So the week is done; it’s been yet another challenging one in your office. The usual blend of meetings, deadlines and office banter has got you through, helpfully aided by coffee and, although you really shouldn’t, an occasional chocolate digestive. You crawl through the traffic; in fact you can’t remember when you last had a clear route home. You have dinner with your family and, when most others would plan to relax for the evening, you sit down and continue to attempt to circumvent, hack and generally find fault with the cyber defences of the Pentagon.
No, this isn’t the start of my first novel; it could soon become real life for a collection of crowd-sourced hackers that the Pentagon is looking to recruit. They have announced a cyber bug bounty program, titled “Hack The Pentagon”, where they will invite vetted hackers to test the department’s cyber security. These schemes are becoming increasingly popular, but this is the first one in the history of the US Government. Launching in April, the program will require participants to register and submit a background check prior to any involvement. Then they will participate in a controlled, limited-duration program that will allow them to identify vulnerabilities on a predetermined department system. The news release published on the website of the US Department of Defense did not state what rewards would be issued to any successful hackers, although similar schemes in the commercial world do provide some level of remuneration for participants who successfully identify an exploitable vulnerability. Perhaps the professional credibility of actually being successful will be payment enough for the hackers who take part. It would certainly be a unique statement to put on their CV – ‘Oh, and in my spare time I have successfully hacked the Pentagon.’
The other odd-shaped government building that is also strongly linked to all things cyber is the closer-to-home ‘doughnut’ in Cheltenham or, to give it its official title, GCHQ. They have yet to follow the innovative lead of their transatlantic cohorts and this week have stated that, despite spending over £1bn on cyber security at a national level, they are losing the battle. Alex Dewedney, director of cybersecurity at CESG – the information security arm of GCHQ – warned that it will take a lot more than cash to bring cybersecurity threats under control. According to the story on TechWeek, “The UK Government splashed £950m on cybersecurity over the past five years and George Osborne has promised a further spend of £1.9bn in the coming five years. Combined with the money being spent on protecting IT systems, a total of £3.2bn is expected to be spent over the next half decade”. The story continues to give details on what GCHQ says has worked, and what hasn’t. Legacy IT issues, skills shortages and the IoT are all contributing to the issue; however, there was one initiative that Mr Dewedney was complimentary about: Cyber Essentials. He was quoted as saying, as many have said before him, that “If companies demonstrate they meet a basic set of cyber hygiene standards they get a stamp they can use in all of their publicity.” It does seem that even at the highest levels in cyber security a recurring piece of advice is to get the basics right.
The Times published a 20-page supplement this week on the topic of cyber security, which was well worth reviewing. Alongside well-researched articles exhorting companies and individuals to take action, there was a fictitious plan for how to pull off the perfect cyber crime. Using IoT (internet of things) as a premise, the crime is stated to be a ‘prank’ on a company CTO who had been overly arrogant with his statements on how impenetrable his organisation’s cyber defences are. The crime takes place over 7 days and runs from surveillance and penetration through to full-scale panic. Although fictitious, it is obviously based on what is possible today and shows how relatively easy it is for somebody with a level of technical skill, patience and motivation to undertake criminal activity.
Alongside the more glamorous stories relating to cyber security, training is always cropping up. Awareness training, technical training and cultural change are all key. It becomes more and more apparent that training on cyber security is needed across an organisation, from the obligatory board room through to all workers, no matter how manual their tasks may appear. CIO magazine reflected this with their article on how one size doesn’t fit all when it comes to cyber security training. They state that although your role in a company is important, so is your generation, as baby boomers, Xers and millennials all approach technology differently. I wonder how they would approach training for that other growing demographic within a company – the part-time Pentagon hacker.
For links to all these stories and more, or to contribute some comments, join us by searching for the National Cyber Skills Centre on our social channels of Facebook, LinkedIn and Twitter, or just click the relevant links from our website.