Cracking a secret service job

It’s unlikely James Bond would have been recruited this way. The perks of this job do not include driving an Aston Martin, sipping martinis in exotic locations or saving the UK by shooting the cat-stroking villain.

Nowadays, a secret service job involves a computer, possibly located in a basement, and the only thing you are going to be intimate with is low-level computer programming code.

But recruitment to a secret service job was the intention of a mystery challenge that appeared at (www.canyoucrackit.co.uk) last week.

Specifically, it was to work as a cybersecurity programmer for GCHQ. GCHQ – the Government Communications Headquarters – is one of the three UK Intelligence and Security Agencies, the other two being MI5 and MI6.

Once canyoucrackit was launched, word circulated on Twitter and solutions to the three stages of the challenge started appearing on the net.

The site had some shortcomings, however, and enthusiasts found it was possible to circumvent the need to enter a code at all by entering the web address (http://www.canyoucrackit.co.uk/soyoudidit.asp). That’s when it was realised the challenge was part of a recruitment drive for GCHQ.

Comments quickly circulated about the fact the starting salary for a “cyber security specialist” at GCHQ was about £25,000 – a fraction of what a good security programmer could earn in industry.

The idea that solutions to the challenge would be posted and circulated was always part of the plan. TMP Worldwide, the agency behind the challenge, had issued a press release detailing that the rationale of the challenge was to “seed a message into social media channels” and that the desired result of the campaign was to reach people with a particular mindset and to encourage them to find out about GCHQ. The ultimate aim was to foster interest in GCHQ as an employer.

The other thing to note was that GCHQ would not accept anyone who had hacked illegally. Presumably this meant you couldn’t include hacking as part of your skill set on your CV?

What was absolutely clear, though, was that while the challenge itself succeeded in captivating interest, the people who were generating the solutions were not interested in the prospect of a job. The resulting media focus has also been on how GCHQ is engaging with programmers in terms of their programming interests rather than their desire for national security.

The job required a good university degree, which contained a certain irony: it is unlikely many computer science graduates would have been able to solve the challenge from what they had been taught at university. Very few universities now teach Assembler or generic problem solving skills.

This type of campaign has been run before. As far back as 1941, crossword puzzle competitions were being used as a means of selecting people to work at the secret code breaker unit at Bletchley Park in the UK

More recently, the Australian equivalent of GCHQ, the DSD (Defence Signals Directorate ran an ad that contained cryptic text. Although this was supposed to pique interest, there was no explicit need to solve the puzzle. But the text was similar to the canyoucrackit challenge in that it translated into low level programming code that eventually resulted in a web address to a hidden page

Unlike the canyoucrackit challenge, the DSD ads generated very little discussion anywhere.

The US Cyber Challenge organisation has been set up to try to stimulate interest in cyber security and to recruit individuals by running online competitions and cyber security camps.

Security agencies globally are facing increasing challenges against escalating cyber threats. In the cyber arms race, western countries in particular are struggling to attract enough smart people to work in these agencies.

This has led people such as Misha Glenny, author of “DarkMarket” to suggest security agencies should be hiring the hackers, as countries including Russia and China are allegedly doing.

The hiring of hackers is obviously a contentious issue but something the NSA in the US was at least publicly willing to consider.

Increasingly, private companies are moving into providing tools and expertise in the cyber security space. Like all software, this is becoming commoditised and available for purchase legally or otherwise.

As was revealed recently, the German company DigiTask has sold trojan software for communications interception on laptops.

The private spy software industry covers everything from viruses to botnets that can control thousands of mobile phones and is worth $5 billion a year. Last week saw the publication by Wikileaks of 287 documents about this industry.

A companion site, called the Spy Files, developed by French media company Owni has an interactive map detailing the countries where systems have been sold. Nobody should be particularly surprised about the pervasiveness of this technology, nor the fact it has mysteriously turned up in the hands of regimes which should not have had access because of national bans on dealing with rogue states.

National security agencies are increasingly using these off-the-shelf systems in their surveillance of both internal and external threats and for protective and combative purposes.

US agencies at least have another advantage: they can get access to underlying software systems that underpin the everyday use of the internet, such as Google, Facebook and Twitter.

From this perspective the necessity for US-based agencies to recruit and develop programmers of their own is not as critical.

One can’t help feeling, however, that if they threw in the offer of exploding pens or a company car equipped with missiles they’d have a much greater chance of success.