This morning's announcment of a GCHQ initiative to help British business improve its cybersecurity was damned with faint praise in a FIPR "alert". They queried whether its guidance would amount to much more than that issued by the US Federal Communications Commission. I do hope it will not repeat the falsehood that 80% of the threat can be handled by "good house-keeping", i.e. keeping anti-virus et al up-to-date. The ceased to be true a couple of years ago, if it ever was.
Yesterday at the end of my blog on the first meeting of the pre-legislative scrutiny of the surveillance bill, I commented on the need to stop confusing the skills needed to update the UK's cyberwarfare capability with those needed to protect business and rebuild confidence in the safety, security and resilience of the on-line world. I should have qualified that statement.
There is an overlap - but it is in a taboo area.
Our cyber-warriors and those of the US and Isreal (and probably also those of Russia and China) have long been working on tools (e.g. those inside Flame and its more sophisticated counterparts), for covertly penetrating and exploring on-line systems in order to cause damage (e.g. Stuxnet) or loot their contents (e.g. the thefts from US transaction processing and payment clearing operations). Those tools, which current generations of anti-virus et al do not detect, are increasingly being used to steal customer files (including passwords, certification and authorisation details etc.) from on-line retailers and commercial secrets (including from the research and development operations of pharmaecutical and on-line gaming companies as well as from defence and aerospace).
Is GCHQ going to share its expertise in detecting and blocking those tools?
More-over is it going to support the effort necessary to mandate the use of security by design across the public sector (and its suppliers) and to support its adoption by major private sector players so that we stop the development of new applications which incorporate 20 and 30 year old vulnerabilities?
If so, we really will have cause to celebrate. Such co-operation could indeed help catapult the UK into poll position as a location in which to base globally trusted on-line operation.