Hammond’s £1.9 billion cyber ‘defend, deter, develop’ strategy

Share

In a speech at the Microsoft ‘Future Decoded’ conference in London this week, the Chancellor of the Exchequer Philip Hammond MP has set out his plans on how best to spend £1.9 billion defending the UK against cyber attacks.

Admittedly, it took rather a long time for Mr Hammond to start talking about cyber security strategy, but when he finally got there he started firing with both barrels. “If we want Britain to be the best place in the world to be a tech business,” he said, “then it is also crucial that Britain is a safe place to do digital business.”

“Trust in the internet and the infrastructure on which it relies is fundamental to our economic future,” Hammond continued, getting into his swing, “because without that trust in, faith in the whole digital edifice will fall away.”

So far, so good. Then it started sounding just a little familiar. Especially if you have sat and listened to government ministers and GCHQ chiefs and other establishment figures from across the political and defence spectrum who have all been happy to toe the party line. “We need a secure cyberspace,” he said, “and we need to work together business and government to deliver it.”

…and still everything is far from fine

And there it was, the business and government will work together to make everything OK line. The line I’ve been listening to year after year; and still everything is far from fine. You can read the full transcript of the Chancellor’s speech here and, to be honest, for once it might not be a bad thing to pop over there before continuing here. That way you get the complete context before we let the security industry loose with its considered reaction. Just promise to pop right back, OK, because this is important stuff.

Despite our reservations here about the differences between blowing a lot of hot air and actually delivering concrete results that make a bloody difference, there is no denying that how just shy of £2 billion is spent is a big deal.

So, are you sitting comfortably? Good, then we’ll begin. IT Security Thing has put together what is almost certainly the most comprehensive cross section of opinion and analysis regarding the speech from the great and the good of the IT security industry. We present it without any further bells and whistles:

David Howorth, Senior VP EMEA, Alert Logic:

“Today’s initiative is a bold move by the UK government, who are recognising the critical role of government in protecting our country’s critical infrastructure and digital assets.  The IT industry is a core foundational block of the UK economy and securing and maintaining trust in the digital world is a central responsibility of any government. At the same, time the UK government is launching this initiative to help drive a mindset change across industry and commerce, by encouraging a proactive approach to managing and minimising IT security risk. Collaboration with the industry will be central to this, both in terms of information sharing and raising awareness of the need to build security into the fabric of tomorrow’s infrastructure and applications. Reducing IT risk has always been a balancing act between cost vs. acceptable risk, and today’s initiative demonstrates the UK government’s desire to create a secure and trusted landscape where innovative companies can thrive.”

…a bold move by the UK government

“Whilst this will provide opportunity for the cyber industry, it also lays down an interesting challenge. Part of the government’s theme is to remove the fear factor from the whole topic of cyber security. Good cyber security solutions need to be flexible, easily consumable and deliver immediate meaningful outcomes. In addition, the UK government is looking at the cyber security industry to collaborate even more closely with government to help deliver this strategy.”

David Emm, Principal Security Researcher, Kaspersky Lab:

“It is encouraging to hear from Chancellor Philip Hammond that part of the £1.9bn to boost the government’s cyber-security strategy will go towards education and training of cyber-security experts. The next generation hold the key to plugging the widening cyber-security skills gap. It is critical that we harness young people’s natural curiosity and strong digital capabilities to prevent cybercrime. If we can’t, we will not only struggle to fill the talent void, but we may also lose bright minds to the ‘dark side’, further exacerbating the problem.”

“Unfortunately, our research shows that as it stands, employers themselves do not have entry-level cyber-security roles and the industry is currently failing to provide a clear path for young people to find work, hone their skills, and serve society. This must change, and it needs a collaborative effort. The government, educators and industry must work together to enthuse young people about entering the cyber-security field. Industry and educators must then ensure that students are taught the right skills to ensure they are work-force ready upon graduation. The final responsibility lies with industry alone, to ensure enough entry-level positions, and a nurturing environment for cyber-security specialists to hone their craft and develop in the role. By working together, we can ensure that their talent and curiosity is harnessed and nurtured for society’s good.”

