Threats to cyber security are growing rapidly and UK Government faces ‘a real struggle’ to find enough staff with the skills to fight them, says the Public Accounts Committee in a report, ‘Protecting information across government‘.
The Cabinet Office’s role in protecting information remains unclear within central government, and there appears to be no coordination across the wider public sector, the MPs say. They complain of poor reporting of low-level breaches in government, such as letters containing personal details being addressed to the wrong person; besides well documented data security breaches at Tesco, Northern Lincolnshire and Goole NHS Trust, Sage, and TalkTalk. The committee urges UK Government to establish a clear approach for protecting information across the public sector; as what it terms an ‘alphabet soup’ of agencies protect Britain in cyberspace.
London Labour MP Meg Hillier, chair of the committee, said: “Government has a vital role to play in cyber security across society but it needs to raise its game. Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks.
“The threat of cyber crime is ever-growing yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure. In this context it should concern us all that the Government is struggling to ensure its security profession has the skills it needs.
“Leadership from the centre is inadequate and, while the National Cyber Security Centre has the potential to address this, practical aspects of its role must be clarified quickly. Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support.”
Comments
Phil Wood, Head of the School of Management and Professional Studies at Buckinghamshire New University said: “Millions of IT users who either work for small and medium enterprises, or for themselves, or even those who just use their smart phones as mobile computers, are the soft underbelly of our cyber protection.
We need a joined-up approach that is not just about business but also about the wider public understanding the possible repercussions of their own interactions and sharing of information.
“The cyber threat exposes us all to the types of risks outlined by the Commons Public Accounts Committee. We need a much more inclusive approach to the development of cyber awareness and protection.
“Whilst there are many educational and training programmes available for those who are dedicated to the cyber profession there is much less general awareness raising for the rest of us.
“Whilst the traditional methods of warfare will always be options for the implementation of foreign policy, the use of information and cyberattacks to destabilise democratic processes and underpinning our infrastructure is known to be effective-and will be increasingly used in what is termed ‘hybrid warfare’.
“Whilst soldiers, ships and aircraft may not be used, the effects of disabling or removing large elements of national infrastructure such as power generation and control systems can be achieved more quickly and at less expense using cyber attacks.
“Alongside this, what seems to be an increasingly evident use of misinformation to destabilise and undermine democratic processes is clearly an attractive option; as Sir Michael Fallon terms it: ‘weaponising misinformation’.
“Our approach at Bucks New University is to design and develop a range of programmes and school linkages through our Cyber Resilience Centre, based at University Campus Aylesbury Vale. There we aim to be able to put together everything from very, very straightforward and simple information and data management courses to much more technical specialist training and development.
“We are working on degree apprenticeships to ensure that cyber capabilities can be embedded within organisations, using dedicated cyber specialist employees, and we are also able to provide high-level professional development and awareness for executive and board members to help them to understand the depth and range not only of the technical issues, but also of the more traditional information security issues that face us all.”
Alex Mathews, Lead Security Evangelist at Positive Technologies, said “To encourage cybersecurity skills requires a cultural shift on behalf of the organisation trying to attract and foster talent. For this to happen, non- traditional values such as technical creativity and curiosity need to be given the necessary oxygen to flourish. Creating a research environment that encourages intelligent people to think in original ways with freedom, as opposed to operating within tightly defined parameters, is vital.”
Gavin Millard, EMEA Technical Director of Tenable Network Security, said: “As any organisation that has tried to hire cyber security professionals knows, the demand for skilled staff is far greater than the restricted pool of candidates. Significant steps have been made in recent years with universities bringing on new courses to educate the next generation of cyber warriors, but more still needs to be done to encourage young minds to turn to cyber security.
“With wages being driven up by demand, and greater visibility in the media of cyber security concerns, the amount of people entering the market is increasing but the Government and Department of Education should consider adding more focus on STEM (Science, Technology, Engineering and Maths) in the curriculum to help close the gap. To compound the issue for the government trying to protect our cyber shores, candidates are often chasing higher wages and the chance of earning large bonuses from a share in the private sector, versus a predictable, albeit generally lower wage and better long term benefits in the public sector.”
Peter Carlisle, VP EMEA at Thales e-Security says: “The UK’s chronic cyber skills crisis presents significant challenges for both government and for businesses when it comes to resourcing tech talent to tackle the rising tide of attacks. That’s why it’s vital that the public sector works closely with industry through organisations such as the National Cyber Security Centre to develop stronger processes around data security and ensure the next generation are properly trained with the necessary cyber skills.
“Initiatives like GCHQ’s CyberFirst programme are already offering hundreds of talented graduates support through bursaries, placements and employment opportunities which are critical for building a pipeline of the UK’s next cyber security leaders. Alongside this important skills drive, industry and public sector collaboration is key to safeguarding companies, critical national infrastructure and citizens from increasingly sophisticated cyber threats.”
And Stuart Clarke, Chief Technology officer of Cyber Security, Nuix, says: “Cyber-attacks are, and have been for some time a significant threat. These attacks come from within and from external sources. Prevention and detection of cyber-attacks requires a coordinated effort and while many technology solutions exist, a lack of skills in the industry means businesses are in danger of creating a security Frankenstein. More effort is required around education and awareness and also ensuring technology is blended with robust policies and procedures that users can understand and align with. A unified effort will help us to better understand and identify abnormal activities and therefore be better prepared to prevent incidents before they occur.”
