UK Cyber Security Strategy

November 28, 2011

The government has released its UK Cyber Security Strategy (http://www.cabinetoffice.gov.uk/sites/default/files/resources/The%20UK%20Cyber%20Security%20Strategy-%20web%20ver.pdf). The document describes the current state of Internet threats and the key areas that need to be addressed. Primarily it focuses on better resourcing for the computer crime authorities, improving communication between government and the private sector, investing in national defences and critical infrastructure against cybercriminal attack, and raising awareness.

The three key areas are:

• Finance – it promises to spend £650 million over four years on the National Cyber Security Programme, with the ‘Single Intelligence Account’ receiving the most funding (MI5, MI6, and GCHQ being the primary beneficiaries within this).

• Public and private sector collaboration – the sharing of threat intelligence.

• Awareness – as attacks such as fake anti-virus continue to run rife (currently 7th in top 200 malware samples seen this month), proposals such as using kitemarks and boosting the GetSafeOnline website are being put forward.

A joint public/private sector cyber security ‘hub’ for exchanging cyber threat and response information will begin as a pilot this December with five business sectors – defence, telecoms, finance, pharmaceuticals and energy.

Action Fraud, the national fraud reporting and advice centre run by the National Fraud Authority, will become the central portal for businesses and the public, making it easier to report financially motivated cyber crime.

Stewart James from DLA Piper’s Intellectual Property & Technology practice commented:

‘I don’t think this is so much about commercialising GCHQ but a recognition that in order to protect critical national infrastructure against cyber-attack the government needs to work with industry and that will necessarily involve the security agencies sharing some of their intelligence, skills and resource with industry and vice versa.

The need for collaborative defence has been discussed in open forum for a number of months now, so this announcement is not really a surprise. One of the other elements that has been discussed is the need for greater education. Many organisations believe that they have cracked IT security because they have seen a decline in the number of classic attack attempts. But this ignores the changing dynamic of cyber security, and the fact that the next round of attacks will be far more insidious and will come from inside corporate networks.

As well as the need for government to work with industry we believe that there will be a need for governments to work together: cyber-security, whether at the lower level of cyber-crime or higher levels of cyber-espionage, sabotage or even cyber-warfare, will require increased levels of international collaboration.’

Graham Cluley, senior technology consultant at Sophos, said:

‘The strategy is a good start from the Government and it is clear that it is not only investing in defence, but also proactive measures to disrupt threats to information security. The devil is always in the detail however, and it will be interesting to see how these programmes will be put into place, and how their success will be measured,’ he said. ‘For example, when it comes to sharing information with the Government, private businesses will want to be assured that intelligence will not just flow from them to the Government, but also in the reverse direction.

Another ambiguity is how kitemarks would actually work – it is predictable that scammers will simply put bogus kitemarks on their sites and fake anti-virus products, to appear legitimate. Finally, with emerging technologies, such as the rapid growth of mobile, and storage of data in the cloud, it is essential that the strategy is flexible enough to take account of this.

Internet crime has become an organised, professional operation – with those behind it adapting quickly to changing circumstances and exploiting opportunities. The stakes are getting higher for businesses, governments and end users, and it is not a battle that can be won easily. Nevertheless, seeing the UK authorities treat it as a serious concern is welcome news.’