The government’s ambitious attempt to upgrade the UK’s cyber security capabilities will struggle as long as the country fails to turn out enough graduates with the right skills, a National Audit Office (NAO) report has hinted.
True to its title, the NAO’s UK cyber security review: Landscape review is more of a summary of recent history around government and cyber security initiatives than an acid critique, but the pointers buried within its pages are still hard to miss.
Despite government efforts to rectify the skills gap since 2010, experts interviewed by the NAO lined up to tell it that science and technology subjects remained relatively unpopular at school level, which resulted in a weak take-up in universities.
Those graduates who did exist would often end up in the private sector thanks to better career prospects and pay, the NAO found, leaving what experts believed would be a 20-year slog to make up the skills gap at all levels of education.
In short, the internet economy and the threats posed to it have been growing faster than the pool of skills needed to impose management and security on it.
CIO UK blogger Rik Ferguson, vice president of security at Trend Micro, said: "The report from the NAO clearly illustrates that more needs to be done, even in the current 2011-2015 £650 million funding plan. While the 'repatriation' of stolen card details may sound impressive, it represents only one face of cybercrime.
"The current plan has focused too heavily on giving advice to enterprises, leaving SMEs an attractive and underprepared victim. Government needs to dedicate more budget than they currently have done, they must also make more effort to make computer science attractive in schools. Universities need to offer specialised information security courses for the CIO of tomorrow."
During 2012, GCHQ started a modest fight back by funding grants to eight universities to establish Academic Centres of Excellence in Cyber Security Research.
At the same time, the UK spy hub also sank £3.8 million into setting up the first academic programme devoted to cyber security research.
The report steered away from assessing the impact of the government’s headline additional £650 million investment in cyber security between 2011 and 2015 – it was too early to judge results – but the authors said that this might prove hard to do when the desired outcome was simply that nothing happened.
Some 59% of the available increase was being consumed by security and intelligence departments, 14% by the Ministry of Defence.
National Cyber Security Programme
The report doesn’t stress it, but this leaves relatively small sums to be doled out to departments such as the Home Office, responsible for policing.
Figures within the report show that enforcing laws and combatting cybercrime will consume a modest £28 million under the National Cyber Security Programme in the two years to 2013.
“This report stresses that government must work hand-in-glove with people and businesses in order to build awareness, knowledge and skills,” said committee chair, Margaret Hodge MP.
“With this government committing £650 million additional funding to cyber security, my committee will want to ask how the action of the 15 government organisations involved in delivering the strategy is being properly coordinated and what progress has been made,” she warned.
Experts also warned the NAO that government had focused its cyber security activities on larger organisations at the expense of SMEs, which remained far less aware of its advice.
There was a need for a clear set of standards handed down from government on what constituted robust security, especially in the myriad companies in often complex supply chains.
Interviewees felt that it was up to larger organisations to pass down their expectations and guidance to the smaller companies they worked with.