In October last year the government pledged an extra £650m of funding for the UK’s cyber security efforts, describing the risk of cyber attacks on the UK as a “tier one threat”. Then in March this year, Neil Thompson, director of the Office of Cyber Security and Information Assurance (OCSIA), said the UK’s aim is to lead international efforts to combat cyber threats. However, despite such talk of leading the way in tackling digital dangers, doubts persist over whether the country’s cyber security apparatus is fit for purpose.
Informed estimates suggest there are between 20 and 30 UK public sector bodies that exist either wholly or in part to fight cyber crime, hacktivists and the cyber threat from foreign agencies and governments. When asked for an exact figure, the Cabinet Office said it was unable to come up with a number.
In July this year, the Information Security Council released its annual report stating that the government has shown “confusion and duplication of effort” in its approach to cyber security, strongly suggesting that the UK’s digital defences are riddled with overlapping responsibilities and inefficiencies.
In the same report, former security minister Baroness Neville-Jones is quoted as describing the organisational structure of the UK’s cyber crime effort as “not ideal”.
More damning still was the following statement from the chief of the Secret Intelligence Service: “I’m not sure the Cabinet Office processes for determining what is a coherent cyber programme [are] as sophisticated as [they] should be.”
Charlie McMurdie, head of the Police Central e-Crime Unit (PCeU), believes that the organisational cohesion between the various cyber crime fighting agencies is improving.
“We’ve now reached a stage where we have a semblance of order and a structure around what we’re doing and how we’re co-ordinating our efforts with other departments and bodies.”
However, she acknowledges that the situation could be better.
“There’s been enormous progress, but there’s still far more to be done. We need far more integration with industry and the other external bodies who work closely with us.”
So according to McMurdie the situation is not as bad as it seems, and is improving. But how did the UK’s cyber defences get in such a fragmented state in the first place?
McMurdie pins the blame on organic growth. “In the UK it’s been a very organic growth, cyber demands have dictated different organisations appearing with different responses.”
But Ross Anderson, professor of security engineering at the University of Cambridge, believes that this lack of strategy has resulted in an ineffective response.
“[The UK’s cyber security strategy is] fragmented, messy, inefficient and hopelessly under resourced,” he says.
He explains that part of the problem is lack of longevity: cyber security agencies in the UK tend to have a short shelf life.
“The UK never manages to sustain a cyber crime effort beyond a year or two. The government set up the National Criminal Intelligence Service [itself formed from the National Drugs Intelligence Unit], which didn’t work. Then they set up the National Hi-Tech Crime Agency. That couldn’t get enough money from the Treasury to work properly, so instead they narrowed their remit and investigated child pornography [on the internet].
“All these agencies basically got shuffled off into SOCA [Serious Organised Crime Agency]. They put lots of the useless bits of other agencies in there, which meant that people in the Met [Metropolitan Police] could get on with their work.”
In July, the government announced plans to abolish SOCA, and replace it with the National Crime Agency (NCA).
But Anderson has concerns around the longevity of this organisation too: “Is the NCA going to be useful or will it last only a couple of years, go off on a wild goose chase and be abolished?” asks Anderson.
The Cabinet Office, the department in charge of cyber security, claims all the disparate bodies it employs in its cyber efforts are necessary.
“Cyber security is an issue that cannot be effectively tackled by one large department. The threat is such that a multi-agency, holistic approach is required, drawing on the expertise of the intelligence agencies, law enforcement, wider domestic policy departments and the private sector,” said a Cabinet Office spokesperson.
However, Anderson warns that the system cannot cope with the modern cyber criminal. “Our mechanisms for international police co-operation were basically designed for the likes of Dr Crippen - one high profile individual villain.
“But if you’ve got a bunch of anonymous people just making a few hundred pounds at a time, and if they’re doing it across international boundaries using technology that most policemen don’t understand, then the current system can’t cope with that.”
Anderson predicts that the problem will worsen if the system is not fixed.
“There’s going to be a rising tide of fraud and scams that will undermine public confidence in electronic commerce. This will make it harder for governments to deliver services online, and they can forget about the Silicon Roundabout if the UK becomes a bad place for online business.”
The government will release its new cyber security strategy later this month.