By Craig Melson, Consultant, London
Last week the Government launched the new National Cyber Security Strategy which sets out ambitious interventionist policies and £1.9bn of funding to improve the nation’s cyber defences.
The strategy (launched to much fanfare by the Chancellor) doubles the budget of the 2011-15 strategy and is centred around three distinct strands:
- DEFEND – Having the means to defend against threats and stop attacks from succeeding.
- DETER – Be a hard target for ‘all forms of aggression from cyberspace’ with the resources in place to proactively launch cyber-attacks.
- DEVELOP – Making the UK a world leading cyber-security hub, with a strong eco-system and measures to get the right skills in place.
The first two strands include many more interventionist policies with some clear directions for private sector operators who Government clearly feel have not done enough to protect themselves or their customers. This is a clear departure from the previous Government that made strides defending the public sector from attacks, but did not want to compel businesses or over-regulate. As well as technological and funding solutions, the Government is also calling for a cultural shift, including a potential ‘cyber ethics’ programme to deter technically minded young people from taking up cyber-crime.
The third strand, ‘develop’, is exciting for the sector with some significant new commercial opportunities for cyber-security companies of all sizes. Firms in this area should be talking to policy makers about these opportunities and will most likely be looked upon favourably as they are high tech, export-friendly, high-skilled, pay well, rich in SMEs and help keep the state safe – all things Westminster and Whitehall like.
So what are the new opportunities?
Whilst the UK lags behind the USA and Israel in developing new cyber products, we are certainly European leaders and Government wants to develop this further. The strategy details plans to spend to support the cyber-security market, laws to make companies more cyber-aware (particularly in critical infrastructure, networks and banks), a public awareness campaign, an expectation that all businesses need to ‘get their house in order’ on cyber and efforts to recruit a new generation of cyber-security experts. The strategy has policies for all sectors, but some ways for cyber vendors to get involved with the strategy include:
- Creating two Innovation Centres to ‘drive the development’ of new companies.
- Government funded testing facilities for companies to trial new products.
- Reforming the accreditation and procurement for cyber-security products.
- Helping start-ups access funds.
Who should you talk to?
The National Cyber Security Centre replaces the myriad of Government bodies that deal with cyber and industry should welcome this. As well as fostering a more collaborative public and private sector response to cyber-threats, this streamlining should make gaining accreditation for new products easier and create one set of policies.
Given the rightful importance the Government places on cyber, companies looking to export should use the strategy to push the newly formed Department for International Trade, which now holds the exports brief. Coupled with the strategy, this will be a great way to highlight to the various parliamentary committees, Shadows and Ministers how cyber-security can generate growth and help with the trade deficit.
The strategy shows that Government wants to make significant progress on improving the nation’s cyber defences and represents a real chance for cyber-security companies to raise their profile and demonstrate their innovations.
Does the strategy go far or spend enough?
The Chancellor called cyber-attacks a ‘Tier One threat’, but £1.9bn is not exactly ‘tier one’ money. While a welcome boost, in defence terms it would buy fewer than twenty F-35 jets or two submarines. Much of the money isn’t new either – some of it has been re-allocated from elsewhere or was confirmed already.
The strategy rightly sets the tone and approach the Government wants to take on cyber-security, but this big picture focus somewhat ignores the day-to-day cyber-attacks most people face. There were over five million cyber-crimes reported annually and prosecution rates for cyber-enabled and dependent crimes are very low. The ‘defend’ and ‘deter’ strands seek to bolster security and could reduce the number of successful attacks, but not every police force has a cyber-crime unit, for example, and the strategy uses vague language on how police forces will go after cyber criminals, but does not discuss how, or what new resources the police will get.
Government also needs to work better between departments to be consistent and make sure their own policies do not undermine the strategy; for example, the Investigatory Powers Bill is set to become law and is not only going to generate a huge amount of data, but could undermine encryption – an essential tool against hackers.
Cyber-security that works for everyone
The Government has now essentially formalised what the cyber-security industry has been saying for years – people and businesses need to be taking cyber-security far more seriously. After a year of high profile attacks on networks and five million reported cyber-crimes, the Government has obviously felt compelled to intervene, especially in the private sector.
Those in the sector should now seize this opportunity to talk to the Cabinet Office and National Cyber Security Centre on how their products can make a difference.