All the latest UK technology news, reviews and analysis


GCHQ and NSA outsourcing cyber security tasks to third-party vendors

24 Sep 2013

mikko-hypponenGovernment agencies such as GCHQ and NSA are outsourcing their requirements to private security firms to boost their cyber capabilities, according to F-Secure.

F-Secure chief research officer Mikko Hypponen (pictured left) reported uncovering evidence that the NSA's Tailored Access Operations (TAO) unit and GCHQ are outsourcing missions to third-party security companies.

"One thing I've been doing for the past two years is finding where they get their expertise from. Do they recruit in house and train? Do they go to universities?" he said.

"I found these job posts listing experience with ‘the Forte Meade customer' as a necessary skill. The Forte Meade customer is the NSA."

Hypponen confirmed to V3 that he has seen similar job posts for roles with the UK GCHQ and several other government intelligence agencies. He added that the trend is unsurprising and is simply a sign that agencies are suffering the same effects of the ongoing cyber skills gap as private industry.

"It's no wonder they're outsourcing, because they can't build or find the skills inside. If you want to have a good cyber offensive capability you need a new arsenal of exploits. You need a fresh supply of weaponised exploits, which builds a demand in the market," he said.

A lack of skilled cyber security professionals is an ongoing concern within Europe. Within the UK the government has listed plugging the gap as a key goal of its ongoing Cyber Strategy. As part of the strategy, the government has launched several education-focused initiatives designed to increase the number of young people training to enter the information security industry.

Initiatives have included the creation of new higher education centres, apprenticeship schemes and open challenges. Most recently the UK GCHQ has launched a Can You Find It challenge to help find and recruit the next generation of cyber security code experts.

Hypponen said the outsourcing is troubling as it sheds further doubt on intelligence agencies' ethics, which have come into question since the PRISM scandal. The PRISM scandal broke when whistleblower Edward Snowden leaked confidential documents proving the NSA was gathering vast amounts of web user data from tech companies such as Google, Facebook, Microsoft and Apple.

Since word of the scandal broke the NSA has attempted to downplay its significance and justify its PRISM operations, claiming its agents looked at just 0.00004 percent of global web traffic. Hypponen dismissed the NSA's arguments, claiming there is no justification for PRISM.

"As the leaks came out they tried to explain ‘they're just monitoring the foreigners', which concerned me. I'm a foreigner. But then they said it's nothing to worry about as if it's not foreigners its part of the War on Terror. But then it emerged they'd targeted the EU. It's very difficult to list spying on an ally government department as being part of the War on Terror," he said.

"The next justification was ‘everyone's doing it' and this is no different. But it is different, as no country has the visibility the US does. How many businesses use US-based companies' systems? There used to be some people using Nokia, but that's been sold to the US. Skype used to be trusted but its been sold to the States. All the world is using a US-based cloud system that the US government has a legal right to. It's not the same."

The F-Secure chief added that the NSA's behaviour is doubly troubling as it has tarnished two of the most positive technology innovations of the age. "The two greatest tools of our time have been turned into government surveillance tools. I'm talking about the mobile phone and the internet. George Orwell was an optimist. This is what's happened."

Hypponen is one of many security experts to slam the NSA over PRISM. Renowned cryptographer Bruce Schneier attacked the NSA in August over its treatment of former anonymous email service provider Lavabit, claiming the agency has "commandeered the internet".

Lavabit was an anonymising mail tool used by Snowden. Lavabit owner Ladar Levison shut the service down earlier this year claiming unspecified requests from the NSA meant continuing the service would inevitably force him to commit crimes against the American people.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

Tech gifts for Christmas 2014

Is a new tablet on your wish list this festive season, or have they become yesterday’s fad?
13%
24%
12%
6%
45%

Popular Threads

Powered by Disqus
iPhone 6 is available in silver gold and space grey

iPhone 6 video review

The best iOS handset to date

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Oracle Integration Architect

FPSG are currently recruiting for the Oracle Technology...

Senior Systems Engineer

Senior Systems Engineer 35 hours per week, all...

International Sales Manager

International Sales Manager Location either Delft...

Application Developer - .NET / Java / C# / HTML5 / CSS / Android / iOS

Application Developer - .NET / Java / C# / HTML5 / CSS...
To send to more than one email address, simply separate each address with a comma.