Following news on the anticipated announcement today by Chancellor Philip Hammond of an increase in national cyber-defence spending to £1.9billion, please see below comment from cyber security experts on the real effects this might have on the UK’s cyber security efforts:
James Tolfree, UK Director at Cryptzone:
“Talk of ‘Strike back’ represents quite a change in mindset. Traditionally, the UK government’s cyber strategy has focused on ‘defence’ but in recent months we have heard much more rhetoric around an offensive cyber capability. This recognises that the cyber space is the new battleground – you can’t be in a battle space with only a defensive position, especially when dealing with state-sponsored cyber attack strategies.
“We know that our current defences are inadequate. This is apparent by the 22% rise in cyber crime recently outlined in a report by Action Fraud. Given that the cost of this to the UK economy is estimated to be as much as £11billion per year, some might ask the question ‘is this response by government enough?’
“The reality is of course that Cyber defence is the responsibility of us all. Government should lead much of the initiative but the responsibility and cost needs to be borne by government, industry and us as individuals; in much the same way we expect government to lead on other areas of crime, but it is all our responsibility to make sure our homes are fitted with adequate locks and alarms, and that we use them.
“One of the main challenges is the ‘shape-shifting’ nature of cyber threats. We’ve seen a very fast evolution of cyber threats from well organised criminal organisations as well as state-sponsored attacks. These now take on a multi-vectored form, utilising combinations of advanced reconnaissance, elegant well-hidden malicious code and social engineering. Traditional cyber defence strategies that tend to focus on the concept of protecting network perimeters haven’t kept pace with the criminals and cannot respond to these advanced threats. So whilst increased government spend should broadly be welcomed and applauded, unless it is focused towards a fundamental shift in approach to cyber defence, it risks being a case of good money after bad.
“It is a little too early to say what this will mean for cyber security in the UK. It is encouraging that part of the funding has been ear-marked for training cyber security professions as there is currently a noticeable skills-gap here in the UK. It is also encouraging that funding will be available to innovative start-up cyber security businesses. The UK has long been respected for its skills in this sector, but in order to maintain this position, strong investment from both government and industry is needed.”
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“With boots on the battlefield being replaced by bits and bytes directed at critical infrastructure, shoring up our cyber defences is a prudent move by the UK government.
“As demonstrated last week with the Mirai DDoS levied against the East Coast of America, bringing down huge swathes of internet services for a short time, infrastructure can easily, and will be more frequently, targeted in the future.
“With ageing critical national infrastructure, investments need to be made to remediate easily exploitable services and reduce the available attack surface an adversary could target.
“Cyber attacks affecting our citizens are becoming part of everyday life. Money is the current target for most attackers, but if the approaches they take are more political in nature, we could see the UK severely impacted unless proactive steps are taken to reduce the risks.”
Richard Meeus, VP technology EMEA at NSFOCUS:
“National investment into cyber-security can only be encouraged as recent events have shown. We need to place this threat in the same arena as the Police and Armed Forces and stop treating it as an inconvenience. It is important, however, that this investment does not create barriers around the UK’s cyber infrastructure such that it reduces the overall benefit of the web. This “Balkanisation” of the internet should be avoided else we retreat from the cyber world quicker than Brexit…
“Hopefully the investment will be far-reaching and not only help the advancement of cyber-security companies in the UK but also the education of the general public. The World Wide Web has been around for over 20 years and basic security controls are still ignored by the general populace; we are told frequently to close our windows and doors, not to speak to strangers, don’t always trust people at your front door are who they say they are – yet how many people still don’t have a screen lock on their smartphone?”
Paul Calatayud, CTO, FireMon:
“When it comes to national cyber defence, most of the time current funding focuses on critical infrastructure protection. When funding by governments increases, it is usually attributed to two main factors: definitions of critical often expand and changes in adversary attack techniques that require more investments.
“If expansions in the cyber defence programme are attributed to expanded scopes, more resources will be required. Often this comes in the form of outreach grants and new laws to help assist the corporate side. It also means increased collaboration between government and private industry.”
Alex Mathews, EMEA Technical Manager at Positive Technologies:
“The investment is a reflection of how seriously the Government is taking the problem. Safeguarding the populace from cybercrime is worthy, but there also needs to be a sharpening of focus on protecting critical infrastructure. There is a rising risk from cyber-attacks targeting vital services such as transport, utilities and industrial systems within the UK. Taking down an electrical grid or breaching an Air Traffic or Railway network doesn’t just cause disruption and financial damage, it puts lives at risk. The fact the same IT systems manage everything from banking infrastructure to power stations makes them a target for attack.
“More investment means the UK can become better at staying ahead of the vast array of continually advancing threats. This is achieved through better technology, education and sharing of threat intelligence. In an ideal world, investment should be underpinned by added legislative teeth. This will help ensure that companies and IT companies take the responsibility to protect their assets and customers at all levels seriously.”