Security experts have given a cautious welcome to the government’s £1.9 billion cybersecurity spending plans, which were officially announced during the autumn statement on Wednesday.
Most of the measures have already been trailed by chancellor George Osborne—who committed £1.9 billion to cybersecurity over the course of this parliament in a speech at the headquarters of GCHQ last week.
They include a National Cyber Centre in GCHQ, which will “act as a single point of contact to simplify and strengthen government effort on cybersecurity and improve engagement with industry.”
As well as a vague commitment to develop and improve the UK’s “offensive cyber capability,” there is a pledge to create two new innovation centers in London and Cheltenham “to support talent and drive growth” in the cybersecurity sector.
The statement also described “a programme of active defence” which will involve partnerships with internet service providers to help them “divert known malware and block malicious sites.”
Finally, there’s a commitment to help develop the UK’s cybersecurity skills base, “including by running a £20 million competition to open a new Institute for Coding to train the next generation in the high level digital and computer science skills the UK needs.”
Security commentators broadly welcomed the plans.
Lee Wade, CEO of cloud firm Exponential-e, was enthusiastic about the National Cyber Centre.
“When combined with a dedicated platform for increasing cyber skills and by forging closer relationships with internet service providers, the UK will be in a much stronger position to power its defense,” he argued.
“Capitalizing on this support will involve businesses taking proactive steps towards their own cybersecurity future-proofing. Delivering on service-level agreements and protecting customer data as well as corporate assets will mean carefully selecting and investing in partnerships to bolster security expertise.”
Paul Glass, partner at the law firm Taylor Wessing, argued the budget would be best spent on improving cross-sector information sharing frameworks.
“To raise the bar on improving UK businesses' cybersecurity capability, businesses should work with the government. They cannot, and should not, deal with this alone. The government needs to help people and businesses understand the current threat,” he added.
“Increasing awareness and understanding of preventative methods, coupled with this increased government spending on joint initiatives, will help develop a robust defense strategy that will increase the country’s resilience to cyber threats in the long term.”
Veracode senior solutions architect Paul Farrington argued that the government needs to complement this extra funding with renewed policy and regulation “to ensure that companies are held liable for breaches where they have not taken appropriate measures to secure customer data.”
“But, with any steps towards issuing liability, the government must also ensure that it is providing cyber education to the private sector so that all companies can make informed decisions on cybersecurity,” he added.
“Without more executives gaining a greater understanding of how to question the CEO and CIO on these topics, change will continue to be glacial in pace, despite a rapidly growing attack landscape.”
Andy Hardy, EMEA managing director of endpoint security firm Code 42, argued the government’s plans are mistakenly predicated on a clear-cut “villain and hero narrative.”
“Of course, being attack-ready and securing the perimeter with a National Cyber Centre is an absolutely essential strategy, but it does not actually address the biggest cyber vulnerability for British businesses—the insider threat,” he added.
“70% of data breaches originate from employees, either willingly or unwittingly, a trend set to increase as more and more employees access sensitive corporate information at the endpoint, through their smartphones and laptops.”