Q&A: The UK government's role in cyber security

With the modern threat landscape more treacherous than ever, the government has a vital role to play in helping businesses protect UK citizens from cyber attacks.

Following the launch of the National Cyber Security Centre, we spoke to Gordon Morrison, director of government relations at Intel Security, about how the government is supporting the cyber security industry in the UK and what more needs to be done.

  1. What does the launch of the National Cyber Security Centre prospectus mean for security in the UK?

The launch of the National Cyber Security Centre (NCSC) is an entirely positive development – providing a centralised and coherent reference point for business on cyber security. A more familiar organisation, its open doors policy hopes to encourage organisations to consult them on best practice and how to respond to cyber threats.

We’re also likely to see greater efficiencies and improved capability, as currently disparate organisations begin to work more closely together, including CESG, CERT UK and other assets. This should help improve how we protect and respond to cyberattacks on a national level.

  2. How well positioned is the UK in general to deal with hackers and cyber attacks?

The UK has long been recognised as a leader in cyber defence. Indeed, the UK topped the 2014 Cyber Power Rankings in the EIU Cyber Power Threat Index, reflecting how it is leading the way into the digital era.

And, from a government perspective, there is a strong awareness around the cyber threats to both the nation state and industry. However, the challenge is converting this not only into a greater consciousness for British businesses around these issues, but – more importantly – action.

This was demonstrated by the Cyber Security Breaches Survey, which revealed that while 69 per cent of businesses say that cyber security is a high priority for senior managers, only 51 per cent have taken recommended actions to identify cyber risk and just 29 per cent have a formal written cyber security policy in place.

Cyber security standards vary significantly according to industry type. Sectors which have traditionally been under threat, such as defence and aerospace, have built a good foundation and are doing a lot to secure their operations. However, in the sectors where the cyber threat is relatively new, many organisations aren’t as secure as we – the cyber security industry and government – would like them to be.

Despite being in a period of deficit and recovery, the creation of the NCSC and the £1.9bn cyber security funding announced ahead of the 2015 Autumn Budget demonstrate that national cyber security is a priority. We now need that monetary investment from the government to translate into more organisations following the best practice models that the government has outlined, to help improve the overall cyber health of the country.

  3. For IoT devices and things like connected cars, what is the government’s role in ensuring a security-first approach is taken by manufacturers?

The cyber threat posed by new connected devices, whether that’s a vehicle, a TV or a fridge, is well known. Without clear standards of what a responsible level of security is, it is difficult for manufacturers to ascertain whether their product meets the necessary security levels and, inevitably, security will fall in priority against bringing products quickly to market.

The government ought to work with the security industry to provide a benchmark on IoT products. This will ultimately ensure that the government continues to support innovation in the UK and doesn’t hinder its progressive technology goals, as a global hub for driverless vehicles for instance, while at the same time ensuring that these technologies are developed to a high security standard.

Such benchmarks will be essential to ensuring that the market can lead on innovation, while inspiring and initiating essential conversations around good security standards for these devices.

  4. How is the UK combating the current skills gap in the security industry?

The UK government is doing all the right things to reduce the skills gap. Indeed, the Cyber First programme and London Mayor Sadiq Khan’s digital skills initiative will be key to supporting upskilling across both the public and private sector.

But, despite these great programmes, still more needs to be done to engage young people to develop the skills to become cyber experts. And with high demand for jobs and salaries for cybersecurity professionals now averaging at $100,000 (£63,000) per year (both globally and in the UK), there is every reason for them to want to join this innovative and rewarding sector.

However, we must also be realistic about the demands of industry and our potential to fill the 1.5 million cyber vacancies we will still be looking for in 2020. To that end, we must ensure that we are deploying those with cyber skills wisely. That means considering what can be automated to ensure skilled workers are engaged in higher level tasks.

  5. Are there any big myths in the industry at the moment that the government should be doing more to dispel?

With the growing consciousness around cyber security in the UK, there isn’t much of a myth to dispel. The TalkTalk breach, for example, did result in many CEOs and boardrooms sitting up and taking notice of the cyber threat. However, that hasn’t translated into businesses universally addressing these challenges – unless their sector is under particular attack, many are taking their time to address best practice cyber security.

Instead, the government needs to continue to communicate the urgency of the cyber threat and ensure the resources are readily available. And on the advent of the IoT touching every industry and city in the UK, it has never been more important.

Hopefully as an open and centralised body, the National Cyber Security Centre will provide organisations across the UK with a focal point on where to seek advice on protecting against, responding to, and recovering from cyberattacks.

Indeed, at Intel Security we encourage businesses to actively do so to enable us to improve the nation’s cyber health.