Spencer Young, Regional VP of EMEA at Imperva:

“Whilst we welcome the acceptance from the UK government that threats are increasing and that we need to more adequately equip ourselves to defend against foreign states, criminal groups and activist individuals, it is clear that we have lagged behind in a number of key areas. For instance, I believe there is a serious talent issue in the country, in that organisations and government departments find it hard to hire individuals with the experience and skills to add value to their cybersecurity teams. This stems from the lack of focus and funding in our schools, colleges and universities in devising vocational based learning and qualifications, to attract our brightest young minds into the cyber-security industry and giving them the skills they can apply in a work environment from day one. The new investment will no doubt enable the technologies required for the government to better defend its citizens, but without the skilled workforce behind it, the cyber-criminals will continue to stay a step ahead.”

… it is clear that we have lagged behind

“However, that said, the attack types we see are becoming more and more sophisticated. Therefore, it is not enough to defend against high volume, low sophistication attacks. Today we need to be more focused on defending high volume, highly sophisticated attacks, which are becoming more prevalent and dangerous. In addition, it would be good to understand who is advising the government on the technology strategy they are adopting? Simply adding investment to defend websites or email systems will not prevent hackers from gaining entry. The information they want resides in databases and applications that exist on premise and in the cloud. Protecting only websites and email systems is akin to having a burglar alarm on the front door, but leaving the valuables in plain sight once the thieves enter the home.”

John Bambenek, Threat Intelligence Manager at Fidelis Cybersecurity:

“The UK government has today announced plans to invest more in cyber-security, which is timely, given the worrying news that the NHS Trust has cancelled routine operations at three hospitals after a virus compromised its computer system. With the UK’s critical infrastructure, which also includes the electrical grid and airports, already at risk, it’s becoming clear that no one and no thing is safe from becoming a target for hackers. For this reason, it’s critical that the UK government uses its £1.9 billion worth of investment wisely, as it has now become a matter of life and death.”

“With the promised investment injection, the government needs to consider both detection and prevention technologies to ensure it fights back against ‘foreign actors’ on as many fronts as possible. Too many enterprises and government institutions focus on a patchwork of endpoint and perimeter-based security, when a full strategy is required. It is critical that organisations including hospitals and airports are able to monitor both the network and endpoints, as well as have the capabilities to analyse data, in order to detect threats quicker and know immediately what kind of action needs to be taken. If we are going to ensure our emergency services are not at risk, and if we are going to safeguard the lives of people in the UK, it is essential that the government invests in cyber-security technologies that will identify and stop attackers wherever they may be.”

Dave Larson, CTO at Corero Network Security:

“Plans unveiled today by Chancellor Philip Hammond focused on major initiatives to better protect the businesses and ultimately, the citizens of the UK. The ever increasing and evolving cyber threat landscape has become dinner table conversation as of late, these events are becoming increasingly common, and proactive, automated solutions must take centre stage in defeating the threat. The modern nation cannot sit back and hope that the next cyber-attack won’t impact critical infrastructure or take down major online institutions. These initiatives must be paired with consumer education in understanding the threats that exist and how to avoid becoming an unintentional pawn in cyber warfare. Additionally, when you think about attacks on the internet of things escalating from consumer devices to businesses, enterprises, government agencies, utilities and more – you realise it is time to more aggressively secure every endpoint so entire networks including cloud services don’t collapse and leave us vulnerable to other forms of terrorism.”

Greg Day, EMEA CISO with Palo Alto Networks:

“It is great to see the ongoing investment by the UK government, recognising the increasing dependence the UK has on the digital world. There’s no doubt that UK organisations want to play a key role in helping the country defend itself from cyber-threats and will respond to the government’s cyber-security announcement positively. Mr Hammond has reinforced, as upcoming EU legislation encourages, that executives have a duty to ensure that their companies are secure. To find out more about how executives view this, we recently surveyed the IT security heads of British businesses – many of those surveyed said they were positive and determined on cyber-security, with strong preventative strategies already being put in place. However, private businesses’ ability to take action on cyber-security may be limited by internal tensions between senior managers on IT security strategy. Our survey revealed that half of IT security professionals (51%) find it difficult to highlight possible security system weaknesses to senior management, while the rest (49%) find it more difficult to admit something has gone wrong and that a breach has occurred.”

