Last week Francis Maude laid before parliament his ‘progress report’ on UK Cyber Security Strategy. That it appears to read OK is a tribute to the literary skills of Cabinet Office civil servants, smoothing over the turf wars, confused responsibilities, inaction and lack of leadership under this government.
That some progress has been made I am very happy to acknowledge, but in the same time the scale of the problem has grown exponentially – and I use the term in its mathematical rather than political sense – and what improvements there have been are overwhelmed by the height of the mountain still to climb.
Since its first publication in 2011, there has been a hole the size of a GSM network in the UK’s Cyber Security Strategy – it made almost no mention of mobile although that is where we are seeing the fastest rise in cyber attacks.
The other big omission was around cyber skills. It is one of its four objectives: ‘building the UK's cyber security knowledge, skills and capability’, but this government has always seen this in terms of high level expertise, professionals, big business, the military and government, rather than the skills ordinary people need to live safely in cyberspace.
We have repeatedly pointed out that of the £650 million found for cyber security last year barely 10 percent went on ordinary citizens, the vast majority going to big business and the government.
So I was pleased to see Cabinet Office minister Francis Maude respond by apparently wringing another £210 million out of the Treasury:
The 2013 Spending Review directed a further £210 million to the NCSP [National Cyber Security Programme] in 2015-16, on top of the £650 million set aside over the previous four years.
The only problem is that neither the Autumn Statement nor the Treasury Green Book actually mention cyber security, or the NCSP.
I have put down some questions about where the money has come from:
To ask the Minister for the Cabinet Office, when the extra £210 million announced by his department on 12 December 2013 was assigned to the cyber security budget; and from where it has been allocated.
And I look forward to the answer.
Despite the confusion, I welcome their attempts to address our concerns:
In the coming year we will target SMEs with a special strand of our planned public awareness campaign, to begin in January 2014
From January 2014 the Home Office will deliver a major public awareness campaign together with a range of private sector partners
But so far the signs are not hopeful that the Cabinet office has been able to persuade other departments to take cyber security seriously.
So when they say:
They [BIS] have also been working closely with industry to develop an agreed “Organisational Standard”. Last month, the Minister for Universities and Science announced details of this new standard which will not only give companies a clear baseline to aim for in addressing cyber-security risks to their company but will enable them to advertise the fact that they meet a certain set of criteria on cyber-security.
What they actually mean is that after a seven-month consultation they have agreed to begin to work with industry to develop a standard and what they apparently intend to do, to make up for the lost time, is to co-opt the IASME standard without giving the company any recompense.
Help for small businesses to engage with government anyone?
Equally in the same week as Department for Work and Pensions (DWP) secretary of state Iain Duncan Smith says that there will be no fraud on Universal Credit, the Cabinet Office reveal that there have been 28,500 hits on the Universal Credit website from abroad. Obviously these could all be technology journalists interested in the evolution of digital government in the UK... but the fact that the Cabinet Office is highlighting this to UK journalists suggests that there might be something a little more concerning.
And again, when I ask the Department for Health about cyber security and their policy commitment to a ‘paperles NHS’ I am told: “An assessment of the security implications was not made at the time of the announcement.”
Yes, that is very reassuring. Especially when we have smart cities, smart grids and the internet of things coming down the line.
I don’t pretend that cyber security is easy, simple or obvious. But I think what is obvious even in the season of goodwill is that we are a long way from being cyber secure.