Showing posts from 19 August 2011

H4cked Off: UK cyber security – a disaster waiting to happen?

19 Aug 2011

Computing reporter Stuart SumnerCyber security is viewed by the government as a ‘tier one threat', as it stated in October last year, along with a pledge to invest £500m over four years into the UK's response to the problem.

And with the Olympics now just under a year away, with the accompanying global attention (both from sports fans and criminals) that it will bring, the need for a ‘tier one response' to the tier one threat appears more pressing than ever.

In March this year, Neil Thompson, director of the Office of Cyber Security and Information Assurance (OCS), stated that the UK wants to lead internationally on cyber security.

But are we as a country set up in the right way to even lead our own fight against cyber criminals, hacktivists and malicious foreign agencies, much less lead our peers?

Off the top of my head I can think of 20 different public sector organisations with cyber security as a core function, besides the OCS mentioned earlier.

I haven't got the space to list them all, but a few of the more recognisable names are the Government Communications Headquarters (GCHQ), Centre for the Protection of National Infrastructure (CPNI), Police Central e-Crime Unit (PCeU), Cyber Security Operations Centre (CSOC) and the National Crime Agency (NCA) (itself an eventual replacement for the Serious Organised Crime Agency (SOCA).

And there are many more, with overlapping briefs and confused chains of command. 

In the words of former security minister Baroness Neville-Jones, who possesses the gift of understatement, the organisational structure of the UK's cyber crime effort is 'not ideal'.

Does this sound like a cogent and co-ordinated response to the cyber threat? Or does it sound like a fragmented mess, possibly the result of organic and unplanned growth rather than a strategic and cohesive network of assets?

In July this year, the Information Security Council (see, there's another organisation) released its annual report which stated that the government has shown "confusion and duplication of effort" in its approach to cyber security.

Apparently the chief of the Secret Intelligence Service (and there's another) was similarly unenthused at the UK's setup, stating: "I'm not sure the Cabinet Office processes for determining what is a coherent cyber programme [are] as sophisticated as [they] should be."

I spoke to the Cabinet Office requesting a list of all government organisations with a cyber security function. I was told that such a list would be impossible to pull together. I'm guessing that's because they have no idea exactly how many such bodies exist.

OK, "How about a list of those organisations with cyber security as their principal function?", I asked. "We'll think about it" was the terse and slightly irritated response I got.

I'm still waiting for the results of that cogitation. I shan't hold my breath.


Stuart Sumner, chief reporter and security geek