Speech

Francis Maude speech at Cyber Security Challenge Masterclass

The minister opened the final of the 2014 Cyber Security Challenge Masterclass, which tests the cyber security skills of amateur contestants.

This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
Minister Francis Maude

Introduction

Thank you very much Judy [Baker, Chair of the Cyber Security Challenge].

It’s a great privilege to be asked to open the final of this year’s Cyber Security Challenge Masterclass.

It’s in its fourth year, as you said, and congratulations to you for kicking it off Judy. It’s got 75 sponsors from across government, business and academia – working closely together toward a shared aim, which is incredibly important, of a safe and secure internet.

So thank you to Stephanie [Daman, CEO] and the entire board for the work you’ve done to make this possible.

And it’s a particular pleasure to see your patron, Baroness Pauline Neville-Jones, here in the room tonight (13 March 2014).

Pauline recently stepped down as the Prime Minister’s Special Representative to Business on Cyber Security and in both this and her previous role as Minister for Security she’s helped advance the cause of cyber security immeasurably, particularly in raising awareness among senior business figures. And I think I can say if it hadn’t been for your passion and commitment to this Pauline, I think it’s much less likely that the government would have done this extraordinary thing which was — at a time of falling budgets overall and deep financial constraint — actually to commit a significant additional sum to this whole project and the programme and you deserve huge credit for that – so thank you from all of us.

We can never be complacent and there’s much work still to do — and there always will be, this will always be a work in progress — but over the past few years cyber security has rapidly moved up the agenda of company boards. UK businesses are now far better placed to manage the risks that exist.

The fact that so many leading companies are enthusiastically involved with this challenge is testament to this. Just look at the range of sponsors here tonight — BT, Juniper, GCHQ, National Crime Agency, Lockheed Martin and Bank of England. This kind of cooperation is precisely why we as a government are supporting the Cyber Security Challenge financially through our National Cyber Security Programme.

Cyber Security Challenge Masterclass final

Sometimes, when we talk about cyber security it’s all about the dark side — the threat. We shouldn’t lose sight of the fact that this is a threat because of the existence of something marvellous and how appropriate that in these few days when we’re celebrating 25 years of the World Wide Web, we should reflect on the transformation of all of our lives that the internet has brought; what a force for good it is in our lives, for the economy, for our ability to connect with each other and to organise our lives differently and better. It’s the biggest social and technological change in my lifetime.

And I think one of the strengths of the Cyber Security Challenge is that — in the middle of the sober and menacing nature of the cyber threat — it seeks to respond in a very positive way, by identifying and nurturing some of the exceptional talent that can be found in schools and universities and, of course, in offices and homes around the country.

So let me start by congratulating our participants. You’ve been put through a series of challenging scenarios and you’ve had to flex your intellectual muscles to get here tonight, so well done.

I’m told that there are 42 of you who have made it through to this face-to-face stage. Well, 42 as we know is a very auspicious number. According to The Hitchhiker’s Guide to the Galaxy, 42 is the answer to The Ultimate Question of Life, the Universe, and Everything.

Don’t worry — we’re not looking for anything quite as profound over the next couple of days.

Quite simply, we’re looking for raw talent.

There’s a gap between the increasing opportunities to work in cyber security and the availability of people with the right skills. And for the good of national security, commercial interests and the wellbeing of everybody, it’s a gap we need to close. And I’m increasingly confident we can. We haven’t yet, but we can.

Computer programmers and software engineers; logicians and statisticians; code breakers and code makers — as a nation, we’ve produced some of the greats. We have in the UK a fantastically rich heritage, from the Babbage Difference Engine to Tim Berners-Lee’s World Wide Web.

We have some of the best universities in the world for science and technology too.

But the kinds of people we’re looking for won’t always come with a double first from Cambridge. Or even from Oxford, which I’m told is much easier.

We know that aptitude can be found in all sorts of places.