… attackers will also continuously improve their tactics and techniques

Ilia Kolochenko, CEO of High-Tech Bridge:

“This is definitely great news, and more countries should follow the UK’s example. I am very curious how exactly the amount will be invested, as spending more does not necessarily mean better results, but if allocated wisely it can prevent a significant number of new incidents and data breaches. However, we should also keep in mind that without international cooperation, there is no way to reduce global cyber-crime. The internet has no borders, and if only the UK will try to take care of the problem we won’t see many results. We can prepare our defences better, but attackers will also continuously improve their tactics and techniques to by-pass the latest cyber-security solutions.”

Jonathan Martin, Department Manager for Cyber Security & Cloud at Networkers:

“We welcome the governments £1.9bn investment into cyber-security and are pleased to hear that some of this investment will be dedicated towards education and training of cyber-security experts. However, while we welcome this decision we hope that a proportion of that funding goes into the education of the next generation and helps connect school kids with the joys of a career in cyber-security and IT. Currently there is a shortage of cyber-security experts to manage the increasing problems presented by the integration of tech into our daily lives. As industry incorporates more and more technology, the need for these experts will only increase and as a result we anticipate a steep rise in demand for their skills. Without a concerted programme to entice the next generation, the UK could leave itself vulnerable.”

Nigel Hawthorn, Chief European Spokesperson at Skyhigh Networks:

“The sophistication of cyber threats is ever-increasing and attackers working with state-support or independently often view the government as low hanging fruit. With its reliance on outdated infrastructure, some systems are vulnerable and its citizens and businesses that would bear the brunt of any cyberattack on critical networks. The new government strategy reveals the renewed focus on keeping the country secure. Yet, the published document also states that the government alone cannot provide for all aspects of the nation’s cyber-security, meaning businesses must step up to the plate.”

Data is now the crown jewels of any firm

“Cyber security has traditionally been relegated from the boardroom to IT, but Hammond’s speech should provide the impetus to make it a company-wide endeavour. Data is now the crown jewels of any firm and CEOs can no longer expect others, whether government or individual departments, to protect them. They are liable for any data that is compromised when in their care and that means they must adopt the technology and processes that ensures its safeguarding. After all, car manufacturers put bumpers on cars and the government puts footpaths on most streets, but a parent still has to teach their children not to run across the road without looking. In cyber-security, we are all responsible for taking the best care we can of our data assets, which contributes to the nation’s security.”

Bryan Hurcombe, public sector lead for Deloitte UK’s cyber risk practice:

“The Chancellor’s proclamation on how the UK government will spend £1.9 billion on cyber security is a welcome part of a wider strategy to make the UK a preferred location for digital enabled business. This strategy, not without its challenges, has seen the development of the National Cyber Security Centre in London, bringing the expertise of GCHQ right into the heart of the city. This latest initiative will generate capabilities to defend, deter and disrupt cyber threats against the UK. This is a race against the increasing threats and greater numbers of foreign and domestic organisations with the malign intent and the technical know-how. As businesses increase their digital footprint they will naturally increase their vulnerability. Budgeting to reduce the risk of the exploitation of these vulnerabilities must become part of the 21st century business model; security must be a standing item on the board’s agenda and business plan. A key challenge remains the cyber talent and skills shortage. Greater prioritisation of investment in science, technology, engineering and mathematics (STEM) in early education would ensure Britain remains ahead in cyber defence, and keep it there for the next generation.”

Nick Matthews, Managing Director in Duff & Phelps’ Disputes and Investigations Practice:

“The government’s resolve to fight the state-level cyber threat, coupled with a 50-strong boost the National Cyber Crime Unit, part of the National Crime Agency, are laudable. However, there is no substitute for businesses taking steps to protect themselves or at least be ready to respond to a cyber incident. Complete protection from cyber risk, however, is impossible for a business to achieve and any framework of controls must be risk-based and proportionate if it is not to impact unduly the ability to do business.”

