Throw the cyber skills rulebook in the bin and teach trainees to think like hackers

James Hadley

[Photo: Chaos Computer Club 28th Congress. Caption: Criminals don’t follow the rules and are always looking for new vulnerabilities. Source: Getty]

How should businesses train the nation’s next generation of digital defenders?
With the national cyber security strategy due to be updated this year, this should be a pressing issue for the UK government.

As the cyber threat grows, so too must our capabilities to defend against it. But at the moment, the industry is fighting a losing battle.

A recent government report, entitled Cyber Security Skills and the UK’s Critical National Infrastructure, acknowledged: “during our ongoing inquiry into the cyber security of the UK’s critical national infrastructure, we heard that although the UK has one of the most vibrant digital economies in the world, there is not currently the cyber security skills base to match”.

Given that cyber is not only the most important battlefield of the future but also one where war is actively being waged, cyber training should warrant the same kind of attention as the building of the Queen Elizabeth aircraft carrier, or the decision to buy the interceptors that fly off its deck.

However, if the government’s own research is right, cyber skills – like the F-35 – seem to be flying under the radar.

The problem is that current training is based on an approach devised back in the early 1990s. It typically involves people in classrooms, learning in a static environment.

This has largely been made obsolete by the pace and volume of attacks, and it is one of the reasons why so many security teams are caught napping. As soon as people leave the classroom, what they have learned is already out of date.

Meanwhile, cyber threats and the criminals behind them are pervasive, fast-moving, and constantly adapting. Cyber skills training needs to be the same.

For the UK’s strategy to be successful, the government needs to throw the existing skills development manual in the dustbin and begin to advise businesses in a new way, based on three key changes.

The first is a shift towards an environment that teaches people to think like hackers. Criminals don’t follow the rules and are always looking for new vulnerabilities.

We need to encourage our next generation of cyber talent to do the same. It’s no good studying breaches that are months old, when the bad guys have already moved onto the next big thing.

We must also encourage a culture of curiosity, where those working in cyber defence are taught to break things in order to put them back together again. Problem solving is a huge part of cyber security, and it’s crucial that trainees are comfortable getting under the hood of the networks that they will be defending.

Finally, we must move towards training schemes that are as close to real time as possible. Simulations based on the latest real-world threats will help cyber teams keep their skills sharp and become comfortable dealing with the scenarios that will come their way.

You simply cannot do this with a biannual classroom refresher session that looks at the theory behind an attack that happened four months ago.

The government has an opportunity to set these high standards as the norm. Failure to do so could put the country’s businesses and infrastructure at risk. It’s time to play the hackers at their own game.

City A.M.'s opinion pages are a place for thought-provoking views and debate. These views are not necessarily shared by City A.M.