UPDATE: The strategy update has been published; at first glance, it appears to hit several of the points I mentioned below. I will publish my thoughts on the content later this afternoon.
I did note though, from a BBC report: “Officials said it would require input from those who had their own expertise in hackers. ‘We need youngsters,’ an official said.” If that’s true, do we need youngsters to tackle knife crime? Youngsters to tackle binge drinking? I would absolutely call on the government not to lose sight of the fact that organisations like Trend Micro and our peers in the industry already have over 20 years’ experience in combating malicious online behaviour.
The UK government is set to announce a National Cyber Security Strategy today and the security industry awaits some concrete detail on the plans to tackle the rising tide of cybercrime and international espionage now and in the future.
What can we expect?
Lots of people have spoken about the importance of being able to develop a “cyber-offensive” capability and there appears to be a lot of buzz in the intelligence community around developing some kind of “strikeback” capability.
To be honest though, if we need anyone, then we need someone who appreciates the reality of the situation. The most attractive attack point for organised online crime/espionage is the weakest point and we as users and as a nation present enough of those.
Number one job for any prospective “cybersecurity czar” is to eliminate the low-hanging fruit in both public and private sector networks. Recent malware infections should serve as ample illustration that IT policies around simple things like Windows Autorun, complex password policy, keeping security software up to date and application/OS patching leave much to be desired, to say nothing of user education, the cornerstone of any information security policy. It is documented that Conficker/Downadup, just for example, infected both Parliament and the MoD; this should absolutely not have happened. We should not have to wait for the next infiltration of government networks to find out which simple areas of IT security are neglected.
A cybersecurity czar should be responsible for a root and branch review of any and all systems connected to government secure networks, design, creation and publication of best practice security policies, applying need-to-know coupled with least-privilege principles across every end-point and every user account.
They should eliminate any insecure connection to outside networks, including access to online services such as webmail and social networking which represent a potential source of infection and potential point of information leakage.
I’m a great believer in the air-gapped network: if something is sensitive enough to represent a threat to national security, then it should not be connected to the Internet.
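The “low-hanging fruit” listed above (Autorun, password policy, security software currency, patching) and the least-privilege point that follows it are all things an administrator can check on a single Windows endpoint in a few lines. The script below is an added example written for this post, not code from the original article or from Trend Micro. The registry value, cmdlets and “net accounts” labels are genuine Windows artefacts; the thresholds (patch age, signature age, minimum password length) and the assumption that Microsoft Defender is the installed security product are mine and should be aligned to your own policy.

```powershell
# Added example (not from the original post): read-only hygiene audit of one
# Windows endpoint for the controls discussed above. Run from an elevated prompt.
# Thresholds below are assumptions; the "net accounts" parsing assumes an English locale.

function Test-EndpointHygiene {
    [CmdletBinding()]
    param(
        [int]$MaxPatchAgeDays     = 30,   # assumed threshold
        [int]$MaxSignatureAgeDays = 3,    # assumed threshold
        [int]$MinPasswordLength   = 12    # assumed threshold
    )
    $findings = @()

    # --- Windows AutoRun ---
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
    # Group Policy may write it under HKLM (machine) or HKCU (user).
    $autorunDisabled = $false
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
        $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { $autorunDisabled = $true }
    }
    if (-not $autorunDisabled) {
        $findings += 'AutoRun: NoDriveTypeAutoRun is not 0xFF; removable media can still auto-execute'
    }

    # --- Local password policy, parsed from "net accounts" ---
    $acct = (net accounts) -join "`n"
    if ($acct -match 'Minimum password length:\s+(\d+)' -and [int]$Matches[1] -lt $MinPasswordLength) {
        $findings += "Password policy: minimum length $($Matches[1]) is below $MinPasswordLength"
    }
    if ($acct -match 'Lockout threshold:\s+Never') {
        $findings += 'Password policy: account lockout is disabled'
    }

    # --- OS patching: age of the most recently installed hotfix ---
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) {
        $findings += 'Patching: no hotfix install dates recorded'
    } elseif (((Get-Date) - $latest.InstalledOn).Days -gt $MaxPatchAgeDays) {
        $findings += "Patching: last hotfix $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
    }

    # --- Security software currency (Microsoft Defender assumed; other products need their own check) ---
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        if (-not $mp.RealTimeProtectionEnabled) { $findings += 'AV: real-time protection is off' }
        if (((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days -gt $MaxSignatureAgeDays) {
            $findings += "AV: signatures last updated $($mp.AntivirusSignatureLastUpdated)"
        }
    } else {
        $findings += 'AV: Microsoft Defender status unavailable; verify the installed product separately'
    }

    # --- Least privilege: which user accounts hold local administrator rights ---
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $userAdmins = @($admins | Where-Object { $_.ObjectClass -eq 'User' })
    if ($userAdmins.Count -gt 1) {
        $findings += "Least privilege: $($userAdmins.Count) user accounts in local Administrators: " +
                     (($userAdmins | ForEach-Object { $_.Name }) -join ', ')
    }

    return $findings
}

# Usage: an empty result means every check passed; each finding is one neglected basic.
Test-EndpointHygiene | ForEach-Object { Write-Warning $_ }
```

Each check is deliberately read-only and reports a finding rather than changing anything; the remediation (a Group Policy object for Autorun and password policy, a patch cadence, and pruning the local Administrators group) belongs in the published best-practice policy the post calls for, not in an ad hoc script.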
Another important point will be the creation and maintenance of international intelligence gathering and intelligence sharing agreements. The nature of the crime is highly distributed and trans-national, with victims, perpetrators, mules, facilitators and technology all being employed in different jurisdictions at the same time to commit a single criminal act. One nation alone cannot hope to stem, let alone turn, the tide of organised criminal endeavour.
Finally, and equally importantly, the Strategy should have a firm presence in education, starting in our schools and continuing through employment. We all need to understand the nature of the threat and approach the internet with a healthy caution rather than blind trust in a technological, or worse still a departmental, solution.