PERHAPS UNSURPRISINGLY, the push-me pull-you UK government is not in a good position to handle cyber attacks and cannot ensure the safety of its systems or stakeholders, according to a report from the Chatham House think tank.
In a report the think tankers said that the government was unable to answer questions about security and recommended that other organisations take the lead on securing systems and increasing awareness about cyber threats. It warned that the budget in this area is £650m, which it claimed is not likely to be enough.
If taken away from the government, security awareness, protection and notification would be better, according to the Chatham House report, and it recommended that talk about cyber attacks should be normalised, as opposed to screamed from the rooftops into server rooms. This will help put attacks and threats into perspective.
The report poses a number of questions, such as whether £650m is enough for the government to counter "all conceivable cyber threats" and whether the really bad ones have anything to do with government anyway.
It asked, "Who or what is best placed to tackle the problem, given that £650 million will hardly enable the government to counter all conceivable cyber threats and that, in any case, the vast majority of critical infrastructure in the UK is privately owned?"
There must be something wrong as presently the people that the researchers spoke with have little idea of what constitutes a security vulnerability and no way of assessing how much impact it might have.
Respondents complained that there was no coherent national database or alerting system in the UK, and that this had led to a complicated, confusing and failing security network. Many suggested that the government is more likely to be a taker of security information rather than a provider.
So, the report recommends that critical national infrastructure providers, such as those affected by Stuxnet, should take the lead on security and encourage their individual departments to look out for and deal with problems as they arise. How this would work in the context of a serious security attack remains to be seen, particularly when respondents are unaware of what constitutes a severe threat.
Despite the fact that these are critical systems, Chatham House recommended that people start talking in plain terms rather than security jargon about problems. This is expected to make it easier for the board to understand what is happening, but could lead to serious problems being described as "server go boom-boom".
The government is not expected to be totally hands off, however, and should act as a focal point for security awareness. Chatham House recommended that it collate information and feed it out to its critical service providers and, importantly, the ones that it depends upon the most. µ