The UK government has published a progress report praising its own achievements in the two years since it launched an ambitious plan to make Britain the best place to do e-commerce.
The National Cyber Security Strategy (NCSS), launched in November 2011, also has the goals of making the UK more resilient to cyber attack, building partnership between government and the private sector and developing the UK’s cyber security knowledge, skills and capability.
The strategy is supported by £860m from the National Cyber Security Programme, an increase from the initial funding allocation of £650m.
Francis Maude, the Cabinet Office minister who oversees the UK's Cyber Security Strategy, explained the rationale for increased funding at a time of general austerity and cost cutting. "The cyber attack will remain a serious threat to our national security," Maude explained in a statement.
"That is why our work with other sectors," he added, "such as academia and R&D, will continue to benefit strongly from secure government funding. As a result of the 2013 spending review we have directed an additional £210m investment to this area, making £860m of sustained government investment on cyber to 2016."
Science minister David Willetts added that skills training was a key part of delivering on the overall programme.
"We are working closely with business and universities to ensure the country has the skills and knowledge it needs to meet the cyber challenge," Willetts said. "We want to show students and businesses that cyber security does not simply pose a threat. It gives those who take it seriously an opportunity to gain new expertise, or even a commercial advantage."
Building skills can help UK-based security software developers and consultancies to bring in export sales. The UK government has set a target of more than doubling annual cyber exports from the UK to £2 billion a year by 2016. "With a new £2 billion target for cyber exports, we will also be helping the UK cyber sector to grow and keep the UK ahead in the global race," Willetts commented.
Future plans to develop the strategy include a cyber security kitemark for firms that want to do business with the UK Government, boosting UK cyber exports and providing a cyber security baseline standard. Only the baseline standard is in any way controversial.
UK government plans for the coming year include establishing a new Cyber Security Suppliers’ scheme, developed through the Cyber Growth partnership; this will allow businesses to state publicly to prospective clients that they supply government with cyber security products and services.
Other plans include the development of an industry-led organisational standard, based on the ISO27000-series, to give the cyber-security industry a clear baseline to aim for, ensuring focus on basic cyber hygiene and protection from low-level threats. The standard would be adopted by government in its procurement where proportionate and relevant, thereby encouraging uptake and giving companies a demonstrable competitive edge.
This approach sounds a bit like the not infrequently criticised PCI DSS standards for credit card merchants. Even otherwise supportive IT suppliers are cautious about the proposed scheme.
Richard Archdeacon, head of security strategy at HP Enterprise Security Services, said: "Whilst the introduction of an industry-led organisational Standard for Cyber Security is laudable, businesses should only regard this as the bare minimum. Furthermore, as these measures are well documented and indeed known by our adversaries, companies need to go above and beyond in order to truly secure their critical data."
Other government ideas call for the development of a "Massive Open Online Course" in cyber security by summer 2014 for the Open University. The course has the potential to reach 200,000 students, both domestically and overseas, and will be available online at no charge.
UK.gov also hopes to back the launch of a research institute, which will focus on Trustworthy Industrial Control Systems, a key area of concern in the post-Stuxnet world of running power plants and systems that rely heavily on SCADA industrial control technology. Ministers are also backing continued funding for the Cyber Security Challenge, so that the program to find the next generation of cyber security workers can do more work with schools.
HP's Archdeacon welcomed the focus on education in the government's plans.
"HP is fully supportive of the Cabinet Office’s efforts in the realm of cyber security. Undoubtedly, cyber security has become one of the biggest threats to companies and businesses around the world and the countries in which they are based. Not only can a breach affect an organisation’s bottom line and reputation, but we’ve seen numerous cases where high value intellectual property has been stolen," he said.
Ilias Chantzos, senior director government relations EMEA at Symantec, also endorsed the focus on education in pushing the UK's Cyber Security strategy forward: "Today’s commitment to a government-led awareness campaign, supported by industry, across the general public and small businesses is an important investment. Further education is vital in highlighting the profound impact cyber threats have on businesses, individuals and the wider UK economy."
Ross Brewer, vice president and managing director of international markets at security tools vendor LogRhythm, is also upbeat. "This new strategy, which includes an open online course in cyber security, funding for the Cyber Security Challenge and a series of guiding principles, will undoubtedly better prepare UK businesses and raise awareness of cyber crime, which is key when faced with today’s sophisticated threats. By building skill sets and tightening standards, it will hopefully stimulate the much needed adoption of even basic threat detection steps," he added.
Developments in the UK government's strategy are explained in policy papers here on the gov.uk website.
A written ministerial statement on progress against the objectives set out in the UK Cyber Security Strategy, which Maude delivered in parliament on Thursday, can be found here. ®