US cyber security review will help UK do better

Cyber threat is one of the most serious economic and national security challenges faced by the US, president Barack Obama has acknowledged.

The same is therefore true for the UK and most other countries, but in unveiling the findings of a cyber security review he ordered, Obama said the US is not as prepared as it should be.

Former UK home secretary David Blunkett is among an increasingly vociferous coterie of MPs who say the UK too should and could be doing more to strengthen its cyber defences.

What can the UK learn from the US cyber security review?

The most important points are that the threat is real, and that countering it effectively is going to take a collaborative and co-ordinated effort by the public and private sectors.

Dubbing the computer a potential "weapon of mass disruption," Obama has committed the US to a new and comprehensive approach to secure its digital infrastructure.

Obama should be applauded for classifying information infrastructure as a strategic national asset, says Howard Schmidt, former White House IT security advisor and current head of the Information Security Forum.

Top of the US president's action list is to appoint a single cyber security tzar to lead an office in the White House that will co-ordinate all cybersecurity-related government policy.

This corrects one of the biggest errors of the previous administration, says Alan Paller, director of research at the Sans Institute, which specialises in information security and training.

The White House has much more authority to get things done, which was lost when cybersecurity was moved out to the Department of Homeland Security (DHS), he says.

"The DHS has zero influence over other [US government] agencies," says Paller.

Jay Chaudhry, chief executive of security firm Zscaler and former researcher into vulnerabilities of US critical infrastructure, says a powerful cybersecurity co-ordinator will bring focus to the problem.

"A strong action-oriented business and tech-savvy executive with the support of the president can overcome the turf battles that are natural in any large organisation," he says.

According to Chaudhry, the cybersecurity czar's first task should be translating strategies into tangible tactical plans, with botnets as the top target.

"Botnets are the biggest risk to national security, implanted in computers to send secrets to the enemy," he says.

The UK should follow Obama's example, according to Neil Fisher, VP global security solutions at Unisys, a supplier to US government departments.

"We are lacking a centrally accountable official for cybersecurity who reports directly to the PM's office," he says.

Tony Dyhouse, director of the UK's Cyber Security Knowledge Transfer Network (CSKTN), says the roles of individuals and organisations could be more clearly defined and structured.

Having a single cybersecurity co-ordinator would help, with plenty of talent to draw on from those experts pulled together by the UK's National Information Assurance Forum.

But, he says, the UK has several years' head start and made good progress in other areas highlighted by the US cybersecurity review.

In particular, Dyhouse says the UK leads in public and private sector collaboration on cybersecurity, which is recognised in the review and prioritised by the US president.

The review recommends using the "British model" in which information security providers are used as the "nexus for combining data" rather than government.

"The emphasis Obama is putting on cybersecurity will act as a catalyst for the private and public sector to do more than they have in the past," says Chaudhry.

Obama has also prioritised strategies to secure the national digital infrastructure; to co-ordinate responses to cyber attacks; to foster security research, and to promote cybersecurity awareness.

Internationally, the US plans to promote co-operation on things like policy, technical standards and territorial jurisdiction.

In all these areas the UK has made a good start, says Dyhouse, and through the CSKTN has been promoting cross-sector and international collaboration on a co-ordinated response to cyber threats.

The findings of the US cybersecurity review highlight the need to continue and increase these efforts, he says. "It is a wake-up call. Something to rally behind."

The UK particularly needs to expand on existing programmes to raise awareness of the threat in small and medium sized businesses and members of the public, according to Dyhouse.

"They all need to understand the risk before they can understand the benefits of what the government and big business is doing and what they should be doing themselves," he says.

Increased international collaboration is also important to prevent duplication of research efforts and enable faster innovation to keep pace with technological developments.

President Obama's cybersecurity review has articulated the magnitude of the problem and key strategies for tackling it, which Dyhouse says the UK can use to help identify which gaps to fill.

"The review has focussed my attention on what I can do to help and I hope it will have the same effect on others," he says.
