Cyberfirst needs more than a change of gear
The UK is losing the battle for cyber talent to organised crime.
Scaling or privatising the Cyber First programme, as proposed in the DSIT consultation that closes tomorrow, is not enough.
Instead of establishing a new organisation, Cyberfirst should be restructured to work locally and nationally through the Cyber Security Council and existing mainstream on-line safety, safeguarding and careers programmes (like those run by the Careers and Enterprise Company) to attract talent before it goes to the dark side.
After an introductory background the blog below follows the structure of the consultation but gives answers to the questions the consultation does not ask.
Background
I have watched the UK cybersecurity skills market evolve over the past twenty years and been involved in many of the exercises to define needs and address shortages. Some succeeded. But many were doomed from the start by lack of clarity on the objectives and lack of realism with regard to the pre-conditions for successful delivery. These can be summarised as the “golden triangle” of employer engagement/access, student engagement/access and supplier engagement/access.
Until last November I was Convenor of the Advisory Group helping get support for the creation of Bard London Cyber Resilience Centre. That entailed looking at the skills supply chain for the City of London. I found global players supporting a variety of imaginative programmes to trawl the full diversity of London’s population from Cybergirls First (supported by Banks, Law Firms and their technology suppliers) to Cyber Benab (targeted at Caribbean teenagers and supported in the UK by the US banks which support similar programmes in New York).
After the recent election, in my role as Convenor of a Community Safety Partnership, I was briefed on how the money mules of inner London (the sub-contractors running the front-line money laundering, fraud and enforcement operations for organised crime) are enrolling teenagers with cyber talent on the path to digital serfdom before they ever see the Cyber First messages.
Many teenagers will, in consequence, be Cifas blacklisted before they are old enough to apply for University or Apprenticeship.
Those briefing me want to run “win-win” early intervention programmes which will not only tell local teenagers (and younger age groups!) that “it is not cool to sell your on-line talent (and digital soul) for cheap food and trainers” but that there are opportunities out there to volunteer to help protect your sisters and grandparents and get yourself on the path to a well-paid globe-trotting job in a city sky-scraper.
Meanwhile Cyberfirst reaches a minority of pupils, in a minority of schools some years after the most talented and/or vulnerable have been exposed to recruitment attempts by their on-line “friends”.
Cyber First should be positioned at the intersection of Skills England and Cyber-prevent, Counterfraud and Counterterror.
As the largest direct and indirect employer of cyber professionals in the UK, Government (including GCHQ, MoD and their supply chains) needs to lead the way in combining early intervention (from extremism, drug abuse, mental health and violence reduction to sexual abuse and fraud) with education and talent acquisition.
It needs to work with the Banks and Card Companies to attract, educate and inspire children before they are lured onto the path to digital serfdom by the TikTok, YouTube and other media adverts extolling the easy money and influence offered by the mule herders and cyber enforcers (mix of on-line and physical abuse and violence) of organised crime (from local post-code gangs, through county lines to global networks).
If Cyberfirst fails to do so, it risks trawling in a shrinking pool of middle class, clean skin, UK-citizens who qualify for a UK security clearance. It will not only miss out on the full diversity of talent that is needed, it will help drive much of that talent “to the dark side”, unable to get a legitimate job let alone one requiring a disclosure and barring service or higher security clearance.
Establishing a New Organisation: There should be no “New Organisation”. Instead, the Cybersecurity Council should be supported to work with and through one or more employer-driven sector streams within existing STEM education and careers programmes.
The current programmes (from cyber explorers, through cyber first course and the girls competition, to the undergraduate bursary programme) were good when launched but need updating and scaling. 100 bursaries, 129 Cyber first Schools, 108 ambassadors from 8 regional hubs and networks should be compared to the reach of the Careers and Enterprise Company Careers and STEM Hubs, STEM Learning network and/or the Governors for Schools programmes for STEM Governors and more recently for Cyber Governors (with training organised via LGfL Safeguarding).
The Cyber security sectoral analysis 2024 identifies 2,000 suppliers employing 60,000 full time staff, 40,000 by only 174 large (i.e. more than 250 staff) employers. Most work with fewer than 30 large employers in the supply chains of GCHQ, MoD and the City of London. Most of those organisations already work with a variety of overlapping Cyber and STEM programmes, from local to global.
On the user side fewer than 8,000 organisations are large enough to have any in-house trained cyber-professionals. Most of these are part time with other responsibilities, from safeguarding to counter fraud. Few user employers are involved with cyber skills activities other than via the professional bodies and/or trade associations in which their staff are active.
