How relevant is UK Cyber Strategy to the Cyberbattles of recent weeks

Yesterday I blogged on the consequences of the recent cyber battles between Spamhaus and its allies (supposedly including five western law enforcement agencies, Google and others) and the Cyberbunker and its allies (supposedly including the Russian Business Network), the overall impact of which was to slow down the web significantly in the UK and parts of Western Europe but not in the United States and elsewhere. At about the same time the Egyptians caught three divers trying to cut the cables that link major UK on-line operations to their help desks in India.

This morning I took a detailed look at the recent NAO Landscape Review of the UK Cyber Security Strategy. This contains a better summary of the strategy and of departmental responsibilities for implementation than you will find in the original announcement: see page 14 for the split and page 15 for the governance.

Compare this with the summary of spend by departments over time (pages 16 and 22) and the reasons for the scale and nature of lobbying to get a share of the £650 million of extra spend become much clearer.

Nearly 2/3 of the extra (£384 million over the four years, including £157 million spent to date) is for the security and intelligence services, including GCHQ and CESG, on “National sovereign capability to detect and defeat high end threats”. £90 million (including £31 million spent to date) is for MoD for “mainstreaming cyber throughout defence”. Barely £65 million, over four years, is to improve the security of government IT, and it looks as though £12 million of that has been spent to date on “improving the resilience of the public sector network”.

Home Office has only £65 million (£29 million spent to date) to improve the capabilities of law enforcement for “enforcing laws and combatting cybercrime”. Cabinet Office has over twice the amount (£33 million) for tasks such as improving “technical capabilities” and “ability to respond to incidents” that BIS has (£13 million) for “building a culture that understands the risks” and “improving skills at all levels”. But BIS has already spent £17 million “engaging with the private sector”, whatever that means. Given that that is more than its share of the extra funding and does not appear to include awareness or skills activities, presumably it includes spend from other budgets.

Meanwhile Cabinet Office has spent £9 million on the “co-ordinating programme, analysing trends and managing and responding to incidents” and £4 million on skills activities.

The NAO report then describes the “six key challenges the Government faces in implementing its cybersecurity skills strategy”:

  1. influencing industry to protect and promote itself and UK plc
  2. addressing the UK’s current and future ICT and cyber security skills gap
  3. increasing awareness so that people are not the weakest link
  4. tackling cybercrime and enforcing the law at home and abroad
  5. getting government to become more agile and joined up; and
  6. demonstrating value for money

Given the small proportion of the cyber security spend devoted to improving the security of Government's own IT, it is little wonder that Government is having problems with influencing industry. It is said that one UK-based bank alone spends more than £600 million a year protecting itself and its customers. Several more are said to have in-house information security teams larger than the whole of central government, added together. When it comes to looking at fraud (most of which is now IT-linked) the disparities are even greater.

There are also differences regarding the priorities for action, with major victims (such as banks) often wishing to give a significantly higher priority to “attack” (e.g. using civil law to bankrupt predators and those who facilitate their actions) than to sharing “intelligence” with those who want to use it to bid for next year's budgets, rather than to help co-ordinate “enforcement” action.

Given the small proportion of the £650 million devoted to skills (other than those needed by GCHQ, MOD and the Intelligence and Security Services), and given the delays in contracting the programmes that have supposedly been agreed, many in industry wonder just how serious the Government is about addressing the second challenge. This has serious implications for the economy as a whole because of the risk that major users will respond by moving activities off-shore to where they can obtain the skills they need.

As soon as the contracts are agreed I am looking forward to helping line up employer support for those programmes that really are intended to meet their needs and not just those of the Intelligence and Security services, important though the latter undoubtedly are.

The NAO report on the value for money represented by Get Safe On-line and Think U Know illustrated that their effectiveness was limited by the failure of Government to provide the funding commitment that would allow them to plan ahead. Until this problem is addressed and Government websites routinely carry well publicised links for reporting problems and what to do if victimised, we run the risk that improving awareness will lead to increased paranoia on the part of the target communities rather than confidence and security.

The small sums devoted to improving the capabilities of law enforcement are a significant problem when it comes to persuading industry that Government is serious. But the disparity of resource between public and private sectors means this will always be a matter for partnership. Hence the title of the EURIM-ippr studies into “Partnership Policing for the Information Society”, whose 50 or so recommendations are finally being implemented.

Getting the tribes of Whitehall to join up their activities on anything at all will remain a problem until the rewards for co-operation (i.e. budgets and promotion) are greater than those for protecting the departmental silos and winning their battles with each other for authority and control. The partnerships announced over the last few weeks are a major step forward but need quarterly review processes (which have credibility with those industry partners who are in a position to contribute serious budgets and resources) for progress to be maintained. And the very concept of quarterly reviews appears culturally alien to many in central government.

Finally comes the challenge of assessing value for money. This is not unique to Whitehall. Information security specialists in the private sector, alongside many of those in the world of ICT as a whole, also find the concept totally alien. That is why so few of them have serious influence on board decisions, let alone make it to board level. The NAO Annex on assessing the value for money of cyber security (page 32 onwards) and the Appendices on the approach they intend to use for auditing are not perfect. They are, however, a good shot across the bows of those who expect to spend money without spelling out what they intend to achieve, how they expect to achieve it, and how success will be measured. They are a welcome first step on a long, long walk.

And now, back to the question with which I started this blog.

I have no idea, but unless we ask the question we will not get value from the balance of the £650 million which has not yet been spent.

Also, I would hesitate to challenge the spending priorities. GCHQ is a world class resource capable of helping make the UK one of the most, or least, trusted locations for globally trusted on-line operations. I know which I would prefer. And bringing the programmes to meet the skills needs of GCHQ alongside those of the private sector might well be a good way of achieving that.