Will the UK Cyber Security Strategy make a difference?

Filed Under: Data loss, Law & order, Malware, Privacy, Social networks, Spam, Vulnerability

The British government has today published its Cyber Security Strategy detailing how it plans to protect national security and the public from internet threats, and (hopefully) support the British economy at the same time.

The UK's government plan is to co-operate with the private sector in the fight against cybercrime, beef up the computer crime-fighting authorities, invest in national defences and critical infrastructure against cybercriminal attack, make it simpler to report cybercrime, and boost public awareness of online risks.

Phew! There's quite a lot to get right there. However, the devil is always in the detail and for someone like myself working in the computer security industry I'm always hungry for more information about exactly *how* some of these things will be put into place.

What we do know is that a large amount of money has been set aside to support the strategy. The UK government has apportioned £650 million (a billion US dollars) over the next four years for the scheme.

Where is the money going?
The lion's share of the money is set aside for something called the "Single Intelligence Account".

National Cyber Security Programme Investment

The "Single Intelligence Account" is the pot of money which funds Britain's intelligence community: MI5, MI6 and GCHQ. The government is saying that the majority of the huge investment will help the UK detect and counter cyber attacks, based largely at GCHQ in Cheltenham, but details are frustratingly "classified".

The strategy makes clear, however, that the British government is investing not just in defence but also in "proactive measures to disrupt threats to information security".

This echoes statements made by Foreign Secretary William Hague in the past, who recently told the tabloid press:

"We will defend ourselves in every way we can, not only to deflect but to prevent attacks that we know are taking place."

None of this should come as a surprise. British politicians and the head of GCHQ have been talking up the cyberwarfare threat for some time, and last year ranked cyberspace attacks as a tier one priority for national security:

Tiers one, two, three...

Public and private sector - working together
The UK government's strategy reinforces the need for public/private sector collaboration, especially the sharing of threat intelligence. Sophos, as with other industry players, already puts some focus on this area - regularly sharing data with a variety of government and private bodies.

But a key question will be the specifics regarding how threat intelligence will be shared. For instance, when it comes to sharing information with government, private businesses will want to be assured that intelligence will not just flow one way (from them to the government) - but also in the reverse direction.

And let's not forget that the sheer scale of the malware problem, for instance, is so huge that the issue is often not sharing information but *filtering* it to find only the data that you are interested in, and analysing it to make some kind of sense.

Co-operation needs to be more than annual conferences, and suited executives sitting around large tables talking about the issues. It needs to be a real-time, meaningful exchange of data which can help businesses and organisations defend against emerging threats.

A major issue with internet security is user awareness, and whilst the strategy puts more focus on user awareness, this is an area that still needs more attention. This is evidenced by the prevalence of fake anti-virus attacks (currently 7th in the top 200 malware samples seen by SophosLabs this month), much of which is preventable with simple user awareness.

The strategy describes how "kitemarks" could help consumers distinguish between genuine and rogue products.

Would a "kitemark" really be that useful to the average internet user? I'm not so sure.

It's easy to predict that scammers will simply put bogus kitemarks on their sites and fake anti-virus products to fool users into believing that they are legitimate. After all, they already use the names of legitimate anti-virus products and award logos.

The Government's plan is to boost the Get Safe Online website, which is laudable. Get Safe Online already has some great advice for non-technical internet users on how to avoid threats.

Get Safe Online is a terrific website with superb material on it, and there's no doubting the very real determination of the people behind the organisation to spread the word about how to use the internet safely. But - and it's a big but - no-one apart from security geeks seems to know about the website, and we're hardly the most important people to train about computer security.

Without more money being spent promoting the site to a wider audience, it will continue to suffer from a lack of awareness and most people will simply not know that it exists.

Measuring success
In his introduction to the report, Francis Maude MP gives the strategy's aspirations - and what it plans to have achieved by 2015.

The strategy's aspirations

However, what it doesn't reveal is how it plans to *measure* its success. Measurement of progress is always going to be essential: without it you simply won't know how good a job you're doing at fighting cybercrime, or whether resources need to be augmented or put to work with different priorities.

Going forward
To be worthwhile, the UK government's strategy needs to be relevant. Whilst the strategy outlines objectives, it is critical that any approaches taken to counter cybercrime reflect the changing nature of internet use and are flexible enough to take account of emerging technologies, such as the rapid growth of mobile devices and storing data in the cloud.

Sophos will continue its work with the British government, assisting it in meeting the core objectives of this strategy, of which we are broadly supportive.

It's hard to predict in advance just what the impact of the strategy will be, but hopefully greater resources will be in place to counter cybercrime and bring those responsible to justice. Ultimately, time will tell.

But one thing which is encouraging to see is the push for wider adoption of the Budapest convention on cybercrime, which puts in place compatible frameworks for cross-border law enforcement. As the internet has no national boundaries, we need greater multinational co-operation to ensure that there is no hiding place for the bad guys.

Internet crime has become an organized, professional operation - with those behind it adapting quickly to changing circumstances and exploiting opportunities. The stakes are getting higher for businesses, governments and end users, and it is not a battle that can be won easily. Nevertheless, seeing the UK authorities treat it as a serious concern is welcome news.

If you're interested in reading more about the UK's Cyber Security Strategy, you can download a PDF from the Cabinet Office website.


5 Responses to Will the UK Cyber Security Strategy make a difference?

  1. All for security, but can we really afford this at the moment in our economy? £650 million is a lot of money that can be spent elsewhere, like the NHS or schools or even economic growth.

  2. A lot of it is already implemented, this is just the official media campaign. Andrew

  3. Chatbacksecurity.com · 1408 days ago

    Is good to see that some of the organisations and initiatives in place to tackle/educate on cybercrime have received a mention in the new strategy. £650million is a lot of money, but split over 4 years I am not too sure even that amount will be enough!

  4. SecBoyUk · 1408 days ago

    I'd turn the question on its head and ask can we afford not to, with reports like this: http://www.bbc.co.uk/news/uk-politics-12492309  Most security decisions are risk versus cost to mitigate, so given these numbers it's a no brainer! Plus the £650k is over 4 years, whereas the cost of ecrime shows as £27bn a year.

  5. Michael · 1408 days ago

    Yeah, the £650 million figure's a little too slim, although The Guardian's saying GCHQ will hire out some of its expertise, so maybe it will generate revenue through that.

    My biggest criticism, apart from the over-use of that irritating 'cyber' word, is the strategy's too focused on businesses, and I'm guessing large businesses. GCHQ could actually knock two cats with one stone by concentrating on providing security education to the general public. People are far more likely to apply good security practice in the workplace when it's also relevant to their personal lives.

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley