The UK government today confirmed nearly £2 billion of investment in cyber-security as part of its new cyber-security strategy, also released today. UK Chancellor Philip Hammond, presenting to Microsoft's Future Decoded conference, made a speech in which he set out the government's landmark cyber-security strategy for the next five years in Parliament today.
Industry reaction to the news has so far been equal parts welcoming and sceptical. Although many greet the investment with open arms, they also express reservations about how the government's great enthusiasm will trickle down into the private sector and civil society.
That previously announced £1.9 billion will go towards bolstering public cyber-safety and defending critical infrastructure, such as power grids and transport services, from cyber-attack.
This includes so-called ‘automated defences’ against cyber-attack, which will intercept inbound threats.
"The plot surrounding the Chancellor's plan to inject £1.9 billion into the nation's cyber security defences is, at best, a confusing one", Lee Munson, security researcher at Comparitech.com, told SCMagazineUK.com.
Automated defences sound great, said Munson, but "quite how they will work is entirely unclear at this time, but this security researcher is super-excited at the prospect of the silver bullet so many of us in this industry have yearned for since the dawn of the internet."
"Significant investment" will apparently go towards pursuing attackers and strengthening the ability of law enforcement to do so domestically and beyond the borders which cyber-criminals hide behind, all supported by the recently opened National Cyber Security Centre.
James Tolfree, UK director at Cryptzone, thinks that the announcement to pursue attackers represents a new intervention in cyber-defence policy.
He told SC that "Talk of ‘strike back’ represents quite a change in mindset. Traditionally, UK government's cyber-strategy has focused on ‘defence’ but in recent months we have heard much more rhetoric around an offensive cyber-capability. This recognises that the cyber-space is the new battleground – you can't be in a battle space with only a defensive position, especially when dealing with state-sponsored cyber-attack strategies."
"While this is a welcome increase to the UK's focus on its cyber-defence capabilities, some uncertainties remain," Ed Parsons, associate director at MWR Infosecurity, told SC.
But, he added, "It is unclear from where the government will find 50 cybercrime specialists for the NCA when there is such a massive skills shortage within the industry. The necessary changes to recruitment within the industry will not be achieved overnight. Instead, the reality is this government-backed initiative should be seen as a multi-year, perhaps generational effort to drive sufficient numbers of specialists into cyber-security."
Looking to the future, the government will invest heavily in research with the Cyber Security Research Institute, which, according to the government, could help to "one day make passwords obsolete." The cash will also go towards training a cyber-ready workforce, reinforcing a nascent array of education schemes that include apprenticeships, retraining programmes and cyber-security teaching in schools.
The chancellor also emphasised the need for boards and CEOs to get with the programme in terms of cyber, something high-level executives are often seen to have dropped the ball on.
The sizeable investment in the UK's security is welcome, says Christine Andrews, managing director at compliance consultancy DQM GRC, but "unfortunately real progress will only occur when the organisations themselves start taking data governance seriously and consider cyber-security as a boardroom issue – not a problem that can be resolved in a backroom department."
David Navin, corporate security specialist at Smoothwall, echoed that sentiment, saying "hopefully this new government spend will resonate with UK boardrooms and show the importance of having a robust security programme in place with everyone from the CEO, CFO and CTO, ensuring they are educated to the risks and understand the importance of having strong enterprise grade security measures in place."
Andrew Rogoyski, head of cyber security at the CGI Group and the chair of Tech UK's Cyber Security Group, noted that "The strategy is outright damning about UK business' willingness to invest in cyber-security to protect itself and has highlighted the use of regulators, insurers and investors to drive a better response from companies."
Essentially, if businesses don't get their act together, the UK government will do it for them.
The strategy also delivers a new revelation: the European General Data Protection Regulation (GDPR) will be committed to even though the UK will pull out of the European Union in 2019. The GDPR will mark a new regulatory landscape for UK organisations, which have never before faced this kind of data protection compliance, nor the harsh enforcement powers that the law contains.
The only disappointment, said Rogoyski, "is the failure to recognise that cyber-space is invented, implemented and run by international businesses, not governments – there is a strong need to work more closely with global technology companies in order to really deliver our digital future in a way that is safer and more secure."
Those watching the speech took to Twitter to voice their opinions. Scott Carey, a tech journalist, noted that there was only one mention of personal privacy.
Further reaction to follow....