Whether aimed at an individual, private organisation or the public sector, cyber attacks are always about threats to information. This means that everyone should take cyber security seriously because a successful attack can result in the loss of high-value information to an entity: the consequences of such lost data for a public sector body can range from fines and reputational damage to the theft of national secrets and putting the public at risk.
The same rules apply to the public sector as to the enterprise. When thinking about cyber security, a public sector body needs to consider the sort of information it wants to protect; the consequences of losing that information; its risk appetite when it comes to information security; and, importantly, where sensitive data resides in the organisation. Once public sector bodies have taken a mature approach to risk assessment, data protection and dictating response policy, they can make serious strides to improving their cyber security posture.
In recent years the UK government has made significant progress in raising national cyber security standards: on 25 November 2011 the government published its new Cyber Security Strategy which outlines how it plans to create a more trusted and resilient digital environment for the nation; and in September 2012 Minister for the Cabinet Office Francis Maude announced the launch of a new research institute into Cyber Security which will become a focal point for the UK’s efforts to protect cyber space.
New academic centre
The Research Institute in the Science of Cyber Security is the UK’s first academic centre dedicated to studying the cyber threat. Funded by a £3.8m grant, the Institute is part of a cross-government initiative led by GCHQ, the Department for Business, Innovation and Skills (BIS), the Research Councils’ Global Uncertainties Programme (RCUK) and the Office of Cyber Security and Information Assurance (OCSIA).
Led by UCL’s Head of Information Security Angela Sasse, the virtual facility brings together leading authorities in cyber, IT, mathematics, social sciences and other disciplines to increase the UK’s resilience to digital attacks. Academics from the University of Aberdeen, Imperial College, Queen Mary College, Royal Holloway, University of London, Newcastle University, and Northumbria University will collaborate with industry experts and international researchers to address some of the most pressing cyber challenges affecting the public and private sectors. One of the main principles of the Institute is that it will study real life cyber issues, thereby ensuring that its research remains relevant to the rapidly evolving cyber threat.
With the UK already generating 8 per cent of its GDP from the cyber world, it is of critical importance that the UK retains its status as one of the most secure places in the world to do business. The arrival of the Institute is therefore welcome news indeed for the UK. For the very first time, the entire nation will have a focal point for its efforts to improve cyber security and the Institute can carry out important work to tackle current deficiencies in the UK’s cyber security posture.
Public sector cyber security
One of the main benefits of the Research Institute will be to raise cyber security awareness amongst the general public, private enterprise and crucially the public sector. Amongst the upper echelons of the public sector, everyone from government ministers to CIOs in public sector bodies has at least some grasp of the cyber threat. However, there is a clear dichotomy between the message and direction of cyber strategies coming from the top and the implementation of those strategies further down the food chain. It would not be misleading to say that the majority of public sector employees have a very limited grasp of the issues surrounding cyber security and of major national IT projects in general.
As a case in point, a survey was recently conducted into awareness of the Public Services Network – one of the most important UK ICT projects in recent years. The Public Services Network is designed to be the cornerstone of the UK’s ICT strategy and is designed as a ‘Network of Networks’ for the public sector to share resources, ease the procurement burden and instil a minimum security standard of IL2. Of those surveyed, sixty-one percent of respondents stated that they were completely unaware of the initiative, which is indicative of the challenge the UK government is facing.
Relieving the pressure
When it comes to cyber security, it is usually the case that IT managers in the civil service, military and emergency services look to Government Communication Headquarters for guidance. But Cheltenham simply doesn’t have the capacity to deal with all enquiries. The new Research Institute should help relieve some of the pressure on GCHQ and go some way to addressing unanswered queries.
Another area where the Institute can greatly help with the nation’s cyber security efforts is in tackling the serious skills shortage the UK faces when it comes to qualified information security personnel. The private sector currently struggles to hire staff with the necessary skills and experience to work in cyber security. Workers with cyber expertise are a scarce resource and command premium salaries, which drives up operational costs. The public sector usually cannot compete on salary packages with the private sector, which places the nation in a vulnerable position.
The obvious problem here is that the UK is simply not producing enough graduates or post-graduates with the right IT skills to meet demand. An additional pressure is that university leavers with the right skills frequently do not see information security as an attractive career path.
While it is relatively easy to attract younger children to cyber security with talk of codebreaking and the dark arts, the UK needs to be much more proactive in encouraging secondary school children to take up IT courses and gain an interest in information security. Last year Michael Gove pointed out how IT lessons at secondary schools were ‘demotivating and dull’ for the majority of students: we’re focusing on PowerPoint and Excel when we should be teaching children how to code. It is therefore pleasing to see the government acting on its word and phasing in programming lessons so that students can learn some hard skills. Projects such as the Raspberry Pi initiative – where inexpensive, single-board computers are provided to schools with the intention of teaching basic programming – may also help in this regard.
Finally, the Research Institute will be able to conduct the sort of academic research that the private sector cannot. As has been stressed time and time again, if the UK is to adequately address the cyber threat, collaboration between the public and private sector is critical. If we were to leave the problem to the public or private sector alone, we simply would not address all sides of the issue. Many security firms, for instance, have expertise in the banking and finance industries, transport, defence and critical national infrastructure which they can bring to the UK’s cyber security project. However, the government must work with a range of organisations to ensure all bases are covered. The Institute will be able to provide an overall strategy and groundbreaking ideas.
Fitting into Cyber Security Strategy
The Research Institute is an integral part of the government’s Cyber Security Strategy that was officially launched in 2011. Responsibility for the direction of that strategy ultimately rests with the Office of Cyber Security and Information Assurance (OCSIA). A number of respected industry bodies feed into the strategy, however. OCSIA engages with industry through the ‘Cyber Security Industry Working Party’. The Working Party then collaborates with a range of other industry associations including Intellect, Aerospace, Defence and Security Industry association (ADS), and many others in the energy, banking and CNI sectors. GCHQ naturally plays a major role in feeding into the strategy as well.
The Cyber Security Strategy and Research Institute are laying the foundations to make the UK one of the most secure places in the world to do business online. Private enterprise will be pivotal in making the project a success.
Resources in academia are also being harnessed to bolster the UK’s cyber security capabilities. Cyber Security Research status has now been granted to eight UK universities. Also, in the pipeline are government plans for a second Research Institute and increased grants for students studying cyber topics. The future of UK cyber security looks bright. Building upon the UK’s knowledge resources, we are capable of making the nation resilient to cyber attack and a great place to do business.
Ross Parsell is Director of Cyber Strategy at Thales UK. He has an extensive background in devising guidelines for private, public and defence security strategies with more than 16 years’ experience in the security industry, and sits on a number of governing bodies that decide the UK National Cyber Security Strategy.