The US government is suddenly getting serious about cyber security. The recent Presidential Executive Order demonstrates very clearly the elevation of cyber security to the top tier of risks by the US intelligence agencies (above terrorism for the first time).
While initiatives on this side of the Atlantic have been less high profile, the UK government cannot be accused of not taking cyber threats seriously. As far back as 2005, the then NISCC (National Infrastructure Security Coordination Centre, now CPNI) was warning publicly of targeted Trojan attacks coming from the ‘Far East’.
Indeed, NISCC itself was established in 1999 with a public profile and a remit to defend industry from cyber attack. So why, nearly 14 years since the UK government first took steps to raise the issue of cyber security, is it still posing such a challenge?
There are a number of reasons. Firstly, cyber security is a nebulous topic. While we as practitioners will all have common understanding of what we mean when we talk about security, the reality is that it will mean something different to every organisation, depending on their business function, location, risk appetite and an array of other factors.
This makes establishing a single coherent message challenging for the government, which doesn't deal well with messages that by necessity have complexities and subtleties. Think of successful government campaigns – drink driving or, back in the eighties, AIDS awareness – all of which consisted of a single, simple message that could be pushed repeatedly.
Then there is the problem of dealing with the issue of the day. Chris Carter, creator of the X-Files, famously didn't want the show to solely feature a ‘monster of the week’, and built in strong narrative arcs that spanned episodes, and even series.
It was this that hooked the fans and gave the show longevity. Government initiatives are reactive and driven by whatever the biggest issue is at any one time. The 24-hour news cycle, periodic spending reviews and the inevitability of another election, while all on different timescales, all pull the government in different directions.
Add in the occasional black swan (an economic crisis, terrorism or a war) and it makes establishing and maintaining funding for multi-year initiatives challenging.
This lack of consistency is compounded by the lack of a clear lead for cyber security. Companies outside of the critical national infrastructure or defence sectors have had little direct contact with the government, and had no clear government lead to provide support and direction on cyber threats. The diversity of industry in the UK adds to the challenge.
While it is easy for the civil service to use terms such as the ‘private sector’ and ‘industry’, the reality is clearly a huge diaspora of organisations of varying sizes, doing an enormous variety of different business activities.
Finding the right level of engagement also poses a problem. Government seniors like to deal with captains of industry. Those who understand the technical issues and write mitigation strategies would prefer to engage with IT management. This results in (ironically) Chinese whispers, where industry leaders get a high-level brief, take key messages from it and pass them back to their own IT staff, who will struggle to make use of a brief that was by necessity high level, stripped of technical details and lacking in context.
In the face of these issues, it is convenient for businesses to complain that they aren't being given information they need, and everything would be okay if the government just took the initiative. There may be an element of truth to this, but protection of corporate networks remains solely the responsibility of the corporation, and not the government.
It is incumbent on those responsible for running companies to take cyber security seriously, and more importantly ensure there is budget available for security projects (be it recruiting staff, providing training or investing in technology).
Additionally, there are now more opportunities for any organisation to engage with the government. In November 2011, the government launched the latest edition of the national cyber security strategy and since then, the Cabinet Office has piloted an initiative for industry information sharing partnerships (the Cyber Security Information Sharing Partnership).
At the beginning of March, the Department for Business, Innovation and Skills publicly called for participants to submit evidence in support of the development of a set of cyber security standards (those interested have until October 2013 to respond). The UK will be establishing a national CERT (Computer Emergency Response Team) to respond to incidents, and the National Crime Agency will have a National Cyber Crime Unit.
These opportunities to engage proactively with the government should be seized by any organisation that wants to take cyber security seriously. Government initiatives will never be effective if those responsible for the data and the systems crucial to the UK economy do not participate and engage.
Rob Pritchard is the director of Abstract Blue Consulting