UK doesn't have the SKILLS to save itself from cyber threats

Report: Only schoolkids can protect us


The National Audit Office (NAO) has published a report announcing that the UK doesn't have enough skilled workers to protect it against online attacks and asking Blighty's schoolkids to step into the breach.

The number of cyber security professionals in the UK has not increased in line with internet growth, according to the NAO, which blames the skills gap on a lack of promotion of science and technology subjects at school.

The report recommends that schools step up technology and cyber security lessons, in the hope of creating a new generation of IT specialists. But the report says that even if this happens the lack of experts may leave Britain vulnerable to cyber attacks for up to 20 years.

Amyas Morse, head of the NAO, said that "the threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack."

Two years ago, the National Cyber Security Programme allocated £650m over five years to boost the UK's cyber-security defences, after deciding that cyber threats posed a tier-one threat on a par with international terrorism to the UK's security. The central power in controlling that budget has become GCHQ, although the police and other agencies have also benefited.

Last year the government announced that it would be putting £8m towards the development of security skills at universities in order to shore up the battle against cybercrime.

Ross Parsell, director of cyber security at defence technology firm Thales, agreed that the government agency should look to schools to provide its future web defence force.

"To tempt talented people into a career in cyber security, the government needs to get them while they’re young," Parsell said. "Last month’s announcement that the government is to make Computer Science a core subject being taught in British schools is a step in the right direction.

"The challenge now is to ensure that the dots are joined up between policies like this at national level and the curriculum being delivered at our schools, colleges and universities," Parsell added.

The NAO identified six key challenges faced by the government in implementing its cyber security strategy. These included the need to "influence industry to protect and promote itself and UK plc"; to address the UK’s current and future ICT and cyber security skills gap; to increase awareness so that people are not the weakest link; to tackle cyber crime and enforce the law; to get government to be more agile and joined-up; and to demonstrate value for money.

Its report - published on Tuesday - is designed to set the scene for future political debate about the UK's Cyber Security Strategy by groups like MPs on the Committee of Public Accounts.

IT security firms nearly all single out the skills shortage as the most important issue covered in the NAO's UK cyber security strategy: Landscape review report.

Jarno Limnell, director of cyber security for firewall firm Stonesoft, praised the NAO's analysis and blasted the EU's new cybersecurity directive for "throwing money" at the problem.

"The UK NAO report is a breath of fresh air, especially in light of last week’s misguided proposal by the European Union which suggested that cyber threats can be solved by creating more statutes, directives and restrictions," Limnell said. "Correctly, the NAO doesn’t just recommend throwing money at the problem. The right approach should be based on a strategic and technical understanding of the risk. This is the only way that the appropriate levels of defensive and offensive cyber security measures can be implemented and the relevant expertise acquired or nurtured. This leads to both cost efficiencies and better national security defences against cyber attacks."

Thurstan Johnston, sales engineer at security tools firm Faronics, said that organisations need to think beyond relying on traditional security tools (antivirus, firewall and intrusion prevention) as well as worrying about recruitment.

"There is no question that a shortage of skilled professionals is extremely detrimental to our cyber defence effort and it is something the government seriously needs to address...

"However, there is not just a skills gap to consider, but also a huge awareness gap that needs to be filled. Many organisations still believe that they are sufficiently protected with just a good security package, which not only indicates blazing ignorance, but also a lazy approach to combating cyber crime that could have expensive consequences." ®

Bootnote

"The cost of cyber crime to the UK is currently estimated to be between £18 billion and £27 billion," according to widely diverging estimates about the cost of cyber crime cited by the NAO. It also quotes figures of 44 million cyber attacks against the UK in 2011, again without quoting sources. Do port scans count? Because if they do I could probably get somewhere near that figure just from events on a personal ZoneAlarm log over a month or so alone.

Yes, we exaggerate - but only a bit.

Cyberthreat estimates are a notoriously inexact science, as we've noted more than a few times, and stats in government reports on cyber-security are best ignored. If health policy were based on a similar unscientific methodology then we might end up prescribing everyone in the UK sugar pills to combat winter flu, after taking evidence from homeopaths, assuming that group shouted the loudest in medical discussions.

