Never let it be said that the British don't do things with style. In the years leading to World War II, they recognized the need to break enemy codes, and ran crossword puzzle contests to find recruits for their ultra-secret Government Code & Cipher School—also known as GC&CS, or Bletchley Park.
The resultant genius of codebreakers such as Alan Turing is believed to have shortened the war by two to four years, and to have assured its outcome. Surely the mystique of Bletchley Park led to the archetypal smooth, sophisticated 007 spy-hero archetype—as many of Bletchley Park’s cryptanalysts came from Oxford and Cambridge.
Now there is a new war underway, and the British have been among the first to recognize it: they’ve taken the threat of cybercrime and online infringements seriously, and began a government-supported campaign to protect online rights of normal citizens while America was still revelling in the unbridled, wild west freedom of the Internet. The British have a National Museum of Computing and, modern-day equivalent of the crossword puzzle contest, a set of competitions called Cyber Security Challenge UK that presumably function as high-level testing and recruitment tools.
Now they’ve established a new school of cybersecurity wizardry — the National College of Cybersecurity is slated to open its doors — where else? — at historic Bletchley Park. This investment in the UK’s defense against cyber risks is good news, and represents a collaborative effort between the industry and government in facing the challenge of skill shortages.
The National College of Cybersecurity also seems to be taking a smart approach to recruiting a student body by accepting the most gifted 16- to 19-year-olds, selected through aptitude testing or on the basis of their technology skills, rather than academic qualifications. Alastair MacWilson, chairman of the Institute of Information Security Professionals and also of the non-profit group Qufaro, which is setting up the new college at Bletchley Park, has said that this is a way to tap into critical talent that the UK otherwise risks losing. Smart.
Unfortunately, it’s not enough. For businesses in particular, the scale and immediacy of the cybercrime challenge is so great that not even a new generation of Bletchley code breakers can be expected to crack it alone.
And, as it so often goes with technology, the timing isn’t fast enough. The new college won’t see its first students until September 2018. By the previous May, the EU General Data Protection Regulation (GDPR) will almost certainly have come into force. By the time Bletchley can even open its doors, businesses will already face enormous fines for data protection failures—up to €20 million ($21. 2 million) or 4 per cent of their global revenue, whichever is higher—in addition to new obligations to notify authorities and their customers of any breaches.
I alluded earlier to the skills shortage in this critical field. A recent study by the International Association of Privacy Professionals’ estimated that businesses worldwide will need to hire at least 75,000 data protection officers in the next two years to be in compliance with GDPR regulations. Surely the 500 students making their way to Bletchley in 2018, even added to the recruits garnered by the Cyber Security Challenge initiative, can’t begin to address the scale of the global skills shortage.
Nothing Is as It once Was
Western culture has entered an astounding period of valuing people and attributes that would previously have been held criminal, or at best out of line by any standard of civility. In the case of training cybersecurity agents, the pool of tech-savvy young people attracted to Bletchley also represent a steady flow of cyber attackers, who may be motivated by money or simply boredom. Last year’s TalkTalk breach, which affected 156,000 of its customers, was pulled off by a 16-year-old who told officials he was "just showing off."
For many cyberattacks, no great expertise is actually required—hacking tools are widely available online, as are numerous offers of cybercrime-as-a-service. As a result, there’s an increasing number of unsophisticated attacks that can nevertheless cause widespread damage to the unprepared. In other cases, though, as the US presidential election campaign seems to have demonstrated, state powers actually put resources behind attacks that few businesses can hope to match.
It’s heavily ironic that savvy (if not particularly well trained) millennial-and-younger "digital natives" are pitted against business leaders who, in general, have much less technical knowledge. Around the world, C-level execs lack deep technical experience—for example, a recent review of 100 global banks found that only 6 per cent of their board members had professional backgrounds in technology.
Yet regulators, customers, and the media expect businesses to counter these threats, and it’s not going to get easier. If the breadth and sophistication of the technological landscape develops geometrically, the scope of attacks develops exponentially. Last October, in a watershed moment for distributed-denial-of-service (DDoS) attacks, the assault on Dyn took down Twitter, Netflix, PayPal, and Spotify. The Mirai botnet’s ability to harness a vast network of devices in the Internet of Things translates to massive IoT attacks that can now be launched easily and cheaply. This is a risk for nearly every business.
Between the ever-moving target of these disruptions and the growth in regulatory penalties, businesses need to look again at the costs and benefits of cybersecurity measures. They will need to take a layered approach, and understand that there will be no single or static answer. They’ll need to examine the capabilities and robustness of their third-party providers—for example, checking the bandwidth of DNS providers and the defenses they have in place. Of course, they also—always!—need more sophisticated, experienced people in-house. But they can begin by instilling a culture of good cyber hygiene among current staff, and educating them about the risks so they can avoid at least the most widespread, if unsophisticated threats.
Let’s not underestimate the problem: cybersecurity is a brave new world, and we need well-trained wizards to proactively navigate it. The US could take a page from the Brits, not only in taking an active hand in training its own anti-cybercrime forces, but in acknowledging the breadth and seriousness of the problem.