Talking cyber security with the UK government
Malware hits the Mac but is it worth worrying about?
It is easy to be critical of the government when it comes to cyber security, but the truth is that up against attacks, a lack of funding and an increasingly able adversary, what it is achieving is not all that bad.
In pursuit of a major government interview, I was recently given access to a senior government official who, while willing to talk, asked to be unattributed. I ran through some of the UK's major achievements, and pointed out that while government spending is being reviewed, the £650 million fund was not a common handout at the moment.
I laid down the four key areas of cyber security action for discussion: the Cyber Security Strategy that was launched in 2011; the Cyber Security Information Sharing Partnership (CISP); the Cyber Reserve Force; and the Cyber Security Research Institute (partnerships with universities and efforts to address the overall skills gap).
I was only able to get 30 minutes with the official, so inevitably some areas were going to be skimmed over, but what I did get was a real insight from inside.
We began by talking about one of the government's key objectives: making the UK a safe place to do business, recognising that there is a huge economic benefit to cyber space.
“In order to protect that benefit we need to make sure we are mitigating some of the risks that come with it,” the official said.
Awareness campaigns are needed “among big business”, he said, as well as guidance on how companies should go about addressing the cyber security threat, especially with regards to how boards could engage with government.
“It wasn't focused on a lot of very technical detail but it was a board official or CEO, what the questions are that you need to be asking ‘to make sure we have got cyber security sorted' essentially,” he said.
Such campaigns will also extend to SMEs. He added: “The best way we can achieve sustained business change is to make sure there are economic incentives in place – attracting companies that have a lot to invest in intellectual property.”
He admitted that the government still has a long way to go when it comes to consumers, so for the rest of this year it was looking at focusing on them.
This is where the information sharing concept comes in, as small businesses may be using consumer technology and will benefit from enterprises' threat data.
I asked him if the Get Safe Online project was continuing, especially after former home secretary David Blunkett was critical of the lack of action on it. I was told that the government is still part-funding it as the place where people are pointed to for advice.
He said: “It is still going ahead and the key thing is to make sure people know it is there and drive people towards it for the advice that they need. We have broad awareness campaigns, but we hope people will be pointed towards it.
“Making the UK more resilient to cyber attack is our second strategy, and this comes from investment in awareness.”
Finally, we got onto the hot topic of the skills shortage. He said the government has been active in trying to address this, beginning with education, from GCSE level to PhD, in terms of cyber security training.
“To date we have developed course material for GCSEs that can be part of the IT curriculum; we have done some for A-level too and are working in the degree space, so if you are doing a computing degree you should be doing cyber security as part of that,” he said.
The government has announced its sponsorship of PhD bursaries at Royal Holloway and Oxford Universities, for example.
In conclusion, I asked how he felt the government could help the overall cyber security agenda. Following on from the launch of the Cyber Security Strategy, he said prosperity exists within this field and that UK industry is well placed to benefit from an expansion of cyber security markets.
“So everything is around raising awareness and incentives; clearly government has an objective to achieve that, apart from security reasons, but we are also aware of the cost benefit as well due to increased demand around cyber security services, and we are committed to helping UK industry to benefit from that,” he said.
Next for the government is the ‘cyber growth partnership' – co-chaired by David Willets MP, minister of state for universities and science, innovation and space, and BT CEO Ian Livingstone – to gather businesses together to better understand how to support the growth of this UK sector.
So is the government taking cyber security seriously? Well, the message seems to be a loud and clear ‘yes'. Its agenda is on ensuring that the UK is a place to do business, and if we are safe, then the thumbs are up for enterprise.
What needs to be done next is for the Cyber Security Strategy to bear fruit in terms of a visible result of better collective intelligence, training both in schools and universities, and also in the private sector, better resources for businesses and consumers and the creation of a national computer emergency readiness team (CERT).
Of course, these things are not easily done overnight, but in a few months we will be marking the second anniversary of the strategy and it would be good to see some clear examples of progress. For a government with spending challenges, it is easy to praise the work done so far.