The truth about the UK's cyber security capabilities?
At the end of last year, I highlighted a news story that described the UK's response to a cyber incident as ‘fragmented and failing’.
The original story had come from Computing, which also featured a former cyber intelligence officer for the US Army and the Defense Intelligence Agency (DIA) named Bob Ayers. He told Computing that he felt that Britain's cyber security programme was “a collective of independent entities” rather than a streamlined unit.
In SC's story, we assessed these comments alongside some industry responses, mainly because of the claim that the UK is 15 years behind the US. This week I met with Ayers for the first time to gauge his comments on this subject further. Ayers set up the first US Department of Defense (DoD) response code lab in the early 1990s.
He said: “I started from scratch and in the second year, I had 155 staff and a $100 million budget.” Ayers, who began in 1969 as a counter-intelligence analyst using the Arpanet system in the Pentagon and working on a Tektronix 4051, said that he was approached by defence agents to look at defending against adversaries and putting together programs with students from Stanford University “to go through environments we were not familiar with”.
“In 2010-11 I was the senior cyber security adviser for Britain's £650 million cyber security defence programme and the bottom line is that in 2010, the Ministry of Defence (MoD) was roughly where the DoD was in 1992, roughly 20 years behind,” he said.
Asked why he felt this was, he said that it was a combination of cultural features, but especially that when something new is suggested there are two answers: ‘it's not my job’ and ‘we don't have the budget’. He said that often people did not want to be dealing with anything that they did not understand.
“If it is not your job, then it is not your responsibility. Issues are about protecting the £650 million budget and this was approved while the Conservative party were in opposition and I wrote the security policy for them with a heavy emphasis on cyber,” he said.
“When this was put in place, everyone put in their nomination for some of the budget without knowing what a mature cyber program would look like and including specifics on technology, training, processes and facilities.
“But this didn't exist; all we had was a target figure and while all users of the money were legitimate, there was no consolidation within departments. There was no orchestrated master plan to drive the budget. They all went in and competed for budget and got it, but there was no one in charge and no one made a decision. It was all made by a committee to make a judgement.”
Ayers said that the challenge for the UK is realising that cyber doesn't fit into one department; it cuts horizontally through everything, and everyone has a responsibility. “If you don't have that, you don't have a heterogeneous cyber programme,” he said.
“More is said than done; if you don't have a documented programme in advance with milestones you have no way to measure whether you are successful.”
He also said that the departments pitched for funds that would be distributed in four years, and that no one knows what the challenges or needs will be in four years. “If you justified the money for Wordstar, you cannot use it for Windows 7, but the guy who asked for it has left now and now another guy has to finish it,” he said.
I put to Ayers the Cyber Security Strategy's recent proposal to create a volunteer force of cyber experts, and asked him to consider the Pentagon's plans to increase its cyber command from around 900 to 4,000 military and civilian personnel over the next few years.
Echoing comments made by Mark Brown, a former British Army intelligence analyst and now director of information security at Ernst & Young, Ayers called this “security on the cheap”, saying that IT security is a full-time job where people have to be trained, current and “there”.
He criticised pay scales at the MoD, saying that £15,000 analysts will be offered much more to work in the private sector after collecting training, leaving the department with “second rate people”.
He said: “There is not much hope for the MoD and it has Tsars and created positions to create the programme but they have had no authority, power or money, it is just a name.”
Ayers now works in the private sector as commercial director of Glasswall Solutions, which looks for anomalies in documents and reproduces each document with suspicious code and links removed. While his comments may seem harsh, it does feel that the UK is treading carefully when it comes to cyber security, and it may be the case that the expertise is simply under the radar.