In a speech later today, Philip Hammond, Chancellor of the Exchequer, is to announce that the UK Government will invest heavily in cyber defence. The money will come as part of a £1.9 billion government security strategy. It will see the UK significantly increase both its defensive and offensive capability in the area of cyber security. This is also aimed at protecting businesses and citizens from the constant barrage of online attacks.
What is on offer?
That’s a good question. As with all these speeches from government ministers, it is long on promise but short on detail. There is already confusion over the amount of money being spent. Reports have carried various amounts, with an upper limit of £1.9 billion. How much of that will go directly into cyber defence and how much will be shared with other departments is unknown.
One of the key elements is the National Cyber Security Centre (NCSC). Part of GCHQ, it opened for business last month. It is headed by Ciaran Martin, who has already given his view of what the NCSC would do. At the time, the big question was how the NCSC would fund its goals. We now know that it is being given substantial funds to go after both criminal organisations and those who are state sponsored.
Turn cyber defence into cyber attack
The UK government recently revealed that it was active in cyber warfare as part of the campaign against IS. This new strategy is promising more of that. There is a lot of talk about how to target malware, cyber criminals and hackers. Martin spoke about this in Washington in September. Ironically, the day after he said the UK Government had dealt with fake emails purporting to come from HMRC, another such campaign started.
Martin has said that this has to be a public/private collaboration. He believes that Internet Service Providers (ISPs) need to do more. They will argue that doing so means extra cost for them, which will have to be passed on to customers. There will also be claims that they cannot deliver on other parts of the government’s broadband policy if money is spent elsewhere. Hammond will need to decide whether money is to be given to the ISPs to help them better secure their infrastructure. This is likely to be a political minefield and one that will be interesting to watch.
The more important issue is how much attacking will be done. Targeting terror groups like IS is one thing. Going after state-sponsored hackers, who are better trained and equipped, is something else. There are a lot of claims around state-sponsored involvement in the cyber attacks on the US election. Russia is alleged to be at the heart of this, with money and resources being funnelled to cyber criminals and hacking groups. Will the UK now follow Russia’s lead and sponsor its own third-party attackers?
Cyber defence of national infrastructure
This is an area where spending money will come easily. There is a lot of very old and very insecure technology in parts of the national infrastructure. Security is also not always a key part of any infrastructure build. For example, the current electrification of the railways in Wales has no cyber security project manager. Yet the project is getting new signalling systems that could be accessible to hackers.
Vast sums have been spent on NHS IT projects over the past two decades. Many of those systems are insecure and do not talk to each other. This has forced IT staff to create their own data interoperability solutions. These are not based on standards, and there is no ‘security first’ approach to much of this.
Hammond has already identified the NHS as in need of defending. He has also said that a ‘security first’ approach must form part of all new government digital services. This is a little late in the day. Security first has been a mantra, although not really practised, for over a decade now. It seems strange that Hammond feels it should start now. Those working in the Government Digital Service will be equally confused. They have spent a lot of time trying to get suppliers to understand the importance of security in their solutions.
Education a key player
Academia is one of the target areas for this strategy. It is going to expect funds to help it expand the number of cyber security courses currently on offer. Many of the current courses are poor adaptations of existing computer science courses. They offer little in the way of education in forensic analysis of cyber attacks. They also lack practical sessions in ethical hacking, something that organisations can use to test their risk status.
The problem with relying on the education sector to deliver a coherent strategy is time. Courses take time to write and evaluate. Basic cyber skills training needs to take place at GCSE level. It takes at least seven years from starting a GCSE course to finishing a degree, and this doesn’t account for the design and tuning of the course.
One area where the government could invest is vocational rather than university-led education. This would allow employers to send staff on day-release training to hone their cyber security awareness. It would also quickly increase knowledge and awareness.
Once the full speech is published, it may contain more details that answer some of the criticism. However, it is more likely that we will end up waiting months before we see policies and learn exactly where the money will be spent. The UK Government is finally stepping up its own position on cyber security. This can only be seen as good news for everyone.