Cyber shambles

Whenever a Minister in the current government states that a particular issue is a top priority and that the government is leading the way, you can almost guarantee that the opposite is the case.

Despite the occasional highly-publicised success in tackling cyber-crime, the harsh reality is that the vast majority of such crimes are not investigated, let alone brought to successful prosecution. Day-in, day-out, millions of people receive phishing e-mails and scam texts and learn that their data has been stolen or, even worse, hear that information about themselves that they had provided in confidence to a supplier of goods or services has been sold to many others.

I predict that there are many more scandals to be revealed about global companies taking our data and records of our activities – without our permission – to be aggregated, profiled and sold for a wide variety of purposes. Targeted marketing may be the most innocuous of these. There is much more to be revealed about interference in elections and politics.

Of course, these cyber-security issues are those which mainly affect the individual. But there are big cyber issues which affect the security and defence of the state. Across the world, we have seen examples of hackers (whether state-sponsored or far-too-clever-for-their-own-good teenagers) taking control of, or disabling, key elements of infrastructure from power-plants to TV stations, from defence establishments to financial institutions. Some defence analysts believe that we should drastically cut resources