
Best form of defence: Is the Government's cyber strategy on the right track?

The government recently published its cyber security strategy for the next five years, but does the ambitious plan focus on the real threats?

In 2014, the UK government signalled its determination to make the country the safest place to do business online anywhere in the world. The centrepiece of that effort is the second iteration of its plan to combat cyber crime, the National Cyber Security Strategy 2016-21.

Philip Hammond, chancellor at the time of the strategy’s publication, committed £1.9bn over its lifespan in order to ‘defend systems and infrastructure, deterring our adversaries, and developing a whole-society capability – from the biggest companies to the individual citizen’. The opening pages of the strategy promise that by 2021 the UK will be ‘secure and resilient to cyber threats, prosperous and confident in the digital world’.

Over its 80 pages, the strategy lays out in detail the threats facing government, businesses and individuals, as well as how the government proposes to combat them. And it’s clear the problem is not going away.

According to the 2016 Government Cyber Health Check and Cyber Security Breaches Survey, “Last year, the average cost of breaches to large businesses that had them was £36,500. For small firms the average cost of breaches was £3,100. 65% of large organisations reported they had suffered an information security breach in the past year, and 25% of these experienced a breach at least once a month. Nearly seven out of ten attacks involved viruses, spyware or malware that might have been prevented using the Government’s Cyber Essentials scheme.”

Teething troubles

Two years into the project, it’s clear that while some progress has been made, the threat from cyber criminals remains real. For Alan Calder, founder and executive chairman of IT Governance, while the new strategy does build on the progress made between 2011 and 2016, there is little in it that’s new.

“The five controls that it focuses on right now are good, and exactly what they should be: by highlighting access control; boundary firewalls and Internet gateways; malware protection; patch management and secure configuration, the strategy is focusing on the right areas,” he says.

“However, a close read shows it was more of the same, albeit with a bit more focus on the role of the National Cyber Security Centre (NCSC), and greater emphasis on cyber partnerships; but it should be said that the government commitment of cash is small overall.”

According to the strategy, the ‘NCSC provides a unique opportunity to build effective cyber security partnerships between government, industry and the public to ensure that the UK is safer online’.

Under the new plan, the centre will provide cyber incident response and be the UK’s authoritative voice on cyber security. ‘For the first time, key sectors will be able to engage directly with NCSC staff to get the best possible advice and support on securing networks and systems from cyber threats’.

Muddled thinking

However, in its desire to raise the general levels of awareness, engagement and action among UK firms in response to the cyber threat, Calder believes the strategy is in danger of overcooking things.

“The government, in its enthusiasm for the idea, has encouraged lots of accreditation bodies to set up their own certification schemes,” he says. “But that means you get schemes of different levels of quality across the UK, and that’s not so good. I understand the government desire not to be seen to be favouring anyone, but that’s why the UK Accreditation Service (UKAS) exists – to make sure it’s done consistently. But they don’t use UKAS for the scheme and that’s a pity.”

So where are the key gaps? “I think the main thing they could do in terms of what to add to the accreditation scheme is demanding evidence of staff training.”

In Calder’s view, the essence of good cyber security lies with people and behaviour. For most businesses, he argues, how staff behave determines whether an organisation is vulnerable to a breach. “Such a high percentage of breaches happen because people click on a link they shouldn’t click on, or send email they shouldn’t send, or fail to encrypt data. It’s not expensive to encrypt things these days,” he says.

“There’s no technological silver bullet – it comes down to good hygiene, and solid procedures,” agrees Paul Vlissidis, Technical Director and Senior Advisor at cyber security consultancy NCC Group.

“Most companies have been targeted at some time, but new businesses are especially vulnerable,” he says. “It requires boldness and confidence to do a scam and it does happen. We have to make sure there are systems in place.”

Thinking fast and slow

“Digital security isn’t how much people think of as life,” Calder says, pointing out that cultural change is just as important to defending against nefarious actors. “They’ve become used, over the last few decades, to the idea that you probably need to lock the door when you leave the house, but they simply haven’t got used to the idea that if someone sends you a really interesting email you probably should think twice about clicking on a link.”

However, it’s fair to say that the latest CS strategy does try to take this into account. In terms of supporting businesses to improve their internal processes, the government says it aims to work through organisations such as insurers, regulators and investors which can exert influence over companies to ensure they manage cyber risk.

“In doing so, we will highlight the clear business benefits and the pricing of cyber risk by market influencers,” the strategy states. “We will seek to understand better why many organisations still fail to protect themselves adequately and then work in partnership with organisations such as professional standards bodies, to move beyond raising awareness to persuade companies to take action. We will also make sure we have the right regulatory framework in place to manage those cyber risks the market fails to address. As part of this, we will seek to use levers, such as the GDPR, to drive up standards of cyber security and protect citizens.”

Hearts and minds

So, is the message getting through, and are companies taking seriously the guidelines and provisions laid out in the government strategy? “It’s becoming more familiar, but it’s not really that way in most people’s private life, so it’s not going to translate easily to the workplace,” says Calder.

“We do see, even in organisations that are trying really hard on this, instances where staff will still click on the wrong link. We do a phishing test and we send them a fake email and when they click on the link we can tell. And we quite often see senior managers – even senior IT managers – clicking on the link. These are the people that commissioned the test!”

Many in the cyber security community agree that government should be driving much broader awareness of basic risks. In Calder’s view, the only way to do that is to make it part of a certification standard. That means companies cannot simply rely on people remembering; they have to go out of their way to teach staff, test them, and improve on the results.

Vlissidis agrees that there are limits on what a government-led cyber strategy can do to ensure business leaders change behaviour across their organisations. “Most cyber crime relies on social engineering, and they’ll often hit you with correct information – your name, or address, job title – that’s a good way to put people off their guard. The truth is they could have got that from a data breach, or just by googling stuff. Most of us in our professional lives have info out there.”

Tangled up in red tape

However, it’s fair to say that the Centre’s role in addressing the ever-changing threat is somewhat hampered by the same curses that often slow down well-intentioned initiatives: bureaucratic inertia and inter-office squabbling.

As the public-facing side of the UK’s principal spying arm, GCHQ, the NCSC serves two masters: the public (and indeed the IT community tasked with implementing NCSC guidelines) and the government, more specifically the top secret levels of government focused on espionage and secrecy.

As a recent Wired op-ed put it, “Security professionals such as those at the NCSC believe strongly in their work combating threats to the safety of the network, so the practice of hoarding zero-day vulnerabilities would be troubling to them.

Within intelligence agencies such as GCHQ, it can be difficult to raise concerns internally, increasing the potential security threat from insiders. If an employee’s legitimate worries aren’t being heard, it could lead to whistle-blowing – with a disastrous impact on national security.”

Ultimately, the success of the strategy will be judged on two key criteria: whether UK organisations continue to thrive in the digital sphere, developing new products and opening up new markets via online and cyber channels; and whether the measures put in place successfully prevent a repeat of major breaches like the WannaCry attack in May 2017, which saw the NHS across the UK targeted.

So what does success look like? For the government, there are three main metrics:

  • a higher proportion of incidents are reported to the authorities, leading to a better understanding of the size and scale of the threat;
  • cyber incidents are managed more effectively, efficiently and comprehensively, as a result of the creation of the NCSC as a centralised incident reporting and response mechanism; and
  • we will address the root causes of attacks at a national level, reducing the occurrence of repeated exploitation across multiple victims and sectors.

Whether the strategy will succeed in achieving all this remains to be seen. But it’s clear that there is a determination to try, and to put the UK at the leading edge of cyber security.
