As Christmas approaches I’m reminded that this is traditionally a season for sharing. Our ‘internet of things’ makes it very easy to share and will, no doubt, enable many families and friends to enjoy virtual moments ‘together’ during the festivities. Unfortunately our seasonal good wishes are not shared by everyone and the darker side of our connected world is never far away. Criminals, hostile states, terrorists, and hacktivists are becoming ever more adept at exploiting our increasing reliance on cyberspace to further their own ends. And that’s why I welcome the publication of The UK Cyber Security Strategy [1].
I’d guess that the majority of people in the UK are blissfully unaware that our Critical National Infrastructure (CNI) could grind to a halt through hostile cyber activity. And there’s no opt-out. Whether you are one of the 5.7 million UK households without an internet connection [2] or an always-connected, multiple-device user, an attack on the CNI affects us all the same. I’d recommend reading the Chatham House publication Cyber Security and the UK’s Critical National Infrastructure [3] if you want to explore this further. It also, rightfully in my opinion, makes sense of the ministerial statement that accompanied the Cyber Strategy launch saying “the Government cannot tackle this challenge alone”.
As you’d expect, the strategy has many threads, and I’ll return to some of these in future postings. But, prompted by my earlier festive thoughts, I’m going to pick up on the concept of sharing. This month [December] the Government is running a pilot called a ‘hub’. It will involve the public sector and five business sectors: defence, finance, telecommunications, pharmaceuticals, and energy. The plan is to extend this to other sectors in March 2012. The idea is simple: the hub will pool information on cyber threats, analyse new trends, identify emerging threats and opportunities, and work to strengthen our collective cyber capabilities.
The question for me is: does a common threat automatically give rise to common interest? There is an implied assumption in the Strategy that government, commerce, and the individual have a similar appetite for risk. But the risk appetite in the public and private sectors – and even within sectors – differs significantly and is difficult to measure, control and govern. And, in the private sector, how will a desire to achieve a common good stack up against commercial advantage?
With 6 per cent [4] of the UK’s GDP being enabled by the internet, cyberspace becomes just another place to do business. Cost, quality and service will continue to drive custom but so, increasingly, will cyber security. How realistic is it to expect a private sector company to share information if that very same information gives it a commercial advantage? Or how do you incentivise a company to admit to an incident if in doing so its reputation is harmed and it surrenders market share? Trust is a key element underpinning successful brands and, by extension, effective cyber security will play an increasingly important part in building that trust. I suspect many enterprises will be reluctant to share cyber security information if it helps differentiate their brand.
One of the things the Strategy does is to build on the existing momentum. Sharing is not new, and a glance at the Juniper Networks Global Threat Center pages for mobile security will show you the latest industry trends as well as specific threat data, along with discussions in the form of blogs or white papers such as The Evolving Threat Landscape [5].
The UK Cyber Security Strategy is a sensible approach to tackling the threat and the Government should be praised for taking the lead. It cannot do it alone, nor should we expect it to, but it will need more than seasonal good will to change some long-established behaviours.
What is the balance of responsibilities between government and the private sector in making cyberspace safer? How can enterprise be incentivised to share commercially sensitive information? To what extent should regulation and enforcement play a part in this? Share your views so we can tackle cyber security together.
[1] The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, The Cabinet Office (2011), Crown Copyright. PDF available for download at: http://www.cabinetoffice.gov.uk/resource-library/c
[2] Internet Access - Households and Individuals, 2011, The Office for National Statistics (2011). PDF available for download at: http://www.ons.gov.uk/ons/dcp171778_227158.pdf
[3] Cyber Security and the UK’s Critical National Infrastructure, Cornish, Livingstone, Clemente & Yorke (2011), Chatham House. PDF available for download at: http://www.chathamhouse.org/sites/default/files/pu
[4] Written Ministerial Statement, Francis Maude (Minister for the Cabinet Office and Paymaster General), 2011. PDF available for download at: http://www.cabinetoffice.gov.uk/sites/default/file
[5] The Evolving Threat Landscape: Where the Key Security Battles Are Taking Place Today and Essential Strategies for Winning Them, Juniper Networks (2011). PDF available for download at: http://www.juniper.net/us/en/local/pdf/whitepapers