The next five years: what could the UK's 2016-2021 Cyber-Security Strategy look like?

Bryan Lillie puts forward suggestions for what the UK's cyber-security strategy should contain in the next five years

Bryan Lillie, chief technology officer, cyber-security, QinetiQ

In April the Cabinet Office released the results from the last five years of UK cyber-security development policy. The UK Cyber Security Strategy 2011 - 2016 Annual Report acted as the conclusion for the 2011-2016 strategy and cited numerous successes: the launch of the UK's Computer Emergency Response Team (CERT-UK), collaborations with the UK's Centre for the Protection of National Infrastructure (CPNI) and the establishment of the Cyber Essentials training scheme, making basic cyber-security training available to businesses of all sizes.

The next five years look set to be equally positive. There is £1.9 billion of investment set aside as well as a new National Cyber-Security Centre, officially announced on the 26th May by Matt Hancock MP. An "ambitious cyber skills programme" that will "significantly increase" the number of cyber-security experts in the UK is also in the pipeline, alongside plans to connect public and private sector expertise for the benefit of both. This will all be wrapped up within a new strategy, due "later in 2016".

The cyber-security world is changing fast as the capabilities, inventiveness and audacity of attackers grow. Distributed denial-of-service (DDoS) attacks can be bought for as little as US$5 (£3.80), while hacks have become behavioural as well as technical affairs; the government reported in 2015 that 75 percent of large organisations suffered a staff-related security breach. Critical national infrastructure is also now increasingly under attack, with Ukraine and Bangladesh being the most high-profile victims of 2016. To ensure the UK doesn't sit alongside these countries, any five-year strategy must, given such an 'arms race', be almost prescient in how it plans for future threats.

Machine learning is one such threat that is only just beginning to make the news, and one that has a lot of room to shift and develop. A (slightly dramatic) piece in Wired defines the technology as "advanced AIs that learn autonomously, adapting to changes in corporate technology or its users". These programmes, used for defence or attack, sit within systems, altering their behaviour based on what they experience within that infrastructure. While the article's claim of these being "quiet and unseen, able to hijack or kill an organisation at will" may be extreme, the potential such attacks have to disrupt is large. As they learn and adapt to the behaviour of their target's defences and IT, how can they be countered? Automated hacking strategies such as these are very hard to predict, as the victim either does not know an attack is happening or does not know what will happen if they defend themselves against it. The sophistication of these programmes means they may well react when targeted, causing more disruption. Defences equal in capability need to be in place to seek, react to and neutralise such threats; making sure the UK has such ability will be crucial to the UK's ongoing security.

With the Internet of Things becoming more established, the routes that such threats can use will only increase. The IoT doesn't just encompass home environment monitors or fridges that can order fresh milk. Buildings are becoming more connected as building management systems (BMS) that can be accessed remotely are installed. The Building Information Modelling (BIM) industry is expanding and will see technologies placed within constructions to track use across their lifespan and allow for better management of facilities. IoT is a catch-all term for such developments and is becoming central to many industries. Take healthcare. Patient monitoring systems are becoming connected to allow for continuous tracking and, potentially, automated care routines. Yet there is proof that these can be hacked through a simple USB drop, providing a route to then infiltrate porous hospital networks. Government policy must be clear on how organisations (and individuals) should protect themselves from such invasions and also ensure that the techniques and technology to do so are sufficiently developed and available. That can be done by encouraging industry to step up to the plate or by government directly involving itself in development, a drive already hinted at by the promise of connecting public and private industries over the next few years. Whatever strategy is used, the increasing interconnection of our daily lives is a major challenge that needs confronting.

The pool of talent needed to confront such challenges is, thankfully, growing. We are seeing more people entering cyber-security careers thanks to a concerted awareness campaign by the industry over the past few years. Yet the skills gap is still widening. Industry reports state that by 2019 six million professionals will be needed, but the projected number is currently only four and a half million. It has been described as the "largest human capital shortage in the world". If we don't have the manpower to keep pace with the industry then we won't develop the technology and infrastructure to deal with new cyber-threats.

A cultural shift is needed not only to bridge this gap, but also to raise awareness of how big a part cyber-security could play in our lives in the future. That is the overarching idea that future governmental plans must convey. These threats are moving out of the IT industry and into culture, consumer technology and popular consciousness. We must not only develop specific defences to types of attack but broaden awareness amongst the population so that we all know how to protect ourselves when using technology, from social media to work computers and personal smartphones. If this is front and centre of Cabinet Office plans, then I'm confident we will continue to be the world leaders in cyber-security for years to come.

Contributed by Bryan Lillie, chief technology officer, cyber-security, QinetiQ