This article is replicated in Policing Insight
“Reflections on the Chancellors Cyber speech at GCHQ”
Stuart Hyde QPM
Policing Insight. November 2015
On Tuesday this week the Chancellor gave an impressive outline of the UK response to the multiple threats to Cybercrime and Cyber terrorism. In a positive contribution he outlined a range of actions and investments across Government linked to outstanding contributions from industry that will be aimed at keeping the UK safe online. The full text is below
George Osborne speech at GCHQ 17th November 2015
Whilst the speech was fascinating and sparked of a real joined up approach including some very interesting anecdotes, there remains concern that some of the solid foundations he talks of, may not be delivered, and that the investment in Cyber intelligence and Analysis could be undermined. In brief here are some of the concerns that should be tackled:
The risk of further cuts to policing could weaken the police response to Cybercrime and the support Forces can give to Regional Cyber Crime Units and the NCCU
The training provision for officers and staff in Cyber issues is not mature enough yet to enable effective response to the very wide range of cyber-enabled and cyber-dependant criminality.
The investment in the prevention of cybercrime, particularly through GetSafeOnline is minimal and directly contrasted with the huge costs of CyberStreetWise
Exercising is sporadic, and although highly sophisticated facilities such as CYBX exist (run under the auspices of the Emergency Planning College) lack of financial support has discouraged many organisations including public and private sector from investing in such activities.
The national scheme supporting Cybercrime Information Sharing Partnerships is inconsistent across the UK. Despite being a National model not all regions have them. This undermines the ability of Government agencies to reach out to vulnerable industry and circulate common security messages. Many regions don’t have them yet, despite it being a national initiative.
A Review of the curriculum in schools for ICT and Computer Studies could be adopted to try and ensure that the education children receive about Cyber reflects their current or future usage. The encouragement for coding is to be welcomed but a wider review may help to better align learning across the education sector with current trends in Cyber development.
The previous Government was extremely keen on the concept of the Big Society. This should not escape the attention of Cyber. Opportunities to recruit Cyber Police Specials within industry to actively support policing should be encouraged. There are very small examples of this which could be developed further particularly in the wake of further police cuts
Now is the time to make a dramatic but effective shift towards making the UK the safest place online.
Looking at some of the specific comments within the speech
“Before the dreadful events of the weekend we had already indicated that we would be increasing substantially the resources we dedicate to countering the terrorist threat posed by ISIL. “
It is interesting that this is not a reaction to the tragic events in Paris but a broader and historic reaction to the threat of an online ISIS/ISIL. The investment is being targeted against a particular threat, one of many currently facing the UK cyber environment.
“The Prime Minister has made clear that across the agencies a further 1,900 staff will be recruited to keep Britain safe from terrorist attack.”
The 2000 additional staff for the estimated £400M a year seems quite expensive, however the additional on-costs and technology costs will be excessive in order to retain the edge required to tackle the enormous online threat. The issue of further police cuts should, however, not be ignored. These intelligence officers and analysts will create opportunities to arrest or intervene to prevent attacks, or to mitigate risk. That, in many cases, will increase the requirement for specialist policing services including armed tactical support. Whilst this is the right thing to do, it will have an additional demand for the police service at a time of contraction.
“The answer is not just in more resources, but in ensuring those who keep us safe have the right legal framework, that allows them to do their job while preserving the values and freedoms which we are so determined to defend.”
It is also right that throwing money at something is not always the best solution, but it helps. Linking a review of funding and investment with a review of legislation will help to make the new resources much more effective. However, the people of the UK will need to balance their need for protection against their desire for privacy, a difficult challenge at the best of times
“As Chancellor I know about the enormous potential for the internet to drive economic growth, but I am also acutely aware of the risk of cyber-attack harming our economy and undermining the confidence on which it rests.”
The harm to businesses of an attack or a leak of data is considerable. The recent TalkTalk crisis threw the Chief Executive, Baroness Dido Harding, into the media spotlight as TalkTalk struggled to come to terms with the media avalanche that descended upon them. CEOs cannot avoid being in the frontline when an attack takes place and the disruption to a company will be dramatic and potentially irrecoverable. It is interesting to see the very positive pre- Christmas adverts from TalkTalk now rebuilding its reputation and branding.
“And I also know that we can’t afford to build strong cyber defences unless they rest on the solid foundations of sound public finances.”
