Why the UK Is Simulating a Cyber Terrorist Attack in London
Team Platinum try to stop the attack. Image: Victoria Turk/Motherboard


This story is over 5 years old.

Why the UK Is Simulating a Cyber Terrorist Attack in London

The fake attack hopes to attract real talent to address Britain's cybersecurity skills shortage.
November 20, 2015, 5:30pm

There's a suspected data breach at ZSB Formulas, a company that makes chemicals such as those used in nerve gases. Clues in the firm's network reveal a plan of Church House, an old building in the shadow of Westminster Abbey. A date is uncovered; a bioattack is imminent, its target the Royal Family.

It's entirely fictitious.In light of recent events, organisers of the Cyber Security Challenge UK are anxious to reassure that the "terrorist attack" they've orchestrated bears no resemblance to real-life events. ZSB Formulas is completely fabricated, the people walking around in biohazard suits are play-acting, and no one is really at risk when the countdown clock reaches zero. But the skills candidates will need to beat the challenge are real.

The Challenge on Friday is the latest effort to help identify prospective British cybersecurity experts. Forty-two applicants, from university students to those seeking a career change, are taking part after qualifying through a series of online challenges. After (hopefully) averting the biological weapon, some will walk away from the experience with offers from industry and government to help start a career in the sector, and help to fill in the cybersecurity skills gap in the UK.

The attack might be fake, but the challenge raises the issue of a serious lack of capability to cope with real-world cyberattacks. One recent study suggested that by 2020, there will be a shortfall of 1.5 million cybersecurity professionals worldwide.

Image: Victoria Turk/Motherboard

In a spookily-darkened room in Church House, contestants work in teams named after chemical elements to locate and disarm the fake bio-bomb. Assessors from government agencies such as GCHQ and the National Crime Agency, as well as businesses such as sponsors QinetiQ, track their progress.

Darren Green, in red, assessing Team Platinum. Image: Victoria Turk/Motherboard

Assessor Darren Green is a security principal at Hewlett Packard who works with the Ministry of Defence. He said he was keen to spot new talent at the Challenge. "We know cyber skills are very short in our industry," he said. "If you listen to the Cabinet Office, they'll tell you there's a global shortage of about a million vacancies, so it's important that we try and encourage the best we can into our organisation and develop our own."

Image: Victoria Turk/Motherboard

For the first time in the Challenge, applicants not only have to fend off the simulated cyberattack, but do so without breaking the law. If they want to do anything that might be considered an offense against regulations such as the Computer Misuse Act or the Regulation of Investigatory Powers Act (RIPA), they have to ask for permission. "Otherwise they could be deemed as being one of the bad guys—this is white hat hacking rather than black hat hacking," said Green. "The technology and the knowhow is very similar, but we work within the law."

Image: Victoria Turk/Motherboard

At some point a bunch of people in biohazard suits came around and shone lights on people's computers, rather inexplicably accompanied by some military robots from QinetiQ. Budgie Dhanda, head of sales at QinetiQ, echoed the need to address a shortage of cybersecurity skills. "We can't actually meet the needs of our customers at the moment, so we've got to try to increase the number of people who are interested in taking this up as a career," he said.

Jessica Williams. Image: Victoria Turk/Motherboard

Twenty-two-year-old Jessica Williams was the only woman to take part in the Masterclass this time. Currently studying computer games programming at De Montfort University in Leicester, she was inspired to take part after doing a year in industry and meeting someone who had got a job through the Challenge. "I love programming, but I'm really interested in cybersecurity—penetration testing and stuff," she said. "The thing is with games programming, you're always going to be a little cog in a big system, whereas in security your personality's very important as well."

Image: Victoria Turk/Motherboard

The Challenge doesn't just attract white hats. John Blamire of Falanx, a security company which provides security for the Cybersecurity Challenge itself, said the government-backed competition held a certain appeal for more anti-establishment types. "You're effectively asking people to hack competitions, so you're attracting hackers," he said of the online games candidates had to complete to get to this stage. "We've effectively created a global honeypot here."

The exterior of Church House in London. Image: Victoria Turk/Motherboard

The Cyber Security Challenge UK says half of its previous participants have ended up at British security employers. It notes that 50 percent of the current applicants are "gamers," a demographic it has recently been trying to attract into the industry to meet that skills deficit. Blamire said the main attribute they were looking for was not necessarily specific technical knowledge, but a general aptitude for problem-solving. "One of the best analysts we found was an amateur magician," he said.