The new National Cyber Security Strategy must take steps to correct the “market failure” in organisations' ability to manage cyber-risk and evaluate the consequences.
That was the message from James Snook, deputy director for business, crime and skills in the Office of Cyber Security and Information Assurance in the Cabinet Office.
Snook was speaking at a Westminster eForum seminar entitled “Cyber Security in the UK: emerging threats, building resilience and policy priorities” on Thursday.
In the keynote address, Snook outlined some of the issues that the government would address in the new cyber-security strategy document due to be launched in the autumn.
He began by describing the government perspective on the threats faced by the UK, the consequences of the threats and how HM Government will respond.
Lest anyone doubt the government's commitment to the cyber issue, he reminded the audience that a five-year round of investment totalling £1.9 billion has been announced, about double the previous five-year funding round.
“To provide a very brief overview, the heart of this matter is the fact that the cyber-security threat facing the UK and every country around the world is incredibly multi-faceted and being multi-faceted, it presents a range of new challenges that we are frankly not used to dealing with or don't have the capability to deal with and are trying to address,” he said.
He talked about the problem of attribution in tracing the source of cyber-attacks – in particular attacks by nation-states.
“Cyber is in many ways an anonymous attack vector,” he said. “You can do attribution but it very difficult to do confidently, and with that cloak of anonymity, it becomes very difficult to rely on the classic military and diplomatic tools we have at our disposal to respond to cyber-attacks.”
High-end malware being developed by nation-states and advanced criminal groups is not only posing a direct threat to governments, companies and other organisations but is also leaking out of these groups into the hands of lower-level criminals who copy their methods.
In particular, he pointed to the fact that terrorist groups don't currently possess advanced cyber-weapons but with the growing underground market, these capabilities could soon be within their grasp, he said.
Partly for these reasons, cyber is considered a tier one threat by the government – an absolute priority for prime minister David Cameron.
“It has regular PM attention and the PM has asked the second most powerful person in government, the chancellor [George Osborne], to lend dedicated attention to this issue,” he said.
And on a more domestic level, the government is investing in the UK's ability to investigate cyber-crime. However, criminals are often located overseas so much work is being done to foster cross-border cooperation, “on a scale we wouldn't do for many other types of criminal activities”,” he said.
The goal is to increase the cost for the criminals, to encourage them to shift their attention to softer targets or drop out of the cyber-crime business for good.
As much as the government wants to tackle cyber-crime and is investing in the fight, Snook was keen to emphasise that it couldn't tackle this problem alone.
“It means working closely with industry to track the proceeds of cyber-crime, and taking out the ability of the criminals to generate profit from this,” he said.
He laid some of the blame for this at the feet of industry. He said that it was clear there had been “a market failure in the ability of organisations to manage cyber-risk”.
“The UK economy is significantly advanced. We have some of the best companies in the world who are adept at managing commercial risk and exploiting commercial opportunities,” he said. “With the exception of a few who absolutely do demonstrate best practice and thought leadership in this area, many boards and organisations are not properly managing cyber-risk.”
He added: “They don't know how much to invest and where to invest. They don't understand what skills they need within the workforce to tell them how to do those things.”
The country may be short 300,000 cyber-security professionals by 2020 – a skills gap that represents a massive risk to the UK economy.
While the government is investing in education at all levels, he said, industry must do more to invest in professional cyber-security talent as well as educating the workforce in basic cyber-security principals.
He bemoaned the investment gap in cyber-security, sometimes referred to in the tech startup community as the “valley of death” – the gap between the small amounts of startup cash that new companies can attract to get started and the larger investments they need in order to keep going long enough to make a viable product.
To help address that gap, the government has launched the £165 million Defence and Cyber Innovation Fund which will provide venture capital funding and help young companies find a government client to help prove their products.
An emerging problem for government has been the number of organisations within government which deal with cyber-security.
“We have, in the past five years – to be brutally honest – been organically growing the cyber-capability,” he said. “We have invested here and here and here and there has been an emerging alphabet soup of organisations doing various things on cyber.”
The government's new National Cyber Security Centre (NCSC) should help to rectify this, further evidence of the government getting to grips with the problem of cyber-security, he said.