Cybersecurity is one of the four Tier One threats identified in the new UK Security Policy. We have 18 months to get fit for purpose before the Olympics when the threats of overload and attack come together. Our broadband networks are too full of backhaul bottlenecks, even if the local access was adequatei. Our current and currently planned mobile networks look set to collapse as all those i-phones and i-pads are used to watch the Games. And that is before cyberattack. Meanwhile all the world’s fraudsters are likely to be focussed on London and those visiting with credit and debit cards from around the world.
The probabilities of chaos are unacceptably high, unless we take rapid and effective action, starting now. That has to include serious investment in vulnerability and bottleneck removal and operational security skills. £650 million of central funding over four years is small beer – unless it is used to get much better value from the £600 million per annum of fragmented departmental spend on “information assurance”, and to leverage co-operation with those in the private sector who spend somewhere over £3 billion a year (including over £1.5 billion without outside suppliers) trying to secure their systems – from corporate networks to home PCs.
We need crash training programmes (modules at all levels) because most of those in post, including/especially at the top, lack the skills or experience to even plan what is needed.
The Information Society Alliance (EURIM) paper on Security by Design is due to be launched on 27th October. At the same time announcements will be made on follow up exercises on Security Procurement and on Cybersecurity Skills. The latter two exercises will have tight time-tables for identifying who is willing to work with who to achieve practical results to short order. The “coping” study of the scale and nature of what is needed for the e-Crime reduction partnership is now under way but those who are serious about wishing to protect their organisations and its customers from chaos can no longer afford to wait – they have to start work in parallel – testing what is likely to work so that they can expand rapidly as the overall picture becomes clearer.
The role of the Alliance and of the Partnership is not to duplicate what is being done by others, but to secure political (corporate politicians as well as elected ones) support for joined up thinking and operational co-operation across the tribal (as well as organisational, regional and national) boundaries of security, law enforcement, customer service and marketing (yes marketing!).
That is not always easy. While I am still interested in hearing from those who can help, I and my colleagues in the Alliance are now often fully loaded, with little time for those who do not obviously bring resource and budget to the table. I therefore apologise in advance if this blog gets rather sporadic over the next few weeks.
The good news, of course, is that the entries will also get shorter.
I should also add that the pressures over the next years mean that we will also need much better informed and more constructive debate (leading to action) on the means of preserving the Internet as a medium for free speach and protest at the same time as protecting the vulnerable from abuse. For example it should be possible to cleanse the domain name system while preserving anonymity for those who need it. But we need to set that as an objective – rather than seeking to retain the hippie ideals of the Internet’s founding fathers (including their paranoia about governments) by also preserving in aspic the solutions they devised in the 1970 and 1980s for the technologies of yesterday.