The wider public finances issue is a very real requirement for the UK. However, a number of the initiatives through these announcements will require the solid foundations of policing. Neighbourhood policing, a service connected to its communities, the capacity to support arrests or disruption, specialist cybercrime and digital forensics capabilities, compliance with ISO 17025, flexibility to support substantial human surveillance, post incident management and evidence recovery to name but a few of the roles inevitable to support making the UK online world safer. All currently at risk.
“Citizens need to follow basic rules of keeping themselves safe – installing security software, downloading software updates, using strong passwords.”
CyberStreetWise has fixated over the past few weeks about its three word campaign, but find any reference to TalkTalk on the site, you won’t. Yet the TalkTalk saga was an issue that may have affected 10% of the population. And who talks for Cyberstreetwise, no one, it’s anonymous. This is not the best use of investment. Far outstripping it is the very versatile and responsive GetSafeOnline, which involves industry and others with very little investment from Government, effectively run on a shoestring. If we want citizens to protect themselves we need to invest in better and much more effective and responsive campaigns run by real public people.
“Companies need to protect their own networks, and harden themselves against cyber attack…The starting point must be that every British company is a target, that every British network will be attacked, and that cyber crime is not something that happens to other people… We established the Computer Emergency Response Team for the UK, and the Cyber Information Sharing Partnership so companies could share what they knew.”
If we want to engage business in making the UK safer online then the government should enforce the CISP programme (see above) it takes far too long to launch and then run CISPs. Getting them moving and putting a little investment in, will provide a truly national response between Government, Police and Industry. Here are the areas with CISPs. The North East comes online very soon.
“We have built the National Cyber Crime Unit so cyber criminals are brought to justice.”
The Cybercrime Units across the UK linked to the National Unit are working together to address a range of cyber-attacks. Building up their knowledge and experience and exercising together, is helping to develop a good model for the future. However, with forces reducing budgets it is probable that the model could be undermined as Chiefs and PCCs seek alternative ways to spent scant resources
“We developed clear guidance for businesses, including the Cyber Essentials scheme, which already has over a thousand companies accredited.”
The scheme itself is simple yet effective but with the absence of an effective national model of CISPs it is left to a multitude of fora to distribute and promote the scheme. Of equal value is the 10 Steps to Cyber Seciurity a Board level tick box that should be a common statement for all organisations.
“We built cyber security into every stage of the education process. We established Cyber First and cyber apprentices to make sure that we got the talent we needed coming into the field…. And most ambitiously, we will be rolling out a major programme for the most talented 14 to 17 year olds, involving after-school sessions with expert mentors, challenging projects, and summer schools where those on the scheme can see where their cyber skills can take them. ”
Keeping the “Cyber” learning up to date is essential and making it relevant really does mean we can keep the UK safe. In an interview BBC Radio5 Live had with the hacker Charles Float, he talked about his frustration at the technology education provided in school and his lack of interest. I make no judgement about his actions but there must be a better way to channel bright and knowledgeable school children who are orientated towards gaming, and moving them away from hacking. Ensuring that people who hack, even if only to have an advantage within an online game, know that disrupting other players online access is illegal might be a start.
“It is a bold, comprehensive programme that will give Britain the next generation of cyber security, and make Britain one of the safest places to do business online.”
I agree it is a big investment, but one that is essential to retain a safer online UK. However, there are still risks that this strategy could be undermined, unfortunately by the same person proposing it.
“Today I can announce that in 2016 we will establish a single National Cyber Centre, which will report to the Director of GCHQ. The Centre will be a unified source of advice and support for the economy, replacing the current array of bodies with a single point of contact.”
It will be useful to see the details of the Cyber Centre in particular its engagement with Police Forces and how it will strengthen the Regional Cyber Crime Units and the NCCU.
Overall it was a positive step. Some of my comments may appear to be negative, they are not meant to be. Any investment in this area is welcome but we need to ensure that the good intentions are not undermined by the economic realities facing Policing particularly.
There is an opportunity to bring Cyber issues into the current psyche of leaders across all sectors which would substantially help to create a safer online UK. As a policy or strategy it does, however, stand alone, as there does not appear to be an alternative from others and I look forward to seeing alternative strategies to keep online UK safe from other political parties particularly the Opposition.
Stuart Hyde QPM
Vice president www.hightechcrimecops.org
Vice President www.polcyb.org
Director of Solutions www.cclgroupltd.com