Towards a joined-up Cybersecurity Policy

As part of my retirement hand-over I looked how UK Cybersecurity Policy has evolved over the past 20 years, beginning with the IOCA debate and Y2K, then going through Y2K, Electronic Signatures, RIPA, NHTCU, the EURIM-IPPR Study, ID cards and the failure of attempts by Home Office and Cabinet Office to join-up strategy across the tribes of Whitehall and Law Enforcement. Responsibility for “co-ordinating” cybersecurity policy in the UK has now passed to DCMS but, as yet, little progress has been in reducing the fragmentation, duplication, overlap, conflicts and gaps in statutory and regulatory powers and budgets.

Government departments and Law Enforcement Agencies remain more interested in acquiring authority, budgets and cyberwarfare/surveillance capabilities or regulatory turf wars. There appears to be little or no interest in working together, let alone in co-operation with the private sector,  to use a mix of criminal and civil law to change the risk-reward equations that motivate most criminals,  developers and service providers. It remains almost impossible for most victims to obtain redress. A series of funding and standards barriers get in the way of creating a healthy training and support market to give access to the skills needed for effective protection, investigation or redress. Instead we have a massive spend on technologies which most do not know how to join up and use. The problems are compounded by the spin off effects of the cyberwarfare and surveillance arms races.

Meanwhile the threats, costs and losses have grown exponentially. That should come as no surprise because e-crime has been allowed to remain almost risk-free for the criminals. They co-operate in rapidly evolving consortia as new opportunities emerge. Meanwhile most developers regard security as an annoying afterthought. Few telcos, Internet or transaction service providers actively co-operate with law enforcement to protect their customers, let alone those who personal information they wish to harvest and exploit, unless compelled. The reasons vary but issues of legal liability, confidentiality and trust appear to trump other motivations

The Cyber Security & E-Crime Group of the Digital Policy Alliance, chaired by Baroness Neville Jones, has recently been looking at Cyber Insurance as a Catalyst for Best Practice and on 9th September will be looking current and emerging developments that could shape its future work.

The agenda has not yet been decided but the topics suggested in the advance calling notice included the following:

• challenges in relation to computer assisted crime for law enforcement bodies such as Action Fraud;
• the role of industry co-operation with law enforcement;
• governance structures to promote (IoT) security by design;
• incentives for responsible corporate behaviour;
• pressures on law enforcement & the judiciary resulting from large quantities of digital evidence;
• cyber security skills & the work of DPA’s Skills Group in this area.

The meeting will define the future course of the working group and is for those members and registered observers who will help deliver what is decided. Invitations are available for those who are interested in joining.

This is a unique opportunity for those who are seriously interested in exploiting the current opportunities to make UK cybersecurity policy fit for a post-Brexit world.

It is not enough to have policies that satisfy the conflicting requirements of the EU and US for data protection, including notification to attract fraudsters to the victims of a breach, like sharks to blood in the water. We need to make the UK the location of choice for trusted, secure, on-line business. That includes causing cybercriminals to avoid attacking UK resident consumers and businesses because we are harder to attack and better at organising rapid and effective international retaliation. It should be possible to reconcile those objectives with retaining one of the world’s most competent, devious and ruthless cyberwarfare operations. But the former should not be sacrificed for the hypothetical claims of the latter.

Data Center
Data Management