Saturday, November 26, 2011

UK Cyber Security Strategy

The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, was released 25 November 2011, along with a ministerial statement on the UK Cyber Security Strategy by Francis Maude, Minister for the Cabinet Office. The UK approach is broadly the same as Australia, with a "GCHQ Joint Cyber Unit" having a central role (equivalent to Australia's DSD Cyber Security Operations Centre). There is also £650m over four years for a new "National Cyber Security Programme" (NCSP), a "Cyber Crime Unit" in the National Crime Agency, an expanded Centre for Protection of the National Infrastructure. The "Get Safe Online" education program will continue and a voluntary code of conduct with ISPs to warn customers their computers are compromised

Increasing the Security Skills of IT Professionals

The UK government strategy includes "Encouraging a cadre of cyber security professionals". The Australian Computer Society (ACS) also recommended this to the Australian Government for their Cyber white paper, to be released in early 2012.

The ACS Submission for the Australian Cyber Policy White Paper, was prepared by the ACS Cyber task force (which I am a member of). We pointed out that the ACS Computer Professional Education Program includes Information Security as an elective. This teaches the use of international security standards and is aligned with the UK developed Skills Framework for the Information Age. The course is offered on-line worldwide and is internationally accredited, so UK IT professionals can enroll now.

Excerpts from the UK Cyber Security Strategy

Encouraging a cadre of cyber security professionals

4.22 The pace of technological change is relentless. Keeping pace will require people who have a deep understanding of cyberspace and how it is developing. But these people are currently a scarce resource across Government and in business. There are clear and authoritative voices warning that cyber security skills and expertise in the private sector will be increasingly sought after, and that business and providers of education and training need to respond. To help boost and maintain the pool of experts in the UK and encourage the development of a community of ‘ethical’ hackers in the UK who can help ensure our networks are well protected, the National Cyber Security Programme will:
  • Drive up the skill levels of information assurance and cyber security professionals by establishing programmes of certified specialist training by March 2012.
  • Continue to support the Cyber Security Challenge (see below) as a way of bringing new talent into the profession.
  • Strengthen postgraduate education to expand the pool of experts with in-depth knowledge of cyber.
  • Strengthen the UK’s academic base by developing a coherent cross-sector research agenda on cyber, building on work done by the Government Office for Science.
  • Establish, with GCHQ’s help, a research institute in cyber security, with an indicative budget of £2 million over 3.5 years.
  • Commissioning research clarifying the extent, pattern and nature of the demand for cyber security skills across the private sector.


Introduction by the Rt Hon Francis Maude MP, Minister for the Cabinet Office
Executive summary
1. Cyberspace: Driving growth and strengthening society
2. Changing threats
3. Our vision for 2015
4. Action: Meeting threats, taking opportunities
Annex A: Implementation
  • Objective 1: Tackling cyber crime and making the UK one of the most secure places in the world to do business in cyberspace.
  • Objective 2: Making the UK more resilient to cyber attack and better able to protect our interests in cyberspace. Cabinet Office.
  • Objective 3: Helping to shape an open, vibrant and stable cyberspace which the UK public can use safely and that supports open societies.
  • Objective 4: Building the UK’s cross-cutting knowledge, skills and capability to underpin all our cyber security objectives.

Executive summary

The internet is revolutionising our society by driving economic growth and giving people new ways to connect and co-operate with one another. Falling costs mean accessing the internet will become cheaper and easier, allowing more people in the UK and around the world to use it, ‘democratising’ the use of technology and feeding the flow of innovation and productivity. This will drive the expansion of cyberspace further and as it grows, so will the value of using it. Chapter 1 describes the background to the growth of the networked world and the immense social and economic benefits it is unlocking.

As with most change, increasing our reliance on cyberspace brings new opportunities but also new threats. While cyberspace fosters open markets and open societies, this very openness can also make us more vulnerable to those – criminals, hackers, foreign intelligence services – who want to harm us by compromising or damaging our critical data and systems. Chapter 2 describes these threats. The impacts are already being felt and will grow as our reliance on cyberspace grows.

