• 
• 

 1 of 2

Gallery

How to become a cyberspy

Posted on 4 May 2012 at 12:40

“At one single American company, SAIC, which is private and isn’t even listed, if you go to the job listings and search for a position that requires top security clearance, and where the job description contains both the words ‘exploit’ and ‘vulnerability’, you’ll find 168 openings right now,” says Mikko Hypponen, security analyst at F-Secure.

Finding replacements for poached staff isn’t easy, especially given the strict rules on who can apply. The desperate shortage of applicants with the right skills was highlighted recently when GCHQ turned to Facebook to set a challenge for wannabe cybersecurity specialists, with eligible candidates pushed along the recruitment process if they managed to break the “can you crack it?” challenge.

The puzzle, designed to reflect real-life challenges, presented potential candidates for 35 available jobs with a grid featuring 160 pairs of letters and numbers that required a three-stage solution to crack.

Applicants first had to appreciate that the grid was code that could be run by an Intel x86-compatible processor, with the code relying on the RC4 algorithm to decrypt a block of data hidden in the PNG file of the grid itself.

Applicants then had to demonstrate JavaScript programming skills to create a virtual processor that would reveal within the data a location of an executable file to download. The last challenge was to reverse-engineer the executable to generate a licence file to show the mission had been accomplished.

GCHQ said there were various ways of solving the problem, which would demonstrate the way applicants’ minds worked, and that it was representative of challenges faced on a daily basis.

“GCHQ cybersecurity specialists spend time analysing executable code from many sources,” GCHQ says. “Sometimes it can be from malware that’s been discovered, to work out what it does, and where it comes from. On other occasions it can be to assist in the assessment of a security product, to ensure that what the developer has intended to do is actually what they’ve achieved in practice.”

Arm-wrestling with China

But the roles aren’t restricted to analysts working on code vulnerabilities or “arm-wrestling” with adversaries in China or Russia, who are widely believed to be actively targeting the UK’s systems on a daily basis.

Working alongside the coders and hackers are teams assessing the data, feeding it into risk assessment profiles, and co-ordinating resources, sometimes across departments.

“People think of security as being only a technical discipline, but there are a lot of other skills; risk assessment and the training of awareness and security management, which is about assessing things and advising people,” says Amanda Finch, general manager of the Institute of Information Security Professionals. “A lot of people are technical and enjoy getting into how to make things work or create technical controls, and they might be the penetration testers, working out how they can break into things. Then you have people designing firewalls and crypto codes, which is sexy to others – for me, the risk management side is very interesting.”

Despite the intriguing nature of the work, with echoes of Ian Fleming characters, many of the roles have more in common with The Office than James Bond.

There are many routine jobs that are crucial but monotonous: spotting a link in a database could make the difference between locating a potential terror plot or network breach, for example.

“There’s a lot of number crunching involved, purely because of the amount of info that’s available; part of the skill is trying to figure out what’s relevant,” says Thilthorpe. “It requires excellent technical skills to start with, then they’re developed through to a broader and greater understanding.”