Cyber security has moved up the national agenda in the past year, with the UK government paying increasing attention and allocating increasing budget to bolstering UK cyber defences.
The government has stepped up its efforts in this area to help support UK business, with special attention to those that form part of critical national infrastructure and financial infrastructure.
The launch of the first national cyber threat sharing partnership marked an important step forward in the past year, with another milestone due in 2014 when the UK national CERT becomes operational.
The UK government plans several more initiatives in 2014 aimed at promoting the UK as a safe place to do business online and at taking a global leadership position on cyber security matters amid growing calls for international treaties on cyber security and cyber weapons.
Read Computer Weekly's top 10 UK cyber security stories of 2013 here:
In March, the UK government announced a partnership with industry to share information and intelligence on cyber security threats. Cyber attacks were rated as one of the top four threats to UK national security, alongside international terrorism, in the National Security Strategy of 2010 and a re-assessment in 2012. The Cyber Security Information Sharing Partnership (CISP) delivers a key component of the UK national cyber security strategy in facilitating information-sharing on cyber threats.
In November, Chris Gibson was confirmed as the director of the UK’s new national computer emergency response team (CERT-UK), which is set to become operational in early 2014. Francis Maude, the Minister for Cabinet Office, said Gibson brings a wealth of experience in cyber incident response in the private sector, both in the UK and internationally. “His first-hand knowledge and understanding of cyber security will be invaluable as he leads the national CERT,” he said.
Most of the FTSE 350 companies place cyber risk on the board agenda, with over half accounting for cyber risk in their strategic risk register, a cyber governance health check has revealed. In July 2013, the heads of the UK’s intelligence agencies and the Department for Business, Innovation and Skills called on the country’s top 350 listed companies to take part in the exercise. The call was made a day after business consultancy firm KPMG published a report revealing that cyber leaks at FTSE 350 firms are putting the UK’s economic growth and national security at risk.
Five organisations have been named as the first certified consultancies in the government’s scheme to help UK organisations respond effectively to the increase in cyber attacks. The Certified Incident Response scheme is backed by CESG, the information assurance arm of GCHQ, and the Centre for the Protection of National Infrastructure (CPNI).
Security experts welcomed the most extensive cyber threat exercise in two years to test the preparedness of the financial infrastructure to withstand a sustained cyber attack. On 12 November 2013, Operation Waking Shark 2 tested thousands of staff at London’s major financial institutions with a simulated cyber attack on systems on which the UK’s financial system depends. The Bank of England, the Treasury and the Financial Conduct Authority monitored responses to assess the ability of the UK’s core financial services providers to withstand cyber attacks.
The UK must set rules for the cyber security of critical national infrastructure to ensure utilities are safe from attack, says Chris McIntosh, chief executive at communications firm ViaSat UK. “We need legislation because simply issuing a government advisory means there will always be organisations that will ignore that,” he told Computer Weekly.
The UK government is to invest more than £850m to develop and maintain what it calls “cutting-edge” capabilities to tackle cyber threats. “Crime is at record low levels and this government is taking action to tackle the cyber threat, investing more than £850m through the national cyber security programme,” the Home Office said. The statement comes after a report by the Home Affairs Select Committee said that, despite being the preferred target of online criminals in 25 countries, the UK is still complacent about cyber crime.
The Ministry of Defence (MoD) is teaming up with nine large defence firms and telecoms providers to strengthen the UK’s cyber security. The Defence Cyber Protection Partnership (DCPP) is the latest in a series of cyber security initiatives by the government since cyber threats were categorised as one of the national defence priorities in 2010. The partnership will look to implement controls and share threat intelligence to increase the security of the defence supply chain.
In March, UK communications intelligence agency GCHQ announced a second academic research institute, which will find new ways of analysing software automatically to combat cyber threats. The GCHQ group’s work is aimed at providing businesses, individuals and government with additional confidence that software will behave in a secure way when installed on operational networks. Funded by a £4.5m grant, the new research institute is made up of teams from six universities and forms part of the government’s plan to increase the UK’s academic capability in all fields of cyber security.
Governments must understand that cyber weapons are extremely dangerous and have to agree not to use them, according to Eugene Kaspersky, founder and chief of security firm Kaspersky Lab. “It would be good if governments were to sign a treaty against the use of cyber weapons in the same way as they have done against nuclear, biological and chemical weapons,” he told Computer Weekly.