…one in four companies do not have a specific response in the event of a cyber-attack

Sam Millar, Litigation & Regulatory partner at DLA Piper:

“This is a welcome investment from the UK government – Philip Hammond is right to emphasise the need for the UK to keep up with the scale and pace of cyber threats. It is clear that individuals and businesses are not yet equipped to cope with these collective risks – likened by Hammond as being as dangerous a threat to our national security as terrorism. It is vital that the government ensures that law enforcement efforts and legislation to tackle cyber-crime are agile, up-to-date and robust, so that the ever-evolving risks are managed and criminals prosecuted swiftly wherever possible. On the corporate side, there is no doubt that responsibility for ensuring that organisations are as secure as they can be against cyber-attacks rests firmly with the CEO and the board. How that responsibility is exercised and the extent of resources deployed will differ from corporate to corporate and sector to sector. Recent research suggests that one in four companies do not have a specific response in the event of a cyber-attack, despite almost half considering it a significant threat to their business. Stronger partnerships between government, law enforcement, industry (in all sectors) and academia will be essential if the UK is to protect its businesses and infrastructure – both physical and digital – and ultimately remain a global leader in the cyber space.”

Jonathan Sander, VP of Product Strategy, Lieberman Software:

“Chancellor Philip Hammond’s planned increase in cyber-defence spending is the right idea at the right time. It has never been more crucial to double down on cyber defence. The devil is in the details, though, and the question remains if that money will be put to the right use. There are hints that the Chancellor and GCHQ may be getting bad advice from the small details they revealed. Some spending will be aimed at producing more cyber-security experts to combat threats. While experts are good to cultivate, they should also pay attention to normal folks both inside and outside the government, utility sectors, and everywhere else. If they could push out the basics on how to avoid falling for phishing scams to a majority of citizens, they would severely hamstring the bad guys who rely on people blindly clicking on bad emails as the start of their attacks.

“They also mentioned spending on sophisticated mechanisms to fight back against the attackers, but the latest Dyn attacks should have taught us that simple discipline in changing device passwords would be as if not more effective than the fanciest counter attacks. It’s not that they should not invest in counter attack capabilities. They should. But there needs to be a walk, run, fly mentality applied and when bad guys can sweep through millions of devices at will to form zombie attack armies because of weak passwords, the notion of counter attack seems a bit like putting on airs. Finally, they mention giving cyber-security start-ups a boost. Again, this may pay off, but there must be cognizance that spending in the start-up world is a bet. It may pay off or it may fall flat. Cyber-security experts could spend time applying proven technologies – that may not be as cool – but will absolutely be effective. Like all spending, this new cyber-security spending needs to be weary of being penny wise and pound foolish.”

Javvad Malik, Security Advocate, AlienVault:

“Cyber-security is an ever-moving set of goal posts and it is necessary to re-evaluate risks and the threats that are posed. As cybercrime increases, it is necessary to shift investments and focus to prevent the biggest of threats. The investment will likely not signal a big step change – but rather a continued evolution of the nation’s cyber defences, to respond to the growing cyber challenges that present themselves.”

“Perhaps the biggest challenge when it comes to cyber-security is answering the question, “when are we done?” as in, how much do we need to invest in security until we are confident that we’ve achieved enough? Today there isn’t a good answer to that from a preventative point of view as attacks continually evolve. However, having the right level of visibility in terms of detecting threats when they do materialise is something that can be achieved now. So, investing in well-trained staff and technologies that can detect threats will help boost response capabilities in the long run.”

Gubi Singh, Chief Operating Officer, Redscan:

“This latest announcement by the chancellor emphasises the growing threat of cybercrime to the UK. Hardly a week goes by without news of highly damaging cyber-attacks making headlines around the world. Well-resourced and determined cyber criminals are continuously advancing the sophistication of their approach to stay ahead of the latest defences. As technology develops, with a rise in cloud computing and growth in IoT devices, more and more investment in critical infrastructure will be needed to protect against increasingly complex threats.”

Companies simply can’t be reliant on the government to protect them

“Any person unconvinced about the latest threats posed should look at last year’s reported cyber-attack on a Ukraine power grid to understand the significant consequences of a failure to adequately protect defences. The incident in the Ukraine is just one high-profile example of an attack that was made public. Far too many organisations are blissfully unaware that their defences have been breached and a lack of regulation across markets means than many attacks go unreported. Investing to improve the UK’s cyber defences will help to ensure the UK remains competitive in an increasingly digital economy, as well as being able to better protect vital infrastructure. It is yet to be seen, however, if the level of funding proposed will be sufficient to deal with the rapidly evolving threats that both nations and businesses face. It’s also important to note that as well as increased investment, greater collaboration between governments and businesses to share threat intelligence is essential in the fight against cybercrime.”

