UK desperately short of skills needed to combat cyber threats
NAO review suggests it could take up to 20 years to build up the necessary expertise
The UK's critical infrastructure is open to cyber-attacks because of a lack of experts able to thwart threats, warns a report by the National Audit Office (NAO).
The NAO, which scrutinises public spending on behalf of parliament, warns in its 'UK cyber security strategy: Landscape review' that "the UK lacks technical skills and that the current pipeline of graduates and practitioners would not meet demand."
The NAO interviewed personnel across government, business and academia to compile the report.
"Those we interviewed from academia considered that it could take up to 20 years to address the skills gap at all levels of education," warns the report. It adds that the government is working to overhaul ICT education in schools in order to gear it towards computer science and programming and "expects cyber security to be a strong strand of the future GCSE computer science syllabus".
The NAO estimates that cyber-crime costs the UK economy between £18bn and £27bn a year. There were 44 million cyber-attacks during 2011, with the NAO suggesting that 80 per cent could have been prevented by simple network "hygiene", such as the use of strong passwords.
Indeed, the report points out that the most common passwords of 2012 were "password", "123456" and "12345678", which cyber-criminals could easily exploit.
"The threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber-attack," said NAO chief Amyas Morse.
"It is good that the government has articulated what success would look like at the end of the programme. It is crucial, in addition, that progress towards that point is in some form capable of being measured and value for money assessed."
The UK Cyber Security Strategy was launched in November 2011 to combat the increasing threat of cyber-crime. Speaking on the anniversary of its launch, Cabinet Office Minister Francis Maude - responsible for overseeing the strategy - said the UK was in a better cyber security position than it had been the year before. Others, however, beg to differ.
"It is hardly surprising that we are deemed unprepared to tackle current cyber security threats - as until recently, there has been a long-standing culture of complacency when it comes to proper cyber defence," said Paul Davis, director of Europe for global network security firm FireEye.
"It is a great step forward to propose greater promotion of science and technology in schools to develop the next generation of cyber security experts, but what happens in the meantime?" he asked.
"Organisations, particularly those with vulnerable intellectual property or critical national infrastructure to defend, must urgently up the ante on security to avoid the potentially devastating consequences of attack."
According to Thurstan Johnston, of software solutions company Faronics, improved general awareness of cyber threats is needed in addition to acquiring more security experts.
"There is not just a skills gap to consider, but also a huge awareness gap that needs to be filled. Many organisations still believe that they are sufficiently protected with just a good security package, which not only indicates blazing ignorance, but also a lazy approach to combating cyber-crime that could have expensive consequences," he said.
"The lack of awareness within organisations is frightening, especially when considering just how much damage attacks can inflict," Johnston added.