In advance of the updated version of the UK Cyber Security Strategy being published in the second half of 2011, senior Government officials have underlined the criticality of specialist industry suppliers working closely with the Government and its agencies to address and combat the range of cyber threats faced from state-sponsored organisations and serious organised crime groups. VEGA, a leading provider of information assurance solutions, considers what needs to happen to make such a partnership work.
The 2010 National Security Strategy took the landmark step of categorising the threat to the UK cyberspace as a Tier 1 security risk. This clearly demonstrated the UK Government’s awareness of the potential cyber threat and its commitment to preventing attacks.
Since the Strategy’s release, cyber threats and attacks on the UK and around the world have been increasingly significant, with state organisations and international corporations falling victim to such incidents. Among the global brands to have been targeted are Sony, Amazon, Citigroup and MasterCard, while the International Monetary Fund and G20 are two inter-governmental bodies affected by cyber attacks.
Aside from the high profile cyber attacks, which end up being reported in the media, there are potentially thousands of other cybercrime incidents which go unreported, or more worryingly, unnoticed across businesses and organisations of all sizes, "costing the global private sector as much as $1 trillion in intellectual property each year," according to a report published by Deloitte.
A clear and present danger
Recognising that the cyber threat is no longer a future prospect, but a very "clear and present danger" – according to the Director General for Information Security and Assurance at GCHQ, Jonathan Hoyle – the Government is now embarking on a series of major activities to address the rising cost of cyber crime to the UK economy – currently standing at an estimated £27bn per year.
These include investing an additional £650m in cyber security over the next four years to help improve the UK’s national infrastructure and protect against cybercrime; joining the newly-formed International Cyber Security Protection Alliance (ICSPA); and helping facilitate a working forum of UK stakeholder companies.
Delivering a joined up response
In a speech to the information assurance industry in July 2011, Cabinet Office Minister, Francis Maude, whose remit includes the cyber security portfolio, said: "Businesses and public bodies must put short-term commercial interests aside in favour of regularly pooling knowledge and resources for the national interest.
"Though banks and financial institutions already work closely with SOCA and the Metropolitan Police’s e-crime unit in this regard, and energy providers share information with the Centre for the Protection of Critical Infrastructure (CPNI), as far as I know we are the first country to take this approach in such a broad and systematic way."
Most would recognise the value of such a group, but might conclude that it is taking too long to come to fruition. The fragmented nature of both the UK’s Critical National Infrastructure (CNI) and UK PLC has resulted in a lack of consolidated investment in cyber security. The associated absence of ‘spend to save’ measures in this area, coupled with a vacuum of legislation – with the exception of the Information Commissioner’s Office’s (ICO) ability to penalise data losses and infringements – has consequently failed to incentivise businesses to invest in information assurance as they should.
Clarity of Government vision
The fact is, for all the political rhetoric, private and public sector organisations are still failing to take the threat seriously. The Government must now adopt an educative role and be absolutely clear about its expectations from UK PLC and cyber security specialists, in order to achieve its objective of the UK being the world leader on cyber security.
The updated Cyber Security Strategy, to be delivered in the second half of 2011, is an obvious vehicle for the Government to use in communicating its vision and clearly explaining the measures it will be putting in place to educate and prosecute those who are complacent.
Taking the lead from successful accreditation initiatives such as the CESG Listed Adviser Scheme (CLAS) – a partnership linking the unique Information Assurance knowledge of CESG with the expertise and resources of the private sector – the Government must implement a dedicated accreditation scheme that generates industry partners specialising in the highest levels of cyber security.
Additionally, defining what ‘good cyber security’ looks like – for example, in terms of assessing the value of various Security Operations Centres (SOCs) in the same marketplace – is fundamental, enabling suppliers to qualify against standardised, kitemarked security levels.
Educating UK PLC
Furthermore, businesses must be educated about the risks and opportunities relating to cyber security. After all, £21bn of the £27bn lost to cyber crime in the UK can be attributed to industry (with £2.2bn borne by government, and £3.1bn by individuals). Using independent and accredited specialists, businesses can more easily identify their risk appetite and priorities for information security activities.
Once an initial analysis of a company’s requirements has been completed, a cyber security policy – akin to BSI standardisation, which reflects significant investment in and commitment to information assurance – could be a key business differentiator.
Not only could such investment assure clients and help win new business, but preferential insurance rates may be offered as providers recognise and reward businesses and organisations that have invested in cyber security. After all, burglar alarms and window locks are looked upon positively by home insurers, so why shouldn’t measures taken to safeguard one’s cyberspace be equally recognised?
Making the UK a world leader in cyber security
GCHQ’s Jonathan Hoyle’s assertion that "as a nation, seeking economic advantage, we will also achieve a significant boost to our prosperity if we can position the UK as the nation of choice for conducting business in cyberspace and a cyber centre of excellence for skills, technology and knowledge," sends a clear message about the UK’s objective to be the world leader on cyber security – an aspiration VEGA, as one of the UK’s leading information assurance and cyber security specialists, fully supports.
However, before being recognised as genuine leaders on the international stage, UK Government and PLC must themselves be exemplars – not only setting best practice but living by it too.
We have the opportunity to not only ensure the UK cyberspace is a global example of information assurance best practice, but from this security base, drive prosperity and improve the lives of individuals and communities.
Contact VEGA for more information about cyber security