At ZSB Formulas, a company that makes chemicals such as those used in nerve gases, there’s a suspected data crack. Signs in the firm’s linkage disclose a plan of Church House, an old building in the shadow of Westminster Abbey. A date is uncovered; its target the Royal Family, a bio attack is imminent.
The Challenge on Friday is the latest effort to help identify prospective British cyber security experts. Forty-two applicants are taking part after qualifying through a series of online challenges, from university students to those seeking a career change. Hopefully some will walk away from the experience with offers from industry and government to help start a career in the sector, and help to fill in the cyber security skills gap in the UK, after averting the biological weapon.
It’s entirely fictitious. In light of recent events, organisers of the Cyber Security Challenge UK are anxious to reassure that the “terrorist attack” they’ve orchestrated bears no resemblance to real-life events. ZSB Formulas is completely fictitious, the people walking around in biohazard suits are play-acting, and no one is really at risk when the countdown clock reaches zero. But the skills candidates will need to beat the challenge are real.
The attack might be bogus, but the experiment rises the issue of a thoughtful lack of competence to survive with real-world cyber-attacks. One recent study suggested that by 2020, there will be a shortfall of 1.5 million cyber security professionals worldwide.
In a spookily-darkened room in Church House, contestants work in teams named after chemical elements to locate and disarm the fake bio-bomb. Assessors from government agencies such as GCHQ and the National Crime Agency, as well as businesses such as sponsors QinetiQ, track their progress.
For the first time in the Challenge, applicants not only have to fend off the simulated cyberattack, but do so without breaking the law. If they want to do anything that might be considered an offense against regulations such as the Computer Misuse Act or the Regulation of Investigatory Powers Act (RIPA), they have to ask for permission. “Otherwise they could be deemed as being one of the bad guys—this is white hat hacking rather than black hat hacking,” said Green. “The technology and the knowhow is very similar, but we work within the law.”