National Audit Office Warns Of 20-Year Wait For Cyber Security Professionals

The National Audit Office (NAO), the independent body responsible for scrutinising UK government departments and agencies, has today warned that if the number of applicants for ICT courses doesn’t increase, it could take “up to 20 years” to fill the skills gap in the cyber security field.

The NAO did say the establishment of the national Cyber Security Strategy (CSS) in 2011 has already started delivering benefits, but gave a bleak forecast in a 40-page report entitled “The UK cyber security strategy: Landscape review”.

Protect the money

According to NAO, the cost of cyber crime to the UK is currently estimated to be between £18 billion and £27 billion a year. At the same time, eight percent of the country’s GDP is the direct product of the Internet economy, a greater contribution than in any other G20 country.

“The threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack,” said Amyas Morse, head of NAO.

In 2011, the CSS outlined how an investment of £650 million would keep the country secure from hackers through to 2015. The programme relied on “cooperation between the government and the private sector” in order to make UK networks safe, and included a number of education and research initiatives.

Despite the abundance of funding, CSS has so far failed to solve one particular issue – the lack of qualified staff. In the report, the NAO says that the number of IT and cyber security professionals in the UK has failed to increase in line with the growth of the Internet sector.

“Interviews with government, academia and business representatives confirmed that the UK lacks technical skills and that the current pipeline of graduates and practitioners would not meet demand,” states the report.

“Interviewees were concerned about a lack of promotion of science and technology subjects at school resulting in the reported lower uptake of computer science and technology courses by UK students,” it adds.

NAO hopes that the skills shortage will be helped by several upcoming government initiatives and the overhaul of the ICT curriculum. “The government is working to address this and has said that it intends to overhaul ICT teaching in schools to make it genuinely about computer science rather than office skills,” states the report.

Not just the kids

There are also other parts of the CSS aimed at increasing the number of IT and security professionals. For example, last year GCHQ, in partnership with the Research Council’s global uncertainties programme and the Department for Business, Innovation and Skills, awarded the status of ‘academic centre of excellence in cyber security research’ to eight UK universities.

Meanwhile, the government established a £2 million-a-year Centre for Global Cyber Security Capacity Building, and the joint public and private sector initiative ‘Cyber Security Challenge UK’ had launched a new framework to enable people to move into cyber security mid-career.

Besides bridging the “skills gap”, the report also mentions other, less critical objectives, such as “increasing awareness” (NAO believes that 80 percent of cyber attacks could be prevented through simple computer and network ‘hygiene’) and “demonstrating value for money” that cyber security solutions can provide.

“There is the conceptual problem that, if cyber attacks do not occur, it will be difficult to establish the extent to which that was down to the success of the strategy,” notes a press release from NAO.

Even though some problems remain, the UK has made considerable progress since the CSS was first published. The Police Central e-crime Unit has trebled in size, and the Serious Organised Crime Agency has repatriated over 2.3 million sets of compromised card payment details since 2011, preventing a potential economic loss of more than £500 million.

The report also mentions that since 2010, the UK Parliament has shown growing interest in cyber security, so at least the aim of “increasing awareness” is definitely being achieved.

“While it’s important to have specifically trained staff to counter the growing hacking threat, the UK certainly can’t wait 20 years for the next generation of cyber-security experts to be inspired, educated and trained,” commented Geoff Collins, VP of Product Management at 1E.

According to Collins, regular OS patching, application whitelisting, upgrading of (potentially highly vulnerable) legacy applications and careful monitoring of admin privileges has proven to mitigate 85 percent of all cyber-attacks.

What do you know about public sector IT? Take our quiz!