* States struggle to find enough cyber security experts
* Private sector, anti-establishment causes both rivals
* Could China, Russia “patriotic hackers” turn on masters?
By Peter Apps, Political Risk Correspondent
LONDON, April 20 (Reuters) - Cyberspace is likely to be a key battleground for states in the 21st century but recruiting those with the technical skills to fight there and retaining their loyalty will be a tough task.
From hacking attacks aimed at information theft and commercial espionage to the Stuxnet computer worm believed to have been designed to attack Iran’s nuclear programme last year, information warfare is rising rapidly.
Code making and breaking has been a prized skill in the art of espionage since ancient times but the swiftly moving pace of technology and the sometimes erratic personas of those at the cutting edge pose many challenges.
“There is absolutely not enough of them, you need an order of magnitude... more than we have at the moment,” said John Bassett, associate fellow at the Royal United Services Institute in London and a former senior official at Britain’s Government Communications Headquarters (GCHQ).
In both Western countries and emerging powers such as China and Russia — seen as viewing cyber warfare as a key area of interest — governments have been recruiting hard through competitions, universities and sometimes social media sites.
A Reuters special report last week showed some U.S. experts were concerned Beijing was already pulling ahead in the cyber espionage field, revealing that proxy talks between the two powers were already underway on avoiding unintended escalation.
In an era of heightened confrontation and technical advances, retention is a challenge. Skilled specialists can burn out, be poached by the private sector or can be tempted by criminal or anti-establishment causes. Many of the best may have difficult, sometimes eccentric personalities.
A young U.S. Army intelligence analyst, Bradley Manning, is widely suspected to have been the main source for Wikileaks of classified U.S. files. Some worry about what experienced government-trained “cyber warriors” might do.
“If they go rogue in some way, that’s most unfortunate,” said Bassett. “You can’t rule it out... The central factor in all of this... is the human factor... Part of managing them is that these are going to be slightly edgy people.”
Some say states are running to catch up with private companies who have long been left largely to fend for themselves against criminal and individual cyber attacks and hacking.
“We’ve seen more and more (government) organisations taking people on secondment, bright sparks coming in for a few years,” said Julian Midwinter, vice president at information security firm I2. “Partnership is the only way to get that capability fast enough.”
I2 says it is itself a good example of such a partnership. Based in the English university town of Cambridge, it is at the cutting edge of analysing huge quantities of data intercepted by law enforcement and intelligence agencies and says its software helped track down former Iraqi leader Saddam Hussein in 2003.
Some insiders say the private sector brings with it a more mainstream style — well-groomed Silicon Valley types rather than basement hackers or eccentric academics reminiscent of Britain’s World War Two codebreaker HQ at Bletchley Park.
But companies themselves are also looking to poach good government talent.
“The most difficult problem for any state will be first finding these cyber warriors with the mindset, the skills and who can be trusted with... national security and then keeping such people when they’re in very high demand and can earn twice as much in the private sector,” said Toralv Dirro, security strategist for anti-virus firm McAfee.
The skills governments need are also evolving, moving beyond the technical and analytical functions normally required by intelligence agencies. Security experts say complex battles in cyberspace are increasingly possible, with rivals potentially burrowing into each other’s systems to inflict damage.
That requires learning what could be a whole new form of warfare, exploiting fleeting opportunities, reacting to the moves of an opponent, utilising new technology, code and programmes to maximum possible effect.
“It’s going to be a mixed discipline and any team will need deep techs, smart analysts and... people with flair and imagination — “cyber special forces”,” said Bassett, adding that only a handful of such people existed at present.
An article in a U.S. Air Force academic journal this year examining a hypothetical future cyber and conventional military conflict between China and the United States suggested it might be necessary to co-opt criminal hackers into government service.
Computer science graduates could also suddenly find themselves commissioned into National Guard units, it suggested.
Russia and China are already believed to have outsourced much of their cyber capability to semi-independent “patriotic hackers” encouraged to scour foreign computers for information and occasionally mount attacks such as those against Estonia in 2007 and Georgia in 2008.
But such an approach is not without risks and mean that cyber warfare capabilities are less under national control than conventional militaries.
Should such countries ever face North Africa-style revolts, those in power could find they have sown the seeds of their own destruction, facing the theft and distribution of embarrassing official information as well as attacks on key systems.
“Given the nature of hackers, it’s going to be like herding cats,” said Bassett. “You might be able to give them some money or tools which they would find interesting and keep them pointing in a certain direction for a certain period of time. But whether that would then give them any residual loyalty is a very open question.” (Editing by Gareth Jones)