The UK is still operating in pre-cyber attack mode, but that needs to change before it is hit by a major cyber attack, according to Jonathan Shaw, head of the defence cyber operations group at the Ministry of Defence (MoD).
The UK should learn from Estonia, hit by a wave of cyber attacks in 2007, which operates a virtual cyber defence system in post-attack mode that harnesses all cyber users, Shaw told attendees of the Govnet Cyber Security 2011 conference in London.
“In reality all of us are already under cyber attack all the time, and just as we have done in the physical world, we need a national response,” Shaw said.
The UK can learn from Estonia, which takes the cyber threat seriously, while most UK organisations believe it does not involve them and do not realise how important it is, said Shaw.
The government’s communications intelligence agency GCHQ is the obvious central pillar of that national response as the UK’s centre of excellence in cyber security, he said, which is why it has won 57% of the £650m allocated for cyber security over four years.
Shaw’s defence cyber operations group in the MoD has been allocated around £90m. He said a significant part of it will be used to educate military personnel to use cyber as another tool.
The national security strategy draws on the MoD’s organisational ability to harness the national capability to protect UK interests in cyberspace and enable a unified national and international effort, said Shaw.
“There is already an established hierarchy of internet liaisons, most notably between the US, UK and Australia, which have all signed a memorandum of understanding on collaboration in cyber security,” he said.
“The key message is that mass attacks are swamping technological responses and we need to change our behaviour to make it more manageable,” said Shaw.
According to GCHQ, as much as 80% of cyber threats could be eliminated by good cyber hygiene, while Microsoft recently put this figure at 92%.
“This gives us hope that individual actors can have a positive effect on the national effort,” he said.
The UK needs to recognise that this is a problem for all and follow Estonia’s example of harnessing the efforts of all to improve the country’s cyber security posture.