The National Audit Office (NAO) has published a report announcing that the UK doesn't have enough skilled workers to protect it against online attacks and asking Blighty's schoolkids to step into the breach.
The number of cyber security professionals in the UK has not increased in line with internet growth, according to the NAO, which blames the skills gap on a lack of promotion of science and technology subjects at school.
The report recommends that schools step up technology and cyber security lessons, in the hope of creating a new generation of IT specialists. But the report says that even if this happens the lack of experts may leave Britain vulnerable to cyber attacks for up to 20 years.
Amyas Morse, head of the NAO, said that "the threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack."
Two years ago, the National Cyber Security Programme allocated £650m over five years to boost the UK's cyber-security defences, after deciding that cyber threats posed a tier-one threat on a par with international terrorism to the UK's security. The central power in controlling that budget has become GCHQ, although the police and other agencies have also benefited.
Last year the government announced that it would be putting £8m towards the development of security skills at universities in order to shore up the battle against cybercrime.
Ross Parsell, director of cyber security at defence technology firm Thales, agreed that the government agency should look to schools to provide its future web defence force.
"To tempt talented people into a career in cyber security, the government needs to get them while they’re young," Parsell said. "Last month’s announcement that the government is to make Computer Science a core subject being taught in British schools is a step in the right direction.
"The challenge now is to ensure that the dots are joined up between policies like this at national level and the curriculum being delivered at our schools, colleges and universities,” Parsell added.
The NAO identified six key challenges faced by the government in implementing its cyber security strategy. These included the need to "influence industry to protect and promote itself and UK plc"; to address the UK’s current and future ICT and cyber security skills gap; to increase awareness so that people are not the weakest link; to tackle cyber crime and enforce the law; to get government to be more agile and joined-up; and to demonstrate value for money.
Its report - published on Tuesday - is designed to set the scene for future political debate about the UK's Cyber Security Strategy by groups like MPs on the Committee of Public Accounts.
IT security firms nearly all single out the skills shortage as the most important issue covered in the NAO's UK cyber security strategy: Landscape review report.
Jarno Limnell, director of cyber security for firewall firm Stonesoft, praised the NAO's analysis and blasted the EU's new cybersecurity directive for "throwing money" at the problem.
"The UK NAO report is a breath of fresh air, especially in light of last week’s misguided proposal by the European Union which suggested that cyber threats can be solved by creating more statutes, directives and restrictions," Limnell said. “Correctly, the NOA doesn’t just recommend throwing money at the problem. The right approach should be based on a strategic and technical understanding of the risk. This is the only way that the appropriate levels of defensive and offensive cyber security measures can be implemented and the relevant expertise acquired or nurtured. This leads to both cost efficiencies and better national security defences against cyber attacks.”
Thurstan Johnston, sales engineer at security tools firm Faronics, said that organisations need to think beyond relying on traditional security tools (antivirus, firewall and intrusion prevention) as well as worrying about recruitment.
"There is no question that a shortage of skilled professionals is extremely detrimental to our cyber defence effort and it is something the government seriously needs to address...
"However, there is not just a skills gap to consider, but also a huge awareness gap that needs to be filled. Many organisations still believe that they are sufficiently protected with just a good security package, which not only indicates blazing ignorance, but also a lazy approach to combating cyber crime that could have expensive consequences." ®
"The cost of cyber crime to the UK is currently estimated to be between £18 billion and £27 billion," according to widely diverging estimates about the cost of cyber crime cited by the NAO. It also quotes figures of 44 million cyber attacks against the UK in 2011, again without quoting sources. Do port scans count? Because if they do I could probably get somewhere near that figure just from events on a personal ZoneAlarm log over a month or so alone.
Yes, we exaggerate - but only a bit.
Cyberthreat estimates are a notoriously inexact science, as we've noted more than a few times, and stats in government reports on cyber-security are best ignored. If health policy were based on a similar unscientific methodology then we might end up prescribing everyone in the UK sugar pills to combat winter flu, after taking evidence from homeopaths, assuming that group shouted the loudest in medical discussions.