GCHQ: We Failed On Cybersecurity Despite £1bn Spend
The UK spy agency will spend another £1.9bn in the next five years but is being “killed” by legacy IT problems
UK spy agency GCHQ has admitted it is losing the cybersecurity battle on a national level, despite throwing money at the problem.
Alex Dewedney, director of cybersecurity at CESG – the information security arm of GCHQ – warned that it will take a lot more than cash to bring cybersecurity threats under control.
It hasn’t worked
He said: “I think the best way to sum up the challenge we face is that while we’ve done a lot over the past five years and spent quite a lot of money as a Government, particularly in those years of austerity we’ve been through, the bottom line is it hasn’t worked.”
The UK Government splashed £950m on cybersecurity over the past five years and George Osborne has promised a further spend of £1.9bn in the coming five years. Combined with the money being spent on protecting IT systems, a total of £3.2bn is expected to be spent over the next half decade.
“We can point to lots of achievements around understanding the threats much better, about taking steps to mitigate those threats, addressing the national skills base and so on but, nationally, we are not winning the fight on cybersecurity,” Dewedney said.
“I think we would be losing a lot more if we hadn’t done all the things we’ve done over the past five years. So, don’t get me wrong. All of that has been worthwhile but there’s been something of a mantra in the UK that the solution to all of our problems is information sharing and public/private partnerships – that if we keep doing that then somehow it will magically cause improvement to happen. That approach by itself is not sufficient.”
Dewedney has been in the job for just seven months, with the previous incumbent now heading up David Cameron’s campaign to keep the UK in the European Union. The approach to cybersecurity from the Government now needs to be more interventionist than it has been in previous years and more active in how it takes on cybersecurity challenges, while still working with industry, according to Dewedney. “We can’t just pass information on threats to businesses and tell them to go and deal with it themselves.”
Dewedney does, however, believe that GCHQ is in a fortunate position when it comes to planning to tackle the cybersecurity challenge.
He said: “We have something of a luxury in the UK Government in that we run five-year budget and planning cycles rather than the annual process that tends to happen in many other countries, such as the USA. We’re just completing the final year of one of those and we’re about to embark on a new five year plan.”
Last year 90 percent of large companies in the UK suffered a cybersecurity breach. “That tells you we’ve got some way to go,” Dewedney said. “So we’ll need to do a set of things quite differently in the next five year cycle.”
The UK Government has not even been getting the basics right, though, says Dewedney, and has all kinds of problems stemming from legacy IT.
For example, the Government paid Microsoft £5.5m to extend Windows XP support in 2014.
All Government departments had been given seven years warning that Microsoft would be ending its standard support for the operating system but migration away from XP had not been completed on time.
Then, in April 2015, the Government chose to not extend support from Microsoft for Windows XP, despite some departments still running the outdated software.
Dewedney said: “We’ve not been spending money on fixing legacy IT issues, and that is just killing us. I’ve tried to make this argument to my bosses that surely you have to start there before you try to do anything more sophisticated.
“But the response has always been ‘I’m not spending cybersecurity program money to subsidise other departments’ IT budgets’. Come on, it’s the aim that you have in mind that justifies it, but I haven’t won that battle yet.”
Another big problem GCHQ faces is a dire lack of resources, Dewedney explained. “It’s not so much a money issue as it is a human resources issue. There are layers to this problem.
“There’s the issue of availability of relevant skills nationally. It’s about the extent to which an organisation like mine, which is trying provide cybersecurity services and carry out cybcersecurtiy operations, can actually recruit and retain staff in public service.
“What’s the right model for how long you expect to keep people in public service? How often should you be looking to rotate people in an out, and so forth? But it’s also about technical leadership in Government because, on the whole, our Government is still led by people like me who have liberal arts degrees.
“Usually we have a CTO who travels around with us in case any difficult questions are asked. That doesn’t really reflect what the top of technology companies look like and we’re desperately trying to fix that but it’s a work in progress for all sorts of reasons. So when we talk about resources, we always run out of people before we run out of resources.
“It’s a battle for the skills pipeline. I think there is something Government can do around working with academia, so that demand is actually met by the skills pipeline.”
One of the initiatives that Dewedney feels has worked is Cyber Essentials – a program helping companies achieve market differentiation by demonstrating they meet a certain set of cybersecurity standards. “If companies demonstrate they meet a basic set of cyber hygiene standards they get a stamp they can use in all of their publicity,” explained Dewedney.
“If we can couple that with work to increase public awareness, it will generate more public demand for strong cybersecurity within the companies people deal with. If customer bases increasingly actually care about the cybersecurity of these companies then we start to get the virtuous cycle going. To a certain extent, that’s already working.”
But Dewedney believes that Internet of Things is only going to make GCHQ’s job more challenging in the coming years. “We used to call cybersecurity ‘information assurance’. That term seems less appropriate than ever because there’s been a trend of increasing risk to operating systems, not just to information risk. It’s the Internet Of Things risk, which I think is increasingly going to take more of our attention. It’s no longer just financial information that hackers are interested in.”
How much do you know about the world’s greatest tech leaders? Take our quiz to find out!