UK.gov's pricey Five Year Plan to see off cyber thugs still in place

UK Chancellor Philip Hammond is due to reaffirm a pledge to spend £1.9bn up until the end of 2020 to bolster the UK’s cyber security strategy in a speech early this afternoon.

The updated strategy [84-page PDF] - which doesn’t include any new spending pledges¹ - is expected to include an increase in focus on investment in automated defences to combat malware and spam emails, establish a fund earmarked to recruit 50 specialists to work on cybercrime at the National Crime Agency, the creation of a Cyber Security Research Institute and an “innovation fund” for cyber security startups. All this investment is needed because of increased threats from nation state attackers, terrorists and organised crime gangs, the Chancellor is expected to say.

The strategy offers a revamp of a UK government cyber-security programme first put forward in 2009. Hammond is expected to criticise UK business’s apparent reluctance to invest in cyber security to protect itself and has highlighted the use of regulators, insurers and investors to drive a better response from companies. UK government will become an “early adopter” in the latest security technologies.

Hammond is expected to speak positively about the use of the European General Data Protection Regulation (GDPR) to drive up standards in cyber security. The legislation comes into full force in May 2018 and threatens punitive fines for negligence that results in data breaches. It’s likely UK will either enact something similar to the GDPR or else incorporate European rules into UK law post-Brexit.

'The only disappointment with the strategy is the failure to recognise that cyberspace is invented, implemented and run by international businesses, not governments'

Infosec vendors have welcomed the UK strategy revamp, not least, we suspect, because it represents a golden opportunity to sell more kit to the UK government.

Andrew Rogoyski, head of cyber security at CGI Group and chair of Tech UK’s Cyber Security Group, an expert given advance sight of the strategy, commented: “The strategy’s sheer breadth of response and ambition is impressive, from the creation of the National Cyber Security Centre (NCSC) as a focal point for best practise, to the creation of offensive cyber capabilities, the promise to strengthen sovereign capabilities in cryptography and the relentless pursuit of cyber security skills.

“The only disappointment with the strategy is the failure to recognise that cyberspace is invented, implemented and run by international businesses, not governments – there is a strong need to work more closely with global technology companies in order to really deliver our digital future in a way that is safer and more secure,” Rogoyski added.

Richard Horne, cyber security partner at PwC, added that the infosecurity problem can’t be solved by simply spending more money on improving security defences.

"It's not just about having more budget to buy more technology to patch cyber security holes,” Horne said. “UK organisations need to take a more strategic approach to how they spend their increased budgets to start to see a real uptick in security posture. Getting cyber security right means changing an organisation to be securable and that requires all aspects of a business to be engaged - from tough decisions at a board level, to the consideration of cyber risk in all decision-making processes.”

Ed Parsons, associate director at consultancy MWR Infosecurity, expressed doubts as to whether the strategy would go anywhere towards bridging the cyber-security skills gap.

“It is unclear from where the government will find 50 cybercrime specialists for the NCA when there is such a massive skills shortage within the industry,” said Parsons. “The necessary changes to recruitment within the industry will not be achieved overnight. Instead, the reality is this government-backed initiative should be seen as a multi-year, perhaps generational effort to drive sufficient numbers of specialists into cyber security.

“With corporations competing for the same resources, we would like to see more emphasis on apprenticeships, internships and exchanges,” he added.

Bootnote

¹ The £1.9bn to fund the UK’s national cyber security strategy was allocated last year as part of a five year plan.