A codebreaking challenge posted online has proved to be a useful marketing tool for UK spy agency GCHQ. It's the latest example of security services looking to the Internet to recruit the next generation of cyber analysts and code-crackers.
It is unlikely that James Bond would have been recruited this way. The perks of this job do not include driving an Aston Martin, sipping martinis in exotic locations or saving the UK by shooting a cat-stroking villain. Nowadays, a secret service job involves a computer, possibly located in a basement, and the only thing you are going to be intimate with is low level computer programming code.
But recruitment to a secret service job was the intention of a mystery challenge that appeared at www.canyoucrackit.co.uk last week. Specifically, it was to work as a cybersecurity programmer for GCHQ, one of the three UK Intelligence and Security Agencies, the other two being MI5 and MI6.
The site had some shortcomings, however, and enthusiasts found that it was possible to circumvent the need to enter a code at all by entering the web address http://www.canyoucrackit.co.uk/soyoudidit.asp. It soon became apparent that the challenge was part of a recruitment drive for GCHQ. Comments circulated about the starting salary for a “cybersecurity specialist” at GCHQ of about GBP 25,000 – a fraction of what a good security programmer could earn in industry.
It appears that posting and circulating the solutions to the challenge was always part of the plan. TMP Worldwide, the agency behind the challenge, had issued a press release detailing that the rationale of the challenge was to “seed a message into social media channels” and that the desired result of the campaign was to reach people with a particular mindset and to encourage them to find out about GCHQ. Interestingly, GCHQ specified that they would not accept anyone who had hacked illegally.
What became clear was that although the challenge succeeded in captivating interest, the people who were generating the solutions were not interested in the prospect of a job. Resulting media coverage focused on how GCHQ is engaging with programmers in terms of their programming interests, rather than their passion for national security.
Although the job offer required a good university degree, it is somewhat ironic that many computer science graduates would have been unable to solve the challenge from what they had been taught at university. Very few universities now teach Assembler or generic problem solving skills.
This is far from the first time spy agencies have carried out a recruitment drive in this way. As far back as 1941, crossword puzzle competitions were being used as a means of selecting people to work at the secret code breaker unit at Bletchley Park in the UK.
More recently, the Australian equivalent of GCHQ, the DSD (Defence Signals Directorate), ran an ad which contained cryptic text. The text was similar to the ‘Can you crack it’ challenge in that it translated into low level programming code that eventually resulted in a web address leading to a hidden page. Unlike the ‘Can you crack it’ challenge, the DSD ads generated very little discussion anywhere.
Security agencies globally are facing increasing challenges against escalating cyber threats. In the cyber arms race, western countries in particular are struggling to attract enough smart people to work in these agencies. The US Cyber Challenge organisation has been set up to try to stimulate interest in cybersecurity and to recruit individuals by running online challenges and cybersecurity camps.
Certain figures such as Misha Glenny, author of DarkMarket, have been vocal in advising that security agencies should be hiring hackers as countries like Russia and China are allegedly doing. The hiring of hackers remains a contentious issue, but something that the NSA in the US was at least publicly willing to consider.
Increasingly however, it is private companies that are moving into providing tools and expertise in the cybersecurity space. Like all software, this is becoming commoditized and available for purchase legally or otherwise. National security agencies are increasingly utilising these off-the-shelf systems in their surveillance of both internal and external threats and for protective and combative purposes.
US agencies at least have another advantage, and that is that they can get access to underlying software systems that underpin the everyday use of the Internet like Google, Facebook and Twitter. From this perspective the necessity for US-based agencies to recruit and develop programmers of their own is not as critical.
One can’t help feeling, however, that if they threw in a few exploding pens or a company car equipped with missiles, they’d have a much greater chance of success.
Follow David Glance on Twitter