I re-read the “Initial National Cyber Security Skills Strategy: increasing the UK’s Cyber Security Capability” after attending the first of their discussion meetings. The meeting illustrated the difficulty of the task the DCMS team will have reconciling the need of MoD and GCHQ for patriotic cyberwarriors and the need of the rest of us for the skills to protect ourselves and our customers at the same time as working with law enforcement to identify on-line predators and use a mix of civil and criminal law to remove and/or deter them, wherever they may be.
The skill sets do overlap.
But do they overlap sufficiently for a single professional body?
Almost certainly not.
Hence the reason the creation of a Cybersecurity Council makes such good sense.
But the Council will not meet the needs of UK plc if Government support is constrained to fit the undoubted need to grow our own indigenous cybersecurity skills base while neglecting the need for the City of London, as the world’s premier financial services and global trading hub, to have the cross-cultural and jurisdictional skills base needed by a global hub for security audit and investigatory co-operation. And what about the need to protect the rest of society from script-kiddies, on-line bullies, pederasts and those using social media to promote, for example, a gang-driven, drug-fuelled teenage subculture?
The strategy also neglects the skills needed to build and maintain a resilient and secure digital infrastructure for a society that is critically dependent on 24 by 7 on-line service. The failure to regulate UK telecoms (including internet services) as part of the critical national infrastructure, with all that implies (including for the relevant skills), appears to undermine the rest of the strategy.
I strongly recommend reading the strategy and thinking long and hard before answering the questions. And remember the deadline – March 1st.
Below I summarise the points I am thinking of making in my own submission.
Perhaps most controversial for many readers is that the number of genuine cybersecurity professionals needed, those capable of holding a UK-eyes-only security clearance, is probably only about 10% of the numbers being bandied about by those making business plans for new professional bodies. Instead we need very much larger numbers of competent technicians with skills that cross professional boundaries.
Moreover, if we really do want to be a world leader, we should look at how to be at the heart of setting and auditing global skills standards and co-operating wholeheartedly with non-NATO countries in educating and training those who will help secure the on-line world against all-comers (including nation state actors, “ours” as well as “theirs”). The latter also entails fixing the vulnerabilities that are there because nation state actors want them to be there.
Hence my sympathy for DCMS officials expected to reconcile the irreconcilable – or rather to produce a globally acceptable and evolving fudge machine. I am mindful of how, nearly a decade ago, officials from across Whitehall came together to block the joined-up Home Office e-Crime strategy on which I and others had spent so much time and money.
My points below follow the structure of the Consultation paper.
The Strategic Context – Page 15
I found the analysis of the size of the cybersecurity skills gap (page 12) very odd. I then looked at the background report “Understanding the UK Cybersecurity skills labour market” and understood why. It repeats an error common to almost all reports on UK IT skills and demand. It fails to appreciate that 95% of the 1.4m UK businesses with employees have fewer than 50 staff, none of them full time on IT support, let alone cybersecurity. The responses to the survey come from the remaining 5%, plus the cyber consultancy community. The statement that 710,000 businesses and 107,000 charities have a “technical skills” gap is then used to produce numbers requiring different types of skill. The UK has barely 250,000 businesses with more than 10 staff and only 42,000 with more than 50. It has barely 34,000 charities with more than £100,000 of income and only 11,600 with more than £500,000. Most businesses with under 50 staff use packaged and/or outsourced IT products, services and support. They have no-one with serious in-house IT expertise, let alone cybersecurity expertise. Only businesses with more than 250 staff (7,500) and charities with more than £5 million turnover (2,200) are likely to have any in-house cybersecurity expertise, as opposed to giving one or more members of staff the training to know when to call in an “expert” and, hopefully, a call-off contract with a reputable “expert”.
There is then the question of how many of the “experts” merit the term “professional” and how many are best described as “technicians”, competent to use the semi-automated tools which can be mastered in the 3-4 month modular training programmes which produce “consultants” capable of being billed to HMG at £200-300 per day. To the numbers quoted should be added those not on degree courses or IfA “approved” apprenticeships. One commercial training provider appears to have a throughput of over 3,000 students a year (counting up the numbers on the courses it is contracted to run for major aerospace and defence contractors and/or cloud computing suppliers). Meanwhile the big four accounting firms are each believed to be training several hundred a year via the “cyber-academies” they run with the help of well-known universities. BT has claimed that it has 3,000 in its cybersecurity operations and has said it is training 300 “apprentices” a year and looking to recruit a further 300 a year from outside to replace turnover.
Meanwhile the financial services industry has largely outsourced/co-sourced technical cybersecurity while embedding cybersecurity modules within mainstream disciplines from risk management to identity and access control (including know your customer), fraud prevention and asset recovery. ISACA (over 150,000 members world-wide, over 15,000 in the UK) is probably the main professional body for those “auditing” cybersecurity in the financial services sector. Its “body of knowledge” appears to be far wider than that envisaged, because its members already have to audit IoT devices integral to on-line, interactive payment, shipping and maintenance services around the world.
