Is autism an asset to UK cyber security?

Cyber security could provide opportunities for people with neurodiverse conditions to flourish.

Sign Up

Get the New Statesman's Morning Call email.

When Steve Morgan was 17, he devised a plot to steal his teachers’ passwords. It was simple in theory, but more complicated in practice. Morgan wrote a copy of his college’s terminal software, burned it on to a chip and replaced the original CPU with his own. A few days later, he covered his tracks by putting everything back in its place, and then passed on a list of redacted passwords to his college.

“No one could work out how I’d done it,” he tells Spotlight. The college enlisted the support of IBM, whose staff were so impressed they offered Morgan a full scholarship to study in the United States. But there was a catch; he would have to spend seven years working for the company after graduation. “When you’re 17 years old, seven years is a very long time,” he recalls. “I didn’t sign.”

Reflecting on the hack more than 30 years later, Morgan says he was driven by curiosity alone. While some students may have used the data for nefarious means, the satisfaction of gaming the system was enough for him. “I’m curious,” he says. “I have to know everything about everything.”

The 49-year-old has always seen the world differently, but it was only recently that he discovered why. Earlier this year, Morgan was diagnosed with a form of autism known as Asperger’s syndrome, after his sister saw the symptoms of the condition described on TV.

In the United Kingdom, just 16 per cent of autistic adults are in full-time work. While some such as Morgan show an exceptional talent for problem solving and pattern spotting, people with autism may struggle with interviews, away-days and the other trappings of office life. The world of work can seem at best intimidating and, at worst, impenetrable.

There is, however, a growing recognition in Whitehall that some employees with autism and other neurodiverse conditions can carry out specific tasks at a level that few others can match. In the right environment, people with autism flourish, and ministers now hope they could help solve some of the country’s most pressing and complex problems.

Earlier this year, the Department for Digital, Culture, Media and Sport quietly launched a six-month pilot fund aimed at boosting the number of women and people with neurodiverse conditions working in the cyber security industry. Women make up just 17 per cent of the British technology workforce, while the unemployment rate among people with autism in Britain is several times higher than the national average. Harnessing their skills could, the government hopes, help the UK to close the cyber skills gap and meet the rising threat posed by hostile states and cyber criminals.

“Companies, governments and public services are under almost constant attack through the cyber sphere, so it’s absolutely vital for our national security and the protection of our public services and businesses that Britain has a really strong cyber security sector,” says the Minister of State for Digital and Culture, Margot James. “But one of the biggest problems we’ve got now is the lack of skills. We have therefore taken a very proactive approach in looking at the sort of routes that have not necessarily had enough investment in them for people to come forward and opt into careers in cyber security.”

The pilot initiative, dubbed the Cyber Security Immediate Impact Fund, provides funding for training centres to deliver courses equipping people with the skills needed to quickly find a job in the sector. Seven centres around the UK are currently participating in the scheme. Two focus exclusively on training people with neurodiverse conditions, while one targets women and another lone parents.

In June, Morgan became one of the first people to enrol in the scheme. After turning down IBM while he was at school, he forged a successful career as a tech professional in London before becoming a consultant at NatWest at just 25. But he found the world of work challenging, at times. “It’s mainly from not understanding what my thoughts were,” he says. “I loved the things that everyone else hated and hated things that everyone else seemed to love.” After suffering a crisis of confidence, Morgan has been working in the local ambulance service for the last few years. He is now eager to make a return to the industry in which he first found his feet as a teenager three decades ago.

“The course provides a level of training you just don’t normally get,” he says. Immersive Labs, a direct recipient of the fund, delivers the learning modules, while a range of speakers, from chief security officers to researchers at cyber security vendors, make guest appearances every week. Morgan is one of 15 trainees taking part in the scheme at the Community Cyber Security Centre in Worcester.

James says the pilot has been so successful that the government is now investing a further £500,000 in the scheme and expanding it to other underrepresented groups around the UK. “The pilots we’ve run so far
have demonstrated a real passion for these capabilities and people are really responding well to the opportunity that this training investment is providing,” says the minister. “So we’re dramatically stepping up the investment to enable this to be rolled out across the country.”

In 2001, the journalist Steve Silberman wrote a groundbreaking report for Wired magazine titled “The Geek Syndrome”. The story documented the unusually high rate of autism diagnoses among the children of Silicon Valley workers. Its key message – that the region had attracted people with “autistic genes” – sent shockwaves through the California tech comunity. But for some tech workers, it came as little surprise. In the previous year, Microsoft had started paying for behavioural training for the autistic children of its employees.

Closer to home, the signals intelligence agency GCHQ has a long and proud history of employing neurodiverse staff, stretching back to the Bletchley Park era. Today, around 120 of its employees have a neurodiverse condition. “We are well known for celebrating neurodiversity and have many staff on the autistic spectrum,” the agency’s then director Robert Hannigan said in 2016. “They are precious assets and essential to our work of keeping the country safe.”

But not everyone shares Hannigan’s enthusiasm. Nearly 17 years after “The Geek Syndrome” was published, it’s feared British businesses are still failing to appreciate the value in employing neurodiverse staff. Emma Philpott runs the Worcester centre Morgan is enrolled in. Over the next few weeks, the government’s investment in the scheme will run dry, and Philpott has been asking businesses to plug the gap.

“I’m not sure that will be possible,” she says. “We get referrals from the police, the Department for Work and Pensions and the NHS every week or so. The need is there, but I don’t think the funding is there. Also, I realise the will is not really there for commercial companies to employ people who need a bit of extra support; they say it is, but it isn’t. For some companies it is, but employees have to be located near them, and it’s really hard.”

But for the businesses that are willing to invest in autistic workers, the payoff is huge, says Philpott. “The trainees are very talented, they’re lower cost than people who have been in the system for a long time and they tend to be very loyal, so there’s many, many things that make them particularly good as employees,” she says. “But they need some training and support to get them to the point where they can be employed. By investing in the scheme, businesses would really be investing in future employees.”

In lieu of big corporate backers, Philpott’s business, IASME – a cyber accreditation body – is putting £180,000 into the centre. The funding will secure employment for around a dozen people on the scheme for 12 months.

“The centre’s main aim is going to be providing affordable internet protection for the most vulnerable in society, who are targeted by criminals at the moment,” Philpott explains. “But also we’re going to act as a sort of temping agency. We’ve already had a company give us a discrete small package of cyber security work which can be done remotely.”

While Philpott has struggled to find a backer in time for when the government funding ends, she points out that “if it wasn’t for that grant, we wouldn’t have got going in the first place. It’s brilliant really. We’re going to run the centre for a year and see if we can cover our costs.”

Morgan is due to spend two days a week getting the security operations centre up and running, but he doesn’t see himself working there forever. “Looking back over my career, I love the project environment – being able to put in massive effort, get something working perfectly and then moving on to the next project.” What might that be? “I’m not actively applying for jobs, but I’m meeting so many people from so many organisations, I just have this feeling that the right thing will come along.”

Oscar Williams is editor of the NewStatesman's sister site NSTech.