Rising to the cyber challenge
The government hopes to more than double annual cyber exports from the UK to £2bn a year by 2016, according to a progress report published in December - two years after the launch of the National Cyber Security Strategy (NCSS). Detailed in the report are plans to establish a new cyber security suppliers’ scheme, which will allow businesses to state publicly to potential clients that they supply government with cyber security services and products. The government will adopt an industry-led organisation Standard in its procurement ‘where proportionate’, to encourage uptake and help companies demonstrate a competitive edge.
The Standard is based on the ISO 27000 series, which provides a clear baseline of basic cyber hygiene and protection from low-level threats. Ministry of Defence (MoD) suppliers that have already signed up to the standard include BAE Systems, BT, QinetiQ, Rolls-Royce, HP and Thales UK, among others.
Other announcements in the update include the development of a free ‘Massive Open Online Course’ (MOOC) in cyber security by summer 2014 for the Open University, the launch of a third research institute to focus on ‘Trustworthy Industrial Control Systems’, funding for the Cyber Security Challenge to expand their schools competition and more partnerships with international academics.
INCREASED CYBER RESILIENCE
The original NCSS was published in November 2011 with the aim of providing government with a framework and objectives to tackle cyber threats, promote awareness and facilitate partnerships within the private sector, supported by £860m of funding. Discussing the update, Cabinet Office minister Francis Maude said: “Two years of solid work by government, in partnership with the private sector and academia, has seen the UK’s cyber resilience, awareness, skills and capability continue to increase across the board. Partnership across sectors remains as crucial today as it has ever done as this is a shared responsibility.
“The launch of the National Crime Agency (NCA) in October saw the establishment of the new National Cyber Crime Unit (NCCU). The NCCU brings together the skills and expertise of its precursors, SOCA Cyber and the Police Central e-Crime Unit, into a world‑leading organisation dedicated to fighting the most serious cyber criminals.
“Our initiatives are ensuring the UK is one of the safest places to do business in cyberspace as well as providing a solid platform for economic growth.
“We are already working closely in partnership with the private sector. I want to see that relationship grow to be even stronger, using our extensive engagement with networks and representatives to mainstream cyber security and raise awareness. We know this is important now but this is also vital for our economic growth in the coming years. It will remain an absolute priority as we move to year three of our strategy.
“Meanwhile, government departments have also taken action to prevent cyber fraud. A dedicated Cyber Crime Capability in HMRC has provided specialist advice to approximately 20 criminal cases, resulting in an overall Revenue Loss Prevented of more than £40 million and more than 2,300 fraudulent websites have been shut down since January 2011.”
SHARING GOOD PRACTICE
Paul Everitt, chief executive of security trade organisation ADS Group commented: “The report reveals the excellent progress that has been made in tackling the threats, building awareness and it sets a clear programme of work for the coming year. ADS will continue to work closely with Government and members to help businesses understand the risks and put in place proportionate measures to mitigate them. This will be greatly enhanced by the development of an official ‘cyber standard’ to stimulate the adoption of good practice across all sectors and industries.”
In the coming year, the Centre for the Protection of the National Infrastructure, working closely with GCHQ, will continue its outreach to national infrastructure companies, ensuring that they benefit from the latest advice and guidance on potential vulnerabilities and their mitigation. CISP will aim to double its membership to 500 organisations sharing real-time information on cyber threats. The Government’s Computer Emergency Response Team (CERT UK) will become operational, helping to improve national co-ordination on incident response and providing a focal point for international sharing of technical information on cyber security.
WAKING SHARK II SUCCESS
CERT UK will deliver an expanded exercise programme to make sure that critical sectors understand and are prepared for the potential impact of a destructive cyber attack. This will build on the recent successful ‘Exercise Waking Shark II’ in the finance sector, run with the Bank of England (and using the CISP platform).
The operation was one of the largest ever conducted, with dozens of financial institutions taking part. The tests were overseen by the Bank of England, the Treasury and Financial Conduct Authority. Bank staff responded to a number of simulated cyber-attacks in order to find solutions to various problems including how to ensure the availability of cash from ATM machines and cope with a liquidity freeze in the wholesale market.
Commenting on the exercise, which took place in November, Andrew Miller, chief operating officer at Corero Network Security, said: “I think one of the biggest benefits we will see from Operation Waking Shark 2 is not necessarily about banks learning to defend against cyber-attacks, but learning to cooperate. I personally believe that there needs to be more information sharing within FIs on the latest threats and attacks they are facing, so they can develop a knowledge pool on how to protect against them, and this exercise may hasten this. Those organisations that work together to develop comprehensive defences are far more likely to remain secure than those that go it alone. I’d also like to see a UK version of the US law that legislates about the disclosure of cyber-attacks, sharing information for the benefit of all.”
The Government will also work with the regulators to ensure that the companies that own and operate critical national infrastructure are well protected against the cyber risks they face, as part of their responsibilities to ensure resilience and availability of supply. The Government remains committed to supporting this agenda, and is developing an enhanced offer of support on cyber to regulators and infrastructure owners and operators through GCHQ and CPNI.
Francis Maude: “We are in a much better place than two years ago when we launched the Strategy. This reflects the collective effort of numerous government departments and agencies, and powerful partnerships with industry, academia and international counterparts.”
“There is still much work to be done, but our progress to date has put us in a strong position for the future.”