£1.3bn National Cyber Security Strategy? Meh – we're looking at 2021, Cabinet Office shrugs

'Progress' report shows nobody's really paying attention any more

How is Britain's £1.3bn National Cyber Security Strategy going? Nobody really cares any more – even the Cabinet Office, judging by its latest progress report.

In a report issued this week the Cabinet Office waffled for several tens of pages saying how much work Britain's various governmental organs had done that vaguely fits under the banner of the National Cyber Security Strategy.

Yet nowhere in the report did it explicitly say "we have done what the strategy was meant to achieve". Neither did it say it had missed its goals, or say exactly where £1.3bn of public money had gone – even though the five-year plan expires in a few months.

Penny Mordaunt MP, the Paymaster General (aka Cabinet Office minister Michael Gove's bag carrier and cyber security minister) said in the report's foreword: "Our approach to cyber security strategy post 2021 will reinforce the outcome of the current Integrated Review of the UK's foreign, defence, security and development policy."

Aside from that, about the only tangible thing the report did say was that the next overarching national infosec strategy would be baked into the long-delayed Integrated Review, which will be the cornerstone of Britain's foreign policy in years to come. Cyber security having been enthusiastically adopted by the more military-minded side of government, it seems 2016's priorities are a long way from what civil servants want to do in the immediate future.

While the Cabinet Office progress report contains some details of things achieved over the past year (ranging from "published a cyber security toolkit" to launching specialist police cyber crime units), the report does not relate these to any of its "strategic outcomes" beyond merely reproducing them as haphazard bullet points.

Industry, however, will be pleased to note that UK infosec exports were apparently worth £3.96bn in 2019, an increase of almost £2bn on the previous year. This suggests government is beginning to see that an infosec sector that thrives on its own two feet, rather than one that exists purely to serve UK government contracts, is a valuable thing.

As the Royal United Services Institute think tank said last year when it published a paper on the future of the strategy:

To succeed, there will need to be more engagement with the private sector – to move the discussion beyond generalities and into specifics. There must be a clear mutual understanding as to where UK government responsibility ends, and private sector accountability begins. This dialogue is at present only in the early stages.

Despite online security clawing its way up the government's list of priorities, it appears that the National Cyber Security Strategy has been largely overtaken by events. Earlier this month the worst-kept secret in Whitehall, the existence of the National Cyber Force, was revealed to the world, while the Foreign Office has gleefully swung from the coat-tails of the EU and the US Department of Justice as the bodies imposed international sanctions and criminal charges on individual Russian hackers.

Back in 2016 the UK renewed its £1.9bn cyber security spending pledge, a splurge that gave birth to the National Cyber Security Centre and sowed the seeds for Britain's newly acknowledged National Cyber Force state-sponsored hacking crew.

Three years later the National Audit Office (NAO) huffed that the Cabinet Office wasn't doing very well on the plan, known by then as the National Cyber Security Programme – but said that embarrassed civil servants had retreated behind unspecified "security reasons" to gag the NAO from saying precisely what had gone wrong.

While that may or may not have been a factor in the Cabinet Office's report being as dreary as it is, it is clear that Britain is on the brink of a fundamental shift in how both public and private sectors approach the topic of cyber security. ®
