One cannot disagree with the government’s intent and vision for dealing with cyber security in the UK, as revealed in the Cabinet Office’s recently published cyber security strategy. With the annual cost of cyber crime in the UK estimated to be in the order of £27 billion, the requirement for a solid strategy to tackle the challenge is indisputable.
The devil is in the detail though, and while the government is on the right track, a number of things caught my attention. Foremost is the division of the much heralded £650 million due to be spent over the next four years. It appears that much of this money is being used to mitigate the spending cuts suffered by various government departments earlier in the year.
Nearly 60 percent of the £650 million is going to the intelligence agency GCHQ, which should already have the cyber security remit included in its current plans. Another 10 percent of the budget is being given to Government ICT for building secure online services. Surely their existing plans already incorporate building these services securely. It is unclear where the money for law enforcement is allocated, but presumably it is included in the 10 percent apportioned to the Home Office.
This seems to be a parsimonious amount. Given that the annual cost of cyber crime in the UK is a staggering £27 billion, an annual law enforcement spend of approximately £16 million is woefully inadequate.
Unfortunately, the government has not consulted the information security profession during the development of this strategy. Information security professionals and their supporting membership bodies today represent proficient, knowledgeable and experienced people working at the cutting edge of information security to secure the organisations they work for. They already serve as a significant resource to the academic community, business, social organisations and the public at large, at local, national and international level, looking at issues ranging from cybercrime and cyber warfare to the impact of the skills gap, the threat landscape and general awareness. The UK government needs to engage with the profession to leverage its expertise and knowledge in this area.
The Cabinet Office acknowledges the need to develop cyber security skills and capability in the UK and alludes to improving educational involvement. On this pertinent issue of skills development, (ISC)2’s research highlights that the information security profession is maturing: just less than 10 percent of the people working in the field are under the age of 29. There is a dire need to revisit IT curricula and embed information security more deeply into existing academic courses. In addition, there is a requirement for information security courses at the undergraduate level.
Today in the UK, with academic institutions being part educational organisations and part businesses, there are more than 60 Master’s level courses aimed at the lucrative working student market, creating a skills void at the entry and junior levels in the information security industry.
Public investment at undergraduate level is required to ensure that students graduate with the necessary security knowledge to hit the ground running when they join the workforce. Industry is not in a position to take on the overhead costs of training and skills development from the bottom up.
Fleetingly, the strategy document mentions raising public awareness of cyber security but omits mention of how it proposes to do that. High profile cyber security awareness campaigns (of the calibre of the successful HIV and Aids initiatives) that make the general public aware of cyber security and the simple precautions they can take as individuals to avoid becoming targets for online theft and cyber crime are necessary.
It is interesting that just two percent of the overall budget has been granted to the Department of Business, earmarked for working with the private sector to improve resilience in the face of cyber threats, while the Cabinet Office has allocated itself five percent of the budget to coordinate Internet security initiatives. The emphasis of the government’s strategy appears to be very much on making large corporates safe, when in fact they already have a good understanding of how to protect their businesses. It is the small and medium sized businesses that are vulnerable and require assistance.
Overcoming the nation’s cyber security challenge is no mean feat, and there can be no doubt that the government’s heart is in the right place; however, to tackle the issue, there is a need for coherent and well-defined initiatives. The information security profession, in the UK and internationally, has harnessed the collective experience of subject matter experts at the top of their field representing private and public sector organisations alike and has already put a great deal of effort into establishing the foundations for a common understanding of the issue across the globe. The government must take advantage of this large and experienced resource, which in turn is eager to help with tackling the problem.
Posted by John Colley, CISSP, Managing Director, (ISC)2, EMEA.
(ISC)2 is the largest membership body of information security professionals, with 80,000 certified members worldwide, and the administrator of the CISSP®.