Monthly Archives: June 2013

HMG Issue Guidance on Huawei and the CNI

Huawei?  Indeed, who are they? Well, ask no longer.  The UK Government has published a paper on Huawei and the Critical National Infrastructure.  The Intelligence and Security Committee have released a redacted paper explaining why they don’t like Huawei.

They say they are “shocked that officials chose not to inform, let alone consult, Ministers on such an issue”

Foreign involvement in the Critical National Infrastructure: Intelligence and Security Committee report. Key findings include:

  • The Government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences, or lack of appropriate protocols. However, a lack of clarity around procedures, responsibility and powers means that national security issues have risked, and continue to risk, being overlooked.
  • The BT/Huawei relationship began nearly ten years ago; the process for considering national security issues at that time was insufficiently robust. The Committee was shocked that officials chose not to inform, let alone consult, Ministers on such an issue. We are not convinced that there has been any improvement since then in terms of an effective procedure for considering foreign investment in the CNI. The difficulty of balancing economic competitiveness and national security seems to have resulted in stalemate. Given what is at stake, that is unacceptable.
    – The National Security Council should ensure that there are effective procedures and powers in place, and clear lines of responsibility when it comes to investment in the CNI. Crucially, the Government must be clear about the sequence of events that led to Ministers being unsighted on an issue of national importance, and take immediate action to ensure that this cannot happen again.
  • ***. REDACTED !!
  • While we note GCHQ’s confidence in BT’s management of its network, the software that is embedded in telecommunications equipment consists of “over a million lines of code” and GCHQ has been clear from the outset that “it is just impossible to go through that much code and be absolutely confident you have found everything”. There will therefore always be a risk in any telecommunications system, worldwide. What is important is how it is managed, or contained.
  • The UK Government has been able to leverage Huawei’s reputational concerns to encourage it to invest in the Cyber Security Evaluation Centre (the Cell) and become more transparent about its equipment and business practices. This is a significant achievement. However, we question why the Cell is only now approaching full functionality, over seven years after the BT contract was awarded.
    – Given these delays and the lack of evidence so far that it will be able to provide the level of security assurance required, we recommend that the National Security Adviser conducts a substantive review of the effectiveness of the Cell as a matter of urgency. More fundamentally, while we recognise that the Government does not expect the Cell to find every vulnerability, and that there are other mitigations in place, we remain concerned that a Huawei-run Cell is responsible for providing assurance about the security of Huawei products. Before seeking clarification, we assumed that Huawei funded the Cell but that it was run by GCHQ.
    – A self-policing arrangement is highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance. We therefore strongly recommend that the staff in the Cell are GCHQ employees. We believe that such a change is not only in both Huawei’s and Government’s interests, but that it is in the national interest.
    – We note that GCHQ considers that there are advantages to the staff of the Cell being employed by Huawei. On the evidence that we have seen thus far we have not found this argument to be compelling. If, after further work is done to explore this issue, there are found to be insuperable obstacles to the Cell being staffed by GCHQ employees, then as an absolute minimum:
      o GCHQ must have greater oversight of the Cell and be formally tasked to provide assurance, validation and audit of its work; and
      o Government must be involved in the selection of its staff, to ensure continued confidence in the Cell.
  • While we have considered the risks around the telecommunications infrastructure, the same issues apply to any aspect of the UK’s CNI. Where there is a privately owned company answerable to shareholders, many of whom may be based abroad, there will almost inevitably be a tension with national security concerns.
  • It is not practicable to seek to constrain CNI companies to UK suppliers, nor would that necessarily provide full protection given the global nature of supply chains. The risk to the CNI cannot be eliminated, but Government must ensure that it is managed properly. There must be:
    – an effective process by which Government is alerted to potential foreign investment in the CNI;
    – an established procedure for assessing the risks;
    – a process for developing a strategy to manage these risks throughout the lifetime of the contract and beyond;
    – clarity as to what powers Government has or needs to have; and
    – clear lines of responsibility and accountability.
    When it comes to the UK’s Critical National Infrastructure, Ministers must be kept informed at all stages.
  • We do not believe that these crucial requirements existed when BT and Huawei first began their commercial relationship. From the evidence we have taken during this investigation, the procedural steps that we have outlined still do not appear to exist. However, as we went to press, we were told that the Government has now developed a process to assess the risks associated with foreign investment into the UK. Whether these processes are sufficiently robust remains to be seen: the steps we have outlined must exist to ensure that Government does not find itself in the same position again.

