The UK's chancellor of the exchequer George Osborne has set out a plan today to make Britain one of the safest places to do business online by making cyber-security a top priority for government.
In a speech given at GCHQ in Cheltenham this morning, Osborne said he was announcing a bold, comprehensive cyber-security programme.
“It will give our companies and our citizens confidence that their cyber-safety is being properly protected. It will ensure that Britain remains at the cutting edge of the global cyber economy,” he said.
Taking advantage of savings from other government departments – which have had to cut their budgets by an average of 24 percent – Osborne said the government would double the amount being spent on cyber-security, from £950 million over five years to £1.9 billion over the same period.
Combined with other government spending on protecting IT systems, the total amount being spent by the government over five years on cyber-security will be £3.2 billion.
Osborne outlined a five-step cyber-defence programme.
Firstly, the country must take steps to defend itself online, and the government will be increasing the capabilities of the National Cyber Crime Unit which will work with agencies in other countries to make the internet unsafe for cyber-criminals.
The government will also take further steps to defend government systems and improve detection systems. It will also work with ISPs to divert traffic from known bad addresses.
Secondly, Osborne wants to rationalise the multiple agencies which have sprung up to deal with cyber-crime so that businesses have a single point of contact for help and advice, and he aims to achieve this with the creation next year of the National Cyber Centre which will report to the director of GCHQ.
“Reporting to GCHQ will mean the Centre can draw on the necessarily secret world-class expertise within this organisation,” he said.
The third plank of his plan is to ensure there are enough skilled coders by addressing the skills gap. The government will run a competition and invite bids from universities, businesses and others for ideas and plans for the creation of a new Institute of Coding – with a £20 million prize to the winning group.
Part four of the plan is to create a commercial ecosystem to encourage and nurture cyber startups. He envisages people moving in and out of organisations like GCHQ to stimulate the development of new products and services.
“We need an ecosystem in which great ideas get translated into great companies,” he said. The government will establish two cyber innovation centres where cyber startups, including security firms, can base themselves. One of the centres will be in Cheltenham, near GCHQ.
The government will also create a £165 million Defence and Cyber Innovation Fund, with the aim of supporting procurement across defence and cyber-security.
The final plank in the plan is to establish a deterrent capability in cyberspace, he said.
“Part of establishing deterrence will be making sure that whoever attacks us knows we are able to hit back,” Osborne said. “We need to destroy the idea that there is impunity in cyberspace.”
The government will defend robustly against any attacks on critical national infrastructure or the country's defensive capabilities. “We reserve the right to respond to a cyber attack in any way that we choose,” he said.
This will be achieved through investment in the National Offensive Cyber Programme, a partnership between the Ministry of Defence and GCHQ. Additional resources would be allocated to the programme over the next five years, he said. “We are stepping up not just the means of defence, but also the means to ensure that attacks on Britain are not cost-free.”
This investment will be part of the government's commitment to NATO to spend a minimum of two percent of GDP on defence, he said, details of which would be elaborated upon in the forthcoming Security and Defence Strategic Review.
Reaction from the cyber-security industry has been mostly positive.
Jonathan Luff, co-founder of Epsilon Advisory Partners and cyber security accelerator Cyber London, commented: “Now more than ever we need the cutting edge security innovations developed by our best and brightest to be made widely available. At Cyber London we welcome anything that makes it easier for our cyber pioneers to bring their technology to bear and helps the latest technology reach the point of need faster.”
James Murphy, techUK's associate director for defence and security, said: “Today's announcements of enhanced funding and other initiatives are a clear indication that the government has grasped the singular importance of cyber-security to the UK's interests. What was once considered a niche area in the wider national security debate has emerged front and centre in the government's priorities.”
Richard Cassidy, technical director EMEA at Alert Logic, said: “Overall this will certainly send a message of deterrence to those groups who might seek to target government and commercial sector organisations as part of a campaign; that said, however, we know that militant groups respond less favourably to nation state directives. Therefore the question has to be raised as to whether this announcement will simply focus these groups' efforts on more advanced tactics and techniques, thus making it more difficult for our own intelligence organisations to monitor and detect. What is good is that there is a clear message on countering attacks by terrorist organisations and, if effective, it will certainly go a long way into slowing the progress and success rate of such groups.”
Matt Middleton-Leal, regional director, UK & Ireland at CyberArk said: “The recent attack on the US Office of Personnel Management (OPM) was a sobering reminder of the risks that public and private sector organisations are facing. The OPM breach emulated the attack pattern of many recent incidents, including Sony Pictures, Home Depot, United Airlines and more, as attackers initially breached perimeter security by using techniques designed to hijack powerful privileged credentials.”
Justin Harvey, chief security officer at Fidelis Cybersecurity, said: “I applaud the Chancellor for this change. I think that doubling the security budget is a great first step, but I hope that the government uses the money wisely. The government should be spending less money in ‘preventative’ platforms and more in detection and response capabilities. This includes hiring the right people that know how to proactively hunt through endpoints and networks, but also the tools to support them.”
Ross Brewer, vice president and managing director international markets, LogRhythm, welcomed Osborne's reassurances regarding the government's commitment to cyber-security but wants more commitment to spending on security intelligence. “While money is all well and good, what's important is where this money will be spent. The government needs to make sure that recent events don't result in knee-jerk decisions and it spends this extra money on areas that will be most effective in combatting attacks in the long run.”
Itay Glick, CEO of Votiro, agreed with Brewer, telling SCMagazineUK.com that the cost of an attack is so low that he expects an explosion in new attackers in the near future. In light of that, he questioned whether doubling the budget would be enough. He noted that governments are not known for embracing innovative solutions. “Government will usually spend on traditional threat protection solutions [which] usually does not include innovative technology that might help to prevent exploits,” he said.