UK Cyber Security Strategy cuts corners and ignores consumers, say critics

Sounds good but needs more money to work
  • John E Dunn (Computerworld UK)
  • — 06 December, 2012 08:14

The Government's Cyber Security Strategy remains too fixated on high-level 'macro' security issues and fails to offer enough new investment in consumer safety, cyber-policing or the need to boost the capacity of university courses, John Colley of security organisation (ISC)2 has argued.

Earlier this week, Cabinet Office minister Francis Maude offered an overview of the first year of the Government's £650 million four-year investment to defend the nation's infrastructure and business from the huge rise in online threats.

While praising initiatives such as the Cyber Security Research Institute, Colley said the expansion of education should have been made a far bigger spending priority.

"The information security workforce will need to double in the next five years," said Colley. "Where are all these people going to come from? If you look at the breakdown, education gets the smallest investment."

The Strategy was heavily influenced by the 'world according to GCHQ', which had too big an input into its content and spending priorities.

As to the challenge of creating a deeper security culture by educating the public and investing in the policing necessary to aid that, the Strategy had little to say. The sums earmarked for policing in particular were far below the scale of the problem, said Colley.

At times Maude's statement sounded like a headmaster delivering a school report, full of aspiration and good intentions but light on defined progress, he added.

"The major focus seems to be on influencing the elite and developing intelligence. It is not enough and is out of step with how the management of society's information security risk must evolve."

Others were critical of the Strategy's half-hearted plan to create a UK Computer Emergency Response Team (CERT) of the sort that already exists in many other countries.

"The creation of a cyber-reserve and a UK Computer Emergency Response Team (CERT) does not go far enough. The level of threat continues to grow at a pace that cannot be met through part time action," commented Ernst & Young's director of information security, Mark Brown.

This resource had to become full time, he argued.

"A reserve force, made up of retired information security professionals, runs the risk of being unable to keep pace with the changing technologies and risk mitigation practices necessary to maintain a strong defence."

There is certainly plenty of heat and light in the Government's Strategy. As well as the national CERT with its Cyber Reserve and the Cyber Security Research Institute, the plan talks up the work of HMRC's Cyber Crime Team, the CISP (cyber-security information sharing partnership) between Government and business and, not forgetting, the much-lauded Police Central e-Crime Unit (PCeU).

Balancing the reservations of some, the Government's plans have also received plenty of support, albeit mostly from vendors in the security elite that will deliver the services as part of lucrative contracts. As ever, security is a business - a big one.

"When we look back in five years' time we will see that the government's strategy has provided a catalyst for a series of innovative and useful activities, particularly around how industry can respond to and protect itself from cyber incidents - most notably the recent Cyber Incident Response Scheme announced by GCHQ," said BAE Systems Detica managing director, Martin Sutherland.

"Nonetheless, there is still a long way to go before we can say that we are successfully countering cyber threats."

Tags: Cabinet Office, security, public sector, GCHQ
