The government has launched the UK’s first national cyber security strategy, aiming to bring a “coherent approach” to the multitude of organisations tasked with tackling digital threats to businesses and the public sector.
To enhance the UK’s ability to detect and respond to attacks and make information sharing about threats more resilient, new funding will also be provided.
“Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our position in cyber space to give people and businesses the confidence they need to operate safely there,” said prime minister Gordon Brown.
The announcement follows the lead of President Barack Obama, who launched a US national cyber security strategy in May.
The UK plan highlights the need for government, organisations across all sectors, international partners and the public to work together to meet the strategic objectives of reducing risk and exploiting opportunities by improving knowledge, capabilities and decision-making to secure the UK’s use of cyber space.
Two initiatives announced as part of the strategy stand out as being pivotal to the new plan’s success.
An Office of Cyber Security (OCS) will be set up in Whitehall to provide strategic leadership for government departments and businesses through a shared view and intelligence on threats and attacks.
And a multi-agency Cyber Security Operations Centre (CSOC) will provide co-ordinated protection of the UK’s core IT systems.
CSOC will be based at GCHQ in Cheltenham, already home to the government’s key communications monitoring service and existing agencies such as CESG, which oversees the technical aspects of information assurance and runs the Computer Emergency Response Team, which provides assistance in resolving serious IT incidents for the public sector.
Perhaps the biggest challenge facing the new strategy is the need to co-ordinate the work of the large number of different organisations already involved in protecting the UK’s digital infrastructure.
The government’s Cyber Security Strategy document lists 16 existing organisations, each with different – but sometimes overlapping – responsibilities (see below).
Robert Hannigan, the prime minister’s security adviser, said the government wants to use existing skills and resources as much as possible.
“With the CSOC, we will look at using existing infrastructure – we wouldn’t want to spoil the work that has already been carried out. The OCS is all about policy-making and one of the key points for us is to develop skills to get the knowledge we need and we will work with the industry to create that,” he said.
And that co-operation extends internationally. “There is no point in developing this on a single national basis. That is why we are working closely with other countries – we are already doing a lot of work with the US, Canada and Australia in that area. There is also some work going on with EU players. We expect there will be some international legal issues there but this is going to be a long, drawn-out debate,” said Hannigan.
“We will work across the spectrum, from schools to business sectors, and work with knowledge transfer networks to make it happen. [The availability of skills in the market] is a huge opportunity for us. Recruitment is getting easier, so it is a good time to find people.”
The quality of the resources behind the strategy will be key to its success, according to Andy Kellett, senior security research analyst at Butler Group.
“It sounds as if they are pulling it all under one roof, and it looks like they are following the US lead. But I’d like to see some significant resources put behind it, and I’d like to see the substance of what they will actually be doing going forward, and how effective it is – for now it’s a case of ‘wait and see’,” he said.
Kellett also called for a greater role for cyber security experts in business and the IT industry.
“Potentially, there are better ways of going about this than re-inventing the wheel in Whitehall, because surely all this already exists – the top security vendors have been doing this for years,” he said.
“Why not co-ordinate and integrate with their systems, and also co-ordinate with the top chief information security officers in business. The government is going to have to make sure the recruitment is right and the people they put in place are the best.”
Speaking at a conference on cyber crime organised by vendor Unisys last week, National Police Improvement Agency detective superintendent John Mooney highlighted the challenges thrown up by rapid advances in technological threats.
“From a policing perspective, we always seem to be playing catch-up,” said Mooney. “We need a better ability to share information. Everyone working from the same song sheet would be a good thing.”
Multiple agencies will have bearing on strategy
The Cyber Security Strategy enables the formation of two new organisations to help oversee and co-ordinate the activities of the 16 bodies already involved in tackling e-crime and cyber security. All 18 groups are listed below with their areas of responsibility:
Association of Chief Police Officers (Acpo) – oversees the development and direction of the police service in England, Wales and Northern Ireland; Acpos in Scotland.
Attorney General’s Office & the National Fraud Strategic Authority – responsible for policy to combat online fraud and e-crime.
The National Security Secretariat – supports and advises the prime minister, and the Cabinet’s National Security Committee, on all areas of national security.
Centre for the Protection of National Infrastructure – provides security advice for businesses and organisations in the national infrastructure.
Cyber Security Operations Centre – set up to monitor developments in cyber space, providing collective situational awareness, analysis of trends, and to improve technical response co-ordination to cyber incidents.
Department for Business, Innovation and Skills – responsible for industrial and economic policy, and regulatory policy, particularly in the telecommunications sector.
Devolved Administrations – responsible for those functions that have been devolved to Northern Ireland, Scotland and Wales, according to their different devolution settlements.
Foreign Office – foreign policy, international relations and international laws and behaviours in cyber space.
GCHQ – responsible for operations, capability and policy support, including CESG as the National Technical Authority for Information Assurance.
Home Office – deals with issues associated with the use of cyber space for criminality. The Home Office includes the Office for Security and Counter-Terrorism for terrorist-related use of cyber space.
Joint Terrorism Analysis Centre – issues assessments of terrorist cyber intentions and capabilities.
Metropolitan Police – tackles e-crime through its Police Central e-Crime Unit.
Ministry of Defence – responsible for issues concerning the military use of cyber space, including defence policy and doctrine.
Office of Cyber Security – initially set up in the Cabinet Office, with overall ownership of the Cyber Security Strategy, providing strategic leadership across government for cyber security issues.
Secret Intelligence Service (MI6) – deals with the collection of intelligence overseas to promote and defend the national security and economic well-being of the UK.
Security Service (MI5) – tasked with protecting the country against covertly organised threats to national security.
Serious Organised Crime Agency – covers issues relating to organised criminal use of cyber space.
Technology Strategy Board – through its Network Security Innovation Platform, this body is tasked with developing innovative ways to improve online safety, security and resilience.
Source: Cyber Security Strategy of the UK, June 2009










