For students of cybersecurity at Switzerland’s 150-year-old ETH university in Zurich, hacking is a legitimate part of the curriculum.
Students learn to infiltrate Internet and mobile networks in classes on “wireless electronic warfare” and “modern malware” designed to prevent computer malfeasance. The number of students enrolled in ETH Zurich’s information security master’s program has more than tripled since 2009, the university said.
Demand for cyber specialists is rising as companies such as Deutsche Telekom AG and ABB Ltd. hire more experts to counter risks to their networks and products. Cybersecurity has grown into a $60 billion global business, according to PricewaterhouseCoopers LLP, while concern over hacking has been heightened by reports of mass surveillance by the U.S. National Security Agency and eavesdropping of German Chancellor Angela Merkel’s mobile phone.
“The NSA affair was a wake-up call, but companies also became aware that there’s a lot more cyber criminality,” Juergen Kohr, head of cybersecurity at Germany’s biggest phone company Deutsche Telekom, said in an interview. Last year it suddenly became more competitive to recruit the right people, he said. “It’s a very, very embattled market.”
Gulp Information Services, a Munich-based subsidiary of Dutch recruitment agency Randstad Holding NV, said it received 2,423 requests for IT security specialists last year, up 54 percent from 2012 and almost seven times more than a decade earlier.
18 months ago, attacks by the so-called Shamoon computer virus against Saudi Arabian Oil Co., the world’s largest crude exporter, destroyed about 55,000 servers and workstation hard drives, according to U.S. officials.
Software made by Siemens AG, Europe’s biggest engineering company, and used to control water-processing plants, power grids and factories suffered an attack by a malicious program dubbed Stuxnet in 2010. It targeted Simatic WinCC, a supervisory control program that the world’s infrastructure agencies and manufacturers use to acquire and analyze data, the company said at the time.
Stuxnet was able to penetrate controls, send data back to its creators and eventually destroy systems.
The proportion of companies reporting losses of $10 million or more as a result of cybersecurity incidents has risen 51 percent since 2011, according to a survey of 9,600 executives in 115 countries by PwC last year. About 7 percent of respondents said they had suffered such losses.
About 30 ETH Zurich information security master’s students can also learn how to protect products such as cars. In an experiment, they learn how to open and start vehicles with off-the-shelf electronic hardware costing as little as $100 to analyze security flaws of wireless remote keys, according to Srdjan Capkun, an associate professor in ETH Zurich’s computer science department.
If a hacker wants to pursue a career outside the corporate world, governments worldwide are also keen to secure their services.
“Supply isn’t keeping up with the growing demand for talent,” said Kristina Huramsin, a Frankfurt-based recruitment consultant for Manpowergroup Inc.’s Experis unit who specializes in cybersecurity hires. “Since 2011 demand grew in tiny steps, but it jumped massively last September because of the whole Snowden affair.”
Former U.S. government contractor Edward Snowden began leaking documents in June that revealed NSA spying activities targeting companies, European Union institutions and governments.
While companies are keen to protect themselves, they’re also selling services that protect their customers.
Markus Braendle, head of cybersecurity at the world’s largest maker of power transformers ABB, said the 9/11 attacks also spurred demand for security services because the U.S. government required utilities to upgrade their cyber defences.
“Cybersecurity was the number one new boardroom issue of the past year,” said Leif Johansson, chairman of the European Round Table of Industrialists, whose 53 members are chief executive officers or chairmen of some of Europe’s biggest companies including Roche Holding AG, Nestle SA and Royal Dutch Shell Plc. “The potential consequences are huge and we need many more well-skilled employees to tackle those issues.”
Cybersecurity budgets increased on average by more than half in 2013, and almost half of respondents expect to increase their outlay further this year, according to the PwC study.
“New solutions are required, because traditional solutions are not able to detect these new threats,” said Marc Stoecklin, a 31-year old research scientist in cybersecurity analytics at International Business Machines Corp. in Zurich. He studied information and communication security and sciences at EPFL, ETH Zurich’s sister university in Lausanne.
To attract candiates, companies may pay as much as 25 percent more for security experts than for Web developers, said Huramsin. One headhunter even offered candidates the use of his holiday house in Switzerland, she said.
“You definitely need people who have a certain mindset -- which is thinking outside the box, figuring out how do I attack a system,” said Braendle, who is a ETH Zurich graduate.
ABB, which competes to supply equipment to power grid operators with Siemens, General Electric Co. and Emerson Electric Co., added cybersecurity managers for each of its 24 business units and bought a stake in security company Industrial Defender in 2010.
Siemens in December introduced a service it manages on behalf of clients to protect hardware from Web attacks. Siemens declined to be interviewed and said in an e-mailed statement that it takes industrial security “very seriously” as it works with clients to secure facilities.
While security is a priority for executives, companies are often reluctant to discuss breaches, said Braendle.
“We know that there have been attacks, incidents, breaches, but they are not being talked about,” he said. “It’s still pretty sensitive, people don’t want to share their experiences. And that makes it harder to defend against.”