Huge improvements are needed in the government’s approach to cyber security, the IT security industry has warned ahead of today’s Strategic Defence and Security Review.
The review will attempt to provide a framework for the country’s response to cyberattacks, which the government yesterday branded as a “tier one” threat alongside terrorism. Cabinet Office sources suggested that more than £500 million will be allocated to the effort.
“The target for cyber terrorists will be our national infrastructures – water, power, emergency services and internet – and we need to protect the computer systems that operate these infrastructures,” said Mark Darvill, director at security firm AEP Networks. “Traditional security technologies are in no way up to the challenge.”
He added: “As with the authenticity signing of the internet, it is collaboration within the security industry that will give us the biggest chance of successfully defending against cyber warfare.”
“As a country, we have struggled to deal with modest, home-grown threats effectively, so what chance do we have against professional computer criminals?” warned Christopher Boyd, senior threat researcher at GFI Software, adding that it was “essential” to invest in proven technology and the right people.
He said the government needed to upgrade computers from the Microsoft Internet Explorer 6 browser, describing it as having “numerous security flaws”. Two months ago, the government turned down a petition to upgrade its browsers to a newer version over security concerns, saying the move would not be “cost-effective”.
There also needed to be the right processes in place to ensure people could disclose any cyber crime they found, he said. “Until recently, you couldn't even report computer crime to the National Hi-Tech Crime Unit – you had to go to a local police station and hope the officer at the desk knew what you were talking about and escalated your report to the right department.”
Most security suppliers welcomed the announcement of an intention to tackle cybercrime, even if it would be a difficult challenge.
Alastair MacWillson, global managing director of the security practice at services firm Accenture, said there were “no easy answers”, adding that going on the offence “beats defence”. Recent research by the company found that 58 percent of executives are said to have lost sensitive personal information through cyber attacks.
But industry experts said they awaited a defined set of steps to tackle the problem, and warned that defence and security spending cuts should not hit cyber security efforts.
“How much of a difference will the money really make, if government departments are going to have to cut back on people and IT spending?” asked Alan Bentley, senior VP at Lumension. “Government departments will need to be provided with the right guidance over their risk priorities.”
Security needed to be “ingrained within corporate and government IT systems, rather than an add-on as an afterthought”, added Alex de Joode, security officer at hosting provider LeaseWeb.
Any attempt to tackle cyberattacks nationally also needed the efforts of internet service providers, security monitoring organisations and businesses, he added: “It is important that the government works closely with the ISPs and IT security organisations to establish clear lines of communication.”