businesses worldwide will need to hire at least 75,000 data protection officers in the next two years to be in compliance with GDPR regulations. Surely the 500 students making their way to Bletchley in 2018, even added to the recruits garnered by the Cyber Security Challenge initiative, can’t begin to address the scale of the global skills shortage.

Nothing Is as It once Was
Western culture has entered an astounding period of valuing people and attributes that would previously have been held criminal, or at best out of line by any standard of civility. In the case of training cybersecurity agents, the pool of tech-savvy young people attracted to Bletchley also represent a steady flow of cyber attackers, who may be motivated by money or simply boredom. Last year’s TalkTalk breach, which affected 156,000 of its customers, was pulled off by a 16-year-old who told officials he was "just showing off."

For many cyberattacks, no great expertise is actually required—hacking tools are widely available online, as are numerous offers of cybercrime-as-a-service. As a result, there’s an increasing number of unsophisticated attacks that can nevertheless cause widespread damage to the unprepared. In other cases, though, as the US presidential election campaign seems to have demonstrated, state powers actually put resources behind attacks that few businesses can hope to match.

It’s heavily ironic that savvy (if not particularly well trained) millennial-and-younger "digital natives" are pitted against business leaders who, in general, have much less technical knowledge. Around the world, C-level execs lack deep technical experience—for example, a recent review of 100 global banks found that only 6 per cent of their board members had professional backgrounds in technology.

Yet regulators, customers, and the media expect businesses to counter these threats, and it’s not going to get easier. If the breadth and sophistication of the technological landscape develops geometrically, the scope of attacks develops exponentially. Last October, in a watershed moment for distributed-denial-of-service (DDoS) attacks, the assault on Dyn took down Twitter, Netflix, PayPal, and Spotify. The Mirai botnet’s ability to harness a vast network of devices in the Internet of Things translates to massive IoT attacks that can now be launched easily and cheaply. This is a risk for nearly every business.

Between the ever-moving target of these disruptions and the growth in regulatory penalties, businesses need to look again at the costs and benefits of cybersecurity measures. They will need to take a layered approach, and understand that there will be no single or static answer. They’ll need to examine the capabilities and robustness of their third-party providers—for example, checking the bandwidth of DNS providers and the defenses they have in place. Of course, they also—always!—need more sophisticated, experienced people in-house. But they can begin by instilling a culture of good cyber hygiene among current staff, and educating them about the risks so they can avoid at least the most widespread, if unsophisticated threats.

Let’s not underestimate the problem: cybersecurity is a brave new world, and we need well-trained wizards to proactively navigate it. The US could take a page from the Brits, not only in taking an active hand in training its own anti-cybercrime forces, but in acknowledging the breadth and seriousness of the problem.

Mark Flegg is global product director of domains and security at Corporation Service Company (CSC). His expertise is in cybersecurity technology, focusing on DNS, SSL, and DDoS protection. CSC is a legal services organization providing matter management, corporate compliance, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-25
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4.
PUBLISHED: 2020-11-25
scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user.
PUBLISHED: 2020-11-25
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4.
PUBLISHED: 2020-11-25
osCommerce has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...