Infosec: Government ‘Not Clear Enough’ On Cyber War Strategy

Thales’ Ross Parsell, who has been advising on the UK’s Cyber Security Strategy, says the government must be clearer on how it will respond to web-based attacks.

When the government pledged to spend £650 million on cyber crime over its five-year tenure, many an eyebrow was raised. Was it enough? Where was the Coalition going to spend? And would it spend in the right areas?

Not much information has been forthcoming on exactly where funds are going. The police have received £63 million directly, whilst £180,000 will be handed to the UK Cyber Security Challenge each year until 2015. That’s about all we have to go on right now.

In terms of strategy, there isn’t a wealth of detail to go on either. The National Crime Agency will lead the nation’s attack on illegal use of the Internet, whilst there will be greater collaboration between the public and private sectors. There’s also a new cyber operations group within the Ministry of Defence that will help deliver military cyber capabilities. Little else was established when the strategy was launched in November.

But to learn a little more about what the government is doing, at InfoSecurity 2012, TechWeekEurope caught up with one man who’s been sitting on advisory boards for the National Cyber Security Strategy – Ross Parsell, director of cyber strategy at Thales. One major issue, it appears, is a lack of clarity over the highly contentious topic of cyber war.

Reasonable force?

The US has the approach that if it is hit by a serious enough cyber attack, it retains the right to retaliate with physical force. The UK seems to be following the US in that respect. Is that a dangerous attitude?
I think they have to define what is serious enough. If they [hackers] are coming in and taking down their defence network, if they are cyber attacking and stealing top secret information, then you would be back into John le Carré’s cold war of spies.

You need to classify [the level of an attack] very clearly and publicise that to anybody before you make a declaration of war based on somebody hacking your network.

So do you think the UK government is being clear?
I don’t think that’s clear enough. You wouldn’t have been asking the question if it was clear and I’d have a clear answer.

In the US, they have regulated more and have put more standards in place for their critical and national infrastructure, saying ‘if you operate in this sphere, you must operate to these standards’. Certainly, the strategy of the UK government hasn’t gone down that route yet and that’s not very clear as to where that’s going. Our call to the government is to make some statement on standards.

Smart metering will need some form of security standard because if it doesn’t it’s a key area where you can start losing information. We’ve heard of cases where you can monitor meters to see if people are away when the heating is turned down and the house isn’t in use. Criminals will start to pick up on that and start using it.

We’ve heard complaints that the government is giving too much of its £650m pot to GCHQ, when it should be focusing on police. Is that something you believe is a genuine problem?
Putting it into context, from what I know and what I’ve done, is that they are actually joining these things up a lot more. So at the front end where police are getting money to work on fraud, cyber crime and its effects, they are joining themselves up at the back end to Cheltenham, who have got more money and are doing more monitoring and assisting. There’s the front end allocation of money and a back end that’s also got a greater amount of money, but they’ve managed to join themselves up and talk more.

It is a little misleading in that if you’re just reading pure figures, police only got around £50 million and GCHQ got the rest. Actually they’ve joined up more so they’re using all that money for the greater good. If you look at it that way, it doesn’t look that bad.

Big brother, big hassle

Do you worry about the controversial proposed surveillance measures that would see black boxes installed in ISPs before citizens’ communications data is sent off to GCHQ? Can they even work? Is it a waste of money?
I think there is a lot of hype around it. Is it feasible? My personal opinion is that they will struggle to do it. I also think they should not underestimate the amount of data they would have to go through. Also, don’t underestimate the public outcry either to actually doing it.

Do the government do it already? Can they monitor your emails? Yes, they can, on the spot. There are legalised, authorised ways of looking at them. Would they do it for everybody? They haven’t got the man-power to be able to process that amount of information.

It’s also dangerous that you’re giving organised criminals a single point of capture as well, within ISPs. If you could ever get into that black box, that’s the one you’d want to go for.

Education is an issue that the government bangs on about, but it hasn’t actually put its money where its mouth is. Very little of the £650m pot is going to education. Do you think the Coalition has to do more here?
We are not seeing the skill sets we need coming out of universities. Therefore we need to do something about it. We can do modern apprenticeships, we can do a number of things before people go to university, that’s fine.

But that’s not enough. We need to get lower down the chain and educate children, to look at the threat, not just keeping passwords safe.

There’s no movement from government on this though. It is all about programming, which is great, but do you think that will translate into greater security skills coming out of schools?
It needs a different skill set and that needs addressing. It needs a bigger focus and it needs more investment.

Not only would that lead to an increase in security engineers, but it would give the future, our legacy, a better understanding of what is going on.

I would say put some more money towards that. The government needs to allocate more money into it. There is a problem now that needs fixing, but there is a future problem that we also need to fix at the same time. We’re spending a lot on now, and not enough on the future.
