
RSAC16: UK government to change tack on cyber security

The UK government is thinking about becoming more interventionist to ensure the next five years yield a better return on investment in cyber security, according to CESG cyber security head

The UK government is to change tack in its mission to raise cyber security standards in the country, after its last five-year plan failed to deliver better results.

Despite doing a lot of work and spending “quite a lot of money”, the UK is not winning the cyber security battle, according to the UK’s national technical authority for information assurance CESG.

Although the UK can point to achievements around understanding and mitigating the threat and addressing the skills gap, the “bottom line is that [the past five-year plan] has not worked,” Alex Dewdney, director of cyber security at CESG, told RSA Conference 2016 in San Francisco.

This is illustrated by the fact that 90% of large UK organisations reported breaches in 2015, he said, citing the UK government’s 2015 information security breaches survey.

However, Dewdney was quick to add that the figure would have been higher – and companies would be losing a lot more data – were it not for the government’s investment and actions.

“All that has been worthwhile, but there has been something of a mantra in the UK that the solution to our problems is information sharing and public-private partnerships,” he said.

However, he said the UK government is moving away from the belief that if it keeps doing the same thing, it will magically result in improvement.

“That approach by itself is not enough. We are starting to think about the extent to which government needs to be more interventionist and active in how it takes on some of these challenges – still with industry, but doing more than providing threat information and expecting companies to deal with it,” he said.

Improving government cyber security

Dewdney was speaking on a panel along with White House cyber security co-ordinator Michael Daniel and CTO of Israel’s National Cyber Bureau Tal Steinherz.

For Israel, Steinherz said challenges in the year ahead included implementing a newly developed cyber security strategy, as well as setting up a cyber security authority to oversee that process.

Daniel said the US believes that, unless the underlying cyber security challenges are addressed, there is a risk of the internet becoming a liability for the West.

“The president has charged us with finding ways of moving the needle and making a difference in our cyber security in the next 10 to 11 months. But [we must] also put the country on a better trajectory to get ahead of those threat trends over the next three to five years,” said Daniel.

Regarding improvements in government cyber security, Dewdney said this was a “huge” focus in the UK because of the drive to put services to UK citizens online. This is a key part of making government more efficient and effective.

OPM cyber attacks inspire action

Referring to the cyber attacks on the US Office of Personnel Management (OPM), which compromised personal data on more than 20 million current and former government employees, Dewdney said it was very scary for those responsible for UK government cyber security.

“It scared people who had not thought much about cyber security, which was really helpful,” he said.

The OPM breaches, said Dewdney, led the UK government to recognise the need to reform the role of its senior information risk owner (Siro).

The breaches inspired a fast-paced survey of the UK government’s holdings of bulk data, as well as a measurement of the extent to which government departments were adhering to a “fairly basic set” of control measures, which in turn led to remedial action.

Asked whether managed security services are a potential answer to the problem of requiring a relatively small agency – such as the OPM – to look after its own cyber security, Daniel said the US government has learned that the model of “every agency on its own” is probably not going to work.

“Expecting agencies the size of OPM to be able to deploy the latest in cyber security capabilities – given the threat we face – is probably not realistic. But that does not mean that they should not have responsibility for protecting their information.

“What we are really talking about is saving them from having to provision their own cyber security. There should be centralised cyber security – and a lot of their other IT work should be common services as well.


“This is the direction we need to have for the federal government. It will get our cyber security capabilities focused in a few key agencies where we can concentrate talent and get the economies of scale that we need,” said Daniel.

Dewdney said that, from a UK perspective, there is something about managed services that makes a “ton of sense”. However, he said that “we can’t afford to dilute the sense of the risk being owned by people who run the department”.

“When you use terms such as managed services or outsourcing, you may not mean to transfer the risk, but it can affect the attitudes of the senior management of the organisation. Once you have lost that, you are in deep trouble,” said Dewdney.

In Israel, said Steinherz, the government has an “innovative tender” for a government security operations centre that included some managed services.

“It’s a combination of outsourcing – so we get the best technology – but there is a mixture of government and outsourced employees. We have established a unit in our government that instructs the governmental officers on cyber security. The responsibility is theirs, but there is someone who provides them with best practices and standards,” he said.  

Fixing legacy issues

Another key challenge for government, said Daniel, is the issue of legacy systems that “afflicts many companies”. It is relatively easy to get money to maintain legacy systems, he said, but hard to get money to replace them.

“You maintain the old stuff way longer than you should. The consequence is that it becomes really hard to defend. This means we have dug ourselves a very deep hole that is going to take a while to get out of,” he said.

However, Dewdney said he was envious of Daniel’s ability to spend “cyber money” on fixing legacy IT issues, which is a huge challenge for the UK government.  

“I try to make this argument that there is a need to fix legacy issues before tackling anything more sophisticated. But there is a reluctance [in UK government] to spend cyber programme money [on what is considered to be] subsidising government departments’ IT budgets, despite the aim in mind,” he said.


Asked about resources, Daniel said the $19bn figure in the president’s budget for the next financial year backs up the government’s cyber security plans with significant resources.

In the UK, Dewdney said it is not so much a money issue as it is a human resources issue. “There is the lack of availability of people with the relevant skills nationally, but there is also an extent to which an organisation such as CESG, which tries to provide cyber security services and do operations, can recruit and retain skills in public service.

“It’s also about technical leadership in government because – on the whole – the UK government leadership does not have the same technical skills as the leaders of technology companies.”

Dewdney said that when it comes to resources, the UK government always runs out of people before it runs out of money.

In Israel, said Steinherz, this problem is somewhat offset by the fact that the government identifies cyber security talent and develops it through training in computer science, cyber security and ethics through its compulsory military conscription programme.

Cert priorities around the world

Asked what their national computer emergency response teams (Cert) are focusing on, Daniel said the US Cert is getting industrial control systems (ICS) owners and operators to step up their game. This is making them realise they have got to make the same investments in cyber security that the financial services industry has been making for the past decade.

Steinherz said vulnerabilities in ICS are the big threat every country is facing. “Israel’s focus is to come up with best practices, because the necessary technology is available. It is also to spread awareness of the issues, as ICS goes far beyond critical infrastructure and touches every manufacturing line, every control in datacentres and many ‘smart’ buildings,” he said.

Cert-UK, said Dewdney, is looking very closely at the UK’s national incident response processes to bring them all into a single, more coherent response framework. It is also looking at integrating Cert-UK into the UK’s planned new national cyber centre to bring the different arms of government together.