The main gap in the analysis is, however, the skills to build and maintain the nation’s digital communications infrastructure. There is talk of society’s increasing dependency on connected devices and services but not of the need to treat digital communication as part of the critical national infrastructure – with the implications that would have for regulated standards for quality of service, resilience and response times, and for independent certification of the competence of those maintaining the necessary inter-operable networks with mutual standby.
That leads to the question of the skills to address the responsibilities of Internet Service Providers, including “Over the Top” providers, given that their use of algorithms to fine-tune service provision on behalf of advertisers means that “innocent carrier” status no longer applies. They look set to face a perfect storm of class actions under civil and/or common law for the consequences (suicide and murder, let alone lesser injuries and suffering) of their failure to take “reasonable action” to enforce their terms and conditions.
The National Response – Our Mission
There is a need to unpack the needs for UK or NATO “eyes only” skills for national defence and cyberwarfare purposes from those of the financial services sector where UK-based organisations may be part of the critical national infrastructures (including payment services and sovereign wealth management) of Governments around the world.
One of the best ways of ensuring that the UK has world class skills is to maintain and foster the position of the City of London as the neutral base for auditing and quality controlling the cybersecurity of the rest of the world – even if that means operating, at least in some respects, at arm’s length from the City of Westminster. That relationship needs to be open and honest, including the means for handling the inevitable conflicts, for it to be open, trusted and trustworthy.
A Structured and Trusted Profession
Trust is earned. Much will depend on the nature of the “delivery lead”. It needs to be a mutual, jointly owned by a balanced mix of UK and international professional bodies and trade associations, with Government contributing as a major user/employer of skills. It also needs to move rapidly towards the creation of a de facto “certificate to practice” regime, with members maintaining inter-operable (common formats/definitions) log books of training, updating and performance, validated by course/assessment providers, employers and customers.
A Vibrant Education and Training Ecosystem
The “demystification” of cybersecurity careers is much easier said than done, given that these are probably evolving faster than the attempts to describe them.
It is probably easier to:
• describe the various roles,
• the attitudes, aptitudes, knowledge and experience they might draw on and
• how these might be demonstrated and/or acquired.
It is probable that in future, as in the past, the majority of those working in cybersecurity will have transferred in from other career paths, and a spell in cybersecurity may well be a stepping stone to another career path.
We need to make it much easier to assemble courses and training and assessment programmes from evolving modules which are internationally recognised.
How successful the Cybersecurity Council is in creating the necessary frameworks will help determine its overall success or failure.
Government (DfE as well as DCMS on Cyber) should support (both funding and information on its own activities) clearing houses for work experience, apprenticeship and training opportunities (both local and national) and guidance on pastoral care, particularly for the neuro-diverse and returners.
Broader Cybersecurity Capability
The Government should work with the Information Commissioner and others to implement the outstanding recommendations of the Culture, Media and Sport Select Committee report “Cyber Security – the protection of personal data on-line”:
“All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms.” (Para 14)
“security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary.” (Para 18)
“where the risks of attack are significant, the person responsible for cyber security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.” (Para 20)
“it should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process.” (Para 25)
“All telecommunications companies and on-line retailers, and other cyber-vulnerable organisations, should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers.” (Para 26).
“Cyber Essentials should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber ransom demands.” (Para 30)
“The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities and include best-practice examples of how to inform in an appropriate way those affected, in order to strike the best possible balance between protecting information that is sensitive to police investigations, whilst recognising consumer/customer requirements to be made aware of a breach that may affect them. This is particularly relevant as the EU GDPR will extend the obligation to inform consumers to all companies and organisations, not just telecommunications companies and ISPs.” (Para 33)
“escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.” (Para 18) “… escalating fines for delays in reporting a breach” and “scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications.” (Para 34)
“the attention of individuals within the organisation may be better engaged by the threat of a custodial sentence, rather than a fine for their employer.” (Para 36) “bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.” (Para 37)
“Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
• Staff cyber awareness training;
• When their security processes were last audited, by whom and to what standard(s);
• Whether they have an incident management plan in place and when it was last tested;
• What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
• The number of enquiries they process from customers to verify authenticity of communications;
• The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place.” (Para 38)
“The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. Part of the response could be to require enhanced security requirements and background checks for those with access to large pools of personal data.” (Para 41)
My guidance on the DCMS Report recommendations, written for the Main Board Directors among Computer Weekly readers, is available here. DCMS and the ICO have yet to provide a substantive response, but the recommendations are even more apposite now that the GDPR has come into force.