Closing the cyber security skills gap
It’s easy to get swamped by unending definitional debates when trying to grapple with cyber-terrorism. This short article is going to avoid being prescriptive. Rather, it places the emphasis on countering cyber-terror, to offer a more productive, problem-based view and practical set of considerations. Here are some problems one might consider in scope: the rapid and sustained spread of ideas that both inspire and cause anxiety and distress; and malicious attacks on hardware, software, data and people that cause harm.
We can plan to counter these without having to define cyber-terror. For example, whether someone is necessarily terrorised or killed is a limiting view, as real day-to-day problems still remain to be addressed. What is required are skills and knowledge, ways of operating and leadership.
There is a well-documented shortage of individuals with sufficient technical skills in the cyber area. It suggests that supply from colleges and work-based learning is not meeting demand. Many colleges are working to design and build courses, supported by government initiatives that seek to shape efforts around common bodies of knowledge or industry standards. For example, the UK Centres of Excellence initiatives, championed by GCHQ, have sought to endorse courses that align with the Institute of Information Security Professionals (IISP) skills framework.
Of course these initiatives are only in part driven by responses to terror. Motivations are diverse such as intellectual property theft, growing a digital economy, e-crime and hostile activities by states.
There is also a question of who needs to be educated. For example, if we accept the view that cyber security is everybody’s responsibility, can it not be argued that counter-terrorism is also everybody’s responsibility? Take the radicalisation of young people through social media, inspired to leave Britain to join terrorists in other parts of the world. This brings ethics, religion, values and education into scope, nurturing the cooperation of whole families and communities.
It calls for the up-skilling of teachers, police officers, community figures and many others in culture, communications, online safety advice, recognising warning signs and other matters associated with ‘Prevent’.
Redefinition of skills
The capacity problem in skills and knowledge is exacerbated by the redefinition of core skills for law enforcement and military personnel. Now nearly every crime (and terror investigation) has a digital element, crucial to intelligence and evidence. To not include social media or technical factors in an investigation or operational factor is almost inconceivable. On one hand the highly technical skills and knowledge mentioned before are in short supply, on the other, leaders will not give appropriate direction to the intelligence cycle, if they are unaware of technological and social changes to everyday lives. Moreover, there is an ongoing, highly controversial, public debate about what are appropriate ways of working for intelligence and other agencies. Indeed, if one can argue that counter-terrorism is everybody’s responsibility, how do we define the scope of surveillance?
Defence of information systems
The problem of ways of working also extends to how active we wish to be in our defence of information systems. One view holds that we cannot ‘patch’ our way to security, as patches for system vulnerabilities are only deployed post their discovery. One therefore needs to be ‘forward’ of the network in hacker communities and other forums trying to get wind of what might be coming. This also applies to exploiting information systems to assess the future generic capability and intention of threat actors. The challenges of ways of working are not only technical but also legal and ethical. This is because the techniques used for cyber intelligence may look exactly the same as those for cyber attack. International consensus on this is currently hindered by low levels of trust in relationships, coupled with competing interests.
Leadership is therefore required for a number of key reasons. First is to pursue the confidence in measures required in building international consensus on addressing the problems (even when we can’t agree on precise definitions). Second is that whilst counter-terrorism is everyone’s responsibility, it is critical that there is senior sponsorship, or we are left with the futile activity of no one driving change, and maintaining momentum. Finally, it is only senior leadership that can bring the diverse elements required to address the problem spaces above – a strategy with ends, ways and means. New ways of working need to be instituted and supply and demand shaped to meet the skills and knowledge gaps, both specialist and core.
So much of this short article has dealt with training and education. It is essential that leaders in government and industry have a close two-way relationship with education providers.
It is in our training establishments, schools and universities, where rigorous thought can be applied to future problems, and our counter-terrorism practitioners and citizens educated. Trust and a shared purpose are essential.
Nigel Jones and Ian Tunnicliffe will be speaking at CTExpo on Tuesday 21 April in the Cyber Threat Intelligence stream.