Cached copy here 


Newsround

Some news, some true


Cyber attacks beat euro crisis as top risk facing banks, says Bank of England. U.K. banks consider cyber-attacks their biggest risk, even more than the euro crisis, Andrew Haldane, director of financial stability at the Bank of England, said. Mr. Haldane met with five major banks and four of them told him that cyber attacks were their main concern, Reuters reported. The management of this risk is somewhat in an early stage, Mr. Haldane said, and over the past five years focus on other risk factors might have distracted attention from cyber risks.


Senior politicians unite to issue call for data bill. The shelved Communications Data Bill would allow access to all Britons’ web browsing history Senior politicians from across the political divide have united to call for UK security services to be given greater internet monitoring powers. In a letter to The Times newspaper three former Labour home secretaries, three senior Tories and one Liberal Democrat urge changes. They say “coalition niceties” must not hinder counter terror efforts. A bill allowing the monitoring of all UK citizens’ internet use was dropped after Liberal Democrat opposition.


Chinese bootkit Guntior abuses Windows Help Center. Researchers at Sophos analyzed a recent version of the Guntior bootkit’s dropper and found that it utilizes a legitimate Windows executable file from Windows Help Center. 

Open redirect vulnerability identified in Facebook. A researcher from illSecure.com revealed a low-risk open redirect vulnerability in Facebook.


BAE snaps up cyber security recruits. Almost half of the trainees recruited by BAE Systems this year will join the defence giant’s burgeoning cyber and security business as companies look to protect themselves against increasing cyber threats. FTSE 100-listed BAE said on Tuesday that of the 293 graduates and trainees recruited by the company this year, 130 of them – 44pc – will join Detica, BAE’s cyber and security division. Alongside its more traditional defence business, BAE offers services to companies to help them collect and manage data, as well as manage risk and respond to breaches of cyber security and protect themselves in future. BAE said hiring more people for its Detica arm reflected Britain’s growing need for cyber security and the cost of cyber crime to the UK, which is currently estimated to be between £18bn and £27bn, according to the National Audit Office.

Cyber threat hunting service from Dell SecureWorks. Dell SecureWorks has launched a new Targeted Threat Hunting service aimed at finding cyber attackers who might be lurking in an organization’s network, intent on committing a breach. Using cyber intelligence and proprietary hunting technology from the Counter Threat Unit (CTU) research team, Dell SecureWorks experts will search an entity’s IT networks and host computers for evidence of a compromise, leveraging pre-determined intelligence of adversaries and their methods. The CTU Special Operations team will search for any indication hackers might be operating in the organization’s environment. If found, they will conduct an extensive study of the threat, outline a plan to eradicate the hackers, and put defenses in place to prevent them from re-entering.

