The UK government minister responsible for cyber security issues, the Rt Hon Francis Maude, has released a statement and a pair of reports looking back over the first two years of the government’s Cyber Security Strategy and detailing further plans going forward.
One of the key developments expected in the near future is the unveiling of a security standard for businesses, which early reports on Maude’s statement predicted would be a requirement for firms hoping to pick up government contracts.
Variously described as a “baseline“, a “kitemark” and a “badge“, the new standard is being developed in collaboration with the British Standards Institute, the Information Security Forum and other players, and is expected to be released publicly in March of 2014.
Those expecting the “Organisational Standard” to be mandatory for firms doing business with the government may be a little disappointed though, as the statement’s wording leaves plenty of wriggle-room to allow firms to avoid conforming.
While firms in general will be encouraged to adopt the standard, in government procurement compliance will be mandated only “where proportionate and relevant” – so, if anyone wants out and has enough clout, it’s likely they’ll be able to persuade the government to continue doing business with them.
A group of firms currently supplying the Ministry of Defence (MoD), including BAE Systems, Rolls Royce and HP, have shown willingness to adopt the standard when it is released, but again there seems to be no definite requirement of the sort imposed by the US Defense Department a few weeks ago.
Hopefully once the standard is finalised and released the rules regarding its use will be made stricter and less flexible.
There’s a lot more covered by the two reports, with the retrospective overview of progress highlighting the creation of the new National Crime Agency (NCA) and its cyber sub-division the National Cyber Crime Unit (NCCU), set up a few months ago, and its successes so far.
These include a number of high-profile international operations, as well as sending out an email warning people about Cryptolocker.
A number of other initiatives are mentioned, including information-sharing partnerships, the Centre for the Protection of National Infrastructure (CPNI) and its Cyber Risk Advisory Service for businesses, and the budding CERT-UK, as well as the recent banking simulation project known as “Operation Waking Shark 2“.
Looking forward, we can expect expansions and improvements in all these areas, plus new initiatives such as “kite-marking” of cyber security professionals and products. Police expertise will be increased, with half of the NCA’s 4000 staff expected to receive training in cyber investigation.
Education in general is a major theme, with new plans ranging from primary schools to universities and on into professional training and certifications.
A “major public awareness campaign” is planned for January 2014, with Sophos namechecked alongside Facebook and BT as partners in the project.
Just how successful some of these endeavors will be will of course depend on the details, with much of the information in these reports still fairly vague and non-committal.
Nevertheless, it’s good to see government making the right noises and putting some fairly considerable effort into cyber security in all sorts of areas.