UK must not forget “soft underbelly” of the public when confronted by cyber attacks

Philip Wood MBE

A specialist academic at Buckinghamshire New University has warned that the general public are the “soft underbelly” in terms of UK cyber protection and need to be better educated on the subject of online threats.

Philip Wood MBE (Head of the School for Management and Professional Studies and Head of Department for Security and Resilience at Buckinghamshire New University), who focuses on the study and development of organisational capability in the face of security and related risks, was speaking after the House of Commons Public Accounts Committee expressed the feeling that a skills shortage and ‘chaotic’ handling of personal data breaches are undermining confidence in the Government’s ability to protect the UK from cyber attacks.

“Millions of IT users who either work for SMEs or for themselves, or even those who just use their smart phones as mobile computers, are the soft underbelly of our cyber protection,” explained Wood in conversation with Risk UK. “We need a joined-up approach that’s not just about business, but also about the wider public understanding the possible repercussions of their own interactions and sharing of information.”

Wood continued: “The cyber threat exposes us all to the types of risks outlined by the House of Commons Public Accounts Committee. We need a much more inclusive approach towards the development of cyber awareness and protection. While there are many educational and training programmes available for those who are dedicated to the cyber profession, there’s much less in terms of general awareness raising for everyone else.”

The Public Accounts Committee’s report, entitled ‘Protecting Information Across Government’, observes that threats to cyber security are growing rapidly and Government faces “a real struggle” to find enough staff with the skills to fight them. The Committee concludes that, while the threat from cyber attacks has been one of the top four risks to national security since 2010, it has “taken Government too long” to consolidate and co-ordinate the “alphabet soup” of agencies that protect Britain.

The Committee states: “Processes for recording departmental personal data breaches by Government departments are inconsistent and dysfunctional, with poor recording of low-level breaches. This reduces the Committee’s confidence in the ability of the Cabinet Office to protect the nation from higher-threat cyber attacks.”

The Committee finds that the Cabinet Office’s role in protecting information remains unclear within central Government and that its approach “places too little emphasis on informing and supporting citizens, service users and the wider public sector beyond Whitehall”. The Committee calls on the Cabinet Office to develop a detailed plan for the new National Cyber Security Centre – itself established to bring together much of Government’s cyber expertise – by the end of this financial year. This plan should explain “who it will support, what assistance it will provide and how it will communicate with organisations needing its assistance”.

‘Hybrid warfare’

Philip Wood went on to state: “While the traditional methods of warfare will always be options for the implementation of foreign policy, the use of information and cyber attacks to destabilise the democratic processes underpinning our infrastructure is known to be effective and will be increasingly employed in what’s termed ‘hybrid warfare’. Soldiers, ships and aircraft may not be used, but the effects of disabling or removing large elements of national infrastructure such as power generation and control systems can be achieved more quickly and at less expense using cyber attacks.”

Expanding on that theme, Wood outlined: “Alongside this, what seems to be an increasingly evident use of misinformation to destabilise and undermine democratic processes is clearly an attractive option. Sir Michael Fallon terms this ‘weaponising misinformation’.”

The approach at Buckinghamshire New University is to design and develop a range of programmes and school linkages through its Cyber Resilience Centre, which is based at University Campus, Aylesbury Vale. “There,” said Wood, “we aim to be able to put together everything from very, very straightforward and simple information and data management courses through to much more technical specialist training and development.”

At present, Wood and his colleagues are diligently working on degree apprenticeships to ensure that cyber capabilities can be embedded within organisations, using dedicated cyber specialist employees. “We’re also able to provide high-level professional development and awareness for executive and Board members to help them in understanding the depth and range not only of the technical issues involved here, but also of the more traditional information security issues that face us all.”

Clear approach towards public sector information protection

The Public Accounts Committee is adamant that, within six months, the Cabinet Office should also write to the Committee setting out its findings from a pilot ‘security cluster’ (an initiative intended to better enable the sharing of scarce skills across central Government).

Among its other recommendations, the Committee urges Government to establish a clear approach for protecting information across the whole of the public sector.

Meg Hillier MP, chair of the Public Accounts Committee, stated: “Government has a vital role to play in cyber security across society, but it needs to raise its game. Its approach to handling personal data breaches has been chaotic and doesn’t inspire confidence in its ability to take swift, co-ordinated and effective action in the face of higher-level threat attacks. The threat of cyber crime is ever-growing, yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure.”

Hillier added: “In this context, it should concern us all that the Government is struggling to ensure its security profession has the skills it needs. Leadership from the centre is inadequate and, while the National Cyber Security Centre has the potential to address this issue, practical aspects of its role must be clarified quickly.”

In conclusion, Hillier asserted: “Government must communicate clearly to industry, institutions and the public what it’s doing to maintain cyber security on their behalf and exactly how and where they can find support.”

David Ferbrache, technical director in KPMG’s cyber security practice, has also commented on the Public Accounts Committee’s report highlighting the UK Government’s rationalisation of cyber security roles and functions across Government.

“The document highlights the long overdue rationalisation of cyber security roles and functions across Government,” stated Ferbrache. “The National Cyber Security Centre plays a vital role in defending the UK against state-sponsored cyber attacks, the militarisation of cyber space and an increasingly sophisticated organised cyber crime threat. The Centre has already made good progress in developing and implementing its cyber security strategy, but there’s clearly a long way to go. There can be a natural tendency for Governments to cloak discussions around security in secrecy, but when it comes to cyber security, the best response is a community-focused one that involves industry. The National Cyber Security Centre must be agile, flexible and unconventional. It can only achieve that by drawing on talent from the community as a whole.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
