In its ambitious Government Transformation Strategy, published in February 2017, the British Government describes itself as “one of the most digitally advanced in the world”. But, by the Government’s own admission, it still has much to do. The success of the Strategy is predicated to a large degree on the talent it can recruit to make it happen.
Historically, cyber security has often been overlooked in this recruitment drive, but just a glance at the threat landscape should remind public sector managers to ignore cyber at their peril. And the industry skills crisis only adds to the sense of urgency.
Fortunately, there are answers. A renewed focus on teaching digital skills in schools is key, not least because it establishes awareness that the cyber security profession even exists. Cyber safety online must also be core to the curriculum. In the meantime, the government is rightly investing in retraining and education programmes like Cyber Discovery, the Cyber Schools Programme, to provide access to a previously untapped pool of talented individuals.
A world leader
The Government states that the UK has a “world-leading digital economy”. Now, it is trying to mirror the online-fuelled growth of that economy and transform its own internal and externally facing services. The strategy announced by the Government Digital Service (GDS) back in February 2017 aims to use £450m to save £3.5bn by the end of 2020, while continuously improving services for citizens and government workers.
Services will be built more quickly and at a lower cost, designed with the citizen front-and-centre, and continuously improved based on data and evidence. It’s all about meeting the expectations of an increasingly tech-savvy populace, who are used to innovative services outside the Government sphere, whilst improving trust between citizens, businesses and the state. Crucially, the Government admits in its headline vision statement that it must “build secure systems by default, ensuring that we create protection against cyber crime through every stage of our digital transformation.”
Security supports transformation
Secure online services can only be effective if security is baked in from the start. It’s what GDPR recommends, it’s what the new NIS Directive recommends, and it’s agreed as best practice across industry. As our lives become increasingly digital and played out online, systems, citizen data and highly sensitive IP are exposed to greater risk of attack, from attackers who can act with impunity from behind the anonymising shield of the internet. They only need to get lucky once to succeed, whereas we need to be on top of our game at all times to minimise risk. It’s a tough ask, but it’s not impossible.
Cyber-threats are everywhere for Government: from nation state operatives to financially motivated cyber criminals, and hacktivist groups. The threats are far from theoretical. The National Cyber Security Centre (NCSC) claimed recently that since launching in October 2016, it has responded to more than 800 “significant” incidents, including 34 that required a cross-governmental response. Late last year, NCSC CEO, Ciaran Martin, warned of Russian attacks aimed at critical infrastructure. The ante has been upped further in recent weeks with yet more warnings.
Parliament has even suffered at the hands of hackers. A “sustained” attack in June 2017 blamed on Iran resulted in the compromise of a handful of parliamentary email accounts. The attackers tried to crack 9,000 accounts, potentially in a bid to get a deeper foothold inside systems. In 2016, several government websites and services were taken offline for several hours by a massive DDoS attack against DNS provider Dyn. That’s not to mention the infamous WannaCry attack, which forced the cancellation of an estimated 19,000 NHS operations and appointments. Additionally, research suggests that over a quarter (27%) of UK councils have been affected by ransomware.
While the external threat is greater, there are also threats from within — where risk is often harder to mitigate. Data breach incidents reported to privacy watchdog the Information Commissioner’s Office (ICO) in October-December 2017 increased 178%. Preventable incidents including failure to redact data and sending data by email to the wrong recipient dominated the list.
Aside from the 5.4m employees working for central and local government, the public sector is also saddled with a large and growing supply chain of partners and contractors, introducing more risk at every turn. Each new supplier comes with more employees that could be phished or accidentally leak data. It should be remembered that the hugely damaging breach of 22 million federal employees’ details at the US Office of Personnel Management (OPM) came about as a result of a breached contractor.
Time to skill up
It’s therefore absolutely vital that the Government’s digital transformation drive also includes cyber security at every stage, and this starts with ensuring skilled industry professionals are on board. There’s just one problem: the cyber security sector is suffering a global skills shortage which is rapidly turning into a crisis. The worldwide workforce is heading for a shortfall of 1.8m cyber security workers by 2022, with the UK rapidly approaching its own skills “cliff edge” as older practitioners retire without new entrants to take their place.
This can leave current teams stretched and provides some serious recruitment headaches, especially for public sector employers that may not have the funds to attract the brightest and best. In the long term, the answer is to get more kids interested in related subjects. That’s why SANS is part of a group working with the Government to deliver the Cyber Schools Programme, which uses gamification techniques to develop skills and identify those with natural talent. These efforts will take several years to show results but it’s critical that we start to enthuse and train the cyber defenders of the future, today.
The challenge is exacerbated by the fact that an effective security team requires a wide range of skills across multiple disciplines. Traditional recruitment approaches may also fail in this sector, because highly competent individuals often don’t fit the standard hiring profile. You need to first correctly identify what you need and then find the right talent pool. This also proves to be a moving target: broader technology markets are evolving rapidly, and adoption of new technologies can quickly create requirements for new skills or new types of practitioner.
One opportunity the public sector must take advantage of to reduce skills gaps and support transformation initiatives is retraining. SANS has run several retraining academies independently and, in 2017, teamed up with the Department for Digital, Culture, Media and Sport to deliver the Cyber Retraining Academy — testing and then selecting those with the greatest aptitude for cyber-skills for an eight-week intensive training programme. Over two-thirds of the academy graduates — who hailed from a wide range of professional backgrounds — are already in new cybersecurity roles. Our experience has shown us that it’s not all about having hard-core techie skills: the ability to work in a team and business skills are also extremely important to a successful career in cyber.
Successful public sector digital transformation requires committed, talented staff. To overcome cyber-skills shortfalls, it may require us to think outside the box — but then again, the most effective cyber security professionals rarely fit the ‘profile’.
James Lyne is Head of R&D at the SANS Institute