The government has unveiled its long-awaited UK Cyber Security Strategy document, intended both to boost Britain’s defences against cyberattacks and create a safe environment for e-commerce to flourish.
The document, “The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world”, explains how a budget of £650 million will be spent to protect the UK from cyberattacks, boosting police efforts to catch criminals and also raising awareness among the general public.
National Cyber Security Programme
As one of the outcomes of its Strategic Defence and Security Review in 2010, the government put in place a £650 million, four-year National Cyber Security Programme (NCSP). Half that money, according to the strategy paper, will go to Government Communications Headquarters (GCHQ), the government’s main intelligence centre in Cheltenham. In exchange for the extra funding, GCHQ will be expected to play a broader role and share its intelligence and technology for the economic benefit of the country.
“Government will explore ways in which expertise can more directly benefit economic growth and support the development of the UK cybersecurity sector without compromising the agency’s core security and intelligence mission,” the document says.
Increased security certifications
The UK Cyber Security Strategy document also recognises the need for more people to become experts in information security. It says the government aims to improve levels of professionalism in information assurance and cyberdefence across the public and private sectors. It also promises to establish a scheme for certifying the competence of information assurance and cybersecurity professionals by March 2012, and a scheme for certifying specialist training in 2012. It also mentions the Cyber Security Challenge as a way of bringing new talent into the profession.
National Crime Agency
Policing of cybercrime should also receive a boost. As part of the government’s plan to create a National Crime Agency (NCA), it will create a new national cybercrime defence unit, drawing together the work currently carried out by the e-crime unit in the Serious and Organised Crime Agency and the Metropolitan Police’s Central e-crime Unit. “The new unit will underpin the work of all four operational commands of the NCA (borders, organised crime, economic crime and Child Exploitation and Online Protection Centre (CEOP)) by providing specialist support, intelligence and guidance,” the document says.
The plan will also encourage the greater use of professionals from the private sector to help with policing. “The Metropolitan Police Central e-crime Unit has made groundbreaking use of Police Specials with relevant specialist skills to help tackle cybercrime: We will encourage all police forces to make use of such ‘cyber-specials,’” the document says. “We will involve people from outside law enforcement to help tackle cybercrime as part of the NCA cybercrime unit.”
Education for the general public
An important part of the strategy will be an education programme to encourage better Internet ‘hygiene’ among the general public and greater awareness of the threats they face. According to GCHQ, 80% or more of successful attacks are defeatable by simple best practices, such as updating antivirus software regularly. It therefore aims to help people protect themselves by improving education about cybersecurity. For instance, the document suggests the government may use social media to spread the message about threats and online scams.
The document also proposes the development of security “kitemarks” to help consumers buy reliable security products. “BIS will work with domestic, European and global and commercial standard organisations to stimulate the development of industry-led standards and guidance that help customers to navigate the market and differentiate companies with appropriate levels of protection and good cybersecurity products,” it says.
The government also plans a bigger role for Get Safe Online, the government-backed initiative for promoting good Internet practice. The document says joint discussions are already underway with Internet companies, retailers and ISPs about how to improve Internet security. In addition to promoting security awareness, its role will be, through the proposed kitemarks, to help consumers distinguish between genuinely helpful products and advice and the purveyors of “scareware.” A joint action plan will be launched in the new year, it promises.
Global Operations and Security Control Centre
In recognition of the growing strategic importance of the Internet, the document says the Ministry of Defence has recently opened a new Global Operations and Security Control Centre at Corsham, Wiltshire, to act as a focus for cyberdefence for the armed forces. It adds that a second Joint Cyber Unit, also at Corsham, “will develop and use a range of new techniques, including proactive measures, to disrupt threats to our information security.”
Ross Parsell, director of cyberstrategy at Weybridge-based Thales UK, said initial planning for the strategy began last February when industry leaders were invited to 10 Downing Street to discuss the issue. The discussion resulted in the creation of a set of working groups, which began their work in March 2011. “From the start, we have covered a range of areas, including cybercrime, how to help SMEs, consumer interests, and threats to big business. Bringing that all together has been quite a task,” he said.
Parsell said one area of tension in the discussions was how much information GCHQ was prepared to share with broader industry. “We said we needed a culture shift within Cheltenham (GCHQ) where they hold the dark secrets of what’s going on, so some of that information could be more widely shared,” he said. “There was a little bit of tension about that; they are willing to make the culture shift and push out more information, but they’d like to see it being acted upon.”
The Government’s UK Cyber Security Strategy document promises a safer environment for businesses and the public. It aims to fulfil its promise with a new security programme, more certified security professionals, security kitemarks and other initiatives.