Will the UK Cyber Security Strategy make a difference?


UK Cabinet Office talks cyber threatsThe British government has today published its Cyber Security Strategy detailing how it plans to protect national security and the public from internet threats, and (hopefully) support the British economy at the same time.

The UK’s government plan is to co-operate with the private sector in the fight against cybercrime, beef up the computer crime-fighting authorities, invest in national defences and critical infrastructure against cybercriminal attack, make it simpler to report cybercrime, and boost public awareness of online risks.

Phew! There’s quite a lot to get right there. However, the devil is always in the detail and for someone like myself working in the computer security industry I’m always hungry for more information about exactly *how* some of these things will be put into place.

What we do know is that a large amount of money has been set aside to support the strategy. The UK government has apportioned £650 million (a billion US dollars) over the next four years for the scheme.

Where is the money going?
The lion’s share of the money is set aside for something called the “Single Intelligence Account”.

National Cyber Security Programme Investment

The “Single Intelligence Account” is the pot of money which funds Britain’s intelligence community: MI5, MI6 and GCHQ. The government is saying that the majority of the huge investment will help the UK detect and counter cyber attacks, based largely at GCHQ in Cheltenham, but details are frustratingly “classified”.

The strategy makes clear, however, that the British government, is investing in not just defence but also “proactive measures to disrupt threats to information security”.

This echoes statements made by Foreign Secretary William Hague in the past, who recently told the tabloid press:

"We will defend ourselves in every way we can, not only to deflect but to prevent attacks that we know are taking place."

None of this should come as a surprise. British politicians and the head of GCHQ have been talking up the cyberwarfare threat for some time, and last year ranked cyberspace attacks as a tier one priority for national security:

Tiers one, two, three..

Public and private sector – working together
The UK government’s strategy reinforces the need for public/private sector collaboration, especially the sharing of threat intelligence. Sophos, as with other industry players, already puts some focus on this area – regularly sharing data with a variety of government and private bodies.

Two way signBut a key question will be the specifics regarding how threat intelligence will be shared. For instance, when it comes to sharing information with government, private businesses will want to be assured that intelligence will not just flow one way (from them to the government) – but also in the reverse direction.

And let’s not forget, that the sheer scale of the malware problem – for instance – is so huge that the issue is often not sharing information but *filtering* it to find only the data that you are interested in, and analysing it it to make some kind of sense.

Co-operation needs to be more than annual conferences, and suited executives sitting around large tables talking about the issues. It needs to be a real-time, meaningful exchange of data which can help businesses and organisations defend against emerging threats.

A major issue with internet security is user awareness, and whilst the strategy puts more focus on user awareness, this is an area that still needs more attention. This is evidenced by the prevalence of fake anti-virus attacks (currently 7th in the top 200 malware samples seen by SophosLabs this month), much of which is preventable with simple user awareness.

KitemarkThe strategy describes how “kitemarks” could help consumers distinguish between genuine and rogue products.

Would a “kitemark” really be that useful to the average internet user? I’m not so sure.

It’s easy to predict that scammers will simply put bogus kitemarks on their sites and fake anti-virus products to fool products into believing that they are legitimate. After all, they already use the names of legitimate anti-virus products and award logos.

The Government’s plan is to boost the Get Safe Online website, which is laudable. Get Safe Online already has some great advice for non-technical internet users on how to avoid threats.

Get Safe Online is a terrific website with superb material on it, and there’s no doubting the very real determination of the people behind the organisation to spread the word about how to use the internet safely. But – and it’s a big but – no-one apart from security geeks seem to know about the website, and we’re hardly the most important people to train about computer security.

Without more money being sent promoting the site to a wider audience, it will continue to suffer from a lack of awareness and most people will simply not know that it exists.

Measuring success
In his introduction to the report, Francis Maude MP, gives the strategy’s aspirations – and what it plans to have achieved by 2015.

The strategy's aspirations

However, what it doesn’t reveal is how it plans to *measure* its success. Measurement of progress is always going to be essential, without it – you simply won’t know how good a job you’re doing at fighting cybercrime, and whether resources need to be augmented or put to work with different priorities.

Going forward
To be worthwhile, the UK government’s strategy needs to be relevant. Whilst the strategy outlines objectives, it is critical that any approaches taken to counter cybercrime reflect the changing nature of internet user and are flexible enough to take account of emerging technologies, such as the rapid growth of mobile devices and storing data in the cloud.

Sophos will continue its work with the British government in assisting them meeting the core objectives of this strategy of which we are broadly supportive.

It’s hard to predict in advance just what the impact of the strategy will be, but hopefully greater resources will be in place to counter cybercrime and bring those responsible to justice. Ultimately, time will tell.

But one thing which is encouraging to see is the push for wider adoption of the Budapest convention on cybercrime, which puts in place compatible frameworks for cross-border law enforcement. As the internet has no national boundaries, we need greater multinational co-operation to ensure that there is no hiding place for the bad guys.

Internet crime has become an organized, professional operation – with those behind it adapting quickly to changing circumstances and exploiting opportunities. The stakes are getting higher for businesses, governments and end users, and it is not a battle that can be won easily. Nevertheless, seeing the UK authorities treat it as a serious concern is welcome news.

If you’re interested in reading more about the UK’s Cyber Security Strategy, you can download a PDF from the Cabinet Office website.