Minister describes progress on the UK Cyber Security Strategy

Maude is upbeat on what has been achieved, and what is in progress; but his statement is not without critics. Industry is largely favorable; independent security experts are more critical; and political commentators are political commentators.

For example, Maude makes much of the progress in improving existing police capabilities to take on cyber criminals. But critics have long wondered why the police are receiving only a tiny fraction of the £630 million budget for the national strategy, while the majority goes to GCHQ. “As part of this work,” says Maude in his statement, “the MOD has established a tri-service Unit, hosted by GCHQ in Cheltenham. The Joint Cyber Unit training and skills requirements have been established and it is currently developing new tactics, techniques and plans to deliver military capabilities to confront high-end threats.” Delivering military capabilities is cyber offense, not cyber defense.

Nevertheless, there is much to applaud. Two items that have received particular attention are the new national CERT and the planned Cyber Reserve. Martin Sutherland, managing director of BAE Systems Detica, commented, “One of the most significant elements of [the] announcement is the move towards the establishment of a UK National CERT (Computer Emergency Response Team). Implemented well,” he added, “a CERT would be a welcome addition to the defense of cyber space by providing a conduit for knowledge and a concentration of technical expertise and information. It will also help with international co-operation as it will provide a clear point of contact for other nations.”

‘Implemented well’ is the key. PC Pro points out that just two years ago the government rejected the idea of a national CERT, saying that it “would be of no added value to the UK, and that the current CERT network provides more effective protection.” That current CERT is operated by GCHQ, and GCHQ is not known for openly sharing its security information. So all the potential good of a new national CERT will depend upon GCHQ being able to reverse its currently entrenched position.

The idea of a Cyber Reserve is not new to this announcement, and Maude says very little now: “The MOD is taking forward the development of a ‘Cyber Reserve’, allowing the Services to draw on the wider talent and skills of the nation in the cyber field. The exact composition is currently in development and a detailed announcement will follow in 2013.” Once again, however, ‘implemented well’ will be a key phrase. Provided that the Cyber Reserve comprises individual security experts, rather than the companies they work for, this could provide an invaluable and almost incalculable increase in government security understanding. But we simply don’t yet know how it will operate – and the idea has been labeled a ‘Dad’s Army of cyber security experts’ by the Telegraph.

Writing in the political Coffee House blog, Sebastian Payne takes a political view and comments, “But whether the twenty-first century Dad’s Army is a success depends on to what extent Maude fleshes out the scheme in 2013. Otherwise, it may just turn into another Big Society flop.”

John Colley, Managing Director (ISC)² EMEA, is really rather scathing. “They are missing an opportunity to create the kind of market and consumer interest required to have real impact, with the budget dedicated to education skills and awareness being the smallest slice of the pie.

“One year on,” he added, “the public has moved into the Twitter era while the Government’s significant public initiatives have included publishing advice targeted at the FTSE 100 companies; and establishing Centre of Excellence status for a few universities... The major focus seems to be on influencing the elite and developing intelligence.” His conclusion? “It is not enough and is out of step with how the management of society’s information security risk must evolve.”
