Secret teen hacker army ridiculed
Wayward minister making stuff up again?
The UK government's reported decision to employ ex-hackers to work at a newly-established Cyber Security Operations Centre has met with derision from both a high-profile former hacker and an acknowledged cybersecurity expert.
Lord West, the Home Office security minister, first suggested that former hackers (or "naughty boys", as he described them) might play a key role in Britain's revamped cyberdefence strategy back in June. At the time it seemed like just another in the admiral-turned-minister's growing list of eccentric observations on various aspects of security policy.
For example, he later suggested that a net-flinging entanglement "bazooka" designed to stop speedboats might be just the job for use on "topless lovelies". This was doubtless surprising to its developers, who saw it as a weapon against USS Cole-style suicide attacks.
However, last weekend the Sunday Express reported that MI5 had hired "50 computer-savvy hackers – some of them still teenagers – to work in a newly formed top secret Cyber Operations Command." The majority of the teens are Asians, the paper adds. All are subject to the same level of background security checks used to clear the employment of other intelligence staff. The Sunday Express helpfully adds that this means they have signed the Official Secrets Act and are forbidden from "tell[ing] their parents or girlfriends what they do in the windowless basement area in the Security Service building beside the Thames".
Lord West reportedly described the new hires as "youngsters who use their talents to stop other hackers from closing down this country".
Mathew Bevan (AKA Kuji), a British hacker arrested and unsuccessfully prosecuted for hacking into secure US government networks back in 1994, who later became a successful security consultant, helped us pick apart the many implausibilities of the story.
"These hackers were described as having been 'naughty', but did not have any criminal records," Bevan told El Reg. "How on earth they came to the attention of GCHQ without getting caught (as being caught would suggest that charges would be brought, and if not how come?)."
Bevan noted the lack of buzz about any attempt to recruit hackers by members of the security service.
"I have not heard of any UK hacker/ex-hacker/naughty boy actually having been approached to work at this level," he said. "The truth is that of course they couldn't find 50 UK hackers, because those who are actively hacking are doing their best to not get caught. So they had to outsource to India or China. This begs the question, how on earth did these people even manage to pass the stringent security checks which are performed to work within government offices? Even the USA is saying that due to the amount of hacking coming out of China, that employing Chinese to secure America's Government machines is perhaps not a good idea."
The Welsh former-hacker turned successful hypnotherapist concludes that the whole MI5 hacker-hire story is exaggerated, at best. He speculates that the motive for creating such an elaborate yarn might be one of gaining bragging rights, a posture full of contradictions.
"So this elite team of 'naughty boys', of course, it's not true," Bevan said. "The details have been exaggerated at the least but most likely have been made up, just another attempt at psyops and a way of us to look cool to the American administration, which has said it has hired hackers."
"We have to go bragging to the world that we have ex-hackers in our employment whilst at the same time we are actively trying to extradite or prosecute others. This is sending out a conflicting message as to whether hacking is wrong or a career choice. When it comes to team size, if you have to claim that you have such a big and impressive one everyone knows that it's probably very tiny and disappointing," Bevan concludes.
Security consultant Rik Ferguson, someone who has actually worked with GCHQ, said that the idea of hiring reformed hackers to face off against state-sponsored cyberspies, tech-savvy terrorists and cybercriminals from eastern Europe is woefully misguided.
"What really upsets me with this story is the implication that *only* young (former) criminals have the skills required to carry out the work necessary to combat cyber terrorism," Ferguson writes. "I have not personally met any of the team that have been hired for these posts at Cyber Operations Command, but I have a feeling that they wouldn’t care too much for the implication either."
Ferguson repeats Bevan's point that the government is sending out mixed messages about the legality of hacking, more influenced by Hollywood than reality, by suggesting it is both reprehensibly criminal and simultaneously a useful national security skillset.
"It is entirely unacceptable that our security services and our government are broadcasting the message that the only qualification necessary for a job in MI5 is being a hacker (one bad enough to have got caught). People who have been found to have broken the law should not be allowed to profit from their misdeeds, especially by way of an employment offer in the very field of their criminal activities. Would you hire a convicted embezzler as your accountant? How about a teenage convicted embezzler?"
Ferguson's critique of "schoolboy tales of hiring 'naughty boys' for hi-tech derring-do" can be found here. ®
A bad fashion show instead of an advancement in cybersecurity?
I guess this announcement (hiring "Hackers" with criminal record) is a nice way to tell all the employees in the intelligence/government organizations that they have no skills to perform their job. Or better yet, their education, experience and training is worth nothing...
Since hiring "troubled" teenage youth is a "fashionable" trade, perhaps the state/local police should hire gangs to provide protection to civilians and get rid of the police officers. Oh, and we can also do the same for health care! Next time one of these "brilliant" decision makers requires a health examination or surgery they should go to their local high-school and ask to obtain medication for their condition or have an operation by one of the students!
Just because a person in one government agency made a poor decision to hire teenagers/criminals because they watch poorly scripted, sensationalized TV shows (e.g., NCIS) it doesn't mean that the rest of us have to suffer... Unfortunately we do...
There are many, many brilliant professionals with credible background in science (e.g., engineering, computer science, physics) and exceptional experience that make these glorified "hackers" look like "bone heads" which is actually what they are...
A famous example: T. Shimomura versus K. Mitnick.
"by suggesting it is both reprehensibly criminal and simultaneously a useful national security skillset"
Let's list some others...
* Breaking and entering
* Killing someone
* Creation of fake identities
* Secretly recording someone without their knowledge
* Destruction of property
* Driving at high speeds on public roads
* Detaining someone against their will
All "reprehensibly criminal" when performed by a normal citizen, all "useful national security [skills]" when known by officially-sanctioned personnel.
Spinning another Ripped Yarn ....... All fur coat and no knickers
"a newly-established Cyber Security Operations Centre .." .... which doesn't appear to have any dedicated real or virtual address or communications director.
My own request of an MP and her Office staff for such, only returned a disappointing email@example.com. which of course has one talking to monkeys rather than the organ grinder.
But such appears to be the way of parliamentary democracy so that the public are always excluded from those who would imagine themselves powerful and right and immune.
Done properly, CyberIntelAIgent Security Operations render the likes of a spooky MI5 and MI6 and Special Branches of other Intelligence Services, either redundant or servants to Virtual Space Forces and that would obviously be a matter to be immediately resolved and further explained to deny any petty turf war conflicts which they would be ill equipped to deal with.
It also renders Government[s] on a sticky wicket too, and one can easily imagine them not want to queer their own lucrative pitch, with such shenanigans as are aired here ...... but it is delusional of them to imagine that they are indispensable or even really necessary, whenever the Private Pirate Sector can deliver whatever is needed at a true cost, rather than at an inflated value.
A true cost which is easily adjusted to suit its future market value and potential rather than being anything to do with present needs and feeds. Seven sevens is easily changed to eight eights and nine nines for Binary Control of Reality Systems which is what CyberIntelAIgent Security Systems of Operations Offer and dDeliver...... Virtually.
A little something for the Business Secretary to mull over, this weekend, and respond to of course, for we wouldn't want to deny him the chance to do something useful for AI Change, would we?