• 
• 

 1 of 2

Gallery

How to become a cyberspy

Posted on 4 May 2012 at 12:40

The secret services are recruiting cyberspies. Stewart Mitchell reveals how you get in - and what you'll be doing when you get there

The cyberspy has been a stalwart of thrillers ever since the birth of the web, but never before has there been such a demand for professionals to defend the nation’s networks.

Amid a wave of attacks from foreign states and unknown hackers, the Government last year committed an additional £650 million to cybersecurity – part of which will be spent hiring new recruits.

Le Carré-esque positions are opening up (see boxouts) at the very heart of the security services, from contractors that supply the Ministry of Defence, to staffers within GCHQ, MI5 and MI6.

They’ll be part of a global cyberwar in which adversaries probe other sovereign states looking for information, network topographies and vulnerabilities – with the West pointing the finger at China and Russia for the escalated threat level. GCHQ claims it receives more than 20,000 malicious emails every month.

But what challenges will the next-generation spooks face? And what type of skill set are the security services looking for? We’ve talked to people close to the security services to find out.

Career opportunities

The injection of government funding at a time when almost all other services are being cut reflects the importance placed on British cyber-intelligence, and both national security services and private contractors are crying out for skilled staff.

In the UK and elsewhere, opportunity is knocking for people who can identify vulnerabilities, analyse data streams or develop sniffing tools. At the time of writing, the Secret Intelligence Service (MI6) was looking for service desk analysts, systems group task managers, engineers for services systems, network and electrical engineers, and software development engineers.

GCHQ and MI5 are equally busy, recruiting a phalanx of information intelligence experts to staff two new cyberstations set up by the Defence Cyber Operations Group to meet the challenge of Britain’s silent conflicts.

The security services attempt to attract talent by playing up the importance of the roles, touting unique opportunities to hack and probe in the national interest, but they face competition from better-paid roles in the private sector. Experts suggest that staff could earn three times as much employed in private sector companies, but there’s still an undeniable pull to having MI6 on your business card.

“The Government has to compete realistically in that market, and won’t be able to do it by purely looking at remuneration packages. However, the Government can play up the different types of work available at some of these institutions, and that it’s pretty unique,” says Adam Thilthorpe, director for professionalism at the BCS, who’s been working with the services on their recruitment. “There’s also its impact – or potential impact – on the UK, which is incredible, and on the world as a whole, so it’s that side of things the Government needs to push to attract ability.”

GCHQ recently admitted that it was having to pay bonuses to retain civil servants being lured away by the private sector, with everyone from Google to defence contractors looking for qualified and experienced staff.

“At one single American company, SAIC, which is private and isn’t even listed, if you go to the job listings and search for a position that requires top security clearance, and where the job description contains both the words ‘exploit’ and ‘vulnerability’, you’ll find 168 openings right now,” says Mikko Hypponen, security analyst at F-Secure.

Finding replacements for poached staff isn’t easy, especially given the strict rules on who can apply. The desperate shortage of applicants with the right skills was highlighted recently when GCHQ turned to Facebook to set a challenge for wannabe cybersecurity specialists, with eligible candidates pushed along the recruitment process if they managed to break the “can you crack it?” challenge.

The puzzle, designed to reflect real-life challenges, presented potential candidates for 35 available jobs with a grid featuring 160 pairs of letters and numbers that required a three-stage solution to crack.

Applicants first had to appreciate that the grid was code that could be run by an Intel x86-compatible processor, with the code relying on the RC4 algorithm to decrypt a block of data hidden in the PNG file of the grid itself.

Applicants then had to demonstrate JavaScript programming skills to create a virtual processor that would reveal within the data a location of an executable file to download. The last challenge was to reverse-engineer the executable to generate a licence file to show the mission had been accomplished.

GCHQ said there were various ways of solving the problem, which would demonstrate the way applicants’ minds worked, and that it was representative of challenges faced on a daily basis.

“GCHQ cybersecurity specialists spend time analysing executable code from many sources,” GCHQ says. “Sometimes it can be from malware that’s been discovered, to work out what it does, and where it comes from. On other occasions it can be to assist in the assessment of a security product, to ensure that what the developer has intended to do is actually what they’ve achieved in practice.”

Arm-wrestling with China

But the roles aren’t restricted to analysts working on code vulnerabilities or “arm-wrestling” with adversaries in China or Russia, who are widely believed to be actively targeting the UK’s systems on a daily basis.

Working alongside the coders and hackers are teams assessing the data, feeding it into risk assessment profiles, and co-ordinating resources, sometimes across departments.

“People think of security as being only a technical discipline, but there are a lot of other skills; risk assessment and the training of awareness and security management, which is about assessing things and advising people,” says Amanda Finch, general manager of the Institute of Information Security Professionals. “A lot of people are technical and enjoy getting into how to make things work or create technical controls, and they might be the penetration testers, working out how they can break into things. Then you have people designing firewalls and crypto codes, which is sexy to others – for me, the risk management side is very interesting.”

Despite the intriguing nature of the work, with echoes of Ian Fleming characters, many of the roles have more in common with The Office than James Bond.

