The bright sparks who fight off cyber attack

The Cyber Security Challenge aims to find ordinary people with extraordinary IT skills. By Jerome Taylor
Click to follow
The Independent Online

Lee Nichol is getting anxious. With one hand rested on an increasingly furrowed brow he stares intently at a computer screen which – to the uninitiated – appears to display little more than a headache-inducing array of jumbled numbers and letters.

But Mr Nichol thinks he's spotted something. "We have something on the web server," he tells his colleagues. "I think someone's got in."

A few clicks later his mouse cursor rests on a file that shouldn't be where it is. As he opens it a message pops up: "<IHackedYouLOLZ>". Nervous laughter ripples around the room.

Mr Nichols and his team are manning a desk of laptops that is being bombarded with cyber attacks. Some of the attacks have been spotted and quarantined. But a number have got through and – unbeknown to the team – are wreaking havoc, secretly locating confidential data, chopping it up into bite-sized chunks and then haemorrhaging it out on to the web.

Fortunately it's not real. Instead this is the dramatic final of the Cyber Security Challenge, an annual competition held on an industrial estate on the outskirts of Bristol to find seemingly ordinary people with extraordinary IT skills.

More than 4,000 amateurs entered this year and over the months they have been whittled down through a series of fiendishly difficult challenges to just 30.

This weekend they gathered for the final, the climax of which is an intense 50-minute session where teams of five must defend a computer network from an onslaught of cyber attacks.

No one doubts the need for such people. Now in its second year, the competition is a response to the widespread recognition that Britain and British businesses are woefully under-equipped when it comes to defending themselves against criminal hackers.

Only this weekend it emerged that BAE Systems may have been compromised by Chinese hackers to steal data on the F-35 Joint Strike Fighter.

"And it's only going to get worse," explains Martin Sadler, director of Hewlett Packard's cloud and security lab, which helps to host the final. "Around 30 per cent of the world's population is online. By 2020 there will be four billion internet users, roughly 50 per cent of the world's population."

More people online means more computers connected to the internet – which means more security holes to exploit for those intent on doing harm. That is why many companies are desperately looking for young blood to defend them.

Those who do well at the final will earn themselves potentially lucrative internships or even jobs. The vast majority of the finalists are men in their late twenties who already work in IT but practice cyber security on the side. Most of their skills are self-taught.

Matthew Pettitt, one of Lee Nichols' teammates, is a good example. The 30-year-old works for a company in Manchester and practices cyber security in his spare time. "You just read up about it and get fascinated," he explains.

His team – named "Stuxnet" after a fiendishly clever virus that temporarily crippled Iran's nuclear programme – have never met before but over a morning coffee they have a small window of opportunity to asses each other's skills and work out who is needed where.

As they battle away on a simulator that is used by the Brazilian and Finnish militaries to train their cyber defenders, Roy Matthews from the cyber security giant Cassidian explains what they look for. "People who are enthusiastic and have great ideas," he says. "Some of the best people do not have professional qualifications, their skills are self-taught. It's about how they use those skills in a real environment."

After a gruelling day's competition, Jonathan Millican, a first year student at Cambridge from Harrogate, emerged victorious, beating Russ Taylor, a technician with the Royal Air Force. "It feels pretty bewildering," 19-year-old Mr Millican said. "It's a bit too early to say whether I'll go for a career in cyber security but it's definitely something I'll now consider." That's exactly what British companies want to hear.