Take Tommy Flowers for instance — the man who developed Colossus, the world’s first programmable electronic digital computer. He worked as an electrical engineer for the General Post Office — the forerunner of BT, which makes tonight’s venue perhaps an especially fitting one. During the Second World War, the government’s code and cypher school at Bletchley Park was sceptical about his invention, so — poor fellow — he had to build it in his spare time using his own money.

But it worked and went on to play an instrumental role in the planning for D-Day, 70 years ago.

Bletchley Park was full of people from all kinds of different backgrounds.

Dillwyn Knox, a renowned expert in Egyptian papyrus.

Pioneering women like the zoologist Miriam Rothschild and the linguist Mavis Batey who, not content with cracking Enigma codes, went on to become a noted garden historian after the war.

And I noticed when I was at Cheltenham in GCHQ recently at the little museum they have of Bletchley memorabilia, a list of the names of people who had been recruited to Bletchley from universities during the last war. Next to J. R. R. Tolkien — the connection between Norse mythology and breaking cyphers is obvious — I noticed 2 names from my old Cambridge college, who were fellows there when I was there, who’d been recruited. And were they computer scientists or mathematicians? No, they were ancient historians. One of them produced a classic work on ancient Rome. What was needed was brainpower: sheer, intellectual brainpower. The ability to process difficult things and make sense of things that didn’t seem to make sense. Intellectually formidable, all of these people served their country, even though they probably didn’t recognise at the time the significance of what they were doing.

When Churchill went to visit Bletchley, he is reported to have said:

“When I told you to leave no stone unturned recruiting for this place, I didn’t expect you to take me literally.”

Well, tomorrow you’re going to be, I’m told, in the Churchill War Rooms — and we’ll be looking for the kinds of people with the skills to be the next Tommy Flowers or Mavis Batey.

And we all know they’re out there, but they’re not always obvious.

On a visit a year or so ago, I remember meeting a young apprentice at a small cyber company in Malvern where, rather improbably, there is this cluster of cyber security related businesses. Not where you’d expect to find it — but great. And this young man who was 16, starting his apprenticeship, he’d been thrown out of school. He wasn’t succeeding academically, it wasn’t his thing. He was disruptive at school and they’d bunged him out. But he loved computers, he loved doing this stuff and was brilliant at it — and he’s found his niche. And I remember asking him how many like you were there in your school — and he replied about half the class.

That’s quite a rich talent pool to draw from and are we getting as good as we need to be at spotting that raw talent and using it? Helping people find their niche, the thing they’re brilliant at. And in this country, which is such a rich source of talent, ingenuity and creativity, we must be finding more of them, more quickly, earlier and getting them to work.

So that young man has found his niche and I’m sure he will go on to do amazing things. Some of the brightest and best are self-taught. We want to find people who might not have trodden the usual conventional career path.

So that’s why we have been supporting the Cyber Security Challenge, through the National Cyber Security Programme, to demonstrate the excitement of this profession to as wide an audience as possible.

That includes young people, making their first tentative steps into the workplace.

But it also includes people already in the world of work, who have the skills, the aptitude or the ability, but haven’t previously considered this as a career — they might not think they have the right technical qualifications or because they’ve already started on a different career trajectory.

So one of the things we want to do is to make it easier for sideways entry mid-career.

A case in point is the winner of the first Cyber Security Challenge — Dan Summers — who was working as a postman. He still works for Royal Mail — but now in vulnerability management.

I can tell you today, that almost 1 in 3 people who have previously reached the final face-to-face stage of this competition go on to find work in the field of cyber security.

So for a third of the contestants here tonight, the next 2 days could be the first step on this new career path.

And even those who choose not to pursue it as a career will leave this contest with an increased awareness, which they will take with them into other careers and workplaces.

Another previous masterclass winner, Jonathan Millican, will be speaking later and I look forward to hearing about his challenge.

