Why are our systems so vulnerable: the cybersecurity bandwagon

My inbox has recently been full of invitations to cybersecurity events, albeit those targeted at public sector users use the words “information assurance” and those targeted at the private sector use the words “information security”. “Data protection” is passé, except among lawyers and compliance officers. Meanwhile international action against the e-crime industry has finally begun, leading to sharp drops in spam and malware for a fortnight or so while the “dark markets” reconfigure and re-establish control of leaderless botnets and mule teams after their herders have been taken out. We are even seeing the beginning of action to clean up the Internet addressing system to reduce opportunities for fraud and impersonation. But most of those bidding for the newly available government cybersecurity budgets appear stuck in a time-warp.

Most conferences still conclude with recommendations that are remarkably akin to those in the 2002 paper, “e-Crime: a new opportunity for partnership”. Most of the 69 recommendations in the six main papers produced over five years ago in the EURIM-ippr study into “Partnership Policing in the Information Society” have not yet been properly actioned. We have Get Safe On-line, the Fraud Authority, CEOP, PCEU, OCSIA, CSOC and a whole alphabet soup of other initiatives competing for attention and funds – but nowhere near enough co-operation across law enforcement boundaries, let alone between law enforcement and industry, users as well as suppliers.

The Conservative e-Crime policy as announced by David Davis when he was Shadow Home Secretary also called for the response of government and law enforcement to be brought together in partnership, as recommended in the EURIM-ippr study, with industry – who would be expected to contribute most of the effort and expertise. We can now see Ministers trying to implement that policy.

Will their efforts be helped or hindered by defence contractors bidding for the £650 million diverted from high tech hardware and battlefield training technology to cybersecurity? We have just seen one of the UK’s main security training operations closed and the staff dispersed with the cancellation of an MoD contract on which it had spent over £30 million in bidding costs. Is that a problem or an opportunity? At the same time MoD has cancelled the FACTIS framework contract “to save money”. Ditto.

Perhaps more worrying is the view among defence contractors that 80% of spend should be on organisation-wide information assurance, with most of the rest on top-end security and only a fraction on developing resilience for when things go wrong.

The message from the Information Society Alliance (EURIM) work on Security by Design is that we can no longer afford such an inefficient, wasteful and potentially disastrous approach. We should be focussing on risk reduction strategies that remove the vulnerabilities themselves. For example, if SCADA systems are so vulnerable, why do they need to be permanently on-line to the Internet (whether directly or via VPNs)? Why is the exploitation of low-cost, trusted computing technologies like that of WAVE not commonplace?

Is the real reason for the focus on information assurance, rather than vulnerability reduction and predator removal, that the latter could put at risk the multi-billion pound cybersecurity sticking plaster industry?

P.S. I enjoyed reading Andrea Simmons’ blog on the launch of Get Safe On-line week. She, like myself, is a great fan of GSOL. But why do so many mouth words of support while launching yet more awareness initiatives? We should be trying to get GSOL to critical mass, giving it the resource to remedy its weaknesses. I will say more on this when the work of the Information Society Alliance on Cybersecurity Skills is ready for announcement.

We are agreed. Our web-based systems are vulnerable. Not just ours. Any web-based systems.

The government know it and have allocated another few hundred million pounds to the problem.

The newspapers know it and cover cyber-invasion stories worldwide.

The banks know it and spend ever-greater amounts defending web-banking and containing the problem to manageable proportions.

The vulnerability of web-based systems to attack is common knowledge.

Except in the Cabinet Office, apparently, where they plan to deliver all or most public services over the web, see for example here and here.

Shall we tell them?

Hardly had I finished posting, Philip, when an email from a satirist colleague of yours at Computer Weekly arrived, entitled "Complimentary Round Table Event – Grow your Business not your IT Spending through Cloud Computing".