Meet London's new cyber security hack-busting squad

The latest online attack has shaken Parliament - but London's brightest brains are leading the global fight back. Welcome to the cyber security capital, says Samuel Fishwick

Cyber attacks are the virtual reality that has just got real. On Friday, hackers — suspected of being Russian — broke into parliament, in a “sustained and determined” attack that compromised the network.

The attackers reportedly used software that applied brute force to overwhelm and guess passwords. Only 90 email accounts were breached before the attack was rebuffed, but the UK’s defences are looking flimsy against a rising tide of online attacks. Last month, the WannaCry virus crippled dozens of NHS health trusts as computers were frozen. University College London was hit by a major ransomware attack this month that shut down its shared systems.

The devastating nature of such attacks lies in simplicity as much as state-of-the-art technology: it just takes one employee to open or respond to the wrong email. Barclays chief executive Jes Staley was left red-faced last month when he fell for a hoax email purporting to be from Barclays chairman John McFarlane.

London, though, is leading a fightback. In February, the Queen opened the National Cyber Security Centre, part of GCHQ in Victoria, which worked “around the clock” to shut down Friday’s attack. The booming fintech sector is a magnet for private-sector cyber security companies such as DynaRisk and CybSafe looking to service them. And so the best and the brightest talent are making their way to the capital. This group of ethical hackers and security experts are the new first line of defence.

“The parliament attack was pretty unsophisticated — the cyber equivalent of a criminal trying a door to see if it’s locked properly,” says Oliver Rees, 26, CEO of Southwark company Trustlight, whose job is to make sure cyber back doors stay locked. He’s part of London’s fightback against cyber crime in the UK. “The new normal is the everyday hackers trying to break into our phones, TVs and anything else that’s connected. The good news is that with a few simple steps, we can protect against 99.9 per cent of the attacks.”

CyLon (Cyber London), Europe’s first dedicated cyber security start-up accelerator, is based in Hammersmith and pumps £15,000 each into fledgling cyber security companies with bright ideas but bare pockets. It’s a three-month programme where entrepreneurial teams with innovative and disruptive business ideas are provided with access to expert training and guidance from an accomplished network of mentors and investors.

The capital is, therefore, a cyber petri dish, where we scoop out virus cultures and stick them under the microscope, then work on an inoculation. But who are they recruiting?

The AI cyber sentry

Emily Orton, Darktrace

“Every year hackers are getting better,” says Emily Orton, 33, co-founder and director of Darktrace, the £400million-valued London-based cyber security firm, shortlisted for this year’s Evening Standard Business Awards, which claims to have beaten the WannaCry hack. There’s been an “industrialisation of the threat landscape”, she says, as hackers become better funded and better equipped via the Dark Web.

“We’re seeing a move towards more automated threats, cleverer cyber weapons, and attacks towards trust in data, where people are in a network for longer, undermining its integrity.” The response? Their “machine learning AI” which “stops emerging threats as they happen”. Orton uses the analogy of the human body, with the skin being rudimentary firewall systems that keep out “elementary threats”.

“We’re the immune system that works to continually identify anything that gets through, adapting to any internal threat that shouldn’t be there,” she says. “It’s an AI that builds an understanding of what’s normal for the organisation, so it can spot when a device or person in the organisation acts strangely and flag that in real time.”

The web’s guardian angels

Aleks Koha, Titan Grid

“Hackers never sleep, so neither do we,” says Estonian Koha, 23, CEO of Titan Grid, one of CyLon’s latest incubators. “They find the most annoying time to hit you, like a Friday, or a weekend, when the lights are on but nobody’s around to defend themselves.” Koha works round the clock with his five-man team in Hammersmith, to the extent that his girlfriend is “always glaring because my laptop’s on in bed late at night”.

Titan Grid specialises in “cyber counterintelligence” — it sweeps up and erases clients’ home addresses, emails, and phone numbers from the internet using automated tools. These are the most basic lockpicks a hacker looks for, with over 60 online identities stolen per second.

“It’s dangerous, because the information we collect is useful to hackers too,” says Koha. “We have targets on our backs.” Koha practises MMA and jujitsu in his spare time, which helps him “develop resistance to high pressure situations”. “We can’t stop 100 per cent of attacks happening in the first place, but we can give you a better lock than your neighbour,” he says.

The identity cloaker

Irra Ariella Khi, VChain

“I’m much more comfortable working with my brain rather than my face, nowadays,” says Khi, 33, a former model, an Oxford history and politics grad, and two-time e-commerce founder, who is fluent in nine languages. Her London start-up, Vchain, wants to make your identity “unhackable”, pitching to replace passports with blockchain technology, a digital ID key that no one can clone, which has so far been chiefly associated with Bitcoin transfers. “Data is stored very poorly right now,” says Khi. “You trade data for services you need, but have no quality control over how it’s captured.”

