Chancellor Philip Hammond is developing a strategy for spending the £1.9 billion left by his predecessor George Osborne to get a grip on the growing problem of cyber security.
While some will ponder whether even such mind-boggling figures are ever going to be enough to do anything but skim the surface of the cyber security problems facing the UK, others are more concerned with semantics.
“This is largely a question of where you draw the line concerning what is cyber security and what isn’t,” says Robin Wilton, technical outreach director for privacy and identity at the Internet Society. “The citizen’s interests are better served by a clearer and more restrictive definition of cyber security.”
To get the linguistic ball rolling, Mr Wilton defines cyber security as having two goals. One is protecting those parts of the critical national infrastructure that make the internet possible and the other is protecting the parts critically dependent on the internet to operate. In this latter category, Mr Wilton means the parts which could be disabled by an internet-borne act.
“If malware targeted at supervisory control and data acquisition or SCADA-compliant systems were able to shut down the water and waste systems of a large part of the UK,” he argues, “I would view that as a cyber-security issue.” The point of drawing such boundaries is that without them the number of calls on Mr Hammond’s budget that could be made under the heading of cyber security is endless.
Cyber security spend
It’s vital to remember that even security spending is not a budget of the bottomless-pit variety. “Government needs to continue to invest,” says BT Security chief executive Mark Hughes, “but there is no magic number that will make the problem go away.” But £1.9 billion is most definitely a drop-in-the-ocean number.
“Exclude large organisations,” says Professor Steven Furnell, head of the Centre for Security, Communications and Network Research at Plymouth University, “and just share that funding among the 5.4 million small and medium-sized enterprises that make up 99 per cent of UK businesses and each would get a whopping £70 per year for the next five years.” Obviously, then, the government’s investment must rely on strategic perfection, which could be problematic.
Earlier this year, the National Audit Office (NAO) published a highly critical report slating how the government approached digital security. Of the 1,600 staff within 73 government teams tasked with responsibility for data security, the NAO said they were “operating without cohesion and governance”. According to Sir Amyas Morse, head of the NAO: “The Cabinet Office, departments and the wider public sector need a new approach.”
While conceding that the NAO is right in some regards in its report, Unisys chief security architect Salvatore Sinno argues: “The government has taken big steps to improve the way in which they look at governance and overall approach to digital security.”
There’s no doubting the sheer scale makes it a monumental challenge for the government, with myriad interlinking departments impacting millions of people. There’s also no doubting the scale of the challenge in relation to privacy.
“For true cohesion and governance of data to be achieved,” Mr Sinno says, “there needs to be some level of permission for the government to share this information internally between departments.”
Striking the right balance between privacy and consent issues when updating the current policy framework around data security is important, as is applying the right amount of carrot and stick across the public sector threatscape.
“Funding can help government provide carrots through driving new processes and encouraging the use of red team simulations to assess the ability of an organisation to find an active attacker,” says Kasey Cross, director of product management at LightCyber, “while sticks come in the form of the General Data Protection Regulation (GDPR).”
John Shaw, vice-president of product management at Sophos, agrees that the government’s decision to double down on a commitment to implement the European Commission’s GDPR, with fines of up to 4 per cent of revenue, is as good a stick as you get.
“If the record fine for the TalkTalk breach had been the £93 million implied by GDPR instead of the £400,000 under the current framework, a lot more boardrooms would be discussing improving their cyber security,” says Mr Shaw.
Not everyone agrees, of course, and Philip Lieberman, president of Lieberman Software, insists that the alignment of the UK with the European Union on data privacy and cyber security has been at the core of miserable security within both.
“The first step in improving security is the complete discarding of the existing privacy regulations foisted on the UK by the EU, and the creation of sensible and practical rules that balance the needs of government and business with reasonable accommodation to the needs of consumers,” says Mr Lieberman.
One thing that consumers need is trust in those who handle our data, and public fears on that score might slow government digital transformation efforts down. David Emm, the principal security researcher at Kaspersky Lab, doesn’t see any signs of a slowdown though. Not least, perhaps, because most of the digital transformation effort is coming from the private sector; think biometric development and the internet of things.
“I don’t see that there’s a huge amount of public concern around security either,” he says. “There’s shock and horror when we hear about a breach, but if there was legitimate fear, we’d see fewer people carrying out online transactions.”
So, if not mistrust and fear, what is the barrier to digital transformation, insofar as there is one at all?
Easy, says Microsoft UK’s national security officer Stuart Aston, it’s budget constraint.
He is sure that while public and organisational fear is driving a slow digital transformation rate, it is austerity that has been the predominant hindrance in terms of adoption. To a certain extent, public fear is healthy after all; it means everybody has a vested interest and must ultimately be accountable for cyber security. It means cyber security is an important component of the relationship between government and citizens.
“It’s important to note that the recent announcement that spending on cyber security would be increased did not raise any negative response in the media or from the population,” says Greg Sim, chief executive at Glasswall. “How many other budgetary announcements go unaccompanied by the grumbles of taxpayers?”
It’s clear the public has accepted that cyber security is now a vital necessity and that cyber threats will not go away without serious action. This has been, and will continue to be, an ongoing war which the government and the people are committed to winning together.
“Cyber security is important to the relationship between government and citizens,” the Internet Society’s Mr Wilton says, “because of the extent to which our daily lives depend on the proper functioning of the digital realm.”
If you think about it, cyber security is now a core competence of national governance. The ability to manage the nation’s cyber security competently is as critical to our economic and social wellbeing as the ability to execute any major function of the political executive.
“A government that can’t deliver effective law enforcement and criminal justice is at the mercy of organised crime,” Mr Wilton concludes, “and a government that can’t protect the nation’s digital assets is at the mercy of bad actors reaching into almost every aspect of modern life.”