I had been apprehensive that the BIS attempt to identify a “standard” for information security would lead to another tick box distraction. Instead a much more nuanced approach was described at the Lancaster House event to announce the outcome of the consultation on a recommended standard for cyber security.
David Willetts said that HMG regarded industry-led standards and accreditations as a better way forward than inflexible regulation of the kind proposed by the EU. Even better, what was announced was a framework, not a straitjacket. I particularly liked the recognition that different industries and different types of business will need different, but still auditable, “profiles” within an ISO 27000-like approach. I also happen to be a fan of IASME.
I was less happy with the idea that mainstream policy could regard “advanced persistent threats” as the exception rather than the norm. I fear that they are the new norm. Once a criminal group has obtained the information necessary to impersonate an individual or has identified a worthwhile target, they now appear to return to the attack again and again, especially if an earlier attack was successful. They are only deterred when it becomes apparent that the target (or their bank, transaction provider or ISP) is willing to fight back, using civil and/or criminal law to bankrupt or incarcerate the attackers and those who provide the tools used. The odds of success may be low, but it is becoming apparent that this is a win-win strategy. Criminals clearly prefer the no-risk strategy of attacking those who do not fight back (and merely spend ever more on layers of protection) to the risk (however low) that victims or their allies may land a lucky punch.
In this context the approach of the National Crime Agency as described at the Govnet Cyber Security conference this week is most welcome. The shoot-out between Spamhaus and Stophaus earlier this year illustrated both the threats we now face and the value of robust counter-attack. I look forward to hearing more when the case finally comes to court, despite the difficulties of using UK criminal law (as previously illustrated by the McKinnon case and the subsequent US attempts at extradition).
Meanwhile the main auditors and law firms are seeking to double, treble or quadruple the size of their global investigation and litigation teams to support those wanting to identify who is attacking them and to stop them. Hence the point with which I ended my last blog. Those who do not act now to identify, develop and retain the in-house security skills they need will face serious problems next spring as the law firms and audit practices bid against each other for skills which are already in short supply.
David Willetts said that BIS would itself be adopting the standards-led approach announced this week. I do hope BIS will cross-train existing officials in the security skills it will need, using the frameworks being developed by e-Skills and City and Guilds, and not add to the crisis by seeking to recruit from outside or by retaining consultants.