Defence Industrial Strategy suggests the UK is ready to start taking its homegrown infosec industry seriously
Doc makes all the right noises if you like government support for business
In a change from its recent bombastic blather, the British government has published a new Defence Industrial Strategy that looks like it wants to put the infosec industry on a gold-plated pedestal.
"Government also needs to provide complementary support to industry and ensure that the public sector can access the right skills to remain an intelligent customer," said the Defence and Security Industrial Strategy whitepaper published this week.
While the paper was about the wider defence supply chain and not just infosec, a large part of it was about the so-called "cyber" sector. Last week's Integrated Defence Review (another whitepaper) has pushed the British infosec market into sharper focus across government and it looks not only as if government wants more involvement in growing the infosec industry – but that it has also started thinking about how to achieve that.
While the IDR was full of "Global Britain" bombast even as it slashed military budgets, headcounts, and equipment programmes, the industrial strategy underpinning it looks like a far more credible document setting out a clear intent to deepen existing ties with industry – as far as infosec is concerned anyway.
Existing military-industrial relationships (such as Team Complex Weapons, which builds missiles for the RAF and Navy) will be expanded to include the cyber security sector on similar terms, said the paper. This, we are told, will form part of a wider "Team UK" setup intended to deepen links between the Ministry of Defence, Department for International Trade, and the Home Office with the information security (or "cyber", as UK.gov likes to call it) world – a move that might prick up some ears in medium-sized businesses.
In some ways this whitepaper junks 2016's five-year National Cyber Security Strategy (which the Cabinet Office had pretty much given up on by the tail end of 2020) while expanding that document's focus on governmental involvement with the private tech 'n' infosec sector; almost presenting an exoskeleton to fit over Adam Smith's invisible hand.
The Royal United Services Institute, the defence establishment's favourite think tank, was favourable about the "cyber" parts of the whitepaper with "distinguished fellow" Conrad Prince writing: "An ambition to be a world leader in new technology is at the heart of it. That aspiration is closely coupled with cyber security, which acts both as an enabler for this agenda as well as being dependent on its success."
Professor Alan Woodward of the University of Surrey told The Register the whitepaper might mark the start of government taking a much more active interest in the UK cyber security sector's commercial fortunes than it has to date, musing that the UK "can exercise soft power in a way, by helping with [government] being in control of the intellectual side, intellectual properties of these [products and services] as they start to emerge and become strategic assets for the world."
A cross-government approach to cyber security skills is becoming clearer as well, with the Ministry of Fun* having set up a new UK Cyber Security Council as a "governing voice for the cyber security profession in the UK", though existing professional bodies and training providers have remained noticeably quiet about this.
TechUK, which bills itself as the voice of the British tech industry, was predictably anodyne when we asked for its thoughts, with a spokesman describing the industrial strategy whitepaper as "reassuring" for its focus on "strategic imperatives of national importance".
Some of those strategic imperatives includes the MoD's "crypt-key" capability. Rather than relying on foreign (even US) cryptography, the UK rolls its own from first principles, using the result to protect everything from nuclear submarine communications to internal government messaging. There are few businesses in that sector and UK.gov wants more of them, and for them to be more commercially successful at what they do.
"Together, government and industry seek to identify improvements in working practices that meet the needs of both parties to ensure successful delivery of Crypt-Key projects," said the review, describing how GCHQ offshoot the National Cyber Security Centre oversees the UK cryptography industry. "This includes the sharing of risks as appropriate, collaborative and collegiate working between teams and including industry partners as much as possible when articulating the problems that government wishes to solve."
Professor Woodward added: "And that goes more than just saying... we don't want the company being sold off and under the control of some unfriendly power. They also say that some very small companies could very well have some significant intellectual value and be of some strategic value to the country. Not just actually from a sort of economic point of view."
National sovereignty and freedom of action, independent of international opinion, was also touched upon in the whitepaper, which argued that "operational independence" would "increasingly be shaped by our access and ability to share data with industry and across systems in a consistent way." If industry cares for it, there's potentially lucrative contracts to be scooped up in the near future – or so the government wants it to be seen.
International appetite for Western cryptography products may or may not have been diminished by the Crypto AG scandal but it seems the British government is quite keen to give that market a go.
British foreign and defence policy might be a small voice with an increasingly smaller stick behind it, but the infosec industry looks like it'll come out of the 2020s quite well.
If, that is, UK.gov follows up these words with the promised actions and the whole thing doesn't flop to the ground like the British Army is about to do. ®
* Department for Digital, Culture, Media and Sport
** When El Reg predicted last year that Britain was "on the brink of a fundamental shift in how both public and private sectors approach the topic of cyber security," we did, of course, know all of this was coming. Ahem.