UK cyber security: Government fights full force

The British government says UK cyber crime is as severe as terrorism and will spend billions on a UK cyber security mission that includes education and intelligence gathering.

The British government is ramping up its battle against cyber crime, investing £650 million over four years in UK cyber security and Internet defence.

Though analysts question the validity of a UK government-sponsored report that cites a £27 billion  annual loss due to cyber crime, the government has used these numbers to justify spending on UK cyber security at a time when other public funding is being cut. In fact, since the general election last May, the new government has ranked Internet crime as a focal point for national defence.

Speaking at the Unified Communications Expo in London earlier this month, Lt. Col. Nigel Harrison, an officer in the Royal Signals with expertise in networking, electronic warfare and signals intelligence, explained the government's decision to found the Office of Cyber Security and Information Assurance (OCSIA), where he is now serving on secondment to the Cabinet Office.

“The OCSIA was set up just over 18 months ago,” he said. It became apparent that we needed to do something about our vulnerabilities. It's not just about credit card fraud; it is a huge gamut of threats. It is not just about government securing government cyber activities; it is about overhauling our abilities to detect and defend against cyber attack. And it's not just about national security; it is about the economic well-being of the country.”

The formation of OCSIA was part of a “massive reinvigoration” in security strategy that included merging the Office of Cyber Security with the Cabinet Office's Information Assurance team and the release of a new National Security Strategy report published in October 2010. That report identified hostile cyber attacks as a Tier 1 risk to the nation alongside international terrorism and military crises. 

UK cyber security: OCSIA's role

OCSIA's brief is to support and advise Security Minister Baroness Pauline Neville-Jones and the National Security Council. It also coordinates work on enhancing UK cyber security and information assurance, and on “winning advantage” for the UK in cyberspace. It is based in Cheltenham alongside the Cyber Security Operations Centre, but Harrison stressed that while it works with other government departments and agencies, including the other well-known Cheltenham resident, Government Communications Headquarters (GCHQ), it is not part of GCHQ.

The agency's four areas of operation include the following: addressing cyber security education and skills, combating cyber crime, addressing shortcomings in the critical cyber infrastructure and the public sector, and improving the national cyber security operational infrastructure.

Beyond reducing vulnerabilities in the UK, OCSIA's ultimate goal is to lessen risk by reducing threats. "We want to exploit opportunities in cyberspace by gathering intelligence and intervening against adversaries, and improving our knowledge capabilities and decision-making,” said Harrison.

“This impacts on the workings of at least six government departments, so it needed a cross-governmental programme, plus links with the public sector, industry, civil liberties groups, the public and our international partners, “he said.

He noted too that the Ministry of Defence is forming a new Defence Cyber Operations Group. “Legislation [to force industry to be secure] is an option, but we have got to examine other methods of incentive to ensure that the network infrastructure is secure.”

In the meantime, while cyber crime is high, the UK has done well in protecting itself relative to other European countries. “An EU study 15 or 16 months ago assessed the UK as one of the EU leaders [in cyber security]; maybe even in the top three. But we are a larger and juicier target than many other countries,” Harrison said.

He warned though that plenty more needs to be done. In particular, security needs to become inherent, not an add-on. “Some universities, when they update their IT degree to an IT security degree they just bolt a security module on the end,” he said. “That is just not good enough -- it has to be throughout. For example it has to be secure Web design, not just Web design.”

Read more on Network security strategy