UK cyber security - fragmented and failing

Has the government turned the tide on criticism of its strategy, or does it still have work to do to shore up national security?

The UK's cyber security strategy was set out to protect national interests by building a trusted and resilient digital environment. But the strategy has been criticised since its inception for being "inadequate" and moving at a "glacial pace".

This is despite the government announcing plans to invest £650m in the programme over a four-year period from 2010. So just how well placed is the UK to accomplish its cyber security goals?

A key criticism came from former GCHQ and CESG head Nick Hopkinson, who told Computing that the UK lagged behind the US, France and Germany in its ability to respond to cyber-attacks because of a "lack of cohesion" between the various organisations set up to work towards the strategy.

This is a view shared by former US cyber intelligence officer for the US Army and the Defence Intelligence Agency (DIA) Bob Ayers.

"The most fundamental problem is that there is no one either accountable or responsible for the implementation of the programme. In many ways, the UK cyber programme is like the EU, a collective of independent entities more concerned with their individual departmental interests rather than those of the nation as a whole," he told Computing.

Mark Brown, director of information security at professional services firm Ernst & Young, agreed with Ayers that there is no clear direction from the government as to what the cyber responsibilities of the different departments are.

"It is a question that the private and public sector are looking for an answer to, and until it is answered there will always be the question of who is responsible for assisting UK businesses within UK plc on managing cyber risks," he said.

However, head of cyber security at consulting firm BAE Systems Detica Dave Garfield believes it is inevitable that the UK's strategy lacks cohesion because it is going through a process of implementation. He states that the strategy has a clear set of goals and details how to address them.

"I don't think [the strategy] is that bad, I think there is a subtlety when things go from strategy to implementation; there is a transition period and things aren't as unified as they used to be. When you reflect on how well the UK as a whole is progressing against its strategy and compare this to other nations, we are in a good place. It has put us in a level of maturity as a country and is something to be proud of," he said.

To illustrate his point, Garfield referred to the Cyber Power Index from consulting firm Booz Allen Hamilton, which benchmarks the ability of G20 countries to withstand cyber attacks and deploy the appropriate infrastructure for a productive economy. The UK is placed first on the list, followed by the US, Australia and Germany.

But Ayers, now commercial director at security software provider Glasswall Solutions, refuted these claims, stating that the UK is far behind the US in its cyber security plans.

"In many ways, the UK is at a point where the US was in 1995 with regard to cyber programmes. Many elements of a strategy are still absent in the UK including 'professionalisation' of cyber security personnel, revised legislative and regulatory controls that are applicable to cyberspace and links into the academic world to increase the output of personnel suitable for working in a national cyber programme," he said.

But although different countries may be at different levels in dealing with cyber threats, Ernst & Young's Brown believes that all countries are far behind the cyber criminals who are launching attacks.

He believes that all countries are playing catch-up.

"This is because the moment legislators catch up with the criminal organisation in one country, the criminal fraternity moves to another jurisdiction," he explains.

Earlier this month, foreign secretary William Hague helped to set up a cyber security co-operation pact between India and the UK. A similar pact has been made with the US, while in October the UK began talks with China and Russia to create a "cyber emergency hotline".

Brown states that until information security can be viewed from a global perspective, as opposed to from a national jurisdictional perspective, the world will always be playing catch-up with criminals.

"Will we ever have a day where all countries are working together for a single constant aim of protecting information security?" he questioned.

The problem, according to the Intelligence Security Committee, is that the government does not understand the nature and extent of cyber-attacks from Russia and China, which are focused on espionage and the acquisition of information.

This is compounded by the view from RSA chief Art Coviello that criminals and nation states are working together to launch cyber-attacks, suggesting that even if countries work together, nations are still some distance from being able to trust one another.