
New cyber strategy

by Mark Rowe

The Chancellor of the Exchequer Philip Hammond on November 1 formally launched the Government’s new National Cyber Security Strategy. Among other things it’s encouraging industry to ‘up its game’ to prevent damaging cyber-attacks.

Philip Hammond said: “Britain is already an acknowledged global leader in cyber security thanks to our investment of over £860m in the last Parliament, but we must now keep up with the scale and pace of the threats we face. Our new strategy, underpinned by £1.9 billion of support over five years and excellent partnerships with industry and academia, will allow us to take even greater steps to defend ourselves in cyberspace and to strike back when we are attacked.”

Likewise Ben Gummer, Minister for the Cabinet Office & Paymaster General, said that the UK can be proud that it leads the world in cyber security. He said: “No longer the stuff of spy thrillers and action movies, cyber-attacks are a reality and they are happening now. Our adversaries are varied – organised criminal groups, ‘hacktivists’, untrained teenagers and foreign states. The first duty of the government is to keep the nation safe. Any modern state cannot remain secure and prosperous without securing itself in cyberspace. That is why we are taking the decisive action needed to protect our country, our economy and our citizens.”

The Government can point to success in its own field; for example, phishing sites impersonating the government’s own departments would previously have stayed active for two days – now it is less than five hours. Philip Hammond also pointed to the government’s recent success in reducing the ability of attackers to spoof @gov.uk emails to trick people into replying with information. The spoofing of [email protected] has gone from 50,000 per day to effectively zero in the past six weeks, Philip Hammond said. For his speech launching the strategy at The Future Decoded (Microsoft) conference, at ExCeL London, visit https://www.gov.uk/government/speeches/chancellor-speech-launching-the-national-cyber-security-strategy.

More in the December 2016 print issue of Professional Security magazine.

The five-year strategy (to 2021) also covers Critical National Infrastructure, defined as sectors like energy and transport; ‘taking the fight to those who threaten Britain in cyber-space’; cyber security teaching in schools, cyber apprentices, and retraining schemes; and a new ‘cyber security research institute’ – a virtual collection of UK universities which will look to improve the security of smart phones, tablets and laptops. For the 84-page strategy in detail, visit https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021.

Comments

Matt Horan, director of C3IA Solutions in Poole, Dorset, said: “This announcement confirms that the government is committed to hunting down cyber criminals, whatever their motive. It has set up the National Cyber Security Centre – which is business-facing – and understands the new threats that all companies and parts of the state are facing.

“It is a growing problem, but with most cyber attacks it is because someone presses the wrong button or reacts to a phishing-type email. In about 70 per cent of cases staff are the weak point because they don’t necessarily understand the risks and the threats.

“We provide awareness training for companies and so often we’re brought in following an attack – not before it. SMEs are especially vulnerable because they think that becoming cyber secure might be costly. But it’s nothing compared with the cost of a successful cyber attack to the business.

“It is about risk management and something that all businesses should be considering. After a decade working mainly for government agencies we are dealing with more and more commercial clients and offer a comprehensive cyber service.”

The trade association the British Retail Consortium (BRC) welcomed the strategy. Hugo Rosemont, Crime and Security Policy Adviser at the BRC said: “Strong public-private cooperation is an essential ingredient of an effective approach to cyber security, and the emphasis the new strategy places on partnership with industry is very encouraging. Following hot on the heels of the recent launch of the NCSC, the strategy is an effective framework that can help to strengthen the UK’s digital resilience. The British population is one of the world’s biggest users of e-commerce and the retail industry is encouraged by the steps the Government is taking to work with industry, and make sure the UK is one of the safest places to do business online.”

Nick Matthews, Managing Director in corporate finance advice firm Duff & Phelps’ Disputes and Investigations practice, described the announced 50-strong boost to the National Cyber Crime Unit, part of the National Crime Agency, as laudable. “However, there is no substitute for businesses taking steps to protect themselves or at least be ready to respond to a cyber incident. Complete protection from cyber risk, however, is impossible for a business to achieve and any framework of controls must be risk-based and proportionate if it is not to impact unduly the ability to do business.”

Managing Director of security systems installation company Axial Systems, Mike Simmonds, said: “£1.9B sounds like a lot of money when said in the context of a programme to improve cyber-defence, and I hope that as well as delivering the necessary technical “bridges and moats” in the country’s security-sensitive infrastructure, a suitable proportion of it will be employed to educate those who currently fall foul of the low-level and somewhat unsophisticated “scatter-gun” scam emails and other mechanisms used to poison users and companies alike so that the human element is addressed, as well as the technical symptoms.

“There is a great deal that technology can do as a partial-solution to these ills, by reinforcing network perimeters/cores and ensuring user connections are as secure as possible. But, when the innocent-looking invoice appears in front of the untrained office junior as an incoming urgent email and a simple double-click on the “invoice copy” deploys its payload, the case for education, education, education becomes paramount. Security is not a destination, it’s a state of mind.”

Dave Larson, COO and CTO at Corero Network Security, said: “The ever increasing and evolving cyber threat landscape has become dinner table conversation as of late, these events are becoming increasingly common, and proactive, automated solutions must take centre stage in defeating the threat. The modern Nation cannot sit back and hope that the next cyber-attack won’t impact critical infrastructure or take down major online institutions.

“These initiatives must be paired with consumer education in understanding the threats that exist and how to avoid becoming an unintentional pawn in cyber warfare. Additionally, when you think about attacks on the Internet of Things escalating from consumer devices to businesses, enterprises, government agencies, utilities and more – you realise it is time to more aggressively secure every endpoint so entire networks including cloud services don’t collapse and leave us vulnerable to other forms of terrorism.”

And Lars Lunde Birkeland, Head of Communication at Promon, an anti-malware product firm, said: “It is encouraging to see the UK government recognise just how crucial a national cybersecurity strategy is. But where it falls short is in its commitment to securing the mobile channel: this is an area where cyber-criminals are becoming increasingly savvy, yet the government’s provision is focusing largely on research, rather than implementing rapid yet effective solutions.

“Mobile devices have become ubiquitous, so naturally hackers are seeing them as a key medium through which to conduct their criminal activities. For this reason, neglecting to focus heavily on mobile cybersecurity at the governmental level could pose serious problems for both the government and businesses in the not-too-distant future. Mobile cyber crime is happening right now, so implementing effective defences should be an immediate priority. Research can go a long way towards helping define the future of mobile cybersecurity, but action needs to be taken now if the government and UK businesses want to stay ahead in what is becoming an increasingly high-stakes game.”
