This autumn, some 20 upper secondary school students in Espoo took a course on information security, hacking, its ethics, and information security testing. They were taught by top experts from the security company Second Nature Security (2NS) and visiting lecturers from the police, the National Cyber Security Centre and LähiTapiola. To conclude the course, the students had the opportunity to test the information security of the city’s information system.
The course had multiple objectives that ensured that not only did the students learn but the city and society also benefited from the course. We as a city were eager to see if we could involve young people in our information security testing in the future – we wanted to see if they have the necessary skills.
Seven reports on defects
The students gave us seven reports on defects. Some addressed usability while others clearly revealed vulnerabilities.
One of the participants, 17-year-old Niklas Halonen, found a vulnerability that someone could have used to access other people’s personal data. Niklas was rewarded for his discovery and for reporting it with a grant sponsored by LähiTapiola, as thanks for improving the city’s information security.
Niklas Halonen was awarded a grant after discovering a serious vulnerability in one of the city’s services. Juho Ranta, Chief Technology Officer at Second Nature Security, was in charge of the key contents of the course.
More information – and awareness
Did the course enhance information security in Espoo? Yes, because it improves with every vulnerability that is detected and fixed. However, I would like to discuss the objectives and impact of the course as broader, more far-reaching gains that may be difficult to measure.
Across our organisation, the visibility of the course has increased general awareness of and even interest in information security. Increased awareness means that people take better care of security, also at the unconscious level. The key people in charge of Espoo’s information security also gained more information and know-how about this new way of testing our systems.
The world and technology are changing at an increasing speed, and we as public administrators must stay on top of our game. This means that we need bolder and more agile ways to ensure security. I hope the course contributes to this goal by lowering the threshold of trying new ways of doing things, both in and outside Espoo.
To be continued... in Espoo and elsewhere!
Thanks to the course, Espoo has been contacted by many interested parties such as authorities, both in Finland and abroad. It looks like we will not remain the only municipality that teaches and benefits from hacking, as others also plan to adopt this idea.
The Hack with Espoo course did indeed seek to draw public attention to hacking and involving young people. We wanted to encourage others to boldly experiment with novel ways of developing information security.
As said before, the city would not have been able to pull off the course on its own. We needed external help. On behalf of the City of Espoo, I would like to thank 2NS, the security company that bore the main responsibility for teaching and supported the city in preparing the target information system for the course, both during and after the course. We are grateful to LähiTapiola for sponsoring the grant and participating in teaching. Furthermore, we thank the police and the National Cyber Security Centre for giving lectures.
Hack with Espoo will continue. It is our pleasure to announce that we will continue working with 2NS and organise the course again in 2019, drawing from the experiences we gained this time. The course may also be expanded from upper secondary schools to other schools.
Chief Information Security Officer
City of Espoo
Read also the previous blog post: Hack with Espoo – upper secondary school students hack the city’s systems