“The chancellor’s announcement will certainly improve confidence in British businesses, especially at a time when there are many question marks around the impact of Brexit on the economy. If the UK is perceived to be a leader in developing cyber-security defences, it will help to attract increased investment from the private sector, create skilled jobs, and improve global demand for these expert services. In addition to investing in improving defences, cyber education can significantly reduce the risks of cybercrime. A lack of user awareness around best practice continues to be one of the biggest reasons for successful attacks. Educating users about the dangers of online threats from a young age could also be a smart long-term strategy to reduce cybercrime.”

“Companies simply can’t be reliant on the government to protect them and need to do more themselves to improve their security posture. By regularly assessing defences, proactively monitoring threats and rapidly responding to incidents, organisations can significantly reduce their security risk. There are also existing government-backed initiatives, such as Cyber Essentials, that provide an easy way for businesses to reduce their security risk. Security expertise across the country is in short demand, which means that hiring qualified professionals can be costly, particularly for small businesses. Recruiting talent is very much a long-term strategy that will require investment beyond 2020. Identifying the right personnel will be critical to avoid inadvertently training and arming the next generation of hacktivists.”

Troy Gill, Manager of Security Research, AppRiver:

“With the global cost of cybercrime expected to explode over the next few years (costs estimated in the trillions globally in just a few short years), investment now is essential in staving off the impact. I believe UK’s recent announcement to increase spending in the cyber-defence grid is a positive step. Attacking the problem from multiple fronts, as they are, is a good idea. It’s good to see an investment in prevention such as shrinking the attack surface by improving email security and taking down malicious websites. This will of course require investment in technology as well as a workforce to manage and implement their strategies. I also believe investment in security start-ups through the innovation fund is an important piece of the puzzle that hopefully will not get overlooked. I am interested to hear what sort of benchmarking will be baked into the plan, as it might prove useful in identifying areas to focus efforts moving forward. I think this is also a good time for businesses and individuals to take a long hard look at their own cyber-security practices and consider doubling their efforts as well in the face of this ever-growing threat.”

Bogdan Botezatu, Senior e-threat analyst, Bitdefender:

“Investing in cyber-security is always recommended especially if it involves a long-term strategy not only for developing new technologies, but also for training cyber-security experts. Whatever the investment plans for the £1.9bn, a top priority should be given to education and creating cyber-security specialists that will fill in the current knowledge gap. Also, programs that stimulate the cyber-security star-up environment along with R&D funding for new cyber-security defence mechanisms should also be on the list. While the £1.9bn figure might seem like a huge amount, splitting and allocating it based on requirements and expected results could be problematic without properly devising a plan and setting up expectations.”

Board members need to be held to a minimum standard on cyber preparedness

Richard Olver, Vice President at Tanium:

“This strategy will help to increase the UK’s cyber capabilities and sends a strong signal that the government intends to take action on cybercrime. But if we want to see real change, it is time to address the serious accountability gap that exists at the top of business. Board members and executives have been asleep at the wheel when it comes to assessing and understanding the cyber threat. It is not enough for the government to tell chief executives to protect their networks, they need to be held to a minimum standard on cyber preparedness. Some of the largest organisations are often alarmingly unprepared for a massive breach that could mean the loss of sensitive customer data. Only when both board members and senior executives are held to account by government on their cyber defences will a strategy like this be effective.”

Jason Hart, CTO, Data Protection, Gemalto:

“It’s encouraging to see that the government is making cyber-security a priority in its latest round of investment, especially with less than two years until GDPR comes into effect. The focus needs to be on securing our most valuable asset: data, instead of just on the perimeter, which hackers can and will breach if they want to. In order for the government’s strategy to be successful, they need to encourage businesses to understand where their most valuable data is, and bring security controls closer to the data in order to ensure user and device access controls are in place. The threats we face are not just about data being stolen anymore either, businesses have increasingly become victims of data manipulation, the next frontier of cybercrime. Through data being changed, businesses can make vital decisions based on incorrect or exaggerated information, which hackers can exploit for financial gain, or purely for reputational damage – implementing protocols where the data resides helps protect against that.”

