The hacking challenge hopes to attract articulate and talented contestants to fill a UK-wide skills gap in tech security
Two contestants brief PWC’s Andrew Miller on Koffee Café’s problems, while Alex Hern observes in the background. Photograph: Rupert Hartley
Koffee Cafe has a problem: its website, while just about useable for the small coffee chain, is held together with string, chewing gum and hope.
For the past few years, it’s survived because no one important has bothered to pay attention to it, but that’s due to change. A multinational coffee chain has expressed interest in an acquisition, and now the auditors are being brought in to make sure there aren’t any hidden dangers. If they look hard enough, they’ll find some blinders.
Not only has the company left up a voucher code generator that can get crafty users free coffee for life – it’s also storing the credit card numbers of at least 20,000 of its customers in an insecure database.
Thankfully, Koffee Cafe doesn’t exist. The company is a fiction, put together to test the ability of some of the UK’s best hackers while promoting the idea that cyber security is a career which people can, and should, consider entering.
The cafe – and its website and IT infrastructure – were created by Cyber Security Challenge UK, a not-for-profit that works with some of the UK’s biggest tech companies to design and run events that aim to close the gap between the country’s need for talented cyber security staff, and the number of people actually working in the industry.
Its flagship events, the challenges themselves, are only open to those who aren’t employed in cybersecurity: Dan Summers, the winner of the first challenge in 2011, was a postman. He still works for Royal Mail, but these days as a security consultant for their IT department.
“What we try to do is inspire people,” says Stephanie Daman, the organisation’s chief executive. “Using the competition, we identity those who are good. We try and tell them to develop their talents and skills, and several of them play with us for several years. And at that point, a lot of them have got to the point of thinking ‘OK, I really do want to do this as a career’ so they start sending their CVs out, and most of them end up in the industry.”
Hacking challenges are nothing new. Even before “penetration testing” took over as the term for hacking into systems to test their security, companies and individuals were setting up systems and offering prizes to those capable of breaking into them.
Money, fame and prestige
Some do it for the money, such as a share of the £1.6m Google is offering to the victors of the Pwnium 4 challenge to break into their Chromebook laptops. Others do it for the prestige or fame; the Cicada 3301 puzzle continues to entice code breakers worldwide with no discernible prize at all.
But the cyber security challenge differs from many in calling for more than just coding ability from its contestants.
The vulnerabilities in the Koffee Cafe website are very real, and Symantec, who provided the technical background to the event along with consultants PWC, say they are all based on flaws seen in past clients (although few companies would have quite so many all at the same time). But it’s not enough to just break into the server.
“There are two sides to this challenge,” says Symantec’s Sian John. “One is the technical bit… but what’s great about today is that being technical isn’t the full skill.”
“Information security has been around for years, but now you’re talking about cyber security. People think it’s the same thing, but the difference is that the rest of the business cares now. If you look at most of the senior security professionals now, they suddenly realising they need to learn how to talk.”
A different set of pressures
PWC’s contribution to the event is an effort to mimic those pressures. The contestants also have to brief Koffee Cafe’s chief information security officer, speak to the press, and give Koffee Cafe’s executives a plan of action, all based on what they have been able to find in just hours of testing. That leads to a very different set of pressures.
“Some bits are so much easier than others – like the infrastructure hacking, for example,” explains Andrew Stockwell, who works in user support and taught himself cybersecurity basics from podcasts on the Tube.
“We discovered there was a Windows XP server, and it was vulnerable to a certain attack, so we used that and we were in… I’m trying to avoid the presentations as much as possible. I don’t like standing up in front of crowds. I did a Toastmasters course at school, and that didn’t help.”
Sitting in on the briefings with the information security officer (played by Andrew Miller, the cybersecurity director of PWC UK), it’s clear that even among those contestants who felt confident enough to volunteer to represent their teams, some are better than others.
One starts listing version numbers of installed software as though it’s obvious to all concerned what the problem is. Even when pushed, it takes several tries for Miller to encourage a non-technical answer; eventually, the contestant recommends downloading the latest patches from Microsoft.
‘Freak out and turn the site off’
Some go too far in the other direction. A pair arrive for the briefing with a slick slideshow and well-rehearsed lines, but also seem afraid of delivering bad news. When they tell Miller that there is a leak which exposes the administrator password, their only advice is “be careful”. “Freak out and turn off the site until you get this fixed” might sound less professional, but in the circumstances it may well be better advice.
However, this is a learning experience, and by the time of the press interview a few hours later, everyone is far more polished. Symantec’s Emma Jeffs played the part of the reporter interviewing Koffee Cafe’s security team, and I was invited to join in. In order to keep up the role-play, I had to pretend to pretend to be a journalist – a novel experience, but one I was well qualified for.
Sadly, it seems like the first thing everyone is taught about dealing with the press is “tell them nothing”, and even with my professional skills I could not wheedle out more than a vague statement that “Koffee Cafe’s customers will be notified if there’s any risk to their credit card data”.
Beyond the games, Daman reiterates the core purpose of the challenges: “To get the right number of properly qualified people into the cyber security profession. We’ve got a skills gap; loads of jobs, not enough people. We sit in that gap, trying to close it.”
In the end, the challenges themselves can only go so far – the 30-or-so attendees aged between 17 and 50 are all likely to be seriously considering a change in career, but you can’t fix an industry a roomful of people at a time. For more widespread change, Daman pins her hopes on the organisation’s school’s programme, which teaches students the basics of cryptography.
“We teach students what cyphers are all about,” she says, “and then they are given the chance to break some cyphers that we provide. Then the second stage is designing their own cyphers, and pitting them against other schools.
Women and girls
“What it does is it keeps people interested in these sorts of subjects. It also, I hope, encourages women and girls to stay interested, because you’ll notice there are very few women and girls here today.”
The focus on cyphers – the rudimentary basis of encryption and codebreaking – hints at another of the event’s supporters. It obtains much of its funding from the government, and a GCHQ spokesperson says the agency is “proud of its association with, and sponsorship of, the cybersecurity challenge”.
“It is through initiatives such as this,” they continue, “that organisations, be they in the public or private sector, can continue to develop and maintain our leading edge in cyberspace by being able to recruit the right people with the right skills.”
Somewhat less of a deliberate goal, but an achievement nonetheless, is showing self-taught hackers that they can use their talents in a more productive way. Daman emphasises that they don’t ask contestants about that side of their history, but some admit it anyway, volunteering, for example, that they prodded their school network to see what would happen.
Aaron Devaney, a 38-year-old software developer from Leeds who won the overall prize at the end of the challenge, had a more traditional route into the field, but still one driven as much by curiosity as by professional ambition.
“In my day-to-day work we have [penetration testing] companies report on the security of our products and looking through the reports, I started to get interested in how they found out the information they did.”
Daman sees her role as taking that curiosity and convincing people that it shouldn’t stop there. “These are valuable skills,” she says. “Not everyone can do this. And if, on top of that technical ability, you are able to articulate what you’re doing, you’re a very prized individual. There is a job out there for you.”