H4cked Off: Why austerity shouldn't apply to cyber security

Stuart Sumner explains why failing to properly invest in cyber security isn't an economy, it's a gamble

The £650m over four years that the government allocated to cyber security in 2010 was recently branded "embarrassing" by Bob Ayres, a former intelligence officer at the US Department of Defense, in an interview with Computing, and yesterday a swathe of experts at Infosec told me that it is nowhere near enough.

Prime Minister David Cameron and Foreign Secretary William Hague have been keen to trumpet their investment to the press whenever possible, but it's hard to find anyone with an in-depth understanding of the situation who finds the figure even remotely palatable.

Adrian Price, head of information security at the Ministry of Defence, is charged with protecting the data crown jewels - the information which, if lost, could in his words "cause military operations to fail, involve wholesale loss of life and potentially bring down the government". He also feels that the UK's spending on cyber security is woefully inadequate.

"The rule of thumb tends to be that a minimum of 20 per cent of gross turnover should be spent on protecting information and assets, so £650m is not enough," he said.

"It's not enough; it works out as roughly £10 per person," added Arnie Bates, head of information security at Scotia Gas Networks.

So has the government failed to ask the experts how much money is really needed? Has it asked them, and subsequently ignored their recommendations? Or did it just settle on the lowest figure it thought would look acceptable?

Charlie McMurdie, head of the Metropolitan Police's Central e-Crime Unit, explained that she is able to demonstrate a return on any investment in her team, with funds invested resulting directly in foiled attacks.

"If I put £100,000 worth of police resources on an attack, it'll prevent £20-30m being lost from the economy," she stated. However, she too lacks the required funds.

"I wish I had three or four times the capability I have," she said. "If I got another £5m, I could hire the right people to provide the capability [I need]. We need to invest far more, and commit to upskilling law enforcement more."

McMurdie's plea for an additional £5m is thrown into stark contrast by US cyber budgets. The US will spend £2.5bn on cyber security this year alone, and will raise this to £3.1bn next year. Scott Cruise, legal attaché from the FBI to the US Embassy in London, emphasised that his organisation is rapidly directing its focus to cyber crime.

"Cyber crime is fast emerging as the next threat on the horizon to eventually surpass terrorism. We're now calling it a national security threat. The FBI is going through tremendous changes now as far as we look at cyber security, hiring computer experts, training agents to be more equipped to deal with these cases, and reducing national vulnerabilities to cyber attacks."

In the government's defence, journalist and broadcaster Misha Glenny pointed out that in this time of austerity, we should be thankful for anything at all, even a token sum. Without doubt this is a bad time to start making demands on a budget stretched thin to the point of transparency, but let's take a look at some figures to see how they stack up.

The first is the £27bn David Cameron has repeatedly claimed cyber crime costs the UK every year. Whilst this figure has been widely derided as being plucked straight from a Whitehall flunky's floppy-haired imagination, there's an immediate disparity between the putative cost to the economy, and the amount the government sets aside to mitigate it.

Now for the real stat attack.

The government is set to rake in £612bn this year, from a wide variety of sources including £155bn from income tax, and £39bn from corporation tax - probably the two figures most threatened by cyber crime. So even in purely selfish terms the government should be investing more, to protect its own income if nothing else.

This year the defence budget is £40bn, placing the UK fourth in the global league table of war spending (behind the US, China and France). Not bad for a small, increasingly globally irrelevant island off the coast of mainland Europe. Or actually, quite bad, depending on your perspective. The figure would have been smaller, but the Ministry of Defence was allowed to roll over an underspend of £1.6bn from last year.

Perhaps more money for cyber security could have come out of this pot, especially given the underspend? After all, our national security is increasingly threatened by the malevolent cyber activities of state-sponsored groups, rather than, say, physical invasion by a foreign power.

And it's politically divisive, but I'd argue that our interests would be better served by an increased cyber budget than by, say, nuclear defence programme Trident - the scrapping of which was a major part of the Liberal Democrats' election manifesto/prize-winning work of fiction.

Or there's the £31bn that will be spent on public order and safety. I don't highlight this as a figure especially high in fat and thus ripe for trimming - the police are experiencing heavy cuts and can ill-afford more - but rather that public order and safety are both threatened by criminal activity on the internet.

Let's change tack. Rather than attempting to siphon funds from already emaciated budgets, let's have a look at other forms of government spending. Like HS2.

Whereas other countries like Spain, France, Germany, Japan and a disappointingly high number of others already have national high-speed train services, and have done for several decades, sleepy old England is only just now noticing the trend, and seeking ways to produce the minimum possible benefit for the maximum cost. Or so it seems.

Ignoring the broader plan to provide a fast transport backbone to the entire country, let's just take a look at the first phase, which aims to provide a 120-mile high-speed track from London to Birmingham. The result, it's hoped, will cut the standard journey time from one hour and 24 minutes, to just 49 minutes. So you'll enjoy an extra 35 minutes in your day unless, like millions of us, you don't regularly travel between London and Birmingham.

That's going to cost the public purse between £15.8bn and £17.4bn.

Leaving aside environmental concerns, fears of further congestion in an already consumptively podgy London, and worries that jobs and investment will be dragged away from the Midlands - the figures don't seem to add up.

As a nation we're prepared to spend around £17bn (and that's assuming this project will buck the trend and not go vastly over-budget) to get to Birmingham slightly faster, and £650m to defend against something that (allegedly) costs us £27bn EVERY YEAR.

William Hague repeatedly identifies the UK as a global leader in cyber security. He said it at his London Conference on Cyberspace in 2011, he repeated it in 2012 at the Budapest Conference on Cyberspace, then said it again that year at his party's conference in Brighton.

I salute his ambition. I applaud the rhetoric. I just doubt his sincerity.

The Budget has come and gone this year, but next year the four-year period of the initial investment in cyber security comes to an end. It's time for Cameron and Hague to put their money where their mouths are, and make a show of intent.

The next investment in cyber security should be measured in billions, not fractions thereof. This sum will pay itself back many times over, as funds are prevented from flowing out of the economy due to crime, and organisations increasingly view the UK as one of the safest places in the world to do business.

Failing to properly invest in our nation's cyber security isn't an economy, it's a gamble. Cameron, Hague and Osborne, take note.