Secret teen hacker army ridiculed

Wayward minister making stuff up again?

Choosing a cloud hosting partner with confidence

The UK government's reported decision to employ ex-hackers to work at a newly-established Cyber Security Operations Centre have met with derision from both a high-profile former hacker and an acknowledged cybersecurity expert.

Lord West, the Home Office security minister, first suggested that former hackers (or "naughty boys", as he described them) might play a key role in Britain's revamped cyberdefence strategy back in June. At the time it seemed like just another in the admiral-turned-minister's growing list of eccentric observations on various aspects of security policy.

For example, he later suggested that a net-flinging entanglement "bazooka" designed to stop speedboats might be just the job for use on "topless lovelies". This was doubtless surprising to its developers, who saw it as a weapon against USS Cole-style suicide attacks.

However, last weekend the Sunday Express reported that the MI5 had hired "50 computer-savvy hackers – some of them still teenagers – to work in a newly formed top secret Cyber Operations Command." The majority of the teens are Asians, the paper adds. All are subject to the same level of background security checks used to clear the employment of other intelligence staff. The Sunday Express helpfully adds that this means they have signed the Official Secrets Act and are forbidden from "tell[ing] their parents or girlfriends what they do in the windowless basement area in the Security Service building beside the Thames".

Lord West reportedly described the new hires as "youngsters who use their talents to stop other hackers from closing down this country".

Mathew Bevan (AKA Kuji), a British hacker arrested and unsuccessfully prosecuted for hacking into secure US government networks back in 1994, who later became a successful security consultant, helped us pick apart the many implausibilities of the story.

"These hackers were described as having been 'naughty', but did not have any criminal records," Bevan told El Reg. "How on earth they came to the attention of GCHQ without getting caught (as being caught would suggest that charges would be brought, and if not how come?)."

Bevan noted the lack of buzz about any attempt to recruit hackers by members of the security service.

"I have not heard of any UK hacker/ex-hacker/naughty boy actually having been approached to work at this level," he said. "The truth is that of course they couldn't find 50 UK hackers, because those who are actively hacking are doing their best to not get caught. So they had to outsource to India or China. This begs the question, how on earth did these people even manage to pass the stringent security checks which are performed to work within government offices? Even the USA is saying that due to the amount of hacking coming out of China, that employing Chinese to secure America's Government machines is perhaps not a good idea."

The Welsh former-hacker turned successful hypnotherapist concludes that the whole MI5 hacker-hire story is exaggerated, at best. He speculates that the motive for creating such an elaborate yarn might be one of gaining bragging rights, a posture full of contradictions.

"So this elite team of 'naughty boys', of course, it's not true," Bevan said. "The details have been exaggerated at the least but most likely have been made up, just another attempt at psyops and a way of us to look cool to the American administration, which has said it has hired hackers."

"We have to go bragging to the world that we have ex-hackers in our employment whilst at the same time we are actively trying to extradite or prosecute others. This is sending out a conflicting message as to whether hacking is wrong or a career choice. When it comes to team size, if you have to claim that you have such a big and impressive one everyone knows that its probably very tiny and disappointing," Bevan concludes.

Security consultant Rik Ferguson, someone who has actually worked with GCHQ, said that the idea of idea of hiring reformed hackers to face off against state-sponsored cyberspies, tech-savvy terrorists and cybercriminals from eastern Europe is woefully misguided.

"What really upsets me with this story is the implication that *only* young (former) criminals have the skills required to carry out the work necessary to combat cyber terrorism," Ferguson writes. "I have not personally met any of the team that have been hired for these posts at Cyber Operations Command, but I have a feeling that they wouldn’t care too much for the implication either."

Ferguson repeats Bevan's point that the government is sending out mixed messages about the legality of hacking, more influenced by Hollywood than reality, by suggesting it is both reprehensibly criminal and simultaneously a useful national security skillset.

"It is entirely unacceptable that our security services and our government are broadcasting the message that the only qualification necessary for a job in MI5 is being a hacker (one bad enough to have got caught). People who have been found to have broken the law should not be allowed to profit from their misdeeds, especially by way of an employment offer in the very field of their criminal activities. Would you hire a convicted embezzler as a your accountant? How about a teenage convicted embezzler?"

Ferguson's critique of "schoolboy tales of hiring 'naughty boys' for hi-tech derring-do" can be found here. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story


Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.