The current proposal is too modest to make any serious difference to improving the talent pipeline for GCHQ, MoD and Police and their suppliers. By contrast the large suppliers to the City of London by working in partnership with the imaginative talent attraction programmes increasingly supported by the private sector, particularly financial services and aerospace and their security providers.
That is probably best achieved by supporting Government departments and agencies to become employer members of the Cyber Security Council and their recruiters to work with the Department for Education to use the creation of “Skills England” to rebuild the employer-driven national and local networks that were so badly damaged when the last government halted support for the Sector Skills Councils and later passed the LEP functions to Local Government.
Organisational Structure: cyber skills are global and local – not national or regional
The LEPs were of uneven quality but Local Government has many other priorities. The effect of putting skills policy under democratic (alias politicians and advisory committees of “experts”) control has been a collapse of employer engagement with skills initiatives at almost all levels with most staff leaving after being transferred from LEPs to Local Authorities with “other priorities” (e.g. housing, social services and financial survival).
DSIT should use the opportunity to begin the process of rebuilding employer engagement with cyber skills programmes via the new Business Board Network. Instead of creating a new body it should encourage public sector employers (including central and local government) to work alongside the private sector (including via the Cyber Security Council and relevant trade association and professional bodies) to support those existing skills programmes and networks that already have serious support and participation from the main employers and trainers of cyber security staff. Examples include The Cyberhub Trust whose FE and HE partners appear to run the majority of successful Cyber Boot Camps.
That is probably best achieved by encouraging existing bodies (e.g. the Career and Enterprise Company) to provide sector streams within their geographic careers and STEM education networks and to link these to the relevant global skills networks (including trade associations and professional bodies), taxonomies, suppliers and accreditations, using SFIA – the global skills and competency framework for a digital world as the glue. SFIA is already mapped onto the US NIST cybersecurity standards (used by financial services around the world) and most of the professional qualifications and accreditations.
As community interest companies and/or charities, organisations like Careers and Enterprise Company, Governors for Schools and London Grid for Learning (the world’s largest school support network) can accept donations and grants but Government funding should primarily be via employer contributions and support from departments, agencies, trade associations and professional bodies which recruit and train cyber talent. They should be linked to the employer needs analyses (using SFIA) which are currently missing from the skills and training programmes – which are also commonly missing. Where is that for DSIT?
The current “assets” of Cyber First probably have little or no commercial value and pretending otherwise is a delusion. Contributing toward open-source content is a far more productive way forward and is already being explored by leading UK defence contractors.
The Mission needs to be prioritised
The claimed mission is ambitious and goes well beyond what Cyberfirst has delivered to date. It covers tech and STEM as well as cyber, however it is defined. There are many players seeking support to deliver programmes and materials to promote tech and STEM careers and/or improve diversity in the talent pipeline. Almost all claim to have a “public good” mission. Most are seeking to engage with employers to achieve their objectives. Few manage to engage with those running the recruitment and training operations of the main employers of cybersecurity staff.
Scope
CyberFirst should work alongside the Cyber Choices programme of the National Crime Agency with a focus on providing the missing link between those looking for cyber talent and the many other groups that are more effective at reaching the full range and diversity of schools and youth groups, including those not in main-stream education.
Education and interventions need to be at all levels and tailored to the audience. The patois to use to help change the behaviour of teenagers in Lambeth is different to that for similar groups in Islington, let alone Liverpool, Manchester or Birmingham. Programmes therefore need to engage local audiences in tailoring messaging for their peers.
They are also more effective if they begin before the individuals have begun to taste the rewards of bad behaviour. The youngest person referred to the Home Office cyber prevent pilot in Plymouth was eight (Blue Screen IT is now BIT Group). But almost the only mainstream employer for those with a criminal record but not seen as being at “moral hazard” is usually GCHQ. They are also one of the few large employers to provide the pastoral care that many of those with “extreme talent” require.
Perhaps the most valuable role would be to fund a regularly updated mapping and signposting service to enable those providing relevant services to identify each other and operate in partnership when their interests overlap.
The future role of Government
NCSC and DSIT should most definitely remain involved going forward but on behalf of government as employer helping attract talent into the full range of public sector cybersecurity roles, from helping vulnerable patients securely access NHS services to joining the Armed Forces as cyber warriors.
In terms of attracting diverse talent, as opposed to those who can get a UK security clearance, it is, however, probably more important to engage UK financial services, via those concerned to address child financial exploitation (the cutting edge of the recruitment efforts of organised crime), with the mainstream careers programmes of the Department for Education.