There are many routine jobs that are crucial but monotonous: spotting a link in a database could make the difference between locating a potential terror plot or network breach, for example.

“There’s a lot of number crunching involved, purely because of the amount of info that’s available; part of the skill is trying to figure out what’s relevant,” says Thilthorpe. “It requires excellent technical skills to start with, then they’re developed through to a broader and greater understanding.”

A job in the security services has always been regarded as one of the most stable there is, not least because spy masters don’t want disgruntled former employees on their hands.

In fact, one way that GCHQ and other services are trying to recruit and retain experts is through the CESG framework, which shows off people’s skills and qualifications, and provides a career path from entrance level to the upper echelons of management.

It may seem mundane to reward cyberspies with civil service grades, but it provides a logical progression that may convince staff to stay in the public sector.

“We need people who are flexible, can think outside the box and think on their feet – and we need to show people that this is a career that’s fun, interesting, and not badly paid,” says Judy Baker, director of the Cyber Security Challenge, which was set up by the Government, GCHQ and private sector security companies to filter and encourage talent. “If we don’t get it right, it’s hugely serious for the future. It isn’t only national security – it isn’t even only the digital economy – it’s how people live their lives.”

Recruiting the right people

Unlike technical meritocracies such as Microsoft or Google, the security services have a reputation as something of a closed shop, recruiting from elitist institutions. But with IT security skills in short demand, the landscape is changing and the forces are widening the search for suitable candidates.

“The days of the tap on the shoulder at Oxbridge being the only way into these services have gone,” says Thilthorpe. “The number of skills and the variety of skills that governments and security services need mean they have to throw the net wide – and some of the skills are really very specialist.”

A job in the secret services is also no place for extroverts. “GCHQ is an organisation that has secrets of crucial importance to the security, defence and economic wellbeing of the UK,” GCHQ says in its guidance to would-be employees. “Foreign Intelligence Services are active in this country and are targeting these secrets. To protect yourself and the UK’s secrets, don’t take everyone at face value.”

The organisation recommends employees “keep to an absolute minimum details relating to their employment that are discussed with friends, family and other contacts”.

The guidelines portray a world in which employees need to consider their work security in almost every aspect of their lives, from where they live to where they go on holiday.

“Employees should let Personnel Security know if they were moving into a flat share with foreign nationals,” GCHQ insists, while “if you are planning any travel to unusual locations, either before you start your employment or once you have joined, you should notify a member of Personnel Security before making any payments.”

That may sound like it’s tinged with paranoia, but the mysterious death of MI6 cybersecurity operative, Gareth Williams, in 2010, proves it isn’t necessarily misplaced.

Part of the application process is a vetting period that can take up to six months, or even longer, which is a key consideration for anyone thinking of switching from current roles.

The Developed Vetting process will involve interviews with pretty much anyone the service sees fit; referees, friends and family could all be included, with questions ranging from lifestyle and drug use to political persuasion.

“The checks can be intrusive, but are only carried out to the level necessary to safeguard national security,” GCHQ says. “You’re not obliged to go through the vetting process, but if you choose not to, you won’t be appointed to a post for which Developed Vetting clearance is required.”

There are other prerequisites that are specific to the nature of the roles, including British citizenship and no history of criminal computing behaviour.

“The first thing isn’t to get a criminal record and blow your chances of getting a clearance, so don’t hack anything, don’t steal cars – if you do, you won’t get security clearance and you won’t get a job with the Government,” says Hypponen. “The second thing to understand is that, normally, computer security jobs are international, and you can get a job in almost any country you want, but that doesn’t hold true for these jobs, these jobs you can only get in your home country.”

Ethical dilemmas

For those who make it through the arduous recruitment process, life at the cutting-edge of communications security might be rewarding, exciting even, but working on national security poses its own set of ethical dilemmas.

Cyberspies may well be involved in developing tools that could have a dramatic impact on people’s lives, either in the UK or overseas.

“There are problematic situations that you could end up in,” says Hypponen.

“A lot of these governmental trojans used to spy on people are being created by people who are looking for work along these lines, so their tools, their technologies, will end up being used to carry out surveillance and collect personal details from people. Their lives will be blown open by your work; these are things individuals should think through before applying for such positions.”

In the wake of the much-publicised Stuxnet attack, which damaged an Iranian nuclear enrichment plant, it’s increasingly clear that cybertools could have a very real physical impact.

It’s widely accepted that online experts of every political persuasion are studying how to attack controls systems, such as the Siemens controllers hit by Stuxnet and the SCADA systems that regulate power and water supplies. What might seem like a simple line of code created by the security forces could end up being deployed as a destructive weapon.

“If we go forward and think of real cyberwarfare scenarios, and offensive use of malware to protect your homeland, what should antivirus companies and professionals be doing in situations such as these?” says Hypponen.

“Who’s going to write those viruses, and will people who are working for security companies be recruited to do offensive work? There are many ethical questions, many of which haven’t been thought through or haven’t been seen – yet.”

Author: Stewart Mitchell