The UK's response to a cyber incident has been described as ‘fragmented and failing' and having a ‘lack of cohesion' between various organisations.
According to former GCHQ and CESG head Nick Hopkinson in an interview with Computing the UK has a ‘lack of cohesion' between the various organisations set up to work towards the strategy. This week, Bob Ayers, former US cyber intelligence officer for the US Army and the Defence Intelligence Agency (DIA), also told Computing that he felt that Britain's cyber security program was "a collective of independent entities" rather than a streamlined unit.
He said: “The most fundamental problem is that there is no one either accountable or responsible for the implementation of the programme. In many ways, the UK cyber programme is like the EU, a collective of independent entities more concerned with their individual departmental interests rather than those of the nation as a whole.”
Ayers also suggested that Britain is decades behind the US and lacks the ability to produce ‘professionalised' cyber security personnel.
“In many ways, the UK is at a point where the US was in 1995 with regard to cyber programmes. Many elements of a strategy are still absent in the UK including ‘professionalisation' of cyber security personnel, revised legislative and regulatory controls that are applicable to cyber space and links into the academic world to increase the output of personnel suitable for working in a national cyber programme," he said.
David Harley, senior research fellow at Eset, who told SC Magazine that he had been involved with Computer Emergency Response Teams (Certs) in the past, said he felt that fragmentation is inevitable in state-centric, politically driven security scenarios.
“Actually, in relatively democratic Western states it's naive to think that national security is purely a matter of governmental strategy. There is, of course, very relevant expertise in government departments and law enforcement, but those agencies have to cooperate (sometimes reluctantly) and co-exist with private enterprise, and are to a considerable extent reliant on their links with the security industry,” he said.
“The point, I guess, is that measuring a nation's security by its political strategy (or as much of its strategy as is made public) is a little naive, especially when politicians and commentators insist on treating cyber espionage and sabotage and all sorts of cyber crime as one single problem that a government is going to solve by telling specialist agencies, industry, the national infrastructure (whatever you understand by that) and the security industry how to operate.
“It's not wrong to try to introduce some degree of regularisation of relationships between those groups in accordance with social policy and political strategy. The fact is, though, that most nations stay on top of national security - insofar as they control it at all - through all kinds of relationships between disparate groups (some more public than others).”
Brian Honan, founder and chair of the Irish Cert, said that looking from the outside in, he did feel that the UK is behind certain countries in term of cyber security, with the US, Israel, Russia, China and Iran developing their capabilities three to five years ahead of the UK.
He said: “The majority of the above countries have had computer offensive techniques integrated into their military for quite a while, especially Russia, China and Israel. However, from a European point of view I would see the UK as being one of the top countries. It has a number of Certs to look after different areas but the main Cert, the Centre for Protection of the National Infrastructure (CPNI), has its concentration at the critical network infrastructure level. The UK also has the skills and knowledge within GCHQ. Let's also not forget that the UK has been fighting terrorism for a number of decades now and as a result has developed a lot of skills.
“[One of the biggest] challenges though that the UK face, and it is not unique, is the ability to recruit those with the appropriate skills to support the strategy. It is important that the UK invests the time and money necessary to properly develop its capabilities in this area to not only defend against attacks from hostile nation states and terrorists organisations, but to also ensure UK businesses and citizens can operate safely in the online world.”
Last week marked a year since the UK government launched its cyber security strategy, which proposed, among other things, a new national cyber security ‘hub' that will allow the government and businesses to exchange information on threats and responses, a cyber crime unit within the National Crime Agency, the strengthening of the role of the CPNI to increase its reach to organisations that have not previously been considered part of the critical infrastructure and a single reporting system to report financially motivated cyber crime.
Also last week, Enisa called for better cooperation and coordination between Certs and Law Enforcement Authorities, claiming that collaboration between the two is hindered by their inherent cultural differences.