Andy Powell, VP, Head of Cybersecurity at Capgemini UK:

“Any investment to strengthen the national infrastructure against the proliferation of cyberattacks is strongly welcomed. Bringing universities and think tanks together is a very good thing too, but we must avoid over-focus on tools and technology and do much more to develop our people and processes. Increasingly it has become more about how we apply the technology, rather than the tools themselves. So, in order for a strategy like this to be effective, it needs to be enacted properly and enforced through mechanisms such as legislation, this being the key to creating good behaviours at the board level and prompting much needed investment. With the UK government showing its commitment to boosting cybersecurity, it will be interesting to see if it will commit to the EU’s General Data Protection Regulations (GDPR), which while two years away, needs actions to start now and will apply large fines to organisations failing to protect personnel data properly, despite the decision to leave the EU.”

James Tolfree, UK Director at Cryptzone:

“Talk of ‘Strike back’ represents quite a change in mindset. Traditionally, UK governments’ cyber strategy has focused on ‘defence’ but in recent months we have heard much more rhetoric around an offensive cyber capability. This recognises that the cyber space is the new battleground – you can’t be in a battle space with only a defensive position, especially when dealing with state-sponsored cyber attack strategies. We know that our current defences are inadequate. This is apparent by the 22% rise in cyber crime recently outlined in a report by Action Fraud. Given that the cost of this to the UK economy is estimated to be as much as £11 billion per year, some might ask the question is this response by government enough?”

We’ve seen a very fast evolution of cyber threats

“The reality is of course that cyber defence is the responsibility of us all. Government should lead much of the initiative but the responsibility and cost needs to be borne by government, industry and us as individuals; in much the same way we expect government to lead on other areas of crime, but it is all our responsibility to make sure our homes are fitted with adequate locks and alarms, and that we use them. One of the main challenges is the ‘shape-shifting’ nature of cyber threats. We’ve seen a very fast evolution of cyber threats from well organised criminal organisations as well as state-sponsored attacks. These now take on a multi-vectored form, utilising combinations of, advanced reconnaissance, elegant well-hidden malicious code and social engineering. Traditional cyber defence strategies that tend to focus on the concept of protecting network perimeters haven’t kept pace with the criminals and cannot respond to these advanced threats. So, whilst increased government spend should broadly be welcomed and applauded, unless it is focused towards a fundamental shift in approach to cyber defence, it risks being a case of good money after bad.”

“It is a little too early to say what this will mean for cyber security in the UK. It is encouraging that part of the funding has been ear-marked for training cyber-security professions as there is currently a noticeable skills-gap here in the UK. It is also encouraging that funding will be available to innovative start-up cyber-security businesses. The UK has long been respected for its skills in this sector, but in order to maintain this position, strong investment from both government and industry is needed.”

Gavin Millard, EMEA Technical Director at Tenable Network Security:

“With boots on the battlefield being replaced by bits and bytes directed at critical infrastructure, shoring up our cyber defences is a prudent move by the UK government. As demonstrated last week with the Mirai DDoS levied against the East Coast of America, bringing down huge swathes of internet services for a short time, infrastructure can easily, and will be more frequently, targeted in the future. With ageing, critical national infrastructure, investments need to be made to remediate easily exploitable services and reduce the available attack surface an adversary could target. Cyber attacks affecting our citizens are becoming part of everyday life. Money is the current target for most attackers, but if the approaches they take are more political in nature, we could see the UK severely impacted unless proactive steps are taken to reduce the risks.”

Richard Meeus, VP Technology EMEA at NSFOCUS:

“National investment into cyber-security can only be encouraged as recent events have shown. We need to place this threat in the same arena as the Police and Armed Forces and stop treating it as an inconvenience. It is important, however, that this investment does not create barriers around the UK’s cyber infrastructure such that it reduces the overall benefit of the web. This “Balkanisation” of the internet should be avoided else we retreat from the cyber world quicker than Brexit. Hopefully the investment will be far-reaching and not only help the advancement of cyber-security companies in the UK, but also the education of the general public. The worldwide web has been around for over 20 years and basic security controls are still ignored by the general populace; we are told frequently to close our windows and doors, not to speak to strangers, don’t always trust people at your front door are who they say they are – yet how many people still don’t have a screen lock on their smartphone?”

