UK’s New Cyber Security Strategy Does Not Help Secure The Individual


The UK recently released a new strategy document delineating a future approach towards cyber security.

First, some positives:

  • The problem has been analysed correctly and the right strategic goals have been identified. For instance, for the first time, we see an emphasis on protecting data and intellectual property, rather than the past emphasis solely on network security.
  • The objective to make the UK a safe place to conduct business in cyberspace is an impressive one. This is probably the first time physical borders have been recognised in cyberspace. This is an important goal and it will be interesting to see how it is achieved.
  • A strong and substantive emphasis on coordination. The government seems quite serious about organising various security centres around the country to monitor and exchange information about attacks. This type of coordination is essential for a successful cyber defence.

But, sadly, there are many more negatives—and some big ones:

The biggest? There is no real innovation, nor any innovative attempt, to achieve the goals set. Most telling, the UK has set a budget of £650 million to be spent over the next 4 years (by 2015); however, the money is being spent very traditionally:

  • The vast majority of funds will be used to protect military, government and critical national infrastructure (CNI).
  • Very little is allocated to the private sector and to individual citizens. The strategy has given only a few insights on how government is going to help businesses and individuals protect themselves. In fact, it has taken the traditional approach of a non-intrusive, general advisor, with tasks left to individuals to do, e.g., keep safe and stay current with the latest threats. As we know, most consumers and enterprises don’t do that, which explains why we’re in the cyber crime mess we live in today.

While the document considers “treating cybercrime conceptually like other forms of crime” to be a critical success criterion, it fails to present a clear plan in this direction. In particular, it basically says, “deal with shoplifting and burglary yourself as they are small crimes but we will help with bigger crimes.”

Sadly, the UK has completely missed the point in helping secure the individual – they are not stepping up to the challenge. They have done all the right stuff for CNI and Government but nothing for private businesses and individuals.

What should the UK do? Money should be spent on innovative ways to make the UK a safe place for e-commerce. They have a huge budget, and maybe spending on technology is not the answer; maybe it should be spent on extra policing of cybercrime for individuals. Spending all of it on government and CNI is not going to solve the problem of cybercrime.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads Imperva's internationally recognised research organisation focused on security and compliance. Prior to Imperva, Amichai was founder and CTO of Edvice Security Services, a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Amichai served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc. and Master's degrees in Computer Science from the Technion, Israel Institute of Technology.