Thursday, 8 December 2011

UK Cyber Security Strategy does not help secure the individual

The UK Cyber Security Strategy analyses the problems and defines the goals well, but it lacks a definite plan of action to achieve those aims, says Amichai Shulman.
The UK recently released a new strategy document delineating a future approach towards cyber security.
First, some positives:
•    The problem has been analysed correctly and the right strategic goals have been identified. For instance, for the first time, we see an emphasis on protecting data and intellectual property, rather than the past emphasis solely on network security.
•    The objective of making the UK a safe place to conduct business in cyberspace is an impressive one. This is probably the first time physical borders have been recognised in cyberspace. It is an important goal, and it will be interesting to see how it is achieved.
•    A strong and substantive emphasis on coordination. The government seems quite serious about organising various security centres around the country to monitor and exchange information about attacks. This type of coordination is essential for a successful cyber defence. Moreover, the UK government recognises the need for international standardisation in defining cyber crime and in the law enforcement activities aimed at its mitigation.
Sadly, though, I do not find in the report any concrete plans for achieving these ambitious goals. Probably my biggest disappointment with this report is the lack of any creative or innovative approach to making the UK a safer place for cyber activity. Take, for example, the large £650 million budget allocated for the plan over the next 4 years (2012 – 2015). The spending plan for this budget is nothing but the traditional, more-of-the-same government security spending:
•    88% are allocated towards mitigating cyber attacks at the state level or against government services and critical national infrastructure (CNI)
•    Only 10% are allocated towards fighting cyber crime
•    Only 2% are allocated towards direct help to businesses
In fact, the document provides very few insights into how government is going to help businesses and individuals protect themselves, and those it does provide indicate a traditional approach: that of a non-intrusive, general advisor. Repeatedly, the document refers to the responsibilities of individuals, including:
•    Keeping up to date with latest software updates and anti-virus updates
•    Keeping up to date with government advisories about new threats
•    Conducting safe and vigilant web interactions, including avoiding messages and emails from unknown individuals and unexpected interactions with known individuals (or entities)
•    Reporting any type of allegedly criminal activities they encounter.
Clearly most consumers are unable to follow these requirements, or we would not be in the cyber crime mess we are in today.
While the document considers “treating cybercrime conceptually like other forms of crime” to be critical to success, it fails to present a clear plan in this direction. In particular, it basically argues, “deal with shoplifting and burglary yourself as they are small crimes, but we are too busy hunting Jack the Ripper.” Moreover, with respect to sanctioning those who are found guilty of cyber crime, the report suggests some obscure consequences, including “cyber relevant sanctions”. What does this mean? That a cyber criminal who unlawfully took people’s money should be sentenced to a virtual prison cell rather than an actual one? Or maybe that people who spread malware through Facebook should be sanctioned with a suspended Facebook account?
What should the UK do?  I would expect to see four major changes in the report:
•    First, a shift in budget allocation towards making “UK cyberspace” safer for business and individuals. Do I know how this specific budget should be spent? No, I do not. But I think that spending 100M GBP on research into technologies that would allow us to define state boundaries in cyberspace is going to give us the answer. Additionally, I think that spending some of this money on scaling up law enforcement resources dedicated to fighting cybercrime would make a huge difference.
•    Second, monitoring. For the past years, UK authorities have gone to great lengths to ensure, for example, public safety at football matches. London has been covered with a thick net of CCTV cameras to reduce street crime and increase personal safety. If the same approach, in terms of resource allocation and focus, had been applied to cybercrime, then UK authorities could claim real progress in terms of public safety in cyberspace.
•    Third, retaliation. One of the cornerstones of any large-scale personal safety initiative is a zero tolerance policy. Such a policy (together with ample budgets for local law enforcement) allowed Rudy Giuliani to turn New York into a much more amicable and friendly place to live. The same approach should be applied to cyber criminals. Instead of using “cyber relevant sanctions”, it should be clearly stated that those who are found guilty of crimes in “cyber space” are going to be severely punished in the real world.
•    Fourth, follow PCI. Data security is a critical issue, and if the UK wants to avoid being left behind, it must focus on the critical issue of cyber security and on what already works to mitigate that threat. The PCI Data Security Standard is an established system that works well, one that several industries and states have already embraced and that would give a quick and effective data security framework. The UK should acknowledge the precedent and results already in place and ensure that citizen data is secured immediately by applying the DSS model to all government agencies and also to legislation.

Found at: http://www.egovmonitor.com/node/44962
