Bletchley Park is back. The new National College of Cybersecurity planned for the home of World War Two code breakers such as Alan Turing is good news. Any investment in the UK’s defences against cyber risks has to be.
Set up by Qufaro, a new non-profit with representatives from Cyber Security Challenge UK, the National Museum of Computing and BT Security, it’s more evidence the industry and government are facing up to the challenges of skills shortages.
It also seems to be taking a smart approach – accepting the most gifted 16-19 year olds, selected through aptitude tests or on the basis of their technology skills rather than academic qualifications. As Qufaro’s (and the Institute of Information Security Professionals’) chairman Alastair MacWilson says, it should tap into critical talent we risk otherwise losing.
But it’s not enough. For businesses, particularly, the scale and immediacy of the challenge is one that not even a new generation of Bletchley code breakers can crack alone.
For a start, the new college won’t take its first pupil until September 2018. That May, the EU’s General Data Protection Regulation will come into force. By the time Bletchley even opens its doors, businesses will already face fines up to €20 million or 4% of global revenue (whichever is higher) for data protection failures, as well as new obligations to notify authorities and customers of any breaches.
Under the GDPR, as others have calculated, Tesco Bank would face a fine of up to £1.9 billion for its recent breach of security. Today, the maximum fine the Information Commissioner’s Office can impose is £500,000.
Given the long latency period before many security failures are discovered, it’s entirely possible the first fines under the new regulatory regime will be for breaches that are happening now. Businesses can therefore hardly afford to wait for the new generation of code breakers to complete their training.
Added to that, no single college, nor even the whole Cyber Security Challenge initiative, can really hope to address the scale of the skills shortage. To look at just one aspect of the GDPR again, the International Association of Privacy Professionals’ recent study suggests businesses worldwide need to hire at least the 75,000 data protection officers (DPOs) the regulation will require within the next two years.
The 500-strong cohort of pupils that makes its way to the college in 2018 is a welcome contribution to the fight. It can only go so far, however, particularly after GCHQ and other government agencies have taken the cream of the crop.
Growing in every way
The deep and broad pool of technologically savvy young people that Qufaro will draw from also supplies a steady flow of attackers motivated by money or simply boredom. The teenager responsible for the breach affecting 156,000 TalkTalk customers in 2015 was just 16 at the time and was “showing off”, he told magistrates.
These young people, the truest “digital natives” among the millennial generation, are pitted against business leaders who are, in general, far less comfortable with technology. Boardrooms in Britain and elsewhere have a dearth of deep technical knowledge. One recent review of more than 100 of the largest banks, for example, found just 6% of board members had professional backgrounds in technology.
And for many attacks, no great expertise is actually required – widespread availability of hacking tools online and the growth of cyber crime-as-a-service have seen to that. The result is increasing numbers of unsophisticated attacks that nevertheless will catch out the unprepared.
In other cases, though, as the US Presidential election campaign has apparently demonstrated, state powers are prepared to put their resources behind attacks that few businesses can hope to match.
Yet businesses are expected by regulators, customers and the media to counter all these threats.
It is not going to get any easier. As technology grows more sophisticated and the landscape shifts, so does the scope of attacks. The recent assault on Dyn in October, which took down websites including Twitter, Netflix, PayPal and Spotify, was probably a watershed moment for distributed denial of service attacks, for instance.
The Mirai botnet’s ability to harness a vast network of devices in the Internet of Things means massive attacks can now be launched easily and cheaply. That’s a risk for every business.
This increased potential for disruption as well as the growth in regulatory penalties demands businesses look again at the costs and benefits of cyber security measures.
There will be no single answer. Businesses must look carefully at the capabilities and robustness of their third-party providers – examining the bandwidth of DNS providers, for example, and the protections those providers have in place to defend themselves. They also need more sophisticated, experienced people in-house.
But that begins by equipping those they already have to maintain good standards of cyber hygiene and promoting familiarity with the risks so they can avoid at least the unsophisticated but widespread threats.
What is clear is the scale of the threat businesses face – and that they face it today. No business can afford to wait for a new generation to come of age to start addressing it.
Mark Flegg, global product director of domains and security, CSC