The UK Cybersecurity Strategy announced today provides a long overdue linkage between initiatives led and planned via Home Office, BIS, MOD, Cabinet Office, DCMS, FCO. It contains much that is to be welcomed, such as using the unique resource that is GCHQ to help protect the private as well as public sectors. I particularly welcome the focus on drawing in private sector expertise, including volunteering programmes for the police and armed forces. I also like the way that the strategy majors on the need to act on skills at all levels from basic awareness to postgraduate, mandates that 25% by value of government security be spent with SMEs and flags the need to kite mark security products and services.
Given that I have spent nearly a decade calling for many of the actions that have finally been announced, it would be surprising if I was not pleased. We need to recognise, however, that difficult though it has been to get commitment across Whitehall to a meaningful joined up strategy, it will be even harder to sustain that commitment and secure the implementation of the action plans.
£650 million was a powerful carrot but the task will cost nearer £6.5 billion and there is no more new money. Therefore the balance will have to be found by making much better use of the £4-5 billion a year the public and private sectors (combined) already spend on the inefficient use of “sticking plaster” products and services. Much of the savings should come from moving to security by design, including making use of the physical addressing facilities that are built into almost all mobile devices (Trusted Computing).
Implementing the strategy will present major challenges, including to major private sector players whose business models are a decade behind the times as well as to those in the public sector who are used to command and control, not co-operation. But we can no longer afford to let the cybercriminals continue to lead the way in organising effective partnerships. The stakes are too high.
We all have to help ensure that players (including regulators and compliance teams who get in the way of good practice) stop jockeying for position and start working together, across departmental and organisational boundaries, to remove opportunities for malpractice.
That means finding reasons to co-operate which demonstrate rapid payback and whet appetites for more co-operation. I expect to be able to blog on a number of these over the next few weeks.