Security suppliers and other industry commentators have generally welcomed the government’s long-awaited new UK cybersecurity strategy, but not without reservation.
The strategy, finally published on 25 November, focuses on better resourcing for computer crime authorities, improving communication between government and the private sector, and investing in national defences and critical infrastructure against cybercriminal attack.
The highest praise has been for the UK government’s:
- Treatment of cyber threats as a serious concern;
- Recognition of the role that cybersecurity plays in relation to the UK economy;
- Decision to make public/private partnerships a key tenet of the strategy;
- Commitment to proactive measures to disrupt threats to information security, not only defence;
- Goal of putting the UK in a leading position to prevent online crime and raising awareness among consumers and small, medium and large enterprises;
- Commitment to review current legislation to ensure it remains fit for purpose;
- Promise of a unified body at the heart of UK law enforcement;
- Intention to undertake extensive lobbying and support for cross-border cooperation on prosecuting cybercrime.
Cybersecurity strategy lacks detail
While widely acknowledged as a “good start”, most security industry representatives feel the strategy does not provide enough detail on how its goals can be achieved, how success will be measured, and what the deadlines are for many of the initiatives.
The strategy does not go far enough to bring the private and public sectors together in the fight against the cybersecurity threat, said Rob Cotton, chief executive of IT assurance company NCC Group.
“The announcement of help and support from GCHQ [Government Communications Headquarters] for private sector companies is helpful. However, with large amounts of our critical infrastructure and our GDP [gross domestic product] relying on the IT security of our private sector, it may not be enough," he said.
When it comes to sharing information with the government, private businesses will want to be assured that intelligence will not just flow from them to the government, but also in the reverse direction, said Graham Cluley, senior technology consultant at Sophos.
There was some interesting language around the “development and use” of proactive measures to disrupt criminal activity, but there needs to be greater clarity on how that kind of activity will remain within a legal framework, said Rik Ferguson, director of security research at Trend Micro.
The government also talked extensively about how the right to privacy would be protected online, while still insisting on the need for protection of intellectual property, he said.
“There is clearly still a great deal of negotiation that needs to take place with ISPs [internet service providers] and other stakeholders to define a means that this can be achieved without significant resistance from industry and from the internet population,” said Ferguson.
Strategy needs a commercial viewpoint
While the government’s promotion of "kitemarks" for cybersecurity software to help businesses make more informed choices is positive, there needs to be a system that anyone can sign up to, where knowledge of criminal web pages can be shared between millions of users around the world, said Nigel Hawthorn, vice-president, marketing Emea, at Blue Coat Systems.
“To win this fight, both businesses and consumers need to share their experiences,” he said.
Around 6% of the UK’s GDP is generated by the internet, which is a stark reminder to every business owner that if they are not embracing the internet for business and less than 6% of their revenue is generated by the internet, then they are behind the “iTimes”, said Hawthorn.
“We appreciate what the government is trying to achieve with the strategy, but what’s concerning is that although leading organisational bodies such as SOCA [the Serious Organised Crime Agency] and UK Trade and Investment [UKTI] are featured prominently, we fail to see how this is going to resonate with commercial organisations. If we’re all going to work together, the government needs to take into account many more factors, including reaching out to the private sector and enterprise organisations to understand their concerns and what needs to be achieved,” he said.
David Harley, senior research fellow at ESET, said while it is a good thing that more generalised cybercrime will be getting some attention, as well as the more “glamorous” topic of cyberwarfare, he is concerned that if the view of the threat landscape is too cyberwarfare/GCHQ-dominated, it may not always work to the best advantage of the private sector and home users, whose priorities and assumptions may be very different.
However, he conceded "there have to be benefits from the involvement of security agencies with undoubted expertise in specialist contexts”.
Government needs a better understanding of cybercrime
Others have expressed disappointment that the government is not committing to any research to better understand today’s threats to help combat them.
“If we don’t spend any time researching cybercrime, the cybercriminals will always be one step ahead,” said Ash Patel, country manager for UK & Ireland at Stonesoft.
Another common concern among critics is that the sensitive commercial implications of knowledge-sharing and the suggestion of an “open internet” have not been thought out properly.
“Many organisations simply do not want to share their secrets, so as not to compromise competitive advantage,” said Frank Coggrave, general manager, Emea, at Guidance Software.
Coggrave added that the strategy may be too "political" to be effective. “If the cause becomes too bureaucratic, it doesn’t necessarily have the rapid response approach needed to deal with the full gamut of cyber threats,” he said.
So despite the generally positive response to the UK’s new cybersecurity strategy, many feel government needs to clearly communicate exactly how the strategy will be implemented and by whom. There needs to be a clear pathway to make this work, they have said.
Some also feel that there is no time to delay, and that the 2013 implementation date for initiatives is too far in the future. The UK, they argue, needs concrete steps to be taken immediately.
While the principles are sound, the effectiveness of the new cybersecurity strategy depends on the government providing the necessary assurances, ensuring its actions are transparent and the role of every stakeholder is clear, and delivering sooner rather than later.