UK cyber security ‘becoming more consolidated’, says ENISA. Attempts to consolidate all the various bodies that have some responsibility for the UK’s cyber security are making steady progress, according to the European Network and Information Security Agency (ENISA). The government has been heavily criticised in the last year for a “lack of cohesion” between the various UK organisations set up to work towards its cyber security strategy. Former head of the GCHQ and CESG, Nick Hopkinson, told Computing last year that there was a need for rationalisation between the organisations, as co-ordinating a policy and strategy would be a challenge when dealing with the numerous bodies involved. But a year on from Hopkinson’s comments, ENISA’s head of unit, resilience and CIIP, Dr Vangelis Ouzounis, has said that every country, including the UK, is trying to consolidate its own strategy. “In every member state there are different distributions which have been developed for different purposes, now they all have slightly different responsibilities around cyber security and of course there are overlaps. Every country is trying to consolidate their national strategy and ENISA does not intervene because although we recommend the simplification and avoidance of overlaps, it is up to the member states [to take action],” he told Computing at ISACA Insights World Congress 2013, in Berlin. “The [different bodies in the UK] have been developing from the bottom up over the years, that is why there is this situation but I believe that the UK cyber security strategy is now trying to consolidate the agencies – things like the Cyber Security Centre will help it to do this,” he added. Ouzounis admitted that the lack of cohesion was a problem but said that on a positive note, the problem had been identified and the government was trying to fix the issue.
He also said that while the US is “advanced” in its cyber security strategy, he did not consider the country’s strategy a template for European countries to follow, stating that some European countries may even be more advanced, without specifying which countries he was alluding to. “There are other countries that are doing equally as well [as the US] or even better, having developed other concepts that are working well,” Ouzounis said. As for the UK, Hopkinson was not the only expert to criticise the bodies involved in the UK cyber strategy for a lack of cohesion. Former US cyber intelligence officer at the Department of Defence, Bob Ayers, told Computing that “people seem to be getting resources in the absence of a cohesive plan and an ability to force compliance with that absent plan, [the UK] seems to be doing a lot, but never confuse activity for achievement”. Mark Brown, director of information security at Ernst & Young, added: “I think there are 27 ministers of the state who have part of security in their job title, can anyone tell me who the actual person is who is solely accountable? The answer that always comes back from government is ‘no’”.


After CNN patches vulnerability, diet spammers start abusing Ask.com flaw. Spammers abused an open redirect vulnerability in CNN’s Web site until the news organization closed the vulnerability. However, similar vulnerabilities in Ask.com and Yahoo continued to be used in the spam campaign.

McAfee says it made a mistake, Koobface worm not on the rise. McAfee acknowledged that it made a mistake in reporting that the Koobface worm has been on the rise, when instances of it have in fact decreased.

New variant of Bicololo malware disguised as legitimate antivirus app. Researchers discovered a new version of the Bicololo malware disguised as VIPRE Antivirus.

New Android trojan app exploits previously unknown flaws, researchers say. Researchers discovered a sophisticated Android malware dubbed Backdoor.AndroidOS.Obad.a that can be used to execute commands via a remote shell, send SMS messages, steal data, and download additional malicious apps.

Newsround

Some news, some true


FBI: Cyber Criminals Using Photo-Sharing Programs to Compromise Computers. In the latest of what seems to be an ever-growing trend, hackers and internet criminals are finding new ways to get into computers and cause chaos. The FBI has seen an increase in cyber criminals who use online photo-sharing programs to perpetrate scams and harm victims’ computers. These criminals advertise vehicles online but will not provide pictures in the advertisement. They will send photos on request. Sometimes the photo is a single file sent as an e-mail attachment, and sometimes the victim receives a link to an online photo gallery. The photos can, and often do, contain malicious software that infects the victim’s computer, directing the user to fake websites that look nearly identical to the real sites where the original advertisement was seen. The cyber criminals run all aspects of these fake websites, including “tech support” or “live chat support” and any “recommended” escrow services. After the victim agrees to purchase the item and makes the payment, the criminals stop responding to correspondence. The victims never receive any merchandise.


Oh the irony: Hacking group Anonymous has Twitter account hacked by rival group. YourAnonNews (YAN), a Tumblr blog and Twitter account that supports the hacktivist movement Anonymous and posts regular tweets about breaking news stories, appears to have been hacked today by a group known as the Rustle League. More than two dozen tweets have since been issued from the account, containing a wide range of racial and potentially offensive language. The main Anonymous Twitter account recognised the hack before sharing a report by Softpedia. It’s unclear whether the central Anonymous group is assisting YourAnonNews to restore order at this time. Anonymous has also tweeted, however, to say that it has notified both Reuters and the BBC about the takeover.