Schools Challenge

But it’s by no means a case of “mission accomplished” and never will be. This will always be a work in progress. The internet is defined by its openness and its speed. It’s organic, self-sustaining and self-propelling. It doesn’t have a rewind button. You can’t pause it. It’s going to go on growing – and our training and education has to keep pace.

So to avoid a gap in our cyber defences in 10 or 20 years’ time, we need to look not just to the needs of the current workforce, but over the horizon, to those still in school.

562 schools no less have already registered for the Cyber Security Challenge Schools Programme, with an additional 170 still to be contacted for the next round. Potentially that’s almost 22,000 pupils who have gone from having little or no knowledge of cyber security to now recognising it as an exciting and realistic career opportunity.

So we’ve made a further grant of £100,000 to the Cyber Security Challenge to expand the pilot regionally and nationally, so it can run twice yearly, and can link participating schools to local universities.

I’m pleased to see some of the schools here tonight — and the final of the schools competition takes place next week.

Cyber Security Strategy

Our support for the Cyber Security Challenge is an important part of our Cyber Security Strategy.

We’ve backed the strategy with £650 million over 4 years — to which we added another £210 million last year, to take us through to 2015 to 2016.

In a time of austerity, most areas of government have had to contend with a squeeze on their budgets — so the fact we are increasing spending on cyber security demonstrates how high it rates in our priorities.

But spending, by itself, is not enough. Better skills underpin the government’s whole Cyber Security Strategy. We simply won’t achieve all the other objectives without it.

Earlier today, the Department for Business announced a range of measures we are taking to help increase our capability.

We’ve now developed cyber security content for each stage of education, including teaching materials and e-learning courses to promote cyber security learning in schools. And we’ve funded initiatives for graduates and post-graduate students, as well as internships and apprenticeships, because we want to strengthen the skills of new entrants.

But closing the gap between demand and availability of skills doesn’t just require a focus on education — we also need to ensure cyber security presents an attractive and appealing career choice.

So the task for industry and business and government is to work together to turn cyber security from a little understood role performed by a small number of technical experts, to a mainstream profession — one that’s respected and valued, with proper opportunities for development and progression, so it can attract and retain the best talent.

CESG, the information security arm of GCHQ at Cheltenham, now has a scheme to certify cyber security professionals in the UK. It helps government and business to recruit people with the right skills — at the right level — to the right jobs.

Together with the development of National Skills Standards and learning pathways, developed in conjunction with e-skills UK, it’s helping to define a career path because through regular opportunities for re-assessment it enables individuals to progress as their skills and experience grow.

Next week, the Department for Business is hosting a Cyber Security Skills Showcase to raise awareness about what government is doing and how industry can get involved — and I’m pleased that the Cyber Security Challenge will be represented there.

Finally, because of the relentless and ever-changing nature of cyber threats, we also need to be on the front foot to develop new skills and capabilities in the future.

Cyber security research

4 years ago, our understanding of cyber security was relatively low and there wasn’t really the means of expanding that knowledge in a sustained way, which is why we are also investing in research.

Today we have 11 new academic centres of excellence in cyber security research; there are 3 new research institutes and 2 centres for doctoral training. They’ll help us appreciate and predict cyber risks and identify gaps in our defences — because, as the old adage goes, to be forewarned is to be forearmed.

Conclusion

So, in conclusion, over the next 2 days, you’re going to battle it out face-to-face until one of you emerges as “Top Gun”. But actually, this is a competition from which everyone stands to gain.

Our workforce will be more skilled.

The UK will be a more secure place to do business.

People will be safer online.

Ultimately, better cyber security shouldn’t be viewed as a necessary evil — it should be seen as a massive opportunity. For many, including some of those in this competition, it’s an opportunity for a satisfying and rewarding career. It’s also one of the businesses of the future that can help the UK achieve strong lasting growth. And it will help us all reap maximum benefit from the limitless potential of the information age.

So very good luck to you all — thank you very much.

Published 14 March 2014