The new UK cybersecurity strategy has, generally, been welcomed since it was announced in November 2016. However, will it really be able to measure the countless different factors that make up cyber-threats? Wendy M. Grossman reports
The Government reads the same headlines as the rest of us: the breach at TalkTalk, the attempted theft of $981 million from the SWIFT banking service via Bangladesh Bank, and the outage of the Ukrainian power grid showed the vulnerabilities at the heart of our systems. If that wasn't enough, the recent Mirai botnet attacks that harnessed CCTV cameras, routers, baby monitors and other devices with ports left open for attackers to exploit make plain that even well-educated users who source their devices from well-respected vendors can't always protect themselves.
The cybersecurity strategy announced by UK Chancellor Philip Hammond at the beginning of November recognizes some of this. Parts of it – most notably the commitment to spending £1.9 billion over the next five years to improve the nation's cybersecurity – have generally been welcomed. Of greater concern are the details of how the strategy (see sidebar) will be implemented and, especially, how its success will be measured.
The Roots of the Strategy
Peter Sommer, a visiting professor at Montfort University and a part-time professor of Digital Forensics at Birmingham University, explains that the new strategy's predecessor was created in 2010-2011 by the Office of Cybersecurity and Information Assurance (OSCIA). OSCIA was based at the Cabinet Office and was itself the successor to the earlier Central Sponsor for Information Assurance (CSIA).
The newly-created NCSC includes a number of earlier government bodies: the Centre for the Protection of the National Infrastructure (CPNI), which was a joint MI5/GCHQ effort; the remnants of OSCIA; and the protective part of GCHQ. Ciaran Martin, NCSC's new director, is a former member of the GCHQ board.
As a consequence of that background, Sommer believes the NCSC will struggle to gain broad trust: "Undoubtedly there's a lot of skills available, but the fact remains that GCHQ is an intelligence agency with the need to operate somewhat secretly."
In his opinion, "None of the activities of all of these bodies amounts to a full-blown strategy." For one thing, many parts of the UK's critical national infrastructure are outside government control because they are owned by private companies, many of these overseas. Even many government processes are now outsourced to such companies. "As a result, the 'strategy' is largely persuasive, rather than mandatory," argues Sommer.
Measuring the Target
A bigger issue for Brian Shorten, chair of the Charities Security Forum, is the lack of a way to measure success.
"How do you define 'better'?" he asks. "If we haven't had a publicly-known attack, is that because there haven't been any or because government stepped things up and made the UK a harder target? We don't know. There's a limit to how much government and security police will tell you about how successful they are."
Instead, he says, he'd look for a target you could measure – reducing the number of DDoS attacks or successful hacks, increased awareness across the population, for example. "Some metric to measure progress and be prepared to say, 'we didn't get it right'." There are still difficulties with this – if the number of DDoS attacks drops, are we doing something right, or have attackers moved on to new techniques? Plus, are we counting all DDoS attacks aimed at the UK, or just those originating here?
So, when the strategy says, "Our vision for 2021 is that the UK is secure and resilient to cyber threats, prosperous and confident in the digital world" (section 1.4), what does it mean? How do we measure it?
A Strategy Without a Strategy?
The independent consultant and software engineer Martyn Thomas argues "The main problem with NCSS is that it isn't a strategy. It has no vision of what properties software must have so that we can know that software-based systems are reasonably secure. Without a credible, technical goal, the NCSS cannot plot a credible route to a cyber-secure future."
Thomas argues that the strategy's lack of a specified end goal means it ignores some real possibilities. For one thing, introducing a liability law for safety and security in software would deliver a wake-up call to the industry. For another, the cost of replacing the myriad frequently-used third-party libraries and software components with properly engineered ones would compare favorably to the cost of today's frequent computer system failures. Such an engineering effort would require international cooperation to create languages, supporting tools and core components, but could move us substantially in the direction of developing systems of far higher quality than we have today. In traditional engineering, a bridge's collapse instigates a study of what went wrong and new principles to avoid a recurrence. Cyber-threats continue to get bigger, yet society responds not with a rethink of how computer systems are built, but by placing more reliance on the digital framework we already have.
Out of Touch
Cambridge University security engineer Ross Anderson singles out a couple of the strategy's proposals that strike him as recycled or out of touch. "It's ridiculous to say they will teach cybersecurity in school when they can't even teach computer programming," he says, going on to blame former Prime Minister Tony Blair for replacing computing in schools with "ICT".
Like Shorten, he criticizes the strategy's lack of failure standards. The recent Tesco case, where 20,000 customers collectively lost £2.5 million to cyber-theft, was the first where the Financial Standards Authority pushed a bank to make victims good immediately. "If that were the new strategy and it were enforced in all cases, that would be brilliant," he says. That sort of approach, however, is not mentioned. Nor, Anderson points out, are the sorts of abuses seen recently with hacktivists selecting targets, apparently to air perceived grievances. Plus, "There is nothing about organized gangs of trolls, fake news, or other stuff we've seen." Nor is there anything about systems made up of Internet of Things devices, safety regulation, or product liability for software, something Anderson has been advocating for at least a decade. GCHQ, in charge of much of the agenda, has little record in consumer protection, competition law or international relations.
"We need to figure out what bad things we're trying to stop," he says. "Information security is about power. In the old days, it was mediated by men with swords, locks, bars and castles. Nowadays, it's access controls, cryptography and the mechanisms we all know and love. For government to say they have the arbitrary power to override all locks, bolts and bars for purposes for which they won't be held effectively accountable is bad from the point of view of the Investigatory Powers Act and also for the cybersecurity strategy."
Sidebar: Cybersecurity 2016 to 2025
The cybersecurity strategy rests on three pillars: defend, deter and develop. The government is pledging £1.9 billion over the next five years to support it.
"Defend" means strengthening the defenses of government, critical national infrastructure sectors, and the wider economy while also deploying technologies to reduce the impact of cyber-attacks. For "deter", the strategy calls for strengthening law enforcement capabilities. "Develop" includes embedding cybersecurity in education and investing in more students. In addition, the strategy will create a new research institute in hardware to join three that have already been established: Research Institute in the Science of Cyber Security (RISCS); Research Institute for Automated Program Analysis and Verification (RIAPAV, being renamed Verify), and the Research Institute in Trustworthy Industrial Control Systems (RITICS). All three pillars will be supported by the new National Cyber Security Centre run by former GCHQ board member Ciaran Martin.
The strategy also sets out an agenda that has already been legally supported in the Investigatory Powers Act, such as working with industry to eliminate "safe spaces" for terrorists to hide their activities (that is, uncrackable encryption).
In addition, the strategy favors increasing cooperation with close international partners, enhancing public awareness, and launching two cyber-innovation centers to develop new cybersecurity products and companies. A portion of the £165 million Defence and Cyber Innovation Fund will support innovative procurement. Finally, the strategy aims to create a Royal Chartered status for cybersecurity professionals by 2020.