During his recent trial at the Old Bailey, it emerged that David Kelley, a cyber hacker and member of the group that carried out a £77m hack on TalkTalk in 2015, was motivated by “spite and revenge”.
According to his defence, Kelley, who has Asperger’s syndrome and depression, became a “black hat” hacker after failing to achieve the GCSE grades necessary for a college course in computing, before joining the group of cyber-criminals responsible for the massive data breach.
Kelley was described by the prosecution as a “prolific, skilled and cynical cyber-criminal”, and his choices have caused significant harm and distress to a number of people. His actions, and those of other cyber hackers who have gone down similar paths, are certainly not to be condoned regardless of the challenging circumstances they may face.
However, this case has shone a spotlight on an apparent issue between the hacker community and the corporate world: talented cyber hackers are not given the opportunity to do good with their skills – because they don’t ‘fit the mold’. This is an issue because cyber hackers have both skills and knowledge that the corporate world would benefit from.
By forcing potential cyber hacker candidates to meet rigid pre-defined expectations, and using outdated training programmes and qualifications, universities and big corporations are missing out on harnessing the potential of highly adept young operators — and in some cases losing them to the dark side.
Cyber hackers are creative people – and that creativity is strangled
Cyber hackers with the right mindset for advanced cyber work tend not to pursue formal qualifications. Creative and often countercultural, they frequently share traits that, at best, make them seem a little different and, at worst, something of outsiders. The way they view the world means they don’t typically like to conform with formal process and training, which they might see as boring or pointless.
But this is what makes them strong cyber talent. They see something and want to dismantle it to understand its flaws; and by doing so, they can better understand how it might be fixed.
However, in requiring these people to be taught in a classroom environment, or to take a structured course, many educational facilities are strangling their creativity from the outset.
Corporate culture is stifling this creative talent too, with its obsession with hiring by numbers based on accreditations or the achievement of qualifications required by legacy admissions processes. In the absence of their own technical knowledge, for example, an HR team seeking to hire cyber talent will tend to look out for recognised certificates or professional accreditation on a candidate’s CV. As a result, genuine talent can be overlooked simply by virtue of not having taken the right exams.
Those with real cyber talent should instead be judged on their contemporary skill set, be given creative tasks to prove themselves, and be engaged in stimulating activities and war games. Only by giving them the opportunity to demonstrate their skills will such talent be truly recognised.
The cyber security world needs to embrace diversity
When it comes to cyber security, the cyber hacker community represents a rich talent pool, with many of the skills necessary for the field. Without the right opportunities to demonstrate these skills, however, these individuals can find themselves pushed into the arms of criminals who don’t care how they look or act — just that they’re good at hacking for nefarious purposes.
This potential has not gone unrecognised. It’s to this end that the UK government recently announced funding for various neurodiversity training programmes as part of its Cyber Skills Immediate Impact Fund (CSIIF).
Blue Screen IT’s HACKED initiative, for example, is designed to identify, train, and place neurodiverse candidates, among others, into cyber security careers, while Crucial Group’s Academy offers retraining in cyber security to veterans, including members of the neurodiverse community.
Backed by the CSIIF, Immersive Labs’ own Neurodivergent Digital Cyber Academy (NDCA) works with the National Autistic Society and UK Cyber Security Forum CIC to develop the technical capabilities and practical skills of individuals often overlooked when it comes to employment, enabling them to pursue a career in cyber security.
In the words of Margot James MP, Minister for Culture, Communications and Creative Industries: “Untapped talent in cyber security can be found anywhere but unless we look for it everywhere, we risk missing out. Diversity should be at the heart of what we do as we work to build a Britain which is fit for the future.”
Businesses and educational institutions need to nurture and encourage
We may never know what David Kelley would have done if he hadn’t been lured to the dark side. But we can hope that, in time and after rehabilitation, a business or individual might take a chance on him and give him the opportunity to display his full potential as a force for good.
Until then, there’s a real need for businesses and educational institutions to fix the way in which they measure and foster cyber talent, particularly among the neurodiverse. There are some highly skilled people out there. It’s in our interest to nurture them, and encourage them to develop their talents, rather than dissuade them by demanding certain boxes are ticked. Cyber security needs cyber hackers — let’s make them welcome.
James Hadley is CEO of Immersive Labs