WannaCry: Infosec skills gap must be filled
In the wake of the WannaCry ransomware attack that began on May 12, it might be a good idea for individuals, companies and governments to get to know their enemy. Matt Carey, Head of the London Operations Team of Britain’s National Cyber Security Centre, says “Very few people are aware of the extent of the online criminal ecosystem that supports and enables cyber attacks, and the business model behind it.” The NCSC has published a guide to understanding the business models that drive criminals into cybercrime, which is considerably safer for them than real-world crime. The document is a fascinating insight into how these criminal teams work.
British Airways, Tesco Bank, Yahoo!, Amazon, T-Mobile, Telefonica, and now the NHS – Britain’s National Health Service – have all been victims of major hacking attacks. Not only businesses, but critical national infrastructures are at higher risk now than ever before. Global cyber security is a battlefield of Tolkienian proportions; the forces of evil are smart and powerful, and frequently gain the upper hand over the forces of good, who are constantly having to shore up their defences against the continuous onslaught.
One thing about information security is that it’s not always clear who the good guys and bad guys are. The Stuxnet worm that targeted Iran’s nuclear programme in 2010 is believed to have been a joint American-Israeli cyberweapon. Then there’s the Clinton emails scandal, with probable Russian involvement, which may have put Donald Trump in the White House. Governments are hacking each other. Cyber is a global battlefield.
Governments are acutely aware of the shortage of skilled cyber security experts. Some have funded initiatives to produce a new generation of computer security geeks to act as our virtual bodyguards. One example is the Cybersecurity College due to open in 2018 at Bletchley, the centre of code-cracking efforts in World War II. This will produce crack units of cyberspooks. But they are not enough. We need an army of them if we are to avoid cybergeddon.
This means there are assured careers for specialists in cyber security. Fortunately there are many courses dedicated to the subject. One of the leading ones is Lancaster University’s Cyber Security MSc.
Lancaster was recently named as a Centre of Excellence in Cyber Security Research by GCHQ, the British government’s spy centre, an accolade only bestowed on a handful of other institutions.
The MSc prepares graduates for qualification in three streams: CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), and CHFI (Computer Hacking Forensic Investigator). Core subjects include Penetration and Countermeasures, Risk Management, Network and Systems Security, Cybercrime, Security and Conflict in the Digital Age, as well as an introduction to IT law.
Hacking is a bit like the firearms industry. The guns themselves do no harm, but what actually happens depends on whose hands they fall into. Those working for the good side (whatever that is) must get to know their enemy if they are to defeat him.