The Government’s Cyber Security Strategy remains too fixated on high-level ‘macro’ security issues and fails to offer enough new investment in consumer safety, cyber-policing or the need to boost the capacity of university courses, John Colley of security organisation (ISC)2 has argued.
Earlier this week, Cabinet Office minister Francis Maude offered an overview on the first year of the Government’s £650 million four-year investment to defend the nation’s infrastructure and business from the huge rise in online threats.
While Colley praised initiatives such as the Cyber Security Research Institute, he said the expansion of education should have been made a far bigger spending priority.
“The information security workforce will need to double in the next five years,” said Colley. “Where are all these people going to come from? If you look at the breakdown, education gets the smallest investment.”
The Strategy was heavily influenced by the ‘world according to GCHQ’, which had too big an input into its content and spending priorities.
As to the challenge of creating a deeper security culture by educating the public and investing in the policing necessary to aid that, the Strategy had little to say. The sums earmarked for policing in particular were far below the scale of the problem, said Colley.
At times Maude’s statement sounded like a headmaster delivering a school report, full of aspiration and good intentions but light on defined progress, he added.
“The major focus seems to be on influencing the elite and developing intelligence. It is not enough and is out of step with how the management of society’s information security risk must evolve.”
Others were critical of the Strategy’s half-hearted plan to create a UK Computer Emergency Response Team (CERT) of the sort that already exists in many other countries.
“The creation of a cyber-reserve and a UK Computer Emergency Response Team (CERT) does not go far enough. The level of threat continues to grow at a pace that cannot be met through part time action,” commented Ernst & Young’s director of information security, Mark Brown.
This resource had to become full time, he argued.
“A reserve force, made up of retired information security professionals, runs the risk of being unable to keep pace with the changing technologies and risk mitigation practices necessary to maintain a strong defence.”
There is certainly plenty of heat and light in the Government’s Strategy. As well as the national CERT with its Cyber Reserve and the Cyber Security Research Institute, the plan talks up the work of HMRC’s Cyber Crime Team, the CISP (Cyber-security Information Sharing Partnership) between Government and business and, not forgetting, the much-lauded Police Central e-Crime Unit (PCeU).
Balancing the reservations of some, the Government’s plans have also received plenty of support, albeit mostly from vendors in the security elite that will deliver the services as part of lucrative contracts. As ever, security is a business – a big one.
“When we look back in five years’ time we will see that the government’s strategy has provided a catalyst for a series of innovative and useful activities, particularly around how industry can respond to and protect itself from cyber incidents – most notably the recent Cyber Incident Response Scheme announced by GCHQ,” said BAE Systems Detica managing director, Martin Sutherland.
“Nonetheless, there is still a long way to go before we can say that we are successfully countering cyber threats.”