“Digital is the new frontline of national security, commented Rob Norris, VP head of enterprise & cyber security EMEIA at Fujitsu in response to reports of GCHQ head Jeremy Fleming describing how keeping the UK safe from cyber-attacks is now as important as fighting terrorism.
In a report in the Telegraph newspaper Fleming noted how increased funding for GCHQ is being spent on making it a "cyber-organisation" as much as an intelligence and counter-terrorism one. He reiterated reports last week from its public-facing offshoot, the NCSC about the 600 significant cyber-attacks requiring a government response in the past year since the NCSC was set up – of which the WannaCry and attacks on Parliament were most notable. Last week, NCSC head Ciaran Martin said that 1, 131 cyber attacks had been reported in NCSC's first year.
Prior to establishment on the NCSC, GCHQ's work on cyber-security "too often felt like the poor relation" said Fleming. He went on to explain how the NCSC works with private firms, schools and universities as well as the media, as part of its cyber-security role, in a way that can "feel deeply challenging" for the more secretive GCHQ.
This need for cooperation between government, industry and the public is echoed by commentators on the sector from within industry, with businesses also urged to not over-rely on government, but take responsibility for their own defences.
“It is imperative that national industries, businesses and individuals continue to invest in technology and training for themselves instead of relying upon the secretive Cheltenham-based agency doing all of the hard work for them," commented Lee Munson, security researcher for Comparitech.com in an email to SC Media UK.
Phil Beckett, MD, disputes and investigations for Alvarez and Marsal agrees, telling SC “..., businesses in particular would be naïve to think it is solely the responsibility of the government to protect our cyber-sphere. They too need to take their own courses of action, to ensure they are doing everything they can to protect their systems and data. Data is now one of the, if not the most valuable business asset, so firms across the UK need to ensure they're protecting data appropriately. This is also a key element of the requirements to comply with the upcoming General Data Protection Regulations (GDPR) which provides safeguards to individuals' private/personal data and includes the potential for significant fines for non-compliance.”
Marcin Swiety, cybersecurity director at IT service provider Luxoft concurs, commenting: “Both business and governments need to implement sound security assurance programmes for protection of their assets and IT operations. They need to build their detection capabilities tightly coupled with an effective incident response scheme.”
Norris adds, “That of course means that our national security infrastructure must keep up, with continuing investment in GCHQ, for example. It's also vital that we inform employees and the public about the basic principles of cyber-security, as in many cases they may be on the front line of attacks. It is not only down to GCHQ to protect our digital borders and critical national infrastructure; it is everyone's responsibility to recognise the threat and educate employees to respond accordingly. By acknowledging the national importance of cyber security and taking preventative measures, we can ensure we are adequately prepared for the challenges to come.”
One of the reasons that self reliance is needed, according to Munson, is “... concern... whether the agency has sufficient skilled resources to stay on top of both cyber-attacks and more traditional terrorist type attacks at the same time – regular police forces are certainly devoting much of their time to counter-terrorism and I do wonder whether GCHQ can recruit sufficient numbers of skilled personnel to tackle both fronts simultaneously.”
As a result, Mark James, security specialist at ESET warns, “With so many companies connecting through the digital world it's impossible to protect it 100 percent. As data enters and exits various points in the digital highway, it usually only needs to be authenticated once- if successful you have full control no matter where you originated from and as more companies integrate then the dangers increase, without proper defined security structure we are fighting a losing battle."
And Kirill Kasavchenko, principal security technologist at Arbor goes further, after noting, “...we should all contribute to the effort of keeping our country safe,” he goes on to suggest, “Governments and businesses must expect to be unable to defend against such an attack – and whilst it is essential to have cyber-defences in place, cyber-policies shouldn't stop there. There should also be an incident response plan in place for if a threat makes it past initial defences, and this should be rehearsed so individuals can act quickly to contain a threat.”
Kirill concludes: “Fostering collaboration between researchers, government and business provides the best long-term defence against attacks. The announced GCHQ cyber-threat protection funding is another step forward to a safer nation that will hopefully make cyber-crimes less of a profitable avenue of growth for criminals.”