Belgian PM’s personal emails hacked and sent to newspaper. Hackers have sent emails from Belgium’s Prime Minister Elio Di Rupo’s personal account to De Morgen newspaper, the daily said on Friday. Dating from 2004 to 2008 when Di Rupo was president of Belgium’s socialist party and before he became prime minister in 2011, the emails were mostly of a private nature, although some did refer to his political activities, the paper said.


Stratfor hacker faces jail after admitting cyber-attack. Information taken from Stratfor was published by Wikileaks which defended Hammond after his guilty plea. A 28-year-old US man faces up to 10 years in prison after pleading guilty to carrying out a cyber-attack on global intelligence firm Stratfor. “Anarchist and hacker” Jeremy Hammond – who said he was part of activist group Anonymous – was charged with stealing information from Stratfor in 2011. The data included details of more than 850,000 clients, including government and law enforcement agencies.
Some of the accessed material was subsequently published by Wikileaks. Credit cards linked to some of the accessed details were used to spend more than $700,000 (£465,000) – with some of the money going to charities including the Red Cross and Save the Children.


NATO defence ministers to discuss cyber security. A meeting of NATO defence ministers will be held next week at NATO headquarters in Brussels. A key item on the agenda is the issue of cyber defence, which has become an issue of increasing concern for the security of tech-dependent western nations. Cyber defence is a particularly tricky issue; the attacks themselves are very diverse, ranging from simple distributed-denial-of-service (DDoS) attacks that make websites inaccessible to strikes that have the potential to cause physical destruction. Espionage is also a serious threat; in February the Washington Post reported on a US National Intelligence Estimate that blamed China for a massive cyber espionage campaign intended to steal military secrets. Estonia was subjected to a large, sustained cyber attack in 2007 that lasted several days and left commerce in the Baltic country paralysed. The campaign is thought to have originated in Russia, but it is still unclear exactly who was responsible. Georgia was subjected to a cyber attack in advance of its 2008 war with Russia over the border region of South Ossetia. The attack was limited to shutting down a handful of Georgian government websites, but was the first incident of a cyber campaign coinciding with a shooting war. Attribution is another aspect of cyber attacks that makes them very problematic. Due to the interconnected and largely anonymous nature of the internet, it is not difficult for the perpetrator of an attack to conceal their location. Even if the physical origin of an attack is located, determining the individuals or organisation responsible may not be possible. Unlike many traditional weapons, the knowledge and technology needed to conduct cyber attacks are largely unregulated and extremely prolific; one needs little more than access to an internet server and a modicum of technical skill to launch an attack. This means that cyber attacks can originate from any number of sources, ranging from state-directed campaigns to teenage pranksters.


Chinese military to launch cyber war games next month. The notion of a nation state conducting war games to test its military readiness is hardly a new idea, but China is approaching its next round of fake war with a new twist: This time, the war games will be conducted in the virtual realm. Somewhere, teenage Matthew Broderick is smiling. A report from the Xinhua news agency – the official press agency of the People’s Republic of China – has announced that the upcoming exercises will, in part, “test new types of combat forces including units using digital technology amid efforts to adjust to informationalised war.” The short report states that the exercises, which will be carried out next month at the country’s largest military training field at the Zhurihe training base in China’s Inner Mongolia Autonomous Region, will also “be the first time a People’s Liberation Army exercise has focused on combat forces including digitalized units, special operations forces, army aviation and electronic counter forces.” Eight military academies are forecast to participate in the war games, as well as members of the 38th and 68th combined corps of the Beijing Military Area Command. The June date for the exercises means that they are likely to follow a meeting between U.S. President Barack Obama and Chinese President Xi Jinping in California next week. The two are expected to discuss cyber security in light of renewed fears of Chinese cyber attacks into U.S. military networks.


