A friend of mine asked me about the UK’s mooted Cybersecurity “volunteer” force; this is approximately how I responded:
The Cyber-Force thing is simultaneously scary, tragic and amusing; Iain Lobban – Director of GCHQ – has been heard to lament that they cannot afford to pay for geeks:
…that essentially they can’t compete with private sector industry for salaries and conditions.
The truth is a little more complex and a little less clear-cut than that.
From my modest experience of the demographic – dating from around 1994 to the present day – the UK defence establishment has subsisted by chewing up public-spirited geeks who were willing to trade shitty pay for unfireable job-security and an index-linked civil service pension from age ~55ish, thence to buy a cottage in Cornwall, or Provence or something.
The unfireable pension opportunity has now evaporated and DERA (the Defence Evaluation and Research Agency) which provided the hinterland of geeks for GCHQ was largely privatised as Qinetiq – significant numbers have left that – plus computing is now sexy again, so suddenly a lot of the UK’s core security expertise is going into private hands.
You know my perspective on “cyber” – that it is a framing of the debate to launder:
- public relations/propaganda, and …
- expansion of state regulation opportunity
…as a necessary new military activity in a new “domain” – the domain of “communications” – which they call “cyber” because calling it communications would be too obviously unmilitary for people to bear.
Not to mention that honesty would sound too “Orwellian”.
However the good manpower is now off earning loadsamoney with either:
- “Big Data”, or…
- “Silicon Roundabout Startups” – which are sacrosanct because they may save the economy and the DTI is currently behind them.
…and therefore GCHQ are calling for volunteer cyberwarrior do-gooders.
If in one scenario this is not terrifying to normal people then it bloody well ought to be, if only for the example of “LOVEINT” at the NSA:
…because if the best-funded cyberagency in the world has significant spy-on-your-ex-lover issues, what the hell will happen when you let loose a bunch of volunteers on the spook-internal databases of the UK?
There would be rather more “snoop on your mate’s ex-girlfriend” than “Edward Snowden” activity, to be sure.
But let’s instead imagine that GCHQ are not fools and that the volunteers are kept at a discreet arm’s length from the datacentre at Cheltenham; what then? Will you have a bunch of volunteers going around to BNFL and setting up firewalls for nuclear power stations? Or trying to hack into the National Grid? I think they’re already equipped.
What will they be doing, and will they actually be any good at it? And whom will they be depriving of a paid job in the interim? Answers: they won’t be sure, not terribly, and possibly themselves.
I’ve spoken with a competition winner from the GCHQ “UK Cyber Champion” contest and it seems that even if they really like you as a person, the public sector does not have the culture to employ creative, individualistic, modern computer people.
So I think they are in trouble; and you can’t justify the budgets if you can’t get the staff.
If I was to suggest a way out for GCHQ and the Government it would be to stop fretting about process so much, stop throwing money at the big defence contractors and instead engage directly with smaller parties in the private sector.
But that will never happen on the scale which it needs to. Alas.
My perspective on cyber: www.slideshare.net/alecmuffett/how-to-think-clearly-about-cybersecurity-v2