11 June 2015

As part of its broader digital and national security strategies, the coalition government invested significantly in building capacity in cyber security and relationships with industry and academia. But with the evolving threat environment, much work is needed to ensure further progress, and guard against reversal.

"We have known for a long time that there are significant vulnerabilities, and that these vulnerabilities are going to accelerate as time goes by, both in systems within government and within the private sector." This was the message from President Obama, speaking on 8 June at the Group of Seven summit meeting in Germany.

Part of the US problem is that the country has "very old systems," Obama said, adding that the recent breach was discovered because of efforts to install newer and better systems.

"Both state and non-state actors are sending everything they've got at trying to breach these systems," he said.

The massive hack on the US Office of Personnel Management is a timely reminder of the need for good cyber security. The UK government has invested significantly in cyber security over the last five years, building partnerships with academia and industry. But much work remains to enhance cyber awareness and skills across the country, in government, business and wider society.

Yesterday the Institute for Government’s Daniel Thornton chaired a breakfast briefing on ‘The New Government and Cyber Security’, which explored how the UK’s approach to cyber security might change over the next five years.

The event, organised by Westminster Briefing, brought together representatives from government, academia and industry, and began with presentations from leading cyber security professionals: Richard Bach (Assistant Director for Cyber Security at the Department for Business, Innovation & Skills), Professor Angela Sasse (UCL), Professor Robin Bloomfield (City University London), and Mike Corcoran (University of Warwick).

Richard Bach emphasised the sincerity of the government’s commitment to cyber security, pointing to its significant investment via the National Cyber Security Programme (NCSP). According to a National Audit Office (NAO) report, the NCSP spent £434m in the three financial years from 2011-12 to 2013-14, and will have spent around £210m per annum in 2014-15 and 2015-16. The NAO assesses that the “Cabinet Office is managing the programme effectively but cannot yet demonstrate a clear link between the large number of individual outputs being delivered and an overall picture of benefits achieved.”

As the NAO makes clear, in addition to the NCSP, government agencies and departments also invest part of their operational budgets in cyber security, so total government investment is greater than the touted £860m for the NCSP. This is an indication of how seriously the government takes cyber security. It will be interesting to see what plans and funding arrangements replace the NCSP when it expires next year. (Read more on the UK government’s recent cyber security policy)

Richard Bach also explained that this challenge was complex, embracing the local economy, crime, national cyber defence, and the development and dissemination of accepted standards for digital devices and services. Government needed to be active in facilitating progress across this landscape, said Bach.

Ministerial responsibility for digital issues is diffuse under the new government. Besides Cabinet Office Cyber Security Minister Matt Hancock, Business Secretary Sajid Javid, Culture Secretary John Whittingdale, and junior ministers Baroness Shields and Ed Vaizey all have potentially overlapping roles. In addition, Government Communications Headquarters (GCHQ), the Ministry of Defence and the Home Office all have stakes in the fields of cyber security and cyber defence.

The National Security Council (NSC) exists to provide cross-government clarity on strategic security issues (see the Institute’s NSC report), and all the relevant secretaries of state with an interest in cyber security are represented on either the NSC or its resilience subcommittee. But the Cyber Security Minister, Matt Hancock, is curiously not present on that subcommittee, despite being on many other Cabinet committees and taskforces (see the full list here).

This thicket of intertwined ministerial responsibilities, committees and subcommittees will need to ensure that the government’s cyber security effort is undiminished in its clarity, focus and momentum over the next five years. Bach said this was important, because a successful approach to cyber security requires a holistic approach by government to digital issues (see Government Digital Service chief Mike Bracken’s speech to the Institute for Government on digital strategy here). This is especially true against the backdrop of preparations for the Comprehensive Spending Review and the Strategic Defence and Security Review later this year.

Bach described government’s engagement with industry on cyber security as “good but embryonic”, with more work needed to build public awareness and preparedness to cope with cyber threats.

In the context of the boost in research funding commissioned by GCHQ that resulted from the 2011 strategy, Professor Sasse talked about academics’ initial scepticism about collaborating with government in researching cyber security threats, noting unease in universities about the principle of accepting investment which was directed by GCHQ.

But Professor Sasse proceeded to describe the progress that had been made over the last five years in fostering a genuine sense of community between academic researchers, industry and government, in facing the challenge of cyber security. Academics now feel that government and industry share more freely with them the cyber problems they face and discuss ways in which academic research can help.

She commended examples of this regularised co-operation, including the creation of more than a dozen Academic Centres of Excellence in Cyber Security Research, as well as her own research institute for the Science of Cyber Security, hosted at UCL, which was the first of three such institutes created since 2012 to develop strategically significant cyber security capabilities.

The question of trust ran through Professor Sasse’s presentation. She cautioned about the quality of some cyber security products on the market and the danger of a “lemon” market in cyber security, in which buyers cannot tell good products from bad and poor products drive out good ones. It was important for businesses to understand what they were actually buying. There was a related discussion of the risks involved in the embryonic cyber security insurance market, and the need to learn from the mixed experience of the more developed market in the US.

Sasse also criticised a tendency for government to present cyber security as entailing a trade-off between privacy and security, arguing that “digital self-determination” could be seen as the foundation of a resilient digital economy. And in response to a question from the audience, Professor Sasse described the academic community as “outraged” by Edward Snowden’s revelations about the US National Security Agency’s secret programme of internet collection, known as PRISM.

Professor Bloomfield said that effective cyber-attacks did not need to destroy a computer system, merely to destroy confidence in it, which could often be done cheaply. He also noted the disproportionate cost of dealing with relatively inconsequential cyber-attacks. In such an environment, resilience – preparing and responding effectively, rather than expecting to prevent every attack – was fundamental. But we lack much of the data we need to be able to answer questions about how much resilience and what kind of resilience strategy we need as a country. This is a political issue and progress requires both strong political leadership and a wide-ranging and informed public debate.

Mike Corcoran noted the mixed success of the government’s previous attempts to raise cyber security awareness, e.g. with the “Get Safe Online” campaign. He also criticised the poor capacity of police forces to conduct cyber investigations, cyber forensics and get the most out of Big Data.

But Corcoran also noted the intensification of UK engagement in international negotiations in recent years, and commended the FCO’s Chevening Programme for its funding of cyber security capacity-building for Indian professionals – a good example of effective bilateral cooperation that could also benefit British businesses.

The overall mood at the briefing was positive: much has been achieved and the relationship between government, industry and academia is better than ever. However, with the scale of the challenge and the rapid pace of developments, it is clear that more work is needed to guard against reverses. And there is a manifest role for central government in overseeing and facilitating much of this work, especially in light of the lack of awareness, capability and skills in both the public and private sectors. These issues will be important to the Institute for Government as we develop our agenda on digital government.