Hackers exploit Ruby on Rails vulnerability to compromise servers, create botnet. A vulnerability in Ruby on Rails that was patched in January has been seen being exploited by attackers to take over servers and create a botnet. 

Deloitte Acquires Specialist Cyber Threat Firm Vigilant. Deloitte, recognized by Forrester Research, Inc. as both a leader and the largest information security consulting organization in the world, strengthened its cyber security capabilities today by acquiring substantially all of the assets of Vigilant, Inc., a specialist in security monitoring and cyber threat intelligence. Vigilant provides consulting, managed services, and information services that help organizations detect and respond to emerging cyber threats. The combined practices will operate under the Vigilant by Deloitte brand. Vigilant’s suite of cyber threat management services complements Deloitte’s market-leading security consulting practice and enhances Deloitte’s cyber threat offerings. As a result, Deloitte has expanded its ability to provide customized security solutions to the world’s leading enterprises in high-risk industry sectors, such as financial services, aerospace and defense, retail, manufacturing, technology, communications, energy, and pharmaceuticals. 

Secunia accidentally discloses image viewing application vulnerabilities. A researcher accidentally emailed information on vulnerabilities in ERDAS ER Viewer to a public vulnerability mailing list. The large image file viewer is used by various organizations, including some in the defense industry.

Microsoft Launches Cyber Threat Intelligence Program To Battle Botnets, Malware In The Cloud. Microsoft launched the Cyber Threat Intelligence Program on Wednesday, a new system that uses the Windows Azure cloud computing platform to fight botnets and malware. The system will allow Microsoft to share information on computer virus infections with Internet Service Providers and Computer Emergency Response Teams in near real-time. Microsoft said in a blog post that it expects the program to dramatically increase its ability to keep up with the changing cybercrime landscape. Microsoft is working with teams in Spain and Luxembourg, and said the new cloud-based program will “allow these organizations to have better situational awareness of cyber threats, and more quickly and efficiently notify people of potential security issues with their computers.” C-TIP will send updated data related to computers infected with malware every 30 seconds using Windows Azure, giving antivirus teams nearly instant access to the most recent data on botnets and malware.

Experts find code execution flaw in PS3, password reset bug in Sony Entertainment Network. Researchers at Vulnerability Lab revealed that several vulnerabilities in Sony’s Playstation 3 firmware were disclosed to Sony and recently fixed. They also found that the Sony Entertainment Network Web site’s password recovery function could be exploited to reset users’ passwords. 

Expert reports two security issues to Dropbox, only one fixed. A researcher at Security Pulse found and disclosed two vulnerabilities in Dropbox. The first, an open redirect flaw, was addressed by Dropbox, while the second, a bug that allows attackers to unsubscribe users from the Dropbox for Business mailing list, was not regarded as a security issue by the company. 

DoS vulnerability in ModSecurity fixed. The developers of the ModSecurity firewall fixed a vulnerability that could be exploited to crash the firewall, among other fixes. 

Chinese hackers breach top weapons designs. According to a report prepared by the Defense Science Board, Chinese hackers have gained access to the designs of many of the United States most sensitive advanced weapons systems. 
 
Drupal.org compromised. Drupal.org’s security team discovered unauthorized access that exposed user names, countries, emails, and hashed passwords. Drupal.org reset all user passwords and was continuing to investigate to find out if other kinds of user information were also exposed.

Kelihos botnet used for “Only 24 hours left to shop” pharma spam campaign. Cisco researchers discovered a pharmaceuticals spam campaign using the Kelihos botnet. The campaign sends out massive amounts of spam instead of trying to bypass spam filters, and the site linked to in the emails uses various means to track users.

“Beta Bot” marks the latest banking malware to hit the online underground. A researcher at RSA reported the discovery of a new financial and root access malware dubbed Beta Bot. The malware has been seen for sale on underground forums and appears to have been created by a skilled programmer.

