Official auditors have started scrutinizing the vaguely menacing fog that has obscured government spending on cyber security.
Early signs are that most of what passes for cyber crime on these shores is credit card fraud. Yet most cyber security spending has gone to intelligence and defence agencies. And much of the rhetoric used to justify the expenditure has been about “attacks” of an unspecified but most certainly frightening nature, by people of uncertain address and approximate degree of malice.
One thing is most certain though, on the publication today of the National Audit Office’s first report on cyber security spending, and that is that the cyber threat has been very good for business.
Or it has at least been good for the perception that the UK is a good place to do business. And that is good for business.
Booz Allen Hamilton, consultants of choice to the US military-industrial complex, commended the UK above all G20 economies last year for being most capable of withstanding cyber attacks and nurturing a digital economy.
This may be because most UK cyber security efforts have, according to the NAO, been concerned with stopping credit card fraud and trade in personal data. Their success looks good for UK plc.
It has also been lucrative for the security business, both public and private. The government strategy gave extraordinary priority to the promotion of computer security as an export industry. Of nine countries whose cyber security policies were reviewed by the NAO, none had placed as much emphasis on how they might incubate an industry.
Government meanwhile spent 73 per cent of its cyber security budget with intelligence and defence agencies.
Government statements on “cyber crime” are not usually so mundane. The Prime Minister marked the launch of this strategy in 2011 by declaring it would tackle terrorists as well as crooks.
A steady stream of vaguely frightening public statements have helped ease cyber badness into the ill-defined region where dirty feet and foreigners reside in the British psyche. The NAO noted a couple.
Jonathan Evans, the director general of MI5 said last year for example that there was more malicious activity in cyberspace than there used to be.
Foreign secretary William Hague meanwhile told the Budapest Conference on Cyberspace that Olympic computer systems were attacked every day the games were on last year.
Yet much of what passes for this sort of cyber crime consists of attempts at protest, vandalism and espionage. That’s not to say it might not be undesirable. Nor that it might not be possible that hackers one day break into the air traffic control system and make all the planes crash. Or something. But the most significant breach of cyber security in Britain to date was the occasion in 2008 when two CDs of child benefit data got lost in the post by HM Revenue & Customs.
The implication of the HMRC data loss was that there would be some sort of paedo frenzy if our data was not locked down as strictly as our kids.
Just two years later, the NAO notes, cyber attacks were elevated to one of the four highest risks to the security of the nation, alongside terrorism, invasion and natural disasters (which included pandemic disease).
What had also happened in this time is that the US military had elevated cyberspace to one of five domains of operation (types of field of battle) alongside air, sea, land and outer space. Cyberspace was however a civil domain. That did not just mean civil in the sense of a peaceful village turned to rubble by careless tanks and mortars, or a civil domain like that of a wedding party broken up by missiles fired from drones.
It meant also that most of what passed as cyber “attacks” that weren’t spotty kids and small-time hoodlums was espionage, and that included spying done by corporations. It is perhaps therefore appropriate that nearly two-thirds of UK cyber security spending is going on intelligence and not the military.
Securing it was to be done by a principle best understood by comparison to the gun-toting American citizenry: that a nation would be more resilient against any sort of threat – whether foreign or home grown, official or bandit – if each and every constituent took its portion of responsibility for the whole.
In the UK strategy this meant two very mundane matters of utmost importance that have largely been drowned out by all the bombast. The first was that people should make sure their PCs are secure, so they don’t get press-ganged into some distributed, borg-like attack on the national biscuit distribution infrastructure.
And that corporations communicate openly about what is really known about what “attacks” really are happening on major systems.
Both of these most important initiatives appear to have got nowhere.
Corporations have been excused their part for many years because of their assumed right to be unassailed by the national interest. They fess up to security breaches only reluctantly. They like to portray a public image as clean as a fresh-pressed, brown shirt. Computer security issues are treated like old-boys network secrets.
Yet the NAO’s intervention into this secretive world has reminded us that corporations should participate not only so that each part of the economy might itself be, holistically, more secure.
If it is known precisely what these “attacks” are, it can be known precisely what this threat to national security is, so that it can be dealt with appropriately in the national interest, and not used as just another excuse for an arms race, or a land grab by some civil agency or industry.
Others have noted how unsatisfactorily vague it has all been so far beyond the work of the specific agencies charged with tackling some identifiable parts of “the threat” – namely the National Fraud Agency, which stops people nicking money off your credit card, and the Child Protection Agency, which stops paedos phishing for little kiddies (1,300 reports a month, apparently).
“If cyber attacks do not occur, it will be difficult to establish the extent to which that was due to the success of the strategy and its implementation,” said the NAO today.
It was trying to get the government to conduct its cyber strategy robustly, it said, in a manner that could be audited. It could be deduced that approximately two hundred million pounds had already been spent in a manner that could not be audited.
It wanted to see the cyber security fog “defined” properly, and “clarity” applied to the logic that those conducting these initiatives have used to justify themselves and their budgets. The NAO had for example been forbidden scrutiny of the £470m that intelligence and defence agencies got for civil cyber security.
Official UK agencies have chucked out some dodgy statistics on cyber “attacks” before now. Computer Weekly has asked for details in the past and been refused.
The computer industry’s accounts of the “threat” have been similarly self-serving. The NAO said such data should be treated with caution, noting a claim by Kaspersky Labs, a computer software company, that “the UK suffered around 44 million cyber attacks in 2011, compared with one billion attacks across the world”.
So there are two things that are certain after the publication today of the NAO’s plan to survey cyber security. One, as noted above, is that the cyber threat has been very good for business.
The other is that it is about time an official body started picking apart the weakly tangled web the security services and computer industry have woven around this cyber stuff.