UK’s National Security Strategy Needs Your Input, Says MP

Labour MP Margarett Beckett, chair of the National Security Strategy Committee, has delivered a sharp criticism of the upcoming National Security Strategy – a document which will outline UK’s digital defences, among other things.

The National Security Strategy is expected to be published in 2015, but according to Beckett, work on the draft will not begin until after the general election, leaving little time to create meaningful guidelines.

Speaking at a Westminster eForum seminar on cyber security policy, she repeatedly invited the security industry and private businesses to suggest ideas and participate in setting the policy.

Meanwhile, Andrew Archibald, head of the recently established National Cyber Crime Unit (NCCU), reported that the country’s law enforcement was getting better at cross-border cooperation, something that’s instrumental for tackling cybercrime, but the progress was threatened by the lack of digital skills.

Co-operation between public and private sector was something of a theme throughout the event. “I think it’s fair to say that it is everybody’s problem. This is not something the government is going to solve for you, this is not something that you are going to single-handedly solve for your customers,” said Chloe Smith MP, who chaired the meeting.

Your country needs you

The first National Security Strategy was launched in 2010 but accordion to Beckett, the progress on the next iteration is not going well. She warned that there weren’t enough resources being spent on this document, and there was a real danger it would be rushed and incomplete.

Beckett criticised the lack of long-term thinking around cyber security in the current government, and warned that cyber security should become part of any national infrastructure planning. “For example, energy security is vital in itself, and the cyber security threat to that must be addressed. Our resilience to natural disasters could be compromised by a cyber attack on our infrastructure. Cyber concerns need to be embedded in all of our thinking on security and resilience.

“When they are major crises, we do tend to turn to the armed forces. It is not at all clear that the preparations the armed forces have made stretch beyond cyber security concerns of their own.”

“We repeatedly urged the government to begin early preparation for the next National Security Strategy, but sadly, we have seen little evidence that this work has seriously begun,” said Beckett.

She complained about the lack of outside expertise in the government, and invited the private sector to participate: “The government simply can’t succeed without input from the industry.”

The Skills Gap

Giles Watkins, head of Information Protection at KPMG, said that the adoption of cyber security measures among local businesses was happening slowly because such measures were traditionally seen as an additional expense with no clear ROI, while delaying the delivery of projects.

But at the same time, there was an increased interest in security from business executives. Watkins quoted a recent study which found that four out of five board members in large organisations now think that the security of the business is the responsibility of the board.

There’s also more interest from government organisations, which are finally finding effective means to tackle cybercrime. However, Andrew Archibald noted that investigating such crimes was very different from the traditional law enforcement operations.

“The police work used to involve statements and fingerprints, and we have the skills to operate in that environment. But the skills we need to run intelligence, gather digital evidence to prosecute – it’s a totally different skillset.”

He said that the cyber security ‘skills gap’ was affecting not just the private sector, but also organisations like the NCCU, and suggested that the government needs new ways to attract talented people, including higher wages.

Archibald added that the launch of the National Crime Agency was bringing positive change, especially in the way it co-operated with the industry and foreign colleagues – something he admitted wasn’t working well in the past. “The key to understanding the threat is how you access intelligence and information from a range of partners,” he said.

“Any of our investigations could typically involve some Russian-speaking countries, the US or Asia – multiple jurisdictions with different cultures, legislation, different skills, different values and different approaches. These are the challenges we must face.”

Juncker’s all right

Ulf Bergström, a spokesman for theEuropean Network and Information Security Agency (ENISA), told the audience that Jean-Claude Juncker, the just appointed European Commission president, actually made the Digital Agenda and digital economy his number one priority.

He added that there was great potential in the single European market, and the UK with its stringent data protection laws was well-positioned to become a security powerhouse, especially following the revelations about the intrusive practices of the US security agencies.

“Why don’t we have ‘security made in Europe’ as a brand?” asked Bergström. “Why is there no cyber security Airbus project, where you co-operate between the [EU] member states, and have a different approach to data protection in relation to what the US offers? The governments can’t force this on the industry, the industry needs to realise this is an opportunity.”

How well do you know network security? Try our quiz and find out!