On 1 November 2016, Philip Hammond announced that the UK Government was investing £1.9 billion into developing the UK's cyber-security defences. The investment is significant in that the Government has acknowledged the scale of the threat which cyber-attacks pose to the UK.
A recent survey undertaken for the Government indicated that 69 per cent of businesses said that cyber-security was a high priority issue for business managers. However, for an issue classed as high priority, the defences which businesses have in place are largely ineffective. Only 29 per cent of businesses surveyed indicated that they had formal cyber-security policies and only 10 per cent had a formal incident management plan.
This is concerning when 65 per cent of businesses indicated that they had detected a cyber-attack or breach in the last year.
There are certain sectors that are a priority to be ‘cyber-proofed’ and will likely be addressed first by the Government. For example, those classed as Critical National Infrastructure, such as financial services, technology and energy companies, will likely be top of the agenda.
The responsibility lies with the individual companies themselves. Businesses should implement a strong cyber-security framework if they are to be resilient to cyber-attacks. A comprehensive set of policies and procedures relating to cyber-security is a vital starting point in creating a framework. These should cover system security; physical security; third party contractors; remote working; and tackling the "insider threat".
Training staff is also essential – staff who are engaged in cyber-security will ensure the systems are less vulnerable and create a strong security culture. A detailed cyber-incident response plan should also be prepared, with clear delineation of responsibilities in the event of an attack.
Ultimately, businesses should ensure that there is strong engagement with the issue of cyber-security throughout the business, especially at board level. The Government can augment businesses' cyber-security frameworks by investing in technology.
Collaboration between the public and private sectors is essential if Hammond’s investment is to make a difference. One of the key ways to do this is by sharing information - both between industry and Government, and between countries. It is vital to bridge the gap between the private sector and the public sector to identify what threats the private sector is experiencing and, as such, how best resources can be used. One such initiative already in existence is the Cyber-security Information Sharing Partnership (CiSP). This initiative between Government and industry was set up to share information and increase awareness of the cyber-threat, whilst maintaining the confidentiality of the information shared.
Furthermore, British police and their US equivalents have recently come together to form the Global Cyber Alliance. This is made up of police specialists and industry professionals and seeks to identify the most significant fraud threats before identifying solutions for the business world.
Fundamental to targeting resources is taking responsibility. As the risk of cyber-threats continues to rise, the Government might consider introducing legislation, not only to place the responsibility for management of cyber-security with CEOs, but also to ensure that someone on the board has sufficient knowledge of cyber-security to protect the business.
Lessons from our cyber history
The US has borne the brunt of many of the worst cyber-attacks. It has been subject to attacks by other nations (allegedly China and Russia), as well as various distributed denial of service attacks. As such, its cyber-resilience strategy has included diplomacy. The US reached agreement with China in 2015 that neither government would conduct or knowingly support cyber-enabled theft of intellectual property. However, it remains to be seen how effective this agreement has been. The University of Maryland has a cyber-security course, indicating that the US considers investment in education an important part of its cyber-defence strategy.
Meanwhile Israel's cyber-security sector is worth half a billion dollars annually - second only to the US. It boasts a level of partnership unmatched in the Western world. Israel is building a new cyber-city in Beersheba to house some of the country's best talent from the military, academia and business. This will include Israel's National Cyber Bureau, a national cyber-response team, global technology companies, the Israeli Defence Force’s unit 8200 intelligence division and Shin Bet, Israel's top security service.
Furthermore, Ben-Gurion University houses a cyber-security research centre. The military elite of the Israeli army scouts those at school who excel in maths and computer science to sign up for its cyber-units. Four Israeli schools have advanced courses in maths and computer science - a programme which has 800 students despite only running for two years.
Israel and the US this year combined their cyber-security prowess in the form of a cyber-defence cooperation agreement. This cross-border partnership, together with investment in education and the encouragement of partnership, is something the UK should look to emulate.
Timescale to measure the outcome of the investment
Philip Hammond's £1.9 billion is to be spent over the course of five years. As such, it will take at least five years before we can begin to measure the outcome of this investment.
The government's investment is significant and a big step in the right direction towards strengthening the UK's defences against cyber-attacks. However, the cyber-threat is constantly evolving. In order to avoid being left one step behind the cyber-criminals, the UK must ensure that it invests in technology to combat cyber-attacks, strengthens partnerships between industry, government and law enforcement, and educates people at all levels - from children at school to those in business - on how best to manage cyber-threats.
Sam Millar, Partner, and Helen Vickers, Associate, DLA Piper