Public has role to play in cyber security, Commons Committee told

The UK government needs to help raise cyber security awareness and engage more with industry and academia, an expert panel has told the House of Commons science and technology committee.

The committee was hearing evidence on cyber attacks as part of its inquiry into scientific advice and evidence in emergencies.

While the experts agreed that public input and involvement was not necessary in the case of cyber attack, they said that by spending money on raising awareness of the need for the public to keep their computers secure, the overall threat could be reduced.

"There needs to be a change in behaviour both within the UK business and consumer communities," said Robert Hayes, senior fellow, The Microsoft Institute for Advanced Technology in Governments.

"I would like to see money spent on encouraging the public to bring their computers up to a minimum level of defence, to use free resources and apply application patches," he said.

All levels of cyber attack could be reduced, said Hayes, by increasing defence in depth across all computer users.

Botnets, which are used to carry out large-scale cyber attacks, are largely made up of consumer machines, said Peter Sommer, visiting professor, London School of Economics.

Educating people about the importance of protecting their computers would not only benefit consumers, but also the country and the world, he said.

Asked whether government is using scientific advice well to protect against cyber attacks and interact with researchers, most experts agreed there was wide consultation, but Sommer said it was difficult to know to what extent government was keeping up.

It was important for government to maintain and increase engagement with the IT industry, said Hayes, because as attackers tested their cyber weapons on live systems, industry would be best placed to give a global perspective.

Information sharing with the private sector was taking place, said Malcolm Hutty, head of public affairs, London Internet Exchange, but Sommer said it was largely on an informal basis.

Hutty said a lack of funding for cyber departments within the police force meant the private sector seldom received any feedback, making industry feel excluded.

Ross Anderson, professor of security engineering, University of Cambridge, said the requirement for security clearance often inhibited relations with researchers because it prevented them from writing about many topics on which they were consulted.

But Sommer told Computer Weekly that although he did have security clearance, he had never found that an obstacle.

Anderson also said the UK government needed to be more open with the information security community and was less involved with leading edge research into topics such as security economics than the US government, for example.

Mark Welland, chief scientific adviser, Ministry of Defence, agreed the UK government did not always do as well as its US counterpart, but said the MoD was working to increase the number of questions posed in the unclassified arena.

Welland said he favoured the approach of engaging experts in an unclassified way as much as possible, but getting the necessary security clearances when there was good reason to do so.

The expert panel also recommended that government should encourage regulators to become more IT aware and have a more "modern" view of risk, endorse some sort of digital credential to give greater assurance on the internet, give support to private sector operators of critical infrastructure, and focus on network resilience.
