The civil service needs to change its ethos and recruit 'hackers' — people with the necessary skills to deal with the unpredictable nature of the cyber-environment, a former home secretary has urged.
Lord Reid of the Institute for Security and Resilience Studies, based at UCL, has called for the civil service to recruit 'hackers'. Photo credit: andrew_j_w/Flickr
"Traditionally, people in the public sector are good team players rather than individual thinkers. They are those who stay inside the rules rather than think outside the box," Lord Reid of Cardowan told ZDNet UK on Wednesday. "With cyber, you're liable to look for the opposite."
Reid, who is chair of the UCL Institute for Security and Resilience Studies (ISRS), spoke to ZDNet UK at the launch of the institute's Cyber Doctrine report in London.
The government, public and private sectors have launched a number of efforts to recruit people with the necessary information security skills and mindset to deal with cyberattacks. For example, the Cyber Security Challenge has just started its second year of competitions, while the Ministry of Defence is trying to find people for its Defence Cyber Operations Group.
Reid acknowledged that some hackers see the military as authoritarian and avoid involvement with the forces.
On the other side, he argued, companies and government agencies should realise that people with good information security skills are often free-thinking and not traditional candidates for a civil service or corporate job.
"I don't think there's necessarily a difficulty in recruitment, providing people realise the qualities fitting for a cyber-environment," said Reid.
The report's co-author Jamie MacIntosh, the ISRS director of programmes, said organisations need to get a clearer picture of the kind of person suited to cybersecurity roles.
"A hacker is someone who cuts code, and the public sector has always recruited people who cut code," MacIntosh told ZDNet UK. "The public and private sectors have difficulties recruiting, and there are questions from the top to the bottom."
At board level, companies and agencies need to understand the risks associated with employing a hacker. In addition, degree courses need to be tailored to challenge students and teach how to hack, according to MacIntosh.
Internet is 'inherently subversive'
Similarly, governments need to recognise that the internet cannot be controlled by traditional methods, according to Reid.
"You can't control the internet by law or deterrence," he said. "The internet is inherently subversive of traditional power structures. You need a conceptual framework to allow you to handle the challenges."
Reid called for the government to set up a taskforce to establish and develop cyber-resilience guidelines for the UK. The taskforce should be assigned a dedicated minister and be accountable to the National Security Council, he said.
In particular, the UK should look to technological innovation to mitigate cybersecurity threats, Reid urged. The government should fund 'innovation incubators' to house technology start-ups, which would be required to "succeed fast, or fail fast", he said. These small businesses could then sell services to the public and private sectors.
For its part, the government would have to tweak its procurement processes to focus on outcomes, rather than requirements, to be able to benefit from this innovation, said MacIntosh. That would allow agencies to keep up with the rapid pace of technological change.
"If the procurement process is fixated on requirements that take 28 months to deliver, and technology changes every four months, you are never going to get past base one," he said.