The Chancellor, Philip Hammond, signalled a more muscular approach to combating state-sponsored cybercrime and cyber espionage on Tuesday.
Announcing a new National Cyber Security Strategy, he fleshed out details of how the £1.9bn earmarked for the purpose would be spent by the National Crime Agency.
Rather than simply responding after the fact of an attack to minimise damage, Hammond has indicated that the UK would retaliate in kind against attackers. “If we do not have the ability to respond in cyberspace to an attack which takes down our power network – leaving us in darkness or hitting our air traffic control system grounding our planes – we would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response. That is a choice we do not want to face and a choice we do not want to leave as a legacy to our successors.”
James Tolfree, UK director of network security specialist Cryptzone, says that “talk of ‘strike back’ represents quite a change in mindset. Traditionally, UK governments’ cyber strategy has focused on ‘defence’, but in recent months we have heard much more rhetoric around an offensive cyber capability. This recognises that cyberspace is a new battleground and that you can’t be in a battle space with only a defensive position, especially when dealing with state-sponsored cyber-attack strategies.”
Some of the cash will be spent on public education and training of cyber security experts. Ethical hacker Ralph Echemendia recently said that cyber security skills are in such short supply that cyber security experts now often earn more than some executives.
Responding to the government announcement, several cyber security experts give their verdict on the Chancellor’s announcement below.
“Given the cost to the UK economy is estimated to be as much as £11bn per year, some might ask if this response is enough”
Given the cost to the UK economy is estimated to be as much as £11bn per year, some might ask if this response is enough.
One of the main challenges is the ‘shape-shifting’ nature of cyber threats. We’ve seen a very fast evolution of cyber threats from well organised criminal organisations as well as state-sponsored attacks.
These now take on a multi-vectored form, utilising combinations of advanced reconnaissance, elegant well-hidden malicious code and social engineering. Traditional cyber defence strategies that tend to focus on the concept of protecting network perimeters haven’t kept pace with the criminals and cannot respond to these advanced threats.
So whilst increased government spend should broadly be welcomed and applauded, unless it is focused towards a fundamental shift in approach to cyber defence, it risks being a case of good money after bad.
It is a little too early to say what this will mean for cyber security in the UK. It is encouraging that part of the funding has been earmarked for training cyber security professionals as there is currently a noticeable skills-gap here in the UK.
It is also encouraging that funding will be available to innovative start-up cyber security businesses. The UK has long been respected for its skills in this sector, but in order to maintain this position, strong investment from both government and industry is needed.
Gavin Millard, EMEA technical director, Tenable Network Security
“With ageing critical national infrastructure, investments need to be made to remediate easily exploitable services and reduce the available attack surface an adversary could target”
As demonstrated last week with the Mirai DDoS levied against the East Coast of America, bringing down huge swathes of internet services for a short time, infrastructure can easily be, and will more frequently be, targeted in the future.
With ageing critical national infrastructure, investments need to be made to remediate easily exploitable services and reduce the available attack surface an adversary could target.
Cyber attacks affecting our citizens are becoming part of everyday life. Money is the current target for most attackers, but if the approaches they take are more political in nature, we could see the UK severely impacted unless proactive steps are taken to reduce the risks.
“We need to place this threat in the same arena as the Police and Armed Forces and stop treating it as an inconvenience”
National investment into cyber-security can only be encouraged as recent events have shown. We need to place this threat in the same arena as the police and armed forces and stop treating it as an inconvenience.
It is important, however, that this investment does not create barriers around the UK’s cyber infrastructure, such that it reduces the overall benefit of the web. This ‘Balkanisation’ of the internet should be avoided, else we retreat from the cyber world quicker than Brexit.
Hopefully the investment will be far-reaching and not only help the advancement of cyber-security companies in the UK but also the education of the general public. The world wide web has been around for over 20 years and basic security controls are still ignored by the general populace; we are told frequently to close our windows and doors, not to speak to strangers, don’t always trust people at your front door are who they say they are – yet how many people still don’t have a screen lock on their smartphone?
“Taking down an electrical grid or breaching an air traffic or railway network, doesn’t just cause disruption and financial damage, it puts lives at risk.”
The investment is a reflection of how seriously the Government is taking the problem. Safeguarding the populace from cybercrime is worthy, but there also needs to be a sharpening of focus on protecting critical infrastructure.
There is a rising risk from cyber attacks targeting vital services such as transport, utilities and industrial systems within the UK. Taking down an electrical grid or breaching an air traffic or railway network, doesn’t just cause disruption and financial damage, it puts lives at risk.
The fact the same IT systems manage everything from banking infrastructure to power stations, makes them a target for attack.
More investment means the UK can become better at staying ahead of the vast array of continually advancing threats. This is achieved through better technology, education and sharing of threat intelligence.
In an ideal world, investment should be underpinned by added legislative teeth. This will help ensure that companies and IT companies take the responsibility to protect their assets and customers at all levels seriously.
“Given the speed with which cybercrime is becoming both a national and international problem one concern I have about today’s news is that £1.9bn and a five-year plan underestimates the ever growing problem”
The government’s National Cyber Security Strategy is a welcome initiative and will help in raising awareness of the severity of the issue that both businesses and consumers face when it comes to their personal and private information being at the mercy of cybercriminals.
Given the speed with which cybercrime is becoming both a national and international problem one concern I have about today’s news is that £1.9bn and a five-year plan underestimates the ever growing problem. Day by day the amount of information sent via the internet and stored insecurely is increasing at a far greater pace than the solutions that are coming to market can deal with, so it is not just a question of investing in more preventative measures, but ensuring there’s a much greater understanding of how to protect oneself, which is likely to take a great deal longer than five years given the way technology evolves.
We recently undertook our own nationwide research into business and consumer behaviour in respect to cybersecurity and, worryingly, the results showed that people claim to be highly aware of the cyber threats they face. However, they still send and receive personal and confidential information in a way that shows they do not understand the issue and wholly miscalculate the risks they are opening themselves to, in what is clearly a ‘laissez-faire, it won’t happen to me’ attitude.
The research highlights that not only are consumers putting themselves at risk, but businesses are doing little to prevent their customers being subjected to cybercrime, something that urgently needs to be resolved with better education on the subject and the right solutions that protect individuals and small businesses.
“Most government cyber-security funding focuses on critical infrastructure protection. When funding increases it is usually because definitions of ‘critical’ expand or changes in adversary attack techniques require more investment”
When it comes to national cyber defence, most of the time current funding focuses on critical infrastructure protection. When funding by governments increases, it is usually attributed to two main factors: definitions of ‘critical’ often expand and changes in adversary attack techniques require more investments.
If expansions in the cyber defence programme are attributed to expanded scopes, more resources will be required. Often this comes in the form of outreach grants and new laws to help assist the corporate side. It also means increased collaboration between government and private industry.