CBR rounds up expert reactions to Francis Maude MP’s progress statement on the UK’s Cyber Security Strategy.
Cabinet Office Minister Francis Maude has announced UK Government plans to launch a new initiative to alert the public to cyber threats, in light of warnings that Britain’s critical national infrastructure could be a target.
Adam Kujawa, malware intelligence lead at Malwarebytes and former US Government cyber security analyst, told CBR:
"The use of private industry experts to help the Government fight against cyber threats is absolutely vital. The skills necessary for defending national networks against the increasingly sophisticated malware threat are not always possessed by government employees, so this will plug the knowledge gap. The US Government already uses contractors in this way and, as long as appropriate clearances are granted and respected, it works very well.
"Conversely, a lot of the highly advanced malware techniques faced by governments often eventually trickle-down into use against consumer computers, so this should be a relationship which works both ways. All in all, this is a great step to a more secure future and I for one hope that other countries follow the example of the UK."
Colin Tankard, managing director at Digital Pathways, told CBR:
"Whilst the government are right to take cyber threats seriously, this level of security is only aimed at their own departments and agencies. For both companies and individuals the need for controls over who accesses their networks remains. They must have data security systems in place to monitor or block access to their networks, providing layers of control with the ultimate end point that all data is encrypted."
Garry Sidaway, global director of security strategy at Integralis, told CBR:
"The key word here is collaboration – how does the Government intend to leverage the intelligence and skills of organisations focused on providing information security and risk management services? Businesses in financial services, for example, share information to prevent fraud – the Government must leverage these principles to provide a coherent cyber-security defence.
"The nature of the threat has certainly changed and the Government does need to leverage business to augment the services provided by GCHQ and others, but it must also ensure that this is a broad partnership of collaboration across multiple trusted parties."
Steve Redgwell, corporate managing director at Aon Risk Solutions:
"We welcome the recognition by the UK Government that cyber crime is an increasing risk. As the government has stated, 93% of large corporations and 76% of small businesses had reported a cyber breach in the past year. An increasing dependence on technology exposes companies to attacks from cyber criminals and hackers resulting in the theft of personal data, cyber extortion and cyber business interruption.
"We recommend that organizations review their data security policies to ensure that they are adequately covered for all technology risks including non-physical damage and computer network risks, therefore exposing cyber and data coverage."
Guy Bunker, senior VP of products at Clearswift:
"Cyber threats are an issue that will not be going away in the foreseeable future, and so it is incredibly positive to see the progress the Government has made in protecting the UK’s online interests across the board – from consumers to large organisations. I’m particularly pleased to see that the threat to SMEs is being taken seriously, as often, despite the fact that the majority of companies in the UK are SMEs, they frequently only have a small voice in matters of UK security. To compound this problem, small businesses often don’t realise the threats they are under. As the Rt. Hon. Maude points out, the cost of a security breach for SMEs is £15,000-£30,000 on average – a huge sum for any business, and a cost that certainly won’t be welcomed in a time when UK businesses are struggling to come out of recession.
"The Government is entirely correct in focusing efforts on education, as well as practical prevention. Yes, there are many threats from abroad, but there are just as many in the UK and even within organisations. With the Cyber Incident Response Team becoming fully operational next year and efforts being made to change behaviour online so that it is intrinsically safe, businesses and consumers are being afforded every opportunity to tackle cyber crime. As the Government has said, this is not an issue for Government alone – we must all take responsibility for our actions online, otherwise we risk losing our lead as a major internet-based economy."
Martin Sutherland, managing director of BAE Systems Detica:
"We’ve reached an interesting juncture in terms of the development of the UK’s Cyber Security Strategy. The Strategy is in implementation phase right now and could arguably be more unified in terms of ownership of countering the threat. However, what is most important is that we maintain impetus and forward momentum. Cyber space is still a dangerous place where the threat is evolving and asymmetric and attackers are still able to act with enormously more agility than defenders.
"When we look back in five years’ time we will see that the government’s strategy has provided a catalyst for a series of innovative and useful activities, particularly around how industry can respond to and protect itself from cyber incidents – most notably the recent Cyber Incident Response Scheme announced by GCHQ. Nonetheless, there is still a long way to go before we can say that we are successfully countering cyber threats."
John Colley, Managing Director, (ISC)² EMEA:
"The government has pulled together a comprehensive statement covering a lot of disparate and impressive initiatives, but I am not confident that the basic requirements are being covered or therefore that they are getting to grips with the problem."
"They are missing an opportunity to create the kind of market and consumer interest required to have real impact, with the budget dedicated to education skills and awareness being the smallest slice of the pie.
"One year on, the public has moved into the Twitter era while the Government’s significant public initiatives have included publishing advice targeted at the FTSE 100 companies; and establishing Centre of Excellence status for a few universities," summarises Colley. "They have celebrated the effort behind plans to launch public private partnerships in 2013 for information sharing within industry sectors, and schemes for companies to improve governance.
"The major focus seems to be on influencing the elite and developing intelligence," Colley adds. "It is not enough and is out of step with how the management of society’s information security risk must evolve."
Ross Parsell, Director of Cyber Strategy at Thales UK:
"To those who claim that the UK’s cyber security strategy lacks cohesion, I would point out that the strategy was only launched in November 2011. The government has achieved a tremendous amount of progress from an almost standing start. To those who say the strategy lacks accountability, responsibility for the strategy ultimately rests with the Office of Cyber Security and Information Assurance (OCSIA). Like any major initiative with so many parties involved, of course there have been implementation obstacles, but the objectives of the strategy are completely sound.
"One of the main benefits of the strategy is to tackle the skills shortage the UK faces when it comes to qualified information security personnel. The private sector currently struggles to hire qualified staff with expertise in cyber. The public sector cannot compete with the private on salaries, which places the nation in a vulnerable position. Major initiatives like the Cyber Security Research Institute will help a great deal in promoting cyber security earlier in the education cycle. Other key benefits of the strategy include raising awareness of the cyber threat in the public sector and conducting academic research into cyber issues.
"The Cyber Security Strategy is laying the foundations to make the UK one of the most secure places in the world to do business. Implementation of the strategy of course has not been perfect but the future of UK cyber security indeed looks bright."