Friday saw the release of the government's Cyber Security Strategy that set out the UK's plans to build a more trusted and resilient digital environment.
Among the extensive plans are the following key strategies:
- A new national cyber security ‘hub' that will allow the government and businesses to exchange information on threats and responses;
- A cyber crime unit within the National Crime Agency that will build on the Metropolitan Police's eCrime Unit by expanding the deployment of ‘cyber-specials', giving police forces across the country the necessary skills and experience to handle cyber crimes;
- A single reporting system to report financially motivated cyber crime through the existing Action Fraud Centre will also be launched;
- Strengthening of the role of the Centre for Protection of the National Infrastructure (CPNI) to increase its reach to organisations that have not previously been considered part of the critical infrastructure;
- Work with ISPs to create a voluntary code of conduct to help people identify if their computers have been compromised and advise them on what action to take.
In October 2010, the government classified cyber security as a ‘tier one' national security priority and committed £650m over the next four years to bolster its cyber defences.
According to a statement issued with the strategy, this "heralds a new era of unprecedented co-operation between the government and the private sector on cyber security, working hand in hand to make the UK one of the most secure places in the world to do business".
James Brokenshire MP, parliamentary under-secretary of state for crime and security, said: “We want to ensure that everyone can make the most of the internet and online services while protecting themselves from crime. The new National Crime Agency will share knowledge and expertise across law enforcement agencies, building on the pioneering work done by the Metropolitan Police and SOCA.
“We are also reaching out to industry and the public to get involved. We all have a role to play in keeping ourselves and our families safe while enjoying the huge opportunities and benefits of surfing the web.”
Among security industry spokespeople, the plans were welcomed with acclaim: Frank Coggrave, general manager EMEA at Guidance Software, called the strategy "a positive step in the right direction"; Ross Brewer, vice-president and managing director for international markets at LogRhythm, said it was "great to finally see the UK government starting to take the cyber threat seriously and provide a framework to help organisations protect their assets"; while Kaspersky Lab senior security researcher David Emm said "a joined-up strategy for tackling cyber crime is a must".
Chris Hardy, regional director of central government, defence and security at McAfee, said: “Ultimately, today's Cyber Security Strategy announcement is a great way to increase the public's knowledge of online security, and the reaffirmation of the role that ‘get safe online' plays shows that it is a crucial tool in continuing to drive public awareness.”
Ilias Chantzos, senior director of legal and public affairs at Symantec, said: “Symantec welcomes the initiative to the continuously evolving threat of cyber attacks. The strategy reaffirms the government's commitment to tackling this complex issue and highlights a pertinent focus on leadership and international co-operation.
“It is promising that public-private partnerships are a key tenet of the strategy; this is particularly the case for critical infrastructure industries but applicable across all areas. Only by the timely sharing of actionable information can we respond to the evolving threat landscape and ensure better preparedness against attacks. Education and awareness remain key issues that should continue to be absolute priorities in tacking cyber crime.
“Perhaps most importantly, we believe that every national security and defence strategy needs to have a cyber defence element, which is why this strategy is so important and very much welcomed.”
David Harley, senior research fellow at ESET, said: “I welcome the fact that the government seems to be aware that the nation's security is not restricted to those organisations formally recognised as part of the critical national infrastructure. It's a good thing, on the whole, that more generalised cyber crime will be getting some attention as well as the more glamorous but very fluffy topic of cyber warfare, as in practice it's not always easy to separate the two.”
Rik Ferguson, director of security research and communication EMEA at Trend Micro, said: “The government have clearly worked hard with a wide variety of stakeholders to come up with a wide ranging and actionable strategy that contains several real and measurable goals, which is to be highly commended. If the UK manages to deliver on all the promises of this report it will put us in a leading position in Europe and globally to prevent online crime in the first instance and take action where it does arise.
“The conclusions of the report were only reached after extensive consultation with industry, law enforcement and internet bodies. The strategy presents relatively short term goals and I look forward to seeing them fulfilled over the next four years.”
In terms of building better bridges between the public and private sector, Paul Davis, director of Europe at FireEye, said: “The exchange of information, leading to greater visibility, is the first step in seriously tackling this growing threat to the UK. Yet it is the lack of real understanding of the threat landscape, how quickly it's evolving and the growing threat to UK plc, coupled with actionable data, which is the biggest hurdle in progressing this initiative.
“There are a number of security professionals and companies both here in the UK and abroad that could make a significant contribution to this initiative. I trust the recognition of this ‘new' threat brings with it a new approach in engaging with the industry. A cyber security hub centred on government but encompassing critical national infrastructure and potentially extending across key industries should be, and can be with the right political support, developed quickly.
“As welcome as today's announcement is, concrete steps need to be taken now. Initiatives coming into being in 2013 are too far in the future. The threat is real, it's happening now and it's well recognised by the agencies mentioned. We're ready to contribute; we want to get on board.”
While there was a welcome for the strategy, not all were completely satisfied with its content or delivery.
Nigel Hawthorn, V-P of marketing EMEA at Blue Coat Systems, said while it appreciates what the government is trying to achieve with the strategy, it failed to see how it would resonate with commercial organisations, despite bodies such as SOCA and UK Trade and Investment being featured prominently.
“If we're all going to work together, the government needs to take into account many more factors, including reaching out to the private sector and enterprise organisations to understand their concerns and what needs to be achieved,” he said.
Mike Maddison, head of UK cyber security at Deloitte, said the launch of the strategy was an encouraging step, but it will take international collaboration and a change in mindset for it to truly work.
He said: “Tackling cyber crime requires both national and international effort and collaboration, as opposed to countries working in isolation from one another. Nations will need to establish strong relationships globally to share threat information, and then define and agree norms for acceptable cyber behaviour.”
Harley said he was concerned that if the view of the threat landscape is dominated by cyber warfare/GCHQ, the private sector and home users could be left out.
Coggrave said: “The fact that the scheme has taken so long to develop gives us pause for thought. Can we fully rely on the efficacy of a strategy when its public unveiling has been delayed twice?
“The government maintains that it is vital to take a collaborative approach and work together to combat cyber crime, which is still an important issue. However, the sensitive commercial implications of knowledge sharing and this suggestion of an ‘open internet' need to be carefully thought out. Many organisations simply do not want to share their secrets, so as not to compromise competitive advantage.
“Another concern is whether the strategy is too ‘political' to be effective; if the cause becomes too bureaucratic, it doesn't necessarily have the rapid response approach needed to deal with the full gamut of cyber threats. Only time will tell if it will hit the mark and resonate with the audiences that truly need high levels of guidance to cope with the advanced threat landscape.”
Ash Patel, country manager for UK & Ireland at Stonesoft, said the strategy was "encouraging", but he was disappointed not to see any commitment to research to better understand current threats.
“Today's hackers have more sophisticated attack methods than ever before, and in order to generate the outlook that UK plc in cyberspace is secure, which is obviously something the government is trying to achieve, they need to be working to either slow hackers down or to build solutions that can protect companies against these advanced threats. If we don't spend any time researching cyber crime, the cyber criminals will always be one step ahead,” he said.
It is a fact of life that you are not going to please all of the people all of the time, but the criticism of the cyber security strategy is outweighed by its praise. What this does propose is very reassuring; its implementation will need to be timely, and trust will be its biggest hurdle.