Cyber insiders: Putting warriors on the front line against hack attacks
Cyber warfare has claimed its rightful place among the better-established battle domains of land, sea, air and space, but the widening skills gap in this specialist field risks leaving military systems vulnerable. The MoD is introducing a new scheme to uncover previously unidentified talent for tackling hackers in existing service personnel to prepare the next generation of cyber warriors.
Cyber attacks against military targets are increasing exponentially. In June 2015 Brigadier Alan Hill, then head of Operate and Defend for the British Ministry of Defence’s (MoD) Information Systems and Services division, warned that Britain’s military faces “hundreds, if not thousands” of attempted cyber-attacks each day.
The MoD can’t be accused of holding tight purse-strings when it comes to stepping up to its responsibilities. In April 2016, former Defence Secretary Michael Fallon announced £40m would be spent on a new cyber security centre designed to protect military networks and systems from “malicious actors”. The Cyber Security Operations Centre (CSOC) represents part of commitments made in the November 2015 Strategic Defence and Security Review (SDSR), which announced that the government would invest £1.9bn by 2021 in cyber security.
But however cutting-edge the facilities, the bottleneck preventing these best-laid plans from going ahead could stem simply from a lack of capable individuals to defend the cyber front line. While the skills gap also affects the civilian and corporate worlds, the barriers to recruiting from an already limited talent pool into the military are even harder to surmount.
The MoD has decided on a radical new approach to tackle this, announcing in June 2016 that it had created a new set of assessment tools to identify personnel from within the military who are suited to join a cyber unit. Developed in collaboration with IBM, the Defence Cyber Aptitude Test, or DCAT, uses cognitive challenges to test latent abilities rather than technical know-how.
Maximising talent outside of the regular recruitment process
Ewan Lawson, Senior Research Fellow at the Royal United Services Institute (RUSI), offers an insight into why the MoD chose to detect aptitude rather than recruit individuals who already have proven cyber skills.
“There is a sense that the existing military career and organisational structure can only deliver so much in terms of capability,” he says. “There are very few people with computer science degrees who want to be pilots, for example. DCAT would be aimed at younger people who have no formal IT qualifications but have previously unrecognised skills.”
Lawson has an insider’s perspective; before joining RUSI he worked for the Royal Air Force Defence Cyber Programme between 2012 and 2014. His remit now incorporates all things cyber where the MoD is at the delivery end. He says the aim of the introduction of DCAT is maximising the talent available outside of the regular recruitment process.
“In the military, the model is based on everyone growing their career from the bottom up,” he says. “It takes a long time to gain skills. The MoD needs those skills now; it can’t wait for those qualifications to come through from within. That’s why DCAT is looking for cognitive skills suited to solve cyber problems rather than IT qualifications.”
The multiple sections of DCAT aren’t designed to find people who can code, but those who can get their heads inside complex challenges, such as being able to picture how military networks are shaped.
“That’s not to say the MoD won’t recruit people who already have these skills, but they have to compete with industry for them, and there’s already a significant turnover of personnel leaving for a better offer,” explains Lawson.
The military is also competing for people specifically interested in contributing to the defence and security of the UK with security agencies such as GCHQ, which works with IT experts from industry and makes competitive offers.
“Generally it’s more interesting work and less dangerous – there’s no risk of being sent to Afghanistan,” comments Lawson.
Developing a full spectrum military cyber capability
The MoD has already recognised the need to make concessions to compete with industry in attracting cyber specialists. It has put in place special exemptions for 500-strong army of “cyber reservists”, who don’t have to pass fitness tests, carry a weapon or deploy abroad.
They are even being allowed to adopt distinctly non-military standards of grooming. The Telegraph recently reported that two Royal Signals cyber reservists had upset regulars by sporting shoulder length hair and “unkempt facial hair” with their uniforms.
Given that it is already exploring ways of tempting in experts from the corporate world, why is the MOD also adopting this new strategy of recruiting from within the ranks?
“There are two main reasons; firstly the MoD is recognising that the military’s reliance on complex networks means you need to retain a strong enough cadre in peace time, not just during times of conflict,” says Lawson.
The second centres around what former Defence Secretary Philip Hammond described in 2013 when he said the UK was “developing a full spectrum military cyber capability, including a strike capability”.
“Cyber is another way for the UK to take offensive action, and the cyber reserves have found they can’t turn round hackers into ‘white hats’ as there is difficulty getting clearance,” says Lawson.
It’s a sentiment echoed by the SDSR, which states: “We will treat a cyber attack on the UK as seriously as we would do an equivalent conventional attack, and we will defend ourselves as necessary.”
A new cyber approach
The MoD is also recognising that it can’t assemble a fully effective cyber capability from a single source. The nature of defence networks and systems requires deep skills supported by regulars, reserves, contractors and civil servants to deliver functionality.
It’s also why IBM partnered in DCAT. Having worked on similar commercial requirements, the company knows what it’s looking for in cyber personnel, and its experience offers a step-up to the public sector, which is generally a couple of years behind, presenting a grave risk to systems.
“The key thing about DCAT is it’s positive that the MoD recognise that they have to do something different. It is a significant issue they’re addressing,” says Lawson.
For now the MoD and IBM are remaining tight-lipped about further details of DCAT and the types of tests it involves, but they have promised further announcements on the project in September. Watch this cyberspace.