UK cyber security is inadequate, says security committee
Intelligence Security Committee calls for better security education and CESG funding
The National Cyber Security Programme (NCSP) needs more work if the UK is to protect itself from cyber attacks, according to a report published today by policy examining body the Intelligence Security Committee (ISC).
The NCSP was announced as part of the Strategic Defence and Security Review in October 2010, with the government committing £650m to cyber security over a four-year period.
In its annual report, which was laid before parliament today by the Prime Minister, the committee said that although there had been progress in improving cyber security since the NCSP was established, it had still not met recommendations that the committee had set out in its 2010-2011 report.
The report did praise the government's efforts to raise the profile and awareness of cyber security, citing its London Conference on Cyberspace in November 2011 as an example, and to clarify ministerial responsibility and accountability for cyber security.
The government has transferred the responsibility from the Home Office to the Cabinet Office, and while the committee said it believed this made the situation "much clearer than it was previously", it remained concerned as to whether there was still potential for confusion.
In his response to the committee, Foreign Secretary William Hague said: "I don't think there is any confusion. There are a number of ministers with responsibilities in this area, but there needs to be because it does go across government to such an extent. I think the responsibility for cyber security has to be at a central point, so it is right that Francis Maude has the responsibilities that he has.
"That's not inconsistent with my oversight of GCHQ. But I think cyber security needs pulling together across all the departments. We have a very useful ministerial coordinating group on cyber security which I chair, including ministers from the Home Office, DCMS and so on."
One of the main recommendations in the report is that the NCSP should focus more on cyber security education.
The chairman of the ISC, Sir Malcolm Rifkind, said: "In terms of defensive cyber capabilities, it is clear that the provision of security advice and education to government, business and individual computer users will generate the greatest improvement to our collective cyber security. Although the Communications Electronic Security Group (CESG) and the Centre for the Protection of National Infrastructure (CPNI), among others, continue to provide an invaluable service in this regard, we believe education and basic security measures should be given greater priority.
"We note that GCHQ and the other agencies have had some success developing cyber capabilities. However, the Committee is concerned at the lack of progress over 18 months into the National Cyber Security Programme: more needs to be done if we are to keep ahead in this fast-paced field," he said.
Another recommendation is for a more effective funding model for the Communications Electronic Security Group (CESG), which has had to be subsidised by GCHQ to the tune of several million pounds a year.
"To a certain extent the problem has been addressed through short-term funding arrangements. However, the importance of CESG's Information Assurance work requires that a long-term funding model must be established," the report reads.
The ISC also said that more work was required to understand the nature and extent of cyber-attacks from Russia and China, which are focused on espionage and the acquisition of information.
It ended by stating that although progress had been made overall, "cyber security is a fast-paced field and delays in developing our capabilities give our enemies the advantage. We are therefore concerned that much of the work to protect UK interests in cyberspace is still at an early stage".