The powers of public bodies to carry out surveillance and investigation should be reviewed with every parliament, says former UK home secretary David Blunkett.
Although the Regulation of Investigatory Powers Act (Ripa) has been reviewed three times since 2000, it needs to be updated more frequently, he told the inaugural (ISC)² EMEA Security Congress in London.
“It is important to ensure this legislation is keeping pace with technological change and to check no public bodies are misusing the legislation to get more access than intended,” said Blunkett.
He said the rapid pace of technological change also creates uncertainty and insecurity, with cyber criminals and nation states continually trying to break through the barriers.
In the light of this reality, Blunkett said it is essential for modern societies to address the dire lack of cyber skills, knowledge and awareness through better training and greater sharing of information.
According to the (ISC)² Global Information Security Workforce Study, 56% of organisations said there are not enough people with the technical skills to defend against cyber attacks.
“The skills crisis is not just about numbers, but also about expertise and continued professional development to meet the new and emerging threats and challenges,” said Blunkett.
“While in government, I oversaw £1bn investment in hardware and software in schools, but I made the substantial error of not investing enough in training teachers,” he added.
Blunkett admitted that if he were to do it all again, he would put much more emphasis on skills to understand technology and how to use it in a secure way.
“If we are training people in using technology and we are not equipping them at the same time to understand the security risks, we are letting down our business and our country,” he said.
Lack of awareness a major challenge
Lack of awareness of the cyber threat is also a major challenge that needs to be addressed, said Blunkett.
Many people do not take the cyber threat seriously, he said, because not all cyber attacks are reported, with companies trying to prevent reputational damage by not admitting when they are breached.
“There needs to be a greater willingness to share information, and banks and governments should be encouraged to be more transparent in this regard for the benefit of all,” said Blunkett.
In any democracy, he said, there also needs to be an open and public debate on the necessary trade-offs of civil liberties required to keep society safe. “We need a debate on what is acceptable and what is not.”
People a security risk
As part of the training and awareness piece, Blunkett said there should be greater focus on people as potential security risks.
“Organisations need to consider and understand the importance of people like contractors, temporary staff and supply chain partners to their cyber security,” he said.
In this regard, he said academia, business and law enforcement should look at introducing and expanding programmes to share skills and expertise.
“It would be beneficial to second people to benefit business, academia and law enforcement, so we need to start talking more about sharing cyber skills and expertise,” said Blunkett.
“This should include public prosecutors and other members of the judiciary because there is also a desperate need in this sector for understanding about cyber threats,” he said.
In closing, Blunkett said there is also much to learn in the political arena when it comes to cyber security.