Balkanisation of the internet should be avoided

Paul Calatayud, CTO, FireMon:

“When it comes to national cyber defence, most of the time current funding focuses on critical infrastructure protection. When funding by governments increases, it is usually attributed to two main factors: definitions of critical often expand and changes in adversary attack techniques that require more investments. If expansions in the cyber defence programme are attributed to expanded scopes, more resources will be required. Often this comes in the form of outreach grants and new laws to help assist the corporate side. It also means increase collaboration between government and private industry.”

Alex Mathews, EMEA Technical Manager at Positive Technologies:

“The investment is a reflection of how seriously the government is taking the problem. Safeguarding the populous from cybercrime is worthy, but there also needs to be a sharpening of focus on protecting critical infrastructure. There is a rising risk from cyber-attacks targeting vital services such as transport, utilities and industrial systems within the UK. Taking down an electrical grid or breaching an air traffic or railway network, doesn’t just cause disruption and financial damage, it puts lives at risk. The fact the same IT systems manage everything from banking infrastructure to power stations, makes them a target for attack. More investment means the UK can become better at staying ahead of the vast array of continually advancing threats. This is achieved through better technology, education and sharing of threat intelligence. In an ideal world, investment should be underpinned by added legislative teeth. This will help ensure that companies and IT companies take the responsibility to protect their assets and customers at all levels seriously.”

Ed Parsons, Associate Director at MWR Infosecurity:

“While this is a welcome increase to the UK’s focus on its cyber defence capabilities, some uncertainties remain. It is unclear from where the government will find 50 cybercrime specialists for the NCA when there is such a massive skills shortage within the industry. The necessary changes to recruitment within the industry will not be achieved overnight. Instead, the reality is this government-backed initiative should be seen as a multi-year, perhaps generational effort to drive sufficient numbers of specialists into cyber-security. With corporations competing for the same resources, we would like to see more emphasis on apprenticeships, internships and exchanges. UK plc is a great place to work on fascinating and challenging cyber projects and we should be realistic that people undertaking training will want to experience the full range of subjects incorporated within the sector.”

Our industry has built itself on illusions

“Finally, while the government’s statement focuses on boosting the NCA’s capability and specific measures to tackle the volume of cybercrime, there appears to be little mention of nation state action, which has shifted from espionage towards disruptive attacks and overtly political action. The UK must devote attention to the threats posed by such political players, as well as the more day-to-day threats that cost members of the public dearly.”

Azeem Aleem, Director of Advanced Cyber Defence Practice EMEA for RSA Security:

“The UK latest cyber-security strategy highlights the government’s continuous determination in the fight back against cyber crime. However, is £1.9 billion over five years sufficient to address the core problem? Our industry has built itself on illusions (one fix work all) so the government needs to develop filters to chalk out the white noise and follow patterns of attacks that are specific to business industry/domains. This would require more than £1.9 billion to do it. The strategy can only be successful if we are able to develop a holistic partnership among industry, academia and government bodies. The industry is facing a drought in terms of core expert skills in this sector. Graduates are coming out of universities with a clear lack of alignment with the industry, which is hindering the effort in fight towards cyber crime.”

Amichai Shulman, CTO of Imperva:

“I personally like the tone of the announcement. It seems that the money is aimed at increasing cyber safety for the general public rather than adding protection to “critical infrastructure”. I’ve talked about it numerous times in the past. Most modern nations spend much more on the attack side rather than the defence side. When they do spend on defensive technologies it is to protect “national interests” and “critical infrastructure”. While these are important causes, over the years modern nations have failed to invest in “cyber safety” for the masses – making the internet a safer place for people who conduct commerce and surf for information and fun. If, as stated by the UK official the additional funds are going to be invested in better policing of cyber space as well as helping commercial organizations to get protection then this is a much desired long deserved investment.”