Motorola’s password in a pill and electronic tattoo. Always forgetting your password? Tech company Motorola is working on some rather unusual solutions! They’ve unveiled an electronic ‘tattoo’ that sticks to your skin. It has a circuit so gadgets can identify you. Another experimental idea is a password pill you swallow – that transmits a signal to devices outside the body. The pill doesn’t need batteries because it’s powered by stomach acid – but Motorola bosses say it won’t be on sale any time soon.
 

Newsround

Some news, some true

PayPal vulnerable to cross-site scripting again. A student in Germany disclosed a cross-site scripting (XSS) vulnerability in PayPal’s German language version of the site.

Experts find multiple security flaws in Trend Micro’s DirectPass 1.5.0. A researcher from Vulnerability Lab found two vulnerabilities in Trend Micro’s DirectPass password management software that could allow attackers to inject arbitrary code, hijack sessions, or perform other actions.

ITV and Sky both hit by the Syrian Electronic Army. Members of the Syrian Electronic Army hacktivist group compromised the Twitter account of U.K. broadcaster ITV News and hacked at least six Android apps for U.K. broadcaster Sky in the Google Play Store. Google later removed the compromised apps.

0-days in Novell Client for Windows. Two zero day vulnerabilities were discovered by eEye researchers in Novell Client for Windows that can allow local code execution within the kernel.

Researchers find unusual malware targeting Tibetan users in cyberespionage operation. ESET researchers found a piece of cyberespionage malware dubbed Win32/Syndicasec that bypasses Windows User Account Control (UAC) to run arbitrary commands without prompting users to confirm.

Attackers use Skype, other IM apps to spread Liftoh trojan. The Liftoh trojan is being spread via shortened links in Skype instant messages, with malicious links being clicked more than 170,000 times, according to Symantec researchers.

Mr Alan Stockey Rants

Full marks to Alan Stockey at this month’s Rant. He gave an excellent speech on why Sharing is Caring. Sharing information between incident response teams is well worth the candle.

Security Consultant: The Best of Times

It’s no accident that being a consultant is often the goal for many a worker; it is perceived as a cushy number, a well paid sinecure solving other people’s problems and not living with the consequences.  So, what are the best bits about being a con(slut)ant?

You are handsomely rewarded. Not in the league of a premier league footballer, or possibly even an IT contractor, but well enough for the work required: more than a teacher but slightly less than a headmaster (ish). Likely to be slightly more than you’d get in the equivalent industry position. Don’t forget your car allowance too. It’s the way employers give their staff another £6K per year without it attracting National Insurance or pension contributions, or counting towards bonus. All of this and the other cash benefits below add a good 20% to 60% onto your base salary.

Culture of expenses. Everyone claims expenses, it’s expected.  Expenses for expensive coffee.  Taking a client to lunch.  Taking your team to lunch.  It’s just so much easier in a consultancy where the expectation is that there are expenses and usually approvals are delegated from the budget holder to their PA who may query a high-value item but it usually goes through.

Cash benefits.  Consultancies usually have great benefits: healthcare; gym; pension; lunch allowance; concierge service; wellbeing; expenses for everything, as noted; a fully expensed mobile telephone.

More cash benefits.  With all these expenses the consultant would be daft not to push them through a credit card that gives them points/cash/miles.  When you are in a hotel, booking flights and racking up £1,000 of expenses every single week the points add up.

And more.  If you are in a hotel, all your meals are provided for.  Some consultants without families will not keep a permanent home but may rent out their flat or use a relative’s address.  They then effectively live free of charge at the client’s expense.  What they do is have a big breakfast at the Hilton and squirrel away a bit into a doggy bag, which they have for lunch. They then get their £30 per diem, which they spend at Tesco and scoff in their room.

And more. The cash benefits really do go on.  The consultant gets an annual bonus.  This is usually in the range of 10% for the worker consultant to 15% for the team leader, and up to 50% for the principal or director.  Of course, for equity partners the sky is the proverbial limit. They may get their broadband at home paid for, and unused laptops will find their way into the consultant’s own home (for return when they resign).

