There are over 800 companies in the UK who claim to be in the cyber security business. The vast majority of these are small consultancies. Between them they generated £1.5bn in 2016.
The announcement claims that the global market for cyber security products will exceed £759 billion by 2021. The goal of this strategy is to enable UK companies to compete with the likes of Israel and the USA who are the leaders in the market.
According to International Trade Secretary, Dr Liam Fox: “Recent events show that the UK faces a diverse range of threats from hostile state actors. So in an increasingly digital world, it’s vital that we improve our cyber capabilities, which are crucial for national security and prosperity.
“The strategy I am publishing today will support UK companies to export our world-leading cyber security expertise, which will help strengthen our capabilities, and protect our country and our allies from those who wish us harm.”
This latest strategy is designed to support the 2016 National Cyber Security Strategy. That 80-page document set out how the UK was going to become secure and resilient to cyber threats. Since its publication, the number of attacks on UK Critical National Infrastructure (CNI) has increased. Anomali recently published its list of cyber threats to the UK CNI. Taken together, the two raise questions as to how well the UK is doing.
The 2016 strategy also put aside £1.9 billion for investment in cyber security. Unfortunately, that money was announced and re-allocated several times.
What is the Cyber Security Export Strategy?
This new strategy by the Department for International Trade (DIT) is focusing on three tiers of support:
- Pursue: DIT will act as trusted advisor to help UK companies sell to overseas governments, financial services and CNI providers. It has identified the USA, the Gulf and South East Asia as its targets. Given the size of the US cyber security industry, this could be a hard sell when it comes to getting any serious traction. Gulf States are more accessible, especially as many won’t do business with the regional cyber security superpower, Israel. Japan is another target, especially with the upcoming Olympics and Rugby World Cup. It also has its own cyber security industry, with NTT Security and Fujitsu both multi-billion-dollar companies. Singapore is seen as a target for financial services security, while private companies in India are also to be targeted. There will be a dedicated cyber security representative for the US, Gulf and Singapore.
- Enable: DIT has identified six key sectors that are prime targets for attackers and are expected to have significant security budgets. The DIT claims that in 2016 governments around the world spent £27.66 billion on cyber security. Another big market is financial services, which spent £16.09 billion. Healthcare is third on the spending list with £4.06 billion. That number is expected to explode over the next three years. The other target markets are CNI, infrastructure and automotive.
- Respond: Will help with branding and marketing around the world. There will also be access to DIT offices worldwide and support to help smaller companies secure cyber security contracts.
The issue of export controls is rightfully mentioned. However, it is an area where existing controls have proven inadequate. Claims that cyber security companies will not sell to repressive regimes have already failed. Much depends on whether those countries are friend or foe on the international stage. There are also concerns over sales to companies who disguise the end user.
Privacy campaigners are concerned about the potential abuse of cyber security products. The DIT has accepted that some cyber security technology should be regulated. The document says that the DIT’s Export Control Joint Unit (ECJU), supported by the NCSC, will advise when an export license for a piece of cyber security technology is required.
The strategy document goes on to say: “The licensing process examines each application against the consolidated EU and national arms export licensing criteria. Throughout this process ECJU will be advised by Foreign and Commonwealth Office, Ministry of Defence and NCSC experts to ensure rigorous, well-informed and timely licensing decisions are reached.”
What does this mean?
The UK Government is keen to show that the country can compete post-Brexit. Cyber security is an area where the UK has a lot of expertise. The problem is that most of it is tied up in small companies. If there is to be a concerted push to develop a world-class business sector, there also need to be controls on the sale of those companies. This would keep technology in UK hands and provide a solid R&D base for the future.
As far as this strategy document goes, it’s a good start but leaves much to be considered. For example, targeting the USA might seem a good idea but it means competing with the heavy hitters in the industry. While there are niche opportunities for UK companies, there is also the chance that success will lead to acquisition.
It is also surprising that there will be just three regions getting their own cyber security representative. If the DIT is serious about this strategy, then it needs to target more countries and regions and deploy more support. It will be interesting to see just how much of a benefit this strategy brings to the wider UK cyber security sector. Will it result in increased sales? Will it lead to greater investment by the private sector? Can the UK become a cyber security superpower like Israel?
The latter is unlikely, as the UK does not have the funding, infrastructure or defence industry support that exists in Israel. This means that the UK starts with a disadvantage. We wait to see how much money will be allocated and ring-fenced to make this strategy work.