Secret teen hacker army ridiculed

Wayward minister making stuff up again?

Seven Steps to Software Security

The UK government's reported decision to employ ex-hackers to work at a newly-established Cyber Security Operations Centre have met with derision from both a high-profile former hacker and an acknowledged cybersecurity expert.

Lord West, the Home Office security minister, first suggested that former hackers (or "naughty boys", as he described them) might play a key role in Britain's revamped cyberdefence strategy back in June. At the time it seemed like just another in the admiral-turned-minister's growing list of eccentric observations on various aspects of security policy.

For example, he later suggested that a net-flinging entanglement "bazooka" designed to stop speedboats might be just the job for use on "topless lovelies". This was doubtless surprising to its developers, who saw it as a weapon against USS Cole-style suicide attacks.

However, last weekend the Sunday Express reported that the MI5 had hired "50 computer-savvy hackers – some of them still teenagers – to work in a newly formed top secret Cyber Operations Command." The majority of the teens are Asians, the paper adds. All are subject to the same level of background security checks used to clear the employment of other intelligence staff. The Sunday Express helpfully adds that this means they have signed the Official Secrets Act and are forbidden from "tell[ing] their parents or girlfriends what they do in the windowless basement area in the Security Service building beside the Thames".

Lord West reportedly described the new hires as "youngsters who use their talents to stop other hackers from closing down this country".

Mathew Bevan (AKA Kuji), a British hacker arrested and unsuccessfully prosecuted for hacking into secure US government networks back in 1994, who later became a successful security consultant, helped us pick apart the many implausibilities of the story.

"These hackers were described as having been 'naughty', but did not have any criminal records," Bevan told El Reg. "How on earth they came to the attention of GCHQ without getting caught (as being caught would suggest that charges would be brought, and if not how come?)."

Bevan noted the lack of buzz about any attempt to recruit hackers by members of the security service.

"I have not heard of any UK hacker/ex-hacker/naughty boy actually having been approached to work at this level," he said. "The truth is that of course they couldn't find 50 UK hackers, because those who are actively hacking are doing their best to not get caught. So they had to outsource to India or China. This begs the question, how on earth did these people even manage to pass the stringent security checks which are performed to work within government offices? Even the USA is saying that due to the amount of hacking coming out of China, that employing Chinese to secure America's Government machines is perhaps not a good idea."

The Welsh former-hacker turned successful hypnotherapist concludes that the whole MI5 hacker-hire story is exaggerated, at best. He speculates that the motive for creating such an elaborate yarn might be one of gaining bragging rights, a posture full of contradictions.

"So this elite team of 'naughty boys', of course, it's not true," Bevan said. "The details have been exaggerated at the least but most likely have been made up, just another attempt at psyops and a way of us to look cool to the American administration, which has said it has hired hackers."

"We have to go bragging to the world that we have ex-hackers in our employment whilst at the same time we are actively trying to extradite or prosecute others. This is sending out a conflicting message as to whether hacking is wrong or a career choice. When it comes to team size, if you have to claim that you have such a big and impressive one everyone knows that its probably very tiny and disappointing," Bevan concludes.

Security consultant Rik Ferguson, someone who has actually worked with GCHQ, said that the idea of idea of hiring reformed hackers to face off against state-sponsored cyberspies, tech-savvy terrorists and cybercriminals from eastern Europe is woefully misguided.

"What really upsets me with this story is the implication that *only* young (former) criminals have the skills required to carry out the work necessary to combat cyber terrorism," Ferguson writes. "I have not personally met any of the team that have been hired for these posts at Cyber Operations Command, but I have a feeling that they wouldn’t care too much for the implication either."

Ferguson repeats Bevan's point that the government is sending out mixed messages about the legality of hacking, more influenced by Hollywood than reality, by suggesting it is both reprehensibly criminal and simultaneously a useful national security skillset.

"It is entirely unacceptable that our security services and our government are broadcasting the message that the only qualification necessary for a job in MI5 is being a hacker (one bad enough to have got caught). People who have been found to have broken the law should not be allowed to profit from their misdeeds, especially by way of an employment offer in the very field of their criminal activities. Would you hire a convicted embezzler as a your accountant? How about a teenage convicted embezzler?"

Ferguson's critique of "schoolboy tales of hiring 'naughty boys' for hi-tech derring-do" can be found here. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story


Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.