The government showed its commitment to investing in cyber defences and information security in the Autumn Statement, with a near doubling of spending to £1.9bn over five years. This includes recruiting 1,900 specialist staff, establishing a National Cyber Centre and measures to ensure the UK has the skills, tools and capabilities to defend itself from digital attack.
The chancellor, who chairs the government’s committee on cyber security, outlined details of the new National Cyber Strategy in a lengthy speech at GCHQ. He stressed the need to defend UK citizens against hostile powers, criminals and terrorists and described the internet as a “critical axis of potential vulnerability”. He said “the stakes could hardly be higher” – if our electricity supply, air traffic control or hospitals were successfully attacked online, the consequences could be measured in terms of not only economic damage but also lives lost.
A key element of the strategy is making the UK a more expensive place for digital criminals to operate. This means stepping up efforts to disrupt the criminal marketplace, and making sure that anyone committing cybercrime is brought to justice. Another strand is to equip the military for hybrid conflicts, fighting over the internet as well as on the battlefield, and combating terrorist groups who use technology for propaganda and operational planning.
Developing technology skills will be a major challenge. The latest Global Information Security Workforce Study estimates there will be a worldwide shortage of 1.5m online security professionals by 2020. Plans to address the UK shortfall include higher and degree-level apprenticeships, the creation of an Institute of Coding, establishing two new cyber innovation centres and setting up a £165m Defence and Cyber Innovation Fund.
This means we need to think today about the information security of the future. A Digital Government Security Forum (DGSF) report concludes that public services will all be revolutionised in the next decade by an explosion of data, a greater focus on individuals and changes in working practices.
We need to consider the security and data-sharing implications of how we will work in the future. This includes not just near-term issues like cloud computing and social media, but also longer-term developments such as automated systems for enquiry handling and driverless vehicles.
The DGSF report identifies five key issues for the future of information security: combating increasingly sophisticated attackers; reducing response times; responding to the increasing complexity of the modern IT estate; addressing skills and people issues; and reacting to the ‘internet of things’. It calls for a change of mindset from incident response to continuous detection and prevention, from fire brigade to police force. It stresses that people and skills must be seen as essential, putting both at the heart of proposals for building functional capability.
Information has become the lifeblood of public bodies and its availability and integrity are critical to day-to-day operations. Information security is now a key part of everyone’s day job.