International Airlines Group, British Airways’s parent company, has already invested megabucks in Vchain — which she runs with co-founder Alexander Gorelik — after she won the pitch as the only woman on stage. “I find that competence wins out, whatever your gender,” she says. “If in a room full of boys, the girl puts her hand up, chances are you’ll be addressed — not first or second, perhaps, but you’ll be heard.” A single mother, she lives in Fulham with her five-year-old daughter.

The e-psychology gurus

Oliver Rees and Alexander Walker, Trustlight

“We’re new here,” says Oliver Rees, 26, CEO of Trustlight, another CyLon incubator that uses both technology and psychology to stop email fraud. He’s not just talking about the company. “We’ve had 200,000 years of human evolution to learn to sense when there’s a physical threat behind a bush,” he says, “but only 20 years to learn to sense threats online.”

It’s the people who most often accidentally give up the secrets, rather than the machines, agrees CTO Alexander Walker, 29. Ninety per cent of attacks start with someone receiving an email that isn’t genuine, he says. Trustlight, with the permission of companies, crafted fake emails in their testing stage to see who would take what bait.

“Invite anyone to be the keynote speaker at an event and they’ll click on the link every time,” says Walker. Not all hackers are the enemy, though. A Jordanian contacted them to highlight a security flaw, asking for a “bug bounty”; Rees replied that they couldn’t pay the money, but sent him a T-shirt instead. “He sent us a selfie, wearing it, and the happy ending is that now we work together.”

The cybersecurity credit raters

Andrew Martin, Dynarisk

Born in Toronto, Canada, Martin, now 35, was a “typical hacker in his teens, a near high school dropout, terrible at every subject apart from IT”. Having enjoyed the “adrenaline rush” of breaking into systems, he “realised the risks if he actually stole anything”, so he stopped, “and started working for a bank to stop people like me breaking in”. (With his skills, getting a job when he moved to the UK in 2012 was easy.) His best trick was “reverse engineering viruses”, allowing him to “find out where they were talking back to”.

According to Martin, he “uncovered state-sponsored hacking, criminal groups in Eastern Europe, Asia and Central America”, handing intelligence to the police. He’s now left “the fun stuff” behind: his own company, Dynarisk, assesses an individual’s risk to see how likely they are to be hacked, giving them a cyber score and a tailored action plan of the things they need to do to protect themselves.

It also scans devices for vulnerabilities, checks to see if emails were breached (his own has been five times), sends safe, probing “phishing” emails and scans home browsers to see if they can be accessed via the internet. He and his wife, Yasmin, live in south London. They met in cyber security, “so you see, you can find love in this line of work too”.

The university of hacks

Oz Alashe, CybSafe

Oz Alashe, 40, is the daddy of all cyber security experts. As a father of two, a boy, five, and a girl, 19 weeks old, he worries about the online safety of his kids as much as the work of his GCHQ-accredited Canary Wharf firm CybSafe. He’s also served in the UK’s special forces, so he knows how to keep us safe. He’s therefore all about education: CybSafe is a cloud-based educational tool allowing companies and their staff to learn how to look after their own.

“Originally, we worked with cyber security experts, including ethical hackers, to learn the tools of cyber hackers: we then built a platform and modules that address what we learnt.” They then assess to see if staff behaviour is changed by simulating attacks, via phishing emails, corrupted SMS text messages or USB stick “drops” (they work with both government and commercial entities). “You’d be amazed at how many people pick up a USB stick with the word ‘bonuses’ written on it and plug it straight in,” says Alashe.

The counter-coders

Pedro Ribeiro, Immersive Labs

“If you’re going to protect against hackers, you need to know how to hack,” says Pedro Ribeiro, 33, CTO of Immersive Labs, another CyLon incubator, which teaches companies’ staff how to be hackers themselves. “It’s like playing a game of chess, and if you don’t have all the pieces, you don’t stand a chance.” Ribeiro’s been a legal ethical hacker for eight years, exposing companies’ flaws on their payroll, earning between “£500 and £2,500 a day”.

“The problem is, there’s a severe skills shortage, which means we’re expensive,” he says. To bring the costs down — and with increasing demand for hack-literate employees — Immersive Labs shows them how to do it, teaching them to pull source code, manipulate sites to their advantage, spot problems with programmes and exploit them. Ribeiro is a devoted martial arts disciple. “These days you have two types of hacker: the old-school doesn’t see the daylight type, and the opposite. It’s good for the body and the mind, and it fits with the hacking mind-set: you’re fighting something big, always going against the current.”

Follow Samuel Fishwick on Twitter: @fish_o_wick
