Six questions the new Cyber Security Minister should ask
Post the excitement of the UK general election, and the unexpected Conservative victory, David Cameron has been assigning roles in his new Lib-Dem-free Cabinet. Francis Maude, who had responsibility for cyber security as part of his ministerial role in the Cabinet Office, has been moved on and replaced with Matthew Hancock.
So what questions should a new minister, with responsibility for cyber security, be asking in the first few days of his new job?
Can we produce tangible evidence to support the value of cyber security related information sharing?
The Cyber Security Information Sharing Portal (CISP) is a government-hosted forum which enables companies in the UK to share threat information. It recently celebrated its 1000th member. I have always been a believer in information sharing, and (full disclosure) was involved in some of the early CISP development work.
I was challenged recently, though, when doing some work with the aviation sector about the real value of these kinds of sharing initiatives. The challenger wondered what threat information a government might have that would be useful, that couldn’t be got from other, possibly commercial, sources. It’s not an unreasonable question, and whilst there is more to CISP than just getting info from the government (it also allows members to support each other), case studies and concrete examples of benefit to the participants would support further expansion, and demonstrate a return on the government’s investment.
Can we do more for non-critical national infrastructure companies?
CERT-UK works primarily with critical national infrastructure companies (as detailed here, and I have written about the CERT previously for RUSI, which you can read here). Non-CNI and smaller companies are left without a central incident reporting point, or place to come for assistance. Now, obviously I don’t expect the government to provide taxpayer-funded incident response services to all and sundry. Resources have to be prioritised, and in fairness there has been work aimed at small business (see below). But whilst there is an imperative for government to ensure the lights stay on, CNI companies are just that: companies, and as such responsible for their own defence. Where else might the government, perhaps through the CERT, spend some money to reap some benefit for the UK? I don’t know the answer, but I think it’s worth asking the question.
Is what we have done clear, useful and readily available, and are there overlaps?
The UK has lots of cyber security initiatives. I’ve mentioned the CISP and the CERT. Have you heard of Cyber Streetwise? Or Cyber Essentials? Ten Steps to Cyber Security? All good, laudable initiatives from the government, but hosted in different places, and funded through different bits of government. Where does the small business owner go for guidance? Or to report online fraud or hacking? Also, are there overlaps in any of these initiatives? On the face of it, ‘Ten Steps to Cyber Security’, ‘Advice for small businesses’ and ‘20 critical controls’ all sound broadly similar, and all are outputs from the UK Cyber Security Strategy.
It would be useful if the guidance was all in one place, with clear signposting. In my opinion it would make some sense if that place were the CERT-UK website, as it would seem the obvious gateway for all things cyber security related, but there may well be a better answer. And of course I may be wrong, and everyone is fully aware of government initiatives and knows where to find them, and what might be relevant to their needs.
What are we getting for the MOD cyber defence force spend?
The UK announced the MOD cyber defence force (from a bunker, amusingly). Whilst I don’t expect details of what it’s doing to be made public, a new minister should know. How much has it cost? What has been achieved? What of this can reasonably be made public?
Can I get some training?
I’m not joking. Senior decision makers in government and elsewhere are rarely technical. Not necessarily an issue, but it does mean they are often unable to make smart decisions about cyber security related issues. Weighing option A against option B is difficult when you have to take the supporting arguments entirely on trust. Even if the minister declines training himself, I think the government could do more to encourage senior executives to take the time to do some cyber security related training. Simply understanding some underlying principles would make it easier for decision makers to tell the difference between snake oil and real solutions, and to better prioritise spending and limited resources.
And finally, and by no means least:
Are organisations doing better cyber security?
In other words, is the situation improving? It’s not an easy question to answer: when you begin raising awareness of something, you always increase the reporting of that something too. But equally, it seems we can’t go a day without another significant breach or reported cyber attack in the news. So are companies doing better, or is our approach to cyber security flawed in some way? I have some thoughts on this, which I will save for another post, but I think it’s something the government departments working on improving cyber security could reasonably consider trying to answer.
Those are some initial thoughts from me. Let me know on Twitter if you agree, think differently, or would like to share a funny picture of a cat.
Thanks for reading.
The Cyber Security Expert