What the next government's cyber-security policy should look like


Whoever had won the 2015 UK General Election, one thing was always going to be imperative: the need to make cyber-security a priority. This country's economy is no longer reliant on manufacturing and heavy industry as it once was. The fast-growing services sector has helped to rebalance the economy and is now by far the biggest contributor to GDP.

But it's at risk if we don't improve the resilience of critical infrastructure to attack, make it safer for organisations to do business, narrow the skills gaps, improve cyber-policing and get better at sharing threat information.

The great encryption farce

If there's one thing David Cameron's comments on state surveillance told us a few months ago, it's that politicians just don't understand encryption. In the wake of the Charlie Hebdo attacks, he suggested that, in extremis, law enforcers should be able to gain access to encrypted communications. If such a plan were implemented, the backdoors which platform providers like Apple and Google would be asked to provide to the security services would inevitably find their way into the hands of the bad guys. A backdoor cannot tell a warrant from an attacker: any key or mechanism that lets one party read the traffic can be stolen, leaked or reverse-engineered, and that puts UK businesses at risk.

Cameron's new government must abandon any such approach and realise that encryption protects British IP, fosters innovation and reassures regulators and shareholders. Law enforcement, of course, must be given as much help as possible to track down serious criminals, but weakening encryption for everyone is not the right way.

Securing our infrastructure

One area where the new government could do something more positive is in the area of critical national infrastructure (CNI). Although most of the UK's CNI is run by private firms, they look to the government for guidance. The last National Cyber Security Strategy claimed the government would work to help ramp up the outreach work done by the Centre for the Protection of National Infrastructure (CPNI). But I'd like to see more done.

Specifically, we need to be clearer on definitions, on which companies fall under the CNI banner, and on what they need to do to make systems more resilient to attack. The problem in many industries is that control systems run out-of-date, often unpatchable, software and are exposed to the internet, which is a recipe for disaster and plays right into the hands of the cyber-criminals.

We need to enforce standards for security by design here. Contracting security consultants to patch current systems is like putting an Elastoplast on a bullet wound.

Plugging the gaps

We all know there's an information security skills shortage globally. In fact, the newly released Global Information Security Workforce Study by (ISC)2 predicts the shortfall will reach 1.5 million professionals within the next five years. The truth is that computer scientists are taught how to create and how to code, but not how to disassemble and question why something works as it does.

Just look at Heartbleed and Shellshock. No-one questioned the security of critical open-source components such as OpenSSL and Bash; developers effectively just copied and pasted them into their own systems and trusted them. This approach to computer science teaching is killing curiosity, and curiosity is exactly what you need to be a good cyber-security professional. You need to be a problem solver, an Alan Turing.

The private sector, Trend Micro included, has been forced to spend a great deal of money on internal education programmes because the standard of university graduates simply isn't high enough. We need cyber-security elements built into every computer science course, and we need basic information security in every university course. At the very least it will make graduates safer internet users and in the best case scenario it could even spur some on to a career in the industry.

Sharing and policing

Another key pillar of the Coalition's National Cyber Security Strategy was information sharing between the public and private sectors, to benefit national security and improve the resilience of UK PLC. Although the government has launched the Cyber Security Information Sharing Partnership (CISP) as a way for companies to share threat information in real time, just 750 organisations have joined up so far. The truth is that unless we get a mandatory breach reporting law, as proposed in the forthcoming EU General Data Protection Regulation, firms will be reluctant to share threat information with each other or with government agencies. The stakes are just too high for them financially.

Which brings me finally to cyber-policing. Once again, it's an issue indelibly intertwined with economics. We all know that UK police are chronically short of suitably qualified cyber operatives. Initiatives like introducing dedicated cyber-units to each of the nine Regional Organised Crime Units (ROCUs) and London's Operation FALCON (Fraud and Linked Crime Online), which brought together the Met's fraud squad and cyber crime unit, are to be welcomed. But nothing will change without more funding.

Any new government must set aside budget to raise police salaries to private sector levels, or at least to get them nearer the mark. At the moment they're virtually half, which is hardly an inducement to work there if you're a young, gifted cyber-security graduate. I truly hope the new government will be able to set aside short-term political gains for genuinely long-term investments which may not reap their rewards until the next or next-but-one parliament. But sadly, I think I may be disappointed.

Contributed by Raimund Genes, CTO, Trend Micro