A criminal waste

‘Everyone knows about the code-crackers of GCHQ. But a far bigger pool of talent is underground: alienated young hackers tempted to the dark side, because they find no outlet for their skills elsewhere’

Tech lesson
(Illustration by Miles Cole)

Cybercrime is estimated to cost the UK £27 billion per annum, or around a fifth of the NHS budget this year. It is going to get worse. Not enough cyber security professionals are available, and those there are lack the necessary skills.

Yet the UK sits on a huge pool of unexploited talent. Everyone knows about the code-crackers of GCHQ in Cheltenham, Silicon Glen in Scotland, Silicon Fen in Cambridge and Silicon Roundabout near my old flat in Shoreditch. But a far bigger pool of talent is underground: alienated young hackers who may struggle to write a CV and find formal employment, but excel at writing code and finding vulnerabilities in systems. They are tempted to the dark side, because they find no outlet for their skills elsewhere. 

The word “hacker” has mostly negative connotations, immediately implying criminality. But all cyber security professionals, at least those that are any good at it, are hackers. A hacker is someone who can hack into a system. Whether they do so with or without permission is secondary.

Having met and worked with many young hackers, I know they can help solve the crisis. The National Crime Agency, GCHQ and the Metropolitan Police all see the potential too. That was one reason why Hacker House, the ethical hacking company I founded, was awarded a grant by the Department of Digital, Culture, Media & Sport (DCMS) to develop a portal and framework for harnessing ethical hacking skills. In 2014, I hosted events in Shoreditch where talented youngsters could play with my library of gadgets, eat pizza and have fun meeting like-minded individuals. This was not a business, just a concept. I was not able to train these advanced minds, but I was able to reach them on a human level, to consider the decisions they made and the challenges they faced.

Many came from rough homes and had tough life stories. The education system had done little to stimulate them. Parents or teachers, even if they could recognise cyber talent, usually did not know how to channel it; the youths themselves were not “corporate”, did not know how to make themselves employable, and lacked social skills. The only people who did recognise their value were criminals.

Arthur (not his real name) felt constrained by the school curriculum. All he wanted to pursue was his talent: hacking. He wanted to get a job but hated interviews, avoided crowded spaces at all costs, and refused to take public transport in London. If he did not like you, he would not work for you. The first time I met him he thought I was “a fed”—not the first time the hacking community has accused me of this. If you were too posh or made him feel uncomfortable, he would shut down and refuse to speak. But he had a lot to say about the state of cyber security, and after I convinced him to speak on stage at one of my InnoTech events—this particular one brought hackers, crime agencies and policy-makers together—he found his confidence. He soon built a career out of public speaking, runs his own company and provides for his family lawfully.

Another passionate young man was unable to pursue ethical hacking as a career because his father wanted him to take over the family refrigeration business, arguing that hacking meant dead ends and prison. One of the most amazing minds I have ever met dropped out of school to work in the family firm. I wish I could have spoken to his dad to inspire him to see his son’s real talent.

Another lad I worked with came from an extremely violent background. Without a stable home, he left school at 13 and began selling hacked computer networks on the streets. This life of toxic destruction eventually caught up with him and he was arrested and sent to prison. Now 26, he has paid his debt to society and has the chance to turn his life around. The most valuable use of his skills would be to a business, since he knows how to scan servers, work in and out of the dark web, and has seen first-hand where harvested credentials are bought and sold. His knowledge would be an asset to a company; he knows how to protect against attacks because he used to be the attacker. But who will hire him? Where will he legitimise his skills?

This is why I founded Hacker House, alongside Matthew Hickey, a professional cyber-security researcher. He also saw the potential of what Dominic Cummings calls the “wild cards”. People who do not fit inside the box of commercial experience, lack letters after their name and cannot or will not write a CV. We developed a practical, classroom-based course called Hands on Hacking, which teaches people how to enter industry and gain lawful employment within cyber security roles such as penetration testing—mimicking a hostile attack in order to highlight weaknesses. Harnessing hacker talent brings a double bonus. First it will weaken the cybercrime industry, cutting off its supply of new entrants, and perhaps even weaning existing workers away. Second, it strengthens our defences. We cannot afford to wait. While you are reading this, a criminal is stealing money or data from your business, your government, your friends, your family—or you.