Mark James, Security Specialist at ESET:

“With so much malware being delivered via emails and websites the only way we are going to stop it is investing in the right places. Providing the right expertise and professionals to give the best advice along with investing in the right software and or hardware to identify attacks or incoming risks will need a substantial cash injection. Sadly, it’s not going to just happen overnight and requires ongoing investment in training and future projects. One of the problems we have always seen is information sharing, being able to get real time usable data on how threats are incoming and evolving will be invaluable for our defence. But having the means and processes in place to not only stop attacks but find and prosecute the criminals responsible wherever they may be, is what we need. With international boundaries and the ability to administer an attack from almost anywhere in the world successfully, prosecuting cyber criminals with the sentences that sends a clear message would do a lot of good. Investing in our upcoming cyber security professionals is one of the areas that needs to be expanded, it should be an area teenagers consider alongside traditional careers and one that should be easily accessible by all. We also need to ensure help and training is available for anyone who needs it in understanding the everyday risks involved in using computers, tablets and mobile devices.”

Lee Munson, Security Researcher at Comparitech:

“The British Empire Strikes Back would make a cool-sounding film, but the plot surrounding the Chancellor’s plan to inject £1.9 billion into the nation’s cyber security defences is, at best, a confusing one. Automated defences, designed to nullify phishing and other nefarious emails, sound like an awesome solution to a problem that has plagued the best business and technical minds for at least a generation. Quite how they will work is entirely unclear at this time, but this security researcher is super-excited at the prospect of the silver bullet so many of us in this industry have yearned for since the dawn of the internet. More than that, I am even keener to see how the UK will ‘strike back’ at those who threaten Britain across the interwebs when there isn’t enough cash on offer for the process of identification, let alone retaliation, unless ‘Russia done it’ is now the official government line in response to all cyber-attacks.”

Geoff Smith, Managing Director, Experis UK & Ireland:

“As the digital warfare intensifies, any measure that helps fight off persistent attackers should be lauded, and it’s very promising to see the government pledge some of its cyber-security strategy investment towards increased education and training opportunities for IT security experts. Cyber-security expertise is in short supply, with businesses willing to pay more to bring in the right skill sets. In our recent Tech Cities Job Watch research, it was revealed that the average salary for permanent IT security professionals now stands at £58,003, up 7.95% on last year’s figures. IT security day rates are also on the rise – up 4.98% year-on-year (£443 on average), as many companies turn to short-term contractor support to help plug the gaps.”

Cyber-security expertise is in short supply

“For organisations struggling to find the right talent, it’s important to look for people with the right mindset and transferable skills, which can be assessed during interviews. By hiring and working with individuals with the aptitude and enthusiasm to learn new skills, and giving them relevant training and the freedom to experiment with new technologies, businesses can mitigate the risks. This will help to future-proof their organisation and ensure they don’t become tomorrow’s cyber-attack headlines.”

Christine Andrews, Managing Director of Data Governance, Risk and Compliance Consultancy DQM GRC:

“Whilst we welcome any boost in spending by the UK government to improve cyber-security, unfortunately real progress will only occur when the organisations themselves start taking data governance seriously and consider cyber security as a boardroom issue, not a problem that can be resolved in a backroom department. Assistance from the government is a supportive step in the right direction, but it is vital that the organisations themselves implement an engaging staff training programme to ensure all employees are aware of the need to manage data securely. The most common and destructive mistakes are often due to human error – not state-sponsored, powerful cyberattacks. For example, even the simple loss or theft of a USB stick or laptop containing personal information about the business could seriously damage your organisation’s reputation, as well as lead to severe financial penalties.”

David Navin, Corporate Security Specialist at Smoothwall:

“The modern day business should know that when it comes to cyber-security and the protection and defence of a company’s data, systems and intellectual property, security is of utmost importance. However, as we have seen even recently in the news, it is not always the case, and so the announcement today from the Chancellor of a £1.9 billion spend to boost the UK’s cyber security strategy should be well received. Hopefully this new government spend will resonate with UK boardrooms and show the importance of having a robust security program in place with everyone from the CEO, CFO and CTO, ensuring they are educated to the risks and understand the importance of having strong enterprise grade security measures in place. Businesses should not rely on one security supplier when trusting them to protect their business. Instead businesses should build its resilience through multiple layers of firewalls, encryption and good security software providers so that if one is compromised, the others are all in place and maintaining that high level of protection.”

What do you think of the annoucement? Will this be money well spent, is it enough or does more need to be done? Let us know in the comments below.

Share