Government’s cyber security strategy is a lost opportunity

Shortly after the publication of the US Cyberspace Policy Review the government released its own strategy: "The Cyber Security Strategy of the United Kingdom", writes Crispin Blunt, shadow minister for home affairs and counter-terrorism.

Cyber security is a serious priority for the Obama administration. The cyber security report was one of the first commissioned by the administration on 9 February. Its findings were presented personally by the president on 29 May, and the review itself is an in-depth analysis covering the most prevalent issues of cyber security.

Having had 12 years to think about it, the same cannot be said for the government's published strategy. The proffered excuse is that the disclosure of detailed analysis would expose potential vulnerabilities to those with malign intent. One would have thought they could have found a middle ground between compromising national security and this "Ladybird" version of the US strategy, in which policy is noticeable for being absent. Minimal or no attention is given to key areas such as coordination of the new cyber structures with existing agencies, response to a cyber incident, information sharing between government and industry, and international action.

The threat is real and growing. It comes from state actors, as the Estonians and Georgians can testify, having suffered Russian cyber attack. It could come from terrorist groups, who are exploring the possibilities of crippling critical national infrastructure, and from organised crime and individual hackers. The scale is breathtaking: the Association of Chief Police Officers estimates worldwide online fraud at £52bn in 2007. Cyber criminals, undoubtedly including state actors among them, are estimated to have stolen intellectual property from businesses worth up to $1 trillion last year.

The government's response was to announce the creation of a Cyber Security Operations Centre (CSOC) to monitor trends and developments within cyber space. There will also be a new unit set up in the Cabinet Office, the Office of Cyber Security (OCS), to oversee the implementation of the new Cyber Security Strategy.

Muddle of agencies and mandates

However, there are already 16 different departments and agencies listed as being involved in cyber security in appendix 2 of the strategy. If there has been an assessment of the different mandates, achievements and efficiency of these organisations it hasn't been made public. It is difficult therefore to see how the new cyber structures will advance efforts towards a comprehensive and coordinated response. Instead, the government looks in danger of presiding over a patchwork muddle of agencies and mandates.

There is no consideration within the strategy of how we would respond to a cyber attack. No mention can be found of a framework for response or of who would lead it. There is no discussion of issues such as back-up communications networks for security and emergency personnel. All of these are given coverage in the US review.

Effective means to resolve the problems faced in sharing information between government, industry and the research community are considered at some length in the US review. This includes the government sharing information with industry and, where possible, providing the research community with cyber-security event data. This could be expanded to facilitate the sharing of vulnerabilities and incidents with trusted allies.

This is a sad contrast with the attitude of the current Labour government, where the desire to restrict information sharing has led to the diluted document put before us as a "strategy". The private sector complains that some of the agencies set up to advise and assist businesses in protecting their networks, such as CESG, are good at gathering information but reluctant to disseminate it.

This culture of information hoarding has to be changed. Otherwise how can we make a thorough appreciation of the risks and consequences of cyber attack and facilitate the adoption of best practice and the most appropriate cyber defence strategy across the board?

Formulaic jargon

The Cyber Security Strategy of the United Kingdom is a master of the formulaic jargon we have come to associate with the Labour government, but this cannot hide the fact that it is almost totally devoid of substance. The government cannot go on pretending that this is due to considerations of national security when nations such as the United States are willing to publish comprehensive and considered analysis such as we have seen recently.

President Obama was also able to make explicit the limitations that will be placed on US authorities: "Our pursuit of cyber security will not include monitoring private sector networks or internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans." I fear what our government currently has in mind would preclude the current British prime minister saying something similar.

Conservative plan

A Conservative government will set up a National Security Council to deliver a strategy for the UK. That strategy will flow from a comprehensive security and defence review. The lines of authority and responsibility will be clear.

One of the most urgent tasks is to deliver international cooperation between states on cyber issues. We can no longer tolerate even supposedly friendly states trying to peer at our electronic secrets. This is no longer about privileged information; it is about the secure delivery of our critical national infrastructure. Failure of any of the information systems that control our energy, traffic or food distribution could have catastrophic consequences.

All states, including those with which we have a sometimes difficult relationship, have too much at stake not to cooperate in this area. We can all unwittingly harbour groups who will attack other states electronically. This was a casus belli when Afghanistan played host to Al Qaeda. With the damage that can now be caused by successful electronic attack, this threat must be managed. A new Geneva Convention on cyber warfare is required. This is but one area on which our strategy is almost completely silent. A new government with a new approach for the digital age is required. It is time for our analogue leadership to move aside.