UK cyber defences get £650m, but is it enough?

David Cameron confirmed that £650m will be provided for UK cyber defences in the Strategic Defence and Security Review, but the IT security industry has expressed concerns about how this will be allocated

Prime minister David Cameron confirmed that £650m will be provided for UK cyber defences over a four-year period in the Strategic Defence and Security Review, and while this is about a third more than expected, the IT security industry has expressed concerns about how this will be allocated.

The announcement has been widely welcomed by the industry because it demonstrates the government understands the importance of cybersecurity defences, as well as joined-up thinking on how this integrates with national security.

"We need to fix the shortfalls in the critical cyber infrastructure on which the whole country relies," says Cameron.

It is very encouraging to see cyber security being prioritised by the government, says Tony Dyhouse, cyber security director of the Digital Systems Knowledge Transfer Network, but it will be interesting to see exactly how this money will be spent.

The biggest concern of the IT security industry is around the allocation of funding for cyber security training, especially within law enforcement agencies.

Fighting the cyber war requires an army of prize troops, and the UK does not have enough of them, says William Beer, director, OneSecurity, PricewaterhouseCoopers.

"The people element is often overlooked in building strong cyber defences, but this funding will be vital in attracting top talent into the industry as well as providing security professionals with the best training and support," he says.

Although it is impossible to predict the future, says Beer, gaining insight into new developments will help to build better defences against potentially crippling cyber attacks.

Judy Baker, director of the UK Cyber Security Challenge set up to identify and attract talent to the industry, says priorities for the funding should include supporting professional organisations that are working to constantly adapt to counter threats to our cyber security.

"We look forward to seeing the impact of such a significant investment in the sector and watch with interest to see how this investment can support the development of a pool of talented cyber security specialists upon which the UK will undoubtedly rely," she says.

Adequate investment in national and international cyber threat information sharing systems is another area of industry concern.

Cybercriminals have established cross-border alliances and trading markets to carry out and monetise their attacks, says Paul Judge, chief research officer at Barracuda Networks.

"Governments must do the same in order to effectively pursue these criminals," he says.

It remains to be seen if these objectives will be met by the establishment of a UK Defence Cyber Operations Group, as outlined in the Strategic Defence Review.

Judge also highlights a common call for greater collaboration between the IT security industry to develop the best tools and the best policy.

The government must work with security experts from across the country, and if necessary the world, to produce a watertight, considered strategy to battle international cybercrime, says Rob Cotton, chief executive of NCC Group.

"While much of this protection can be achieved by patching simple vulnerabilities in existing networks, other threats will require specialist defence strategies and responsive action," he says.

The UK and US are drafting a Cyber Operations memorandum of understanding covering cybersecurity responses, the government says.

Input from the private sector could be valuable, says Ray Bryant, chief executive at security supplier Idappcom, as the IT industry has demonstrated it is possible to meet the needs of a good IT security strategy while at the same time cutting costs to meet budgetary constraints.

"It is against this backdrop that we would encourage small companies to form partnerships with the government when it comes to developing an effective cybersecurity strategy," he says.

There are concerns that budget cuts outlined in the Comprehensive Spending Review will hit IT spending and leave public sector bodies facing serious security challenges, but Bryant says the lessons being learned in the private sector can also be applied to the public sector.

Having recognised the importance of cyber security and allocated funds for its provision, the government's real challenge is in allocating those funds in an effective way.

The funding, while a positive move, also has to be seen in perspective because, as IT security professionals point out, cybercriminals are extremely well funded.

The £650m is a large some of money, but this must be set against the enormous resources of the underground economy and the potential financial losses to the UK.

Read more on IT risk management