Can The UK Learn From US Cyber Security Plans?

The US government’s plans to secure infrastructure look good, says Peter Judge. Maybe Britain can learn a thing or two from them

The Obama Administration’s announcement of a cyber security plan has met with general approval, though one or two companies think it may have missed a detail or two.

In the UK, however, we wonder whether the announcement will provoke the UK government to get a bit more strategic.

George Osborne has said that Treasury systems are being attacked regularly by hostile agencies outside the UK, or by Anonymous-style ‘hacktivists’. “During 2010, hostile intelligence agencies made hundreds of serious and pre-planned attempts to break into the Treasury’s computer system,” Osborne said, adding that the Treasury is one of the top targets among UK government agencies.

Given that level of urgency, it is a shame that the government’s cyber security minister Baroness Neville-Jones resigned last week. Despite a peaceful changeover, and a move to a non-ministerial advisory role, there have been media reports that the peer, who is a respected security expert, felt her concerns were not being heard in the cabinet – even though the government’s funding for cyber security was increased last year, with £650 million going to a new cyber defence initiative.

In Europe, agencies have run an exercise to test how well the critical infrastructure is likely to cope with an attack.

Will the US wake up the UK’s security efforts?

The UK is certainly aware of the need for cyber defence: armed forces minister Nick Harvey spelt out the need for a “cyber battle plan” last year, and numerous conferences have gone into the need in some detail.

But some commentators still feel that the responsibility falls unfairly on the private sector.

“We applaud President Obama’s proposed initiatives for improving the protection of the US’s critical infrastructure against cyber attack,” said Henry Harrison, technical director, BAE Systems Detica: “While both the US and the UK governments recognise cyber security as one of their top national security risks, the reality is that the majority of the challenge is borne by private sector companies that operate our national infrastructure and provide our national wealth generation.”

Harrison’s basic objection is that expecting the private sector to take up the slack also means expecting it to foot the bill. “It can be difficult for private sector organisations to justify significant new investments in cyber security and explain countermeasures to shareholders on profit and loss grounds alone.” After all, we are talking about unlikely but very serious events, which is exactly the kind of risk that is hardest to justify on a quarterly balance sheet.

Harrison hopes that President Obama’s apparent awareness of the importance of the issues may inspire the UK government to formulate a more consistent response.

Time for data breach reporting

He also hopes – like many in the security industry – for the arrival of mandatory reporting of breaches. The US proposal has “called for a federal data-breach-notification law”, something that has been urged for some time.

Following the Sony hack, European Commissioner Vivienne Reding has also called for a European data breach reporting law.

Reporting incidents should be mandatory, even though this will increase work and embarrassment for victims. It would also increase the pressure to lock down systems, including the critical infrastructure, before the worst happens.

The British government’s cyber defence strategy has shown quite promising signs of awareness, but still lacks overall coherence. Maybe the Obama administration’s plans will provoke our government to step up a gear.