The networks on which we now rely for our daily lives transcend organisational and national boundaries. Events in cyberspace can happen at immense speed, outstripping traditional responses (for example, the exploitation of cyberspace can mean crimes such as fraud can be committed remotely, and on an industrial scale). Although we have ways of managing risks in cyberspace, they do not match this complex and dynamic environment. So we need a new and transformative programme to improve our game domestically, as well as continuing to work with other countries on an international response.

Chapter 3 sets out where we want to end up – with the Government’s vision for UK cyber security in 2015.

Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.

To achieve this vision by 2015 we want:

Objective 1: The UK to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace

Objective 2: The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace

Objective 3: The UK to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies

Objective 4: The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives

That means a UK where:
  • Individuals know how to protect themselves from crime online.

  • Businesses are aware of the threats they face, their own vulnerabilities and are working with Government, trade associations, and business partners to tackle them. We want to see UK companies building on our strengths to create a thriving and vibrant market in cyber security services around the world. In the current economic climate the UK needs more than ever to identify and exploit areas of international competitive strength to drive growth. We believe that being able to show the UK is a safe place to do business in cyberspace can be one such strength.

  • Government has: sharpened the law enforcement response to cyber crime; helped the UK take opportunities to provide the cyber security services that will be needed across the world; encouraged business to operate securely in cyberspace; bolstered defences in our critical national infrastructure against cyber attack; strengthened our capabilities to detect and defeat attacks in cyberspace; enhanced education and skills; and established and strengthened working relationships with other countries, business and organisations around the world to help shape an open and vibrant cyberspace that supports strong societies here and across the globe.

To achieve this we have set aside £650 million of public funding for a four‐year, National Cyber Security Programme. Chapter 4 sets out what Government will do, in partnership with the private sector and other countries, to deliver the vision.

As part of this action plan Government will:

  • Continue to build up in GCHQ and MOD our sovereign UK capability to detect and defeat high-end threats.

  • Pursue the agenda defined at the recent London Conference on Cyberspace to establish internationally-agreed ‘rules of the road’ on the use of cyberspace.

  • Work with the companies that own and manage our critical infrastructure to ensure key data and systems continue to be safe and resilient.

  • Establish a new operational partnership with the private sector to share information on threats in cyberspace.

  • Encourage industry-led standards and guidance that are readily used and understood, and that help companies who are good at security make that a selling point.

  • Help consumers and small firms navigate the market by encouraging the development of clear indicators of good cyber security products.

  • Hold a strategic summit with professional business services, including insurers, auditors, and lawyers to determine the role they might play in promoting the better management of cyber risks.

  • Bring together existing specialist law enforcement capability on cyber crime into the new National Crime Agency (NCA). Encourage the use of ‘cyber-specials’ to make more use of those with specialist skills to help the police.
  • Build an effective and easy-to-use single point for reporting cyber fraud and improve the police response at a local level for those who are victims of cyber crime.
  • Work with other countries to make sure that we can co-operate on cross-border law enforcement and deny safe havens to cyber criminals.
  • Encourage the courts in the UK to use existing powers to impose appropriate online sanctions for online offences.

  • Seek agreement with Internet Service Providers (ISPs) on the support they might offer to internet users to help them identify, address, and protect themselves from malicious activity on their systems.

  • Help consumers respond to the cyber threats that will be the ‘new normal’ by using social media to warn people about scams or other online threats.

  • Encourage, support, and develop education at all levels, crucial key skills and R&D.

  • Build a single authoritative point of advice for the public and small businesses to help them stay safe online.

  • Foster a vibrant and innovative cyber security sector in the UK, including exploring new partnerships between GCHQ and business to capitalise on unique Government expertise.Because of its links to intelligence and national security, some of the activity the Government has set in train is necessarily classified. The full range of unclassified actions is set out in Annex A. ...

    From: UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, UK Cabinet Office, 25 November 2011

No comments: