With headlines frequently reporting large-scale cyber attacks, the UK’s cybersecurity measures – and their weaknesses – are under constant scrutiny and criticism. Yet many businesses fail to give sufficient priority to cybersecurity. The City of London Police Commissioner has claimed that businesses will not properly focus on cybersecurity until a cyber attack causes a major global company to cease trading. In the same speech, the Commissioner said that he believed the UK Government is doing “all it can” to address the threat.
Defending against the menace of cyber attack cannot be achieved by any government on its own. The private sector and wider public sector will have to take their share of responsibility to help secure the digital resources of the UK.
Nevertheless, it certainly helps the cause to have strong leadership from government. In this article we consider whether the UK Government really is doing all it can to promote the defence of the UK against the growing menace of cyber attack.
The National Cyber Security Strategy
The Government published the National Cyber Security Strategy in 2011. The vision was to ensure that in 2015 the UK would “derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society”. To achieve this, the Government has provided £860 million of funding and committed to the following objectives:
- to tackle cyber crime and make the UK one of the most secure places in the world to do business online;
- to make the UK more resilient to cyber-attacks and better protect UK interests in cyber space;
- to help shape an “open, vibrant and stable cyberspace” which the UK public can use safely and that supports open societies; and
- to build cybersecurity knowledge, capability and skills in the UK.
What progress has been made so far?
Some key examples of the Government’s progress to date which may be of interest to businesses – many of which are documented in a December 2014 Government progress report – include:
Raising awareness and assessing risk
The Government has attempted to increase business awareness of cybersecurity risks and threats in various ways. For example, it has:
- published new guidance for businesses, such as BIS’ guidance for the corporate finance sector and Non-Executive Directors, and GCHQ’s bring your own device guidance. In January the Government also updated its 10 Steps to Cyber Security guidance;
- carried out annual surveys to help raise awareness of the risks and impact of security breaches, such as the Cyber Governance Health Check (published following a 2014 survey of FTSE 350 companies) and the Information Security Breaches Survey;
- launched the BIS Cyber Essentials accreditation scheme in June 2014, which enables organisations to demonstrate their cyber resilience. The scheme is designed to encourage more organisations to adhere to a basic set of security standards that prevent the most common forms of attack. Accreditation may also help encourage consumer confidence in the businesses which invest time and money in gaining it;
- worked with specific sectors on cybersecurity issues, such as the financial services sector, where the Bank of England has developed the CBEST vulnerability testing framework.
January 2014 also saw the launch of Cyber Streetwise, a campaign intended to improve cybersecurity among the public and SMEs (for example to encourage the use of more secure passwords). This campaign may benefit larger businesses too by (for example) reducing incidences of online fraud.
Promoting the UK cybersecurity industry
The Government has set a target of £2 billion of cyber security exports by 2016 and is working with industry in a joint Cyber Growth Partnership to pursue several initiatives, including the establishment of regional cybersecurity business clusters. The Government has also promoted the UK’s cybersecurity expertise overseas. For example, in January David Cameron visited the Obama administration with 12 UK cyber defence firms.
The Cybersecurity Information Sharing Partnership (CiSP) was launched in 2013 and permits organisations to share threat information, which is then analysed and provided, along with advice, to the rest of the CiSP community. In 2014 CERT-UK also launched a scheme to facilitate the exchange of cybersecurity information on a regional basis. In 2015, GCHQ will expand a programme allowing communications service providers to share cyber intelligence so that action can be taken to protect their customers.
GCHQ is investing £3 billion over the next nine years to develop cyber intelligence. Two new bodies have also been set up to deal specifically with cybersecurity matters: the National Cyber Crime Unit, and the UK’s Computer Emergency Response Team (CERT-UK), which supports critical sectors in preparing for cyber attacks, co-ordinates with other CERTs, and provides alerts and information to CiSP members and the public. Further, dedicated policing units have been established, such as Operation FALCON, a collaboration between the Metropolitan Police’s fraud squad and cyber crime unit.
International co-operation is a crucial building block of cyber defence. Hackers and criminals have no respect for international borders, so it is essential that governments build an international governance structure to tackle the international cyber threat. The Government has been working with other countries to crack down on cyber crime, improve cross-border law enforcement, and establish the UK as a technology and policy leader. For example, it was recently announced that the UK and US would work together to stage cyber attack war games – the first one being on the financial sector later this year – and improve their exchange of cyber intelligence.
Education, skills and training initiatives
The UK’s poor showing in international education league tables for science, technology, engineering and maths is not just a national embarrassment; it is also a national security issue. The Government recognises this and has implemented various initiatives to ensure that businesses will have access to cyber workers with the necessary skills and expertise, including by:
- funding the development of GCSE and A-level cybersecurity materials;
- working with higher education to develop cybersecurity studies, granting recognised status to research universities, and funding research and training centres. GCHQ has also certified some cybersecurity masters degrees;
- encouraging computer science graduates to develop an interest in cybersecurity;
- organising competitions and other initiatives as part of the Cyber Security Challenge;
- offering professionals a skills certification framework under the CESG Certified Professionals Scheme;
- developing online training courses for lawyers and accountants and SMEs.
Efforts have also been made to bolster specialist police officers’ skills in order to ensure that law enforcement authorities can properly investigate cyber crime.
What else could the Government do to help businesses?
To its credit, the UK Government has made significant progress to date by implementing the National Cyber Security Strategy. However, this is an arms race. The UK’s digital economy faces determined criminals and nation states who have the intent and the means to hack UK critical infrastructure and UK business and to exploit UK consumers. There is always more that can be done. For example:
More needs to be done in terms of sensitising organisations to cybersecurity risks.
Many businesses still appear to be in the dark about the true scale of cyber risks: the 2014 FTSE 350 Cyber Governance Health Check revealed that only 24% of FTSE 350 companies base their discussions on cyber risk on comprehensive or robust management information. Detection rates of hacks are still poor. A recent survey found that the median number of days taken by organisations to detect a hacker on their systems was 229, which is a lengthy period of time for hackers to exploit data assets with impunity.
The Government could consider more proactive measures such as requiring certain businesses deemed to be particularly high risk (e.g. critical infrastructure providers) to undergo mandatory cyber accreditation.
More needs to be done to share and encourage the sharing of threat information.
The Government could take a more pro-active role in terms of sharing detailed threat information and making it easier for businesses to share knowledge with each other. As the Commissioner himself said: “The answer is not more policing […] But better collaboration between law enforcement and industry, with the role of police increasingly about helping industry to protect itself.” Some businesses are already partnering to share information with each other, but the reach of individual businesses is necessarily more limited than the Government’s. The UK could learn here from the US experience where the flow of information between business and law enforcement (notably the FBI) is much more of a two-way street.
Policing and law enforcement need to improve.
Despite the National Crime Agency’s estimate that cyber crime costs several billion pounds a year, a recent report into policing found that more work is required to close the widening gap between cyber threats and police capability. In particular, the report refers to a serious underreporting issue when it comes to cyber crime, arguably due to lack of confidence in the police – according to a 2013 Home Office report, businesses report less than 2% of online incidents to police. Further, whilst the UK has specialist officers with expertise in cyber crime, the report states that every police officer should receive cyber training, understand cyber crime and be able to deal with it.
The Government needs to ensure businesses have access to skilled workers.
Lastly, the Government could do more to ensure that in the long term, people with the right skills are available to support businesses. The Government’s initiatives so far are a step in the right direction, but have focussed on secondary and further education only. Many in the industry think that the national curriculum for all children – not just those above 11 years old – should include computer science skills so that children learn how computers work, as well as how to use them. This would encourage more people to eventually get into the more complicated field of cybersecurity. Fortunately, the Government appears to be taking initial steps to remedy this, having announced that tech businesses are supporting a £3.6m initiative to deliver computing training in primary schools.
Cyber defence costs money and in the current climate it is unlikely that we will see any further significant investment in cyber defence by the UK Government, whoever wins the May election. With competing demands for public funding and further significant cuts likely to be imposed by the next administration, cyber defence will have to make do with a limited budget. As such it is all the more important for the UK Government to use that limited resource wisely and encourage the private sector and wider public sector to step up and share the burden of cyber defence.