This morning I took a detailed look at the recent NAO Landscape Review of the UK Cyber Security Strategy This contains a better summary of the strategy and of departmental responsibilities for implementation than you will find in the original announcement: see page 14 for the split and page 15 for the governance.
Compare this with the summary of spend by departments over time (pages 16 and 22) and the reasons for the scale and nature of lobbying to get a share of the £650 million of extra spend become much clearer.
Nearly 2/3 of the extra (£384 million over the four years including £157 spent to date) is for the
Home Office has only £65 (£29 million spent to date) to improve the capabilities of law enforcement for "enforcing laws and combatting cybercrime". Cabinet Office has over twice the amount (£33 million) for task such as improving "technical capabilities" and "ability to respond to incidents" that BIS has (£13 million) for "building a culture that Understands the risks" and "improving skills at all levels". But BIS has already spent £17 million "Engaging with the private sector" - whatever that means. Given that that is more than its share of the extra funding and does not appear to include awareness or skills activities, presumably it includes spend from other budgets,
Meanwhile Cabinet Office has spent £9 million on the "co-ordinating programme, analysing trends and managing and responding to incidents and £4 million on skills activities.
The NAO report then describes the "six key challenges the Government faces in implementing its cybersecurity skills strategy:
- influencing industry to protect and promote itself and UK plc
- addressing the UK's current and future ICT and cyber security skills gap
- increasing awareness so that people are not the weakest link
- tackling cybercrime and enforcing the law at home and abroad
- getting government to become more agile and joined up: and
- demonstrating value for money
The are also differences regarding the priorities for action, with major victims (such as banks) often wishing to give a significantly higher priority to "attack" (e.g. using civil law to bankrupt predators and those who facilitiate their actions) than to sharing "intelligence" with those who want to use it to bid for next year's budgets - rather than to help co-ordinate "enforcement" action.
Given the small proportion of the £650 million devoted to skills, (other than those needed by GCHQ, MOD and the Intelligence and Security Services), and given the delays in contracting the programmes that have supposedly been agreed, many in industry wonder just how serious the Government is about addressing the second challenge. This has serious implications for the economy as a whole because of the risk that major users will respond by moving activties off-shore to where they can obtain the skills they need.
As soon as the contracts are agreed I am looking forward to helping line up employer support for those programmes that really are intended to meet their needs and not just those of the Intelligence and Security services, important though the latter undoubtedly are.
The NAO report on the value for money represented by Get Safe On-line and Think U Know illustrated that their effectiveness was limited by the failure of Government to provide the funding comitment that would allow them to plan ahead. Until this problem is addressed and Government websites routinely carry well publicised links for reporting problems and what to do if victimised, we run the risk that improving awareness will lead to increased paranoia on the part of the target communities rather than confidence and security.
The small sums devoted to improving the capabilities of law enforcement are a significant problem when it comes to persuading industry that Government is serious. But the disparity of resource between public and private sectors mean this will always be a matter for partnerhip. Hence the title of the EURIM-ippr studies into "Partnership Policing for the Information Society" , whose 50 or so recommendations are finally being implemented.
Getting the tribes of Whitehall to join up their activities on anything at all will remain a problem until the rewards for co-operation (i.e. budgets and promotion) are greater than those for protecting the departmental silos and winning their battles with each other for authority and control. The partnerships announced over the last few weeks are a major step forward but need quarterly review processes (which have credibility with those industry partners who are in a postion to contribute serious budgets and resources) for progress to be maintained. And the very concept of quarterly reviews appears culturally alien to many in central government.
Finally commes the challenge of assessing value for money. This is not unique to Whitehall. Information security specialists in the private sector, alongside many of those in the world of ICT as a whole, also find the concept totally alien. That is why so few of them have serious influence on board decisions, let alone make it to board level. The NAO Annex on assessing the value for money of cyber security (page 32 onwards) and the Appendices on the approach they intend to use for auditing are not perfect. They are, however, a good shot across the bows of those who expect to spend money without spelling out what they intend to achieve, how they expect to achieve it - and how success will be measured. They are a welcome first step on a long, long walk.
And now - back to the question with which I started this blog.
I have no idea - but unless we ask the question we will not get value from the balance of the £650 million which has not yet been spent.
Also I would hesitate to challenge the spending priorities. GCHQ is a world class resource capable of helping make the UK one of the most, or least, trusted location for globally trusted on-line operations. I know which I would prefer. And bringing the programmes to meet the skills needs of GCHQ alongside those of the priovate sector might well be a good way of achieving that.