And more and more. Yes, even more.  The consultancy realises that its only asset is the CV of its staff, so it will pay for: exams (though often only if passed); courses (though these tend to be frowned on if too expensive); professional body membership (the consultant may well be a member of half a dozen organisations costing a grand a year); and attendance at conferences, provided utilisation remains high.

And more, here is the big one.  If they are smart, they get their travel paid for. As the typical consultant will usually work on a client site, the engagement letter will specify that expenses are paid, so the consultancy does not care that the individual’s travel from home is paid for.  Where the consultant is based in an office that isn’t the office they are working in, it becomes easier to get this through.  This is particularly useful where the consultant does not live in London, as most consultancies tend to do much of their work there.  The numbers on this really can be staggering.  Consultants will happily live in, say, Manchester and be based there but work in London and travel every day (see the hotel above).  Or they will live within a two-hour commute, which may cost say £8K per year; but they’d have to earn £16K to take home the £8K to pay for the season ticket, meaning the consultant’s effective pay is increased by a whopping £16K.  Though this does make it harder to find the next industry role.

It’s easy work. The actual work is easy, although admittedly the client may well expect you to be on site all day and you may have to live out of a hotel.  A typical consultant doesn’t have to live with or implement the consequences of their actions.  The tasks are usually within their skill set; if they are not, then the employer will pay for them to read a book.  The good consultant only needs to be one chapter ahead of the client.

Someone else gets the work for you.  Resource management exists to match your CV with new opportunities, often with no interview or competency test.

Varied work.  When you get into the office on a Monday morning you’ve no idea where they will send you on Monday afternoon.

Easy entry to new clients.  Resource management or the client lead partner wants an analyst for Barclays, Shell, MoD, Sainsbury’s or any other client for which the consultant has zero industry expertise.  It’s easier to get a role with no industry expertise and therefore increase your skill set.  You might be a government expert, with experience only of the MoD:  in open competition you’d never get a role with a bank, either as a permie or as a contractor, because they would simply compare your experience with that of the next person.  However, the consultancy will happily place you, because it understands that sometimes subject matter trumps industry.  Now you’ve got banking expertise, which you can spin into SOX, Basel, PCI DSS or whatever you want.  So now you can get that contract role with the bank, and the transition is complete.

Flexible working.  As long as you are earning a fee, no one back on the mother ship cares where you are.  You could be on the moon.  More likely you are working from home, unless the client wants to see bums on seats, of course.  Just make sure you send emails in the evening.

Team around you. As a consultant you’ll have a team of like-minded subject matter experts around you.  If the client asks you to do something you’ve not done before, just ask on the mailing list and someone will help. This is possibly one of the major advantages for clients too: their entire functional team may typically be one person, and if there are others they will often not be as trained or skilled as the consultancy team.

Open neckwear. Many men in many consultancies don’t wear a tie.  They are expected to wear a suit.  Women are expected to dress up, but not too tarty.  You can usually spot the consultant in a room full of clients, especially where the client staff are female civil servants or female council workers.  It’s harder with male council workers, but their suits tend to have ties and the shirts don’t come from Thomas Pink.

Promotion. The consultancy is organised around consultant grades.  The expectation is that the individual will apply for promotion and move up the ranks.  That client team in industry may well have been at the same pay grade and position for the past ten years.  How depressing is that?

Great CV.  If the consultant has to find a new job, the CV will usually be pretty good as there will be many varied clients; varied projects; and opportunities to demonstrate functional and behavioural excellence.

Always learning. The constant churn of new projects means that the consultant always has opportunities to learn new best practice and improve those skills.

Respected views.  While the client won’t respect the individual in a corporate sense, their views will be respected, not least because that report cost them £30K.  The report may well be filed and never read, but it will at least be there.  The client may well believe that the consultant is a god on earth who possesses unique insight.  Which is all very flattering.

Vendors love you. And will buy you lunch.

Just a few of the reasons to be cheerful when working as a consultant.  Might explain why the competition is quite high.