Are the government's cyber-security schemes working? An insider's view

2013 has been awash with government initiatives to tackle cyber-security, and the regularity of attacks on major public and private sector organisations suggests the vast sums of money being pumped into the schemes are vindicated.

But raw investment and end results are two very different things, so we spoke to someone at the top of his tree in the IT security industry to see just how effective state action has been in reducing threat levels in the UK.

Ashley Stephenson is the CEO of Corero Network Security, which specialises in protection against DDoS – one of the most frequently used attack vectors in the current landscape. As such, businesses are frequently banging on the door of Corero and its peers, with security vendors still representing the first port of call for the majority of organisations when they are breached.

The British government has been keen to change this status quo and establish the public sector as a powerful actor in the war on cybercrime, launching numerous educational campaigns like the £4 million cyber-security awareness project announced in June, and alliance schemes like the MoD’s recent Defence Cyber Protection Partnership with UK arms manufacturers.

Perhaps most significant, however, was the unveiling of CISP – or the Cyber Security Information Sharing Partnership – in March. This epitomised the government’s new approach of bringing together the private and public sectors to pool intelligence and improve both cybercrime prevention and law enforcement in the process.

Keen to get an insider’s assessment of CISP and everything else within the security industry at present, we invited Stephenson to share his thoughts and experiences.

CISP scheme yet to make impact

“I haven’t yet seen any material results from that but obviously we’re supportive of the intent and we’re following those activities with interest.

“It’s a politically popular thing to do at the moment. To be seen to be doing something about this problem [cybercrime] is a good platform [for governments], so without being cynical, I do expect to see additional activity in this area.”

Cyber-security regulations one step behind

“I think in terms of regulatory compliance work, my own feeling is that the regulations and compliance kind of laws haven’t caught up with the cyber threat landscape. Everybody understands that banks or other institutions have privacy, reporting, and monitoring rules…but those rules and regulations haven’t really kept up with the threat landscape. Therefore, many companies can be fully compliant and have all the check boxes ticked, yet they don’t have some basic cyber-attack monitoring tools in place. It would help a lot if companies were required to monitor for this kind of attack, as some of them don’t even know it’s happening.”

Bringing cyber-attack intelligence into public sector will take time

“Recently we’ve seen more public statements from government authorities encouraging corporations to share information with each other and with the government to create some kind of knowledge base of what’s actually going on out there. I think that will need to continue for several years before we reach a level of understanding of what’s really going on out there. It’s still very much a private enterprise, local solution in the majority of cases.”

Keeping security information private gives businesses competitive edge

“I would go so far as to say that some of these companies who have invested in protection feel that it’s a competitive advantage for them, and they’re not necessarily eager to share how they’ve protected themselves. Obviously when they share that information, not only do all their competitors […seek] equal protection, but also the attackers learn more about the defences, so there is this caution in disclosing too much about how you’re blocking attacks.”

Online law enforcement does not work

“To be quite frank I haven’t seen anybody in the recent past successfully protect themselves with the legal route. Finding and tracing back the originators of even the high profile attacks - it almost goes against the very nature of the Internet.”

Cybercrime transcends hackers. Follow the money

“What is probably likely to yield more information in the future is following the money. Perpetrators of an attack can take advantage of a variety of Internet-based tools to remain anonymous, but when money changes hands - even if it’s through some of these online entities that provide anonymity - then that’s probably the easiest path to follow. Follow the money to find out who’s benefiting from the attacks and that will shed some light on the motivation.”

Public and private sectors need each other

“I don’t think either side can do it on their own. I think the private sector will need some support from the regulatory side to make sure it’s a level playing field as much as possible for the good and the bad actors in the cyber-security space. And then I think from the government or institutional side, they would benefit from leveraging the knowledge of the private sector, including companies like ourselves.”