Failings in the way the Cabinet Office established its cyber security programme mean that the UK Government does not know whether it will meet the programme’s goals, and raise questions about its plans to tackle cyber-attacks after 2021. That’s according to a report by the National Audit Office (NAO).
The official auditors say that the Cabinet Office has started preparations for its future approach to cyber security, but risks repeating previous mistakes. It seems unlikely that the Cabinet Office will have decided on its overall approach to cyber security before the 2019 Spending Review, which is expected to determine government funding for the next few years. This increases the risk of the Cabinet Office making the same mistake that it did in 2015, when funding was agreed before it published its Strategy outlining the government’s approach to cyber.
Amyas Morse, head of the NAO, said: “Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services. The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences to meet this growing threat.”
The report says that although Government networks and services already have cyber security features built in from the start, the Government does not believe it will achieve its strategic outcome of making its digital systems as secure as possible against cyber-attacks in the period to 2021; nor that it will have engaged enough with businesses and citizens to ensure they are effectively managing their cyber risks.
To download the 53-page report visit the NAO website.
The programme has completed three years of its five-year life, which started in 2016, and has £648m of planned funding for the two years to 2021. As the auditors say, the Government has broad ambitions: developing cyber skills in the UK, ‘active cyber defence’ and incident management to defend against attacks, and urging the public and private sectors to make their digital systems more secure.
As for developing a cyber security profession within government, the Cabinet Office intends to create a formal profession by April 2019. This, the auditors note, is off-track because staff left the unit responsible when it was transferred from HM Revenue & Customs to the Cabinet Office. Other government departments have charge of parts of the programme: skills and research, for example, belong to the Department for Digital, Culture, Media and Sport; the Foreign Office and Home Office have roles; as does the National Cyber Security Centre (NCSC), part of GCHQ. As for the NCSC, the auditors note that it began in 2016 as a merger of four bodies, to become the UK technical authority on cyber security, and has had an impact, for instance leading the national response to the WannaCry ransomware in May 2017 that hit parts of the NHS.
The NAO did point out ‘inherent tensions between NCSC’s role as an open body providing advice and guidance and its parent body, the Government Communications Headquarters’ (GCHQ) role as a secret intelligence organisation’. Some 600 GCHQ staff transferred to NCSC when it opened and the NCSC has used GCHQ facilities and commercial frameworks; however as the NAO put it, the NCSC has to ‘change behaviours from a secretive to a more open and outward-facing culture’.
Jake Moore, of cyber security company ESET, said: “In 2016, £1.9billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support. If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel. Admittedly, the government set itself some tough goals but they were achievable and it has been largely successful. Britain has been no safe haven for cyber criminals and the NCSC is known across the world as a solid force against cyber criminality. However, cyber security requires a multi layered approach and shouldn’t be left to the NCSC alone. We all need to adapt to this rapidly changing digital space and must remember that cyber security is an investment, not an expense.”
And Israel Barak, chief information security officer at Cybereason, said: “Risks to critical infrastructure such as industrial control systems can be minimised and managed. However, threats against this industry in particular will never be completely eradicated. In the past, the cyber criminals Cybereason has observed attacking networks in this industry would have been stopped with a combination of well-designed ‘defence in depth’ strategies and an active, attentive SOC. When focusing on the criminal element, their capabilities tend to be far more manageable from a defensive standpoint and that is perhaps the biggest takeaway. The larger portion of the threat to critical infrastructure is something that security products and practitioners are good at combating. By paying attention to hygiene and best practices, companies running ICS can greatly reduce their risk despite the threats they face.
“In general, most countries are highly vulnerable to cyber-attacks on critical infrastructure because the systems are generally old, poorly patched and managed, and designed before cyber threats were a significant concern. This means the ability to cause damage is significant, if the attacker knows what they are doing. Power grids are interconnected and thus vulnerable to cascading failures. If an attacker knows which substation to take offline or cause a surge in, they can take down significant portions of the grid without conducting a large number of intrusions. Beyond power generation, there are significant localised effects a hacker can create by going after sewage/water treatment, industrial chemical production, or the transportation system. In general, these systems are also poorly defended and have the largest capacity for real world effects via cyber.”