UK Cyber Security Strategy cuts corners and ignores consumers, say critics

Sounds good but needs more money to work

The Government's Cyber Security Strategy remains too fixated on high-level 'macro' security issues and fails to offer enough new investment in consumer safety, cyber-policing or the need to boost the capacity of university courses, John Colley of security organisation (ISC)2 has argued.

Earlier this week, Cabinet Office minister Francis Maude offered an overview on the first year of the Government's £650 million four-year investment to defend the nation's infrastructure and business from the huge rise in online threats.

While praising initiatives such as the Cyber Security Research Institute, Colley said the expansion of education should have been made a far bigger spending priority.

"The information security workforce will need to double in the next five years," said Colley. "Where are all these people going to come from? If you look at the breakdown, education gets the smallest investment."

The Strategy was heavily influenced by the 'world according to GCHQ', which had too big an input into its content and spending priorities.

As to the challenge of creating a deeper security culture by educating the public and investing in the policing necessary to aid that, the Strategy had little to say. The sums earmarked for policing in particular were far below the scale of the problem, said Colley.

At times Maude's statement sounded like a headmaster delivering a school report, full of aspiration and good intentions but light on defined progress, he added.

"The major focus seems to be on influencing the elite and developing intelligence. It is not enough and is out of step with how the management of society's information security risk must evolve."

Others were critical of the Strategy's half-hearted plan to create a UK Computer Emergency Response Team (CERT) of the sort that already exists in many other countries.

"The creation of a cyber-reserve and a UK Computer Emergency Response Team (CERT) does not go far enough. The level of threat continues to grow at a pace that cannot be met through part time action," commented Ernst & Young's director of information security, Mark Brown.

This resource had to become full time, he argued.

"A reserve force, made up of retired information security professionals, runs the risk of being unable to keep pace with the changing technologies and risk mitigation practices necessary to maintain a strong defence."

There is certainly plenty of heat and light in the Government's Strategy. As well as the national CERT with its Cyber Reserve and the Cyber Security Research Institute, the plans talk up the work of HMRC's Cyber Crime Team, the CISP (cyber-security information sharing partnership) between Government and business and, not forgetting, the much-lauded Police Central e-Crime Unit (PCeU).

Balancing the reservations of some, the Government's plans have also received plenty of support, albeit mostly from vendors in the security elite that will deliver the services as part of lucrative contracts. As ever, security is a business - a big one.

"When we look back in five years' time we will see that the government's strategy has provided a catalyst for a series of innovative and useful activities, particularly around how industry can respond to and protect itself from cyber incidents - most notably the recent Cyber Incident Response Scheme announced by GCHQ," said BAE Systems Detica managing director, Martin Sutherland.

"Nonetheless, there is still a long way to go before we can say that we are successfully countering cyber threats."
