
Government’s cyber security policy: decide or delay?

The UK government is leaving too many of its options open and needs to implement effective cyber security rules now

Abraham Lincoln said if he had eight hours to chop down a tree, he would spend six hours sharpening his axe. The Tories’ election strategist Lynton Crosby updated the same idea by saying, “You can’t fatten a pig on market day”.

Away from the cameras, just about any political strategist could give you even earthier advice, along the lines of “perfect preparation prevents poor performance”.

Whichever way you put it, careful planning is essential to good policymaking, especially for something as important as cyber security. But the Cabinet Office’s interim cyber security strategy, which builds on a detailed paper published in 2016, simply risks putting off big decisions rather than taking them now.

The problem is not government underestimating cyber risks or being complacent about the measures needed to address them.

Mandarins and ministers are both aware of the real threat posed by inadequate cyber security policies – and following the extensive media coverage of recent attacks on our public services, with many people experiencing their effects first hand, there is an appetite for improved cyber security among voters too.

The government even has a good idea of where it is falling short – in its recent paper on the subject, the Cabinet Office admits “we recognise the risk that we are already behind the curve” in some key areas.

Strong incentives

Beyond the immediate need to keep citizens, businesses and public services safe, the government has strong incentives to set the right approach to cyber security.

Brexit is clearly the main focus for nearly everyone in Whitehall but, regardless of whether there is sufficient progress in talks or just a merry dance until 2019, the UK’s ability to foster digital enterprise is going to be vital in determining our economic future outside the European Union (EU).

The government’s interim cyber security strategy risks putting off decisions that really need to be taken now
Greig Baker, Guide Consultancy

The government’s approach to tax relief for research and development (R&D), investment in digital infrastructure, and creating sensible cyber regulation will all have a huge economic impact – and one that is likely to be beyond the terms of any EU or World Trade Organisation rules.

In Whitehall, there is an explicit recognition that there are “significant industrial opportunities which the UK is ideally placed to exploit, thanks to our permissive regulatory framework, excellent research base and innovation infrastructure”, and it is these opportunities the government wants to foster with its “interim” cyber security strategy.

To this end, the Cabinet Office paper seeks to set out “how the UK government approach will integrate identification of emerging technologies and future technologies into its cyber security policy [to allow] the UK to be a world leader, capitalising on our expertise in cyber security and using security as a competitive advantage”.

Practical measures

To give credit where it’s due, the government’s interim strategy does offer some welcome practical measures. The Cabinet Office promises to “use the weight of UK government procurement to spur innovation” and make it “easier for smaller companies to do business with government”, all while committing to being “less risk averse in trialling and using new products”.

Ministers have also earmarked the National Cyber Security Centre (NCSC) as the “single authoritative voice for cyber security science and technology”, which is a helpful steer for any company looking to meet changing public procurement rules on cyber security.

The government promises it will practise what it preaches on boosting cyber standards, saying all “departments will be required to account to a panel chaired by the government chief scientific adviser on the extent they have incorporated NCSC’s guidance and scientific best practice into their policy making”.

Politicians are even showing an admirable regard for where work can best be done by the private sector, citing financial services companies’ investment in financial technology (fintech) as evidence that a light regulatory touch can help “because we anticipate the market [can] deliver solutions”.

But after that, the government’s interim cyber security strategy starts to get a bit hazy. Worse, it risks putting off decisions that really need to be taken now.

In 20 pages of text, there are more than 30 different instances of the Cabinet Office promising to conduct a “review”, or “consultation”, or even launch an entirely new “strategy” in one related policy area or another before it is willing to set out specific recommendations to address practical concerns. Much of the paper reads more like a vague to-do list than a proper description of what has already been decided.

A dynamic response is needed

It would be unfair to criticise the government too strongly for this. Civil service resources have been moved to support the Brexit negotiations, leaving less capacity to work on other policy areas.

At the same time, the absence of a reliable government majority in Parliament makes it much harder to get new policies onto the statute book, even when ministers have a clear idea of what they want to do.

However, understanding the government’s predicament does not make it any less frustrating – or potentially damaging. Not only is the cyber threat evolving at pace and demanding a dynamic response now, but the longer government delays action the more dramatic it is probably going to have to be.

To give just one example, the interim strategy correctly states that government data must be “held securely, whether in data storage centres or hosted in the cloud”. But it doesn’t address concerns about how even cloud-based servers have to use a physical data storage centre somewhere – and potentially in a country with a different judicial system and a different approach to privacy and safety issues.

As more government departments are using internationally owned cloud data storage facilities, those concerns could grow very quickly if ministers do not have clear mitigation measures in place soon.

It is encouraging that government is seeking to constantly update its cyber security strategy, but delaying important decisions will only make it harder to implement effective solutions.

Thinking back to Lincoln and his axe, it’s all very well taking Honest Abe’s advice on preparing for big political changes, but unless government steps up the pace – and soon – there’s a real risk that it could be lumbered with a set of very sharp, but entirely redundant, tools.
