Cyber Security Challenge Not Interested In Offensive Skills

Cyber Security Challenge director says the focus is on defence skills, not offensive expertise

The government-backed Cyber Security Challenge will not be looking for those with cyber attack skills, despite MPs calling on intelligence services to increase their offensive work,

Offensive capabilities include things like network penetration and malware creation, skills which are in demand from government contractors,  but the Challenge, which was launched two years ago in a bid to fill the growing skills gap in the security industry, will solely look at identifying and nurturing defensive skills, director Judy Baker told TechWeekEurope.

“Our focus is on ensuring that the talent pool for those employing cyber security experts to defend our systems is well stocked. There is an urgent need to attract more skilled professionals into the cyber security profession. A purely offensive skills set is not something the Challenge was set up to identify,” Baker said.

“We test a broad array of skills across multiple disciplines, and competitors in our informed defence stream do need to understand how attacks are perpetrated in order to defend against them.

“The  perspective of Cyber Security Challenge is to find more informed defenders. We focus on the  skills needed to spot vulnerabilities, defend networks, and extract and analyse complex forensics information.”

This week, the Challenge launched a new competition looking specifically for software developers who can spot vulnerabilities and write secure code.

Contractors keen for attack skills

Despite the Challenge’s reluctance to seek offense specialists, a number of its supporters are looking to employ people with the ability to hack into others’ networks. Government contractor Lockheed Martin, which is currently looking to expand its footprint in the UK, recently told TechWeekEurope it had an offensive section that it offers to customers.

Fellow contractor and Challenge backer Northrop Grumman has been posting jobs ads hunting for attackers. It is currently looking for a cyber software engineer, saying in the job ad that the work would involve “an Offensive Cyberspace Operation (OCO) mission.”

There is nothing to stop either of those tapping up Challenge participants if they have the right attributes, so the Challenge may be feeding that talent pool unwittingly.

The UK government is under pressure to carry out more offensive operations in cyberspace. The Intelligence and Security Committee (ISC), in its annual report for 2011-2012 to Parliament that was submitted to the Prime Minister last week,  recommended taking a more forceful approach to security.

This included “active defence” by “interfering with the systems of those trying to hack into UK networks”, as well as “exploitation” by “accessing the data or networks of targets to obtain intelligence or to cause an effect without being detected.”

Stuxnet, the worm which disrupted nuclear facilities in Iran, was cited in the ISC report and has been a big motivator for governments to initiate more attack-oriented strategies.

It is believed the US and Israel were behind Stuxnet, as well as the super-smart cyber espionage tool Flame. The UK government is also understood to be using and developing cyber attack methods.

Yet Mikko Hypponen, chief research officer at F-Secure, believes the Cyber Security Challenge is taking the right approach. “I’m glad to hear they are focusing on defense. Skills in the defense area can not be misused, while skills in the offensive area can,” Hypponen said.

“If governments think they need to do offensive cyber attacks, that should be done in a very controlled manner by a limited amount of people.

“We need much more defenders than attackers.”

Are you a security pro? Try our quiz!