- "You have a cryptographic failure, and then the terrorists take advantage of it, and then there's a bomb..."
- "If a UAV is being used for crowd control and it falls on someone, it could kill them"
- "You need to write good software."
- "Security people find it difficult to talk about [some topics] because they fear they may compromise something" - a statement with which I disagree strongly, in fact it's hard to get them to shut up
- "the British Business Federation Authority [wants to start an] Application Authentication Policy Management Authority"
- "I had a word with an investment banker ... and he reckoned that if all his trading desks all failed, he'd save money" - regards disaster recovery
But for my money (all of £24) the most interesting speaker was the first, Captain Ian McGhie RN of the Office of Cyber Security and Information Assurance - OCSIA. My interest was twofold, in seeing 1) how the government presented "Cyber", and 2) how the audience reacted to that.
The former is easy to describe; the Government line is "£640 million of new investment over four years" - in fact that is pretty much the entirety of the Government's position on "Cyber". A National Cyber Crime Strategy is to be published soon, but until that time we should be reassured that there is "£640 million of new investment over four years". There was a pie-chart which explained how the spending would be broken up; the categories were:
- operational capabilities 65%
- critical infrastructure 20%
- cybercrime 9%
- reserve and baseline 5%
- [I missed the annotation for the remaining 1%]
And there were questions from the audience; one asked "The USA is spending billions, are we really spending enough money?" - Captain McGhie's measured response being that £640 million is what we are spending, and that more money would cause stagnation.
My (related) perspective is already on record, but for clarity: I believe that the Government should only look after its own systems, and that £640 million is probably about £620 million too much. There was no mention at all made of CERT and its kin; there was also surprisingly little mention of the Police and how the above 9% applies to them; but in response to a question about imposing aerospace-like regulation upon IT development Captain McGhie conceded that the days are gone when the Government could impose its will on the private sector in terms of enforcing Government-approved designs and architectures.
I was left with the sense that the room's attendees fell into two camps: those excited at the prospect of public funds, and those hoping that the offer of public funds would save anyone from asking awkward questions.
So I asked one. There had been much talk of British Cyberspace and sovereignty, so I asked:
Can you tell us, please, where is "British Cyberspace", what are its "sovereign boundaries", and who are the "we" that are being defended? For instance, does "British Cyberspace" extend to the personal information of every British citizen who submits such to Facebook?
The response - at greater length - can be reduced to its opening phrase:
You'll agree that cyberspace is boundaryless and that we have to work towards security issues [that may exist] in any possible area...
As any security consultant will tell you: this statement flags an infinite remit - a Triple-A guaranteed recipe for wastage and scope-creep. £640 million will not be enough. There can never be enough money when no boundaries have been set.
So if you're a cyber-believer then get your snout in the trough right now - it's about to be filled.