
Shortly after the publication of the US Cyberspace Policy
Review the government released its own strategy: "The Cyber
Security Strategy of the United Kingdom", writes Crispin
Blunt, shadow minister for home affairs and
counter-terrorism.
Cyber security is a serious priority for the Obama
administration. The cyber security report was one of the first
commissioned by the administration on 9 February. Its findings were
presented personally by the president on 29 May, and the review
itself is an in-depth analysis covering the most prevalent issues
of cyber security.
Having had 12 years to think about it, the same cannot be said
for the government's published strategy. The proffered excuse is
that the disclosure of detailed analysis would expose potential
vulnerabilities to those with malign intent. One would have thought
they could have found a middle ground between compromising national
security and this "Ladybird" version of the US strategy, in which
policy is noticeable for being absent. Minimal or no attention is
given to key areas such as coordination of the new cyber structures
with existing agencies, response to a cyber incident, information
sharing between government and industry and international
action.
The threat is real and growing. It comes from state actors, as
the Estonians and Georgians can testify, having suffered Russian
cyber attack. It could come from terrorist groups who are exploring
the possibilities of crippling critical national infrastructure and
from organised crime and individual hackers. The scale is
breathtaking: the Association of Chief Police Officers estimates
worldwide online fraud at £52bn in 2007. Cyber criminals,
undoubtedly including state actors among them, are estimated to
have stolen intellectual property from businesses worth up to
$1 trillion last year.
The government's response was to announce the creation of a
Cyber Security Operations Centre (CSOC) to monitor trends and
developments within cyber space. There will also be a new unit set
up in the Cabinet Office, The Office of Cyber Security (OCS), to
oversee the implementation of the new Cyber Security Strategy.
Muddle of agencies and mandates
However, there are already 16 different departments and agencies
listed as being involved in cyber security in appendix 2 of the
strategy. If there has been an assessment of the different
mandates, achievements and efficiency of these organisations it
hasn't been made public. It is difficult therefore to see how the
new cyber structures will advance efforts towards a comprehensive
and coordinated response. Instead, the government looks in danger
of presiding over a patchwork muddle of agencies and mandates.
There is no consideration within the strategy of how we would
respond to a cyber attack. No mention can be found of a framework
for response or who would lead it. There is no discussion of issues
such as back-up communications networks for security and emergency
personnel. All of these are given coverage in the US review.
Effective means to resolve the problems faced in sharing
information between government, industry and the research community
are considered at some length in the US review. This includes the
government sharing information with industry and, where possible,
providing the research community with cyber-security event data.
This could be expanded to facilitate the sharing of vulnerabilities
and incidents with trusted allies.
This is a sad contrast with the attitude of the current Labour
government, where the desire to restrict information sharing has
led to the diluted document put before us as a "strategy". The private
sector complains that some of the agencies set up to advise and
assist businesses in protecting their networks, such as CESG, are
good at gathering information, but reluctant to disseminate it.
This culture of information hoarding has to be changed.
Otherwise how can we make a thorough appreciation of the risks and
consequences of cyber attack and facilitate the adoption of best
practice and the most appropriate cyber defence strategy across the
board?
Formulaic jargon
The Cyber Security Strategy for the United Kingdom is a master
of the formulaic jargon we have come to associate with the Labour
government, but this cannot hide the fact that it is almost totally
devoid of substance. The government cannot go on pretending that
this is due to considerations of national security when nations
such as the United States are willing to publish comprehensive and
considered analysis such as we have seen recently.
President Obama was also able to make explicit the limitations
that will be placed on US authorities. "Our pursuit of cyber
security will not include monitoring private sector networks on
internet traffic. We will preserve and protect the personal privacy
and civil liberties that we cherish as Americans." I fear what our
government currently has in mind would preclude the current British
prime minister saying something similar.
Conservative plan
A Conservative government will set up a National Security
Council to deliver a strategy for the UK. That strategy will flow
from a comprehensive security and defence review. The lines of
authority and responsibility will be clear.
One of the most urgent tasks is to deliver international
cooperation between states on cyber issues. We can no longer
tolerate even supposedly friendly states trying to peer at our
electronic secrets. This is no longer about privileged information;
it is about the secure delivery of our critical national
infrastructure. Failure of any of the information systems that
control our energy, traffic or food distribution could have
catastrophic consequences.
All states, including those we have a sometimes difficult
relationship with, have too much at stake not to cooperate in this
area. We can all unwittingly harbour groups who will attack other
states electronically. This was a casus belli when
Afghanistan played host to Al Qaeda. With the damage that can now
be caused by successful electronic attack this threat must be
managed. A new Geneva Convention on cyber warfare is required. This
is but one area on which our strategy is almost completely silent.
A new government with a new approach for the digital age is
required. It is time for our analogue leadership to move aside.