Expert says UK government is too preoccupied with launching cyber attacks

Cambridge professor says only 10 per cent of UK's cyber security war chest is devoted to defence

A security expert has claimed that the UK is devoting most of its cyber crime fighting efforts to cyber attack, leaving limited resources for defence.

Speaking exclusively to Computing, Ross Anderson, professor of security engineering at the Cambridge University computer laboratory, stated that 90 per cent of the government's recent funding injection into cyber security was going to the UK's offensive capability.

"The spooks - GCHQ [Government Communications Headquarters] - are getting 90 per cent of this new £650m for cyber security [they are responsible for cyber attacks]. The rest, about £65m, is going to the police."

Anderson blamed the imbalance on the fact that the UK's cyber defence capabilities are organisationally placed within GCHQ, the body responsible for electronic espionage, or cyber attack.

"Like the US, the UK has unfortunately got the government's offensive and defensive arms linked together.

"CESG [Communications-Electronics Security Group], which is supposedly defending the core functions of government against for example cyber espionage by the Chinese, is a small subsidiary of GCHQ whose job is exploiting those sources abroad.

"This mixed mission is very bad policy, because it means defensive interests are always less important than an offensive approach."

Anderson claimed that GCHQ's security researchers are much more likely to use any security loopholes they discover for attack than defence.

"Suppose you're a scientist at Cheltenham and you come up with a new exploit of Windows. Are you going to tell Microsoft, get it patched and protect 60 million Brits? Or are you going to keep quiet about it so you can exploit 1.2 billion Chinese and 1 billion Indians, for example?"

"Because of the way incentives work within organisations, you always find the offensive mission dominating the defensive mission, even when that is to the detriment of national interests," said Anderson.

He explained that the UK follows the US organisational model.

"In the US, the NSA [National Security Agency] does everything [including attack and defence], which is one of the reasons the UK does it this way.

"The total amount spent on cyber crime in the US by the federal government is only about $100m [£61m]. As in Britain, almost all of the cyber conflict dollars are spent on offence rather than defence.

"Even so, the US law enforcement agencies do most of the heavy lifting in the world. The UK's contribution to the overall fight against cyber crime is very small."

Anderson concluded that, in his view, Germany organises its cyber security better.

"The Germans have got it organised properly in that the defensive arm, the BSI [Federal Office for Information Security] is a separate organisation that reports to the Chancellor through a separate cabinet minister from the BND [German Security Service].

"The right way to handle information, intelligence and security agencies in the modern age is to have the intelligence agency and the security agency running quite separately."