Defence Industrial Strategy suggests the UK is ready to start taking its homegrown infosec industry seriously

Doc makes all the right noises if you like government support for business

In a change from its recent bombastic blather, the British government has published a new Defence Industrial Strategy that looks like it wants to put the infosec industry on a gold-plated pedestal.

"Government also needs to provide complementary support to industry and ensure that the public sector can access the right skills to remain an intelligent customer," said the Defence and Security Industrial Strategy whitepaper published this week.

While the paper was about the wider defence supply chain and not just infosec, a large part of it was about the so-called "cyber" sector. Last week's Integrated Defence Review (another whitepaper) has pushed the British infosec market into sharper focus across government and it looks not only as if government wants more involvement in growing the infosec industry – but that it has also started thinking about how to achieve that.

While the IDR was full of "Global Britain" bombast even as it slashed military budgets, headcounts, and equipment programmes, the industrial strategy underpinning it looks like a far more credible document setting out a clear intent to deepen existing ties with industry – as far as infosec is concerned anyway.

Existing military-industrial relationships (such as Team Complex Weapons, which builds missiles for the RAF and Navy) will be expanded to include the cyber security sector on similar terms, said the paper. This, we are told, will form part of a wider "Team UK" setup intended to deepen links between the Ministry of Defence, Department for International Trade, and the Home Office with the information security (or "cyber", as likes to call it) world – a move that might prick up some ears in medium-sized businesses.

In some ways this whitepaper junks 2016's five-year National Cyber Security Strategy (which the Cabinet Office had pretty much given up on by the tail end of 2020) while expanding that document's focus on governmental involvement with the private tech 'n' infosec sector; almost presenting an exoskeleton to fit over Adam Smith's invisible hand.

The Royal United Services Institute, the defence establishment's favourite think tank, was favourable about the "cyber" parts of the whitepaper with "distinguished fellow" Conrad Prince writing: "An ambition to be a world leader in new technology is at the heart of it. That aspiration is closely coupled with cyber security, which acts both as an enabler for this agenda as well as being dependent on its success."

Professor Alan Woodward of the University of Surrey told The Register the whitepaper might mark the start of government taking a much more active interest in the UK cyber security sector's commercial fortunes than it has to date, musing that the UK "can exercise soft power in a way, by helping with [government] being in control of the intellectual side, intellectual properties of these [products and services] as they start to emerge and become strategic assets for the world."

A cross-government approach to cyber security skills is becoming clearer as well, with the Ministry of Fun* having set up a new UK Cyber Security Council as a "governing voice for the cyber security profession in the UK", though existing professional bodies and training providers have remained noticeably quiet about this.

TechUK, which bills itself as the voice of the British tech industry, was predictably anodyne when we asked for its thoughts, with a spokesman describing the industrial strategy whitepaper as "reassuring" for its focus on "strategic imperatives of national importance".

Some of those strategic imperatives includes the MoD's "crypt-key" capability. Rather than relying on foreign (even US) cryptography, the UK rolls its own from first principles, using the result to protect everything from nuclear submarine communications to internal government messaging. There are few businesses in that sector and wants more of them, and for them to be more commercially successful at what they do.

"Together, government and industry seek to identify improvements in working practices that meet the needs of both parties to ensure successful delivery of Crypt-Key projects," said the review, describing how GCHQ offshoot the National Cyber Security Centre oversees the UK cryptography industry. "This includes the sharing of risks as appropriate, collaborative and collegiate working between teams and including industry partners as much as possible when articulating the problems that government wishes to solve."

Professor Woodward added: "And that goes more than just saying... we don't want the company being sold off and under the control of some unfriendly power. They also say that some very small companies could very well have some significant intellectual value and be of some strategic value to the country. Not just actually from a sort of economic point of view."

National sovereignty and freedom of action, independent of international opinion, was also touched upon in the whitepaper, which argued that "operational independence" would "increasingly be shaped by our access and ability to share data with industry and across systems in a consistent way." If industry cares for it, there's potentially lucrative contracts to be scooped up in the near future – or so the government wants it to be seen.

International appetite for Western cryptography products may or may not have been diminished by the Crypto AG scandal but it seems the British government is quite keen to give that market a go.

British foreign and defence policy might be a small voice with an increasingly smaller stick behind it, but the infosec industry looks like it'll come out of the 2020s quite well.

If, that is, follows up these words with the promised actions and the whole thing doesn't flop to the ground like the British Army is about to do. ®


* Department for Digital, Culture, Media and Sport

** When El Reg predicted last year that Britain was "on the brink of a fundamental shift in how both public and private sectors approach the topic of cyber security," we did, of course, know all of this was coming. Ahem.

Similar topics

Other stories you might like

  • Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware
    Russia-linked crime-as-a-service crew is rich, professional – and investing in R&D

    Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.

    In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

    What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we're told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).

    Continue reading
  • Supreme Court urged to halt 'unconstitutional' Texas content-no-moderation law
    Everyone's entitled to a viewpoint but what's your viewpoint on what exactly is and isn't a viewpoint?

    A coalition of advocacy groups on Tuesday asked the US Supreme Court to block Texas' social media law HB 20 after the US Fifth Circuit Court of Appeals last week lifted a preliminary injunction that had kept it from taking effect.

    The Lone Star State law, which forbids large social media platforms from moderating content that's "lawful-but-awful," as advocacy group the Center for Democracy and Technology puts it, was approved last September by Governor Greg Abbott (R). It was immediately challenged in court and the judge hearing the case imposed a preliminary injunction, preventing the legislation from being enforced, on the basis that the trade groups opposing it – NetChoice and CCIA – were likely to prevail.

    But that injunction was lifted on appeal. That case continues to be litigated, but thanks to the Fifth Circuit, HB 20 can be enforced even as its constitutionality remains in dispute, hence the coalition's application [PDF] this month to the Supreme Court.

    Continue reading
  • How these crooks backdoor online shops and siphon victims' credit card info
    FBI and co blow lid off latest PHP tampering scam

    The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites.

    It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data is siphoned to fraudsters to exploit. The Feds this week have detailed one such effort that reared its head lately.

    As early as September 2020, we're told, miscreants compromised at least one American company's vulnerable website from three IP addresses: 80[.]249.207.19, 80[.]82.64.211 and 80[.]249.206.197. The intruders modified the web script TempOrders.php in an attempt to inject malicious code into the checkout.php page.

    Continue reading

Biting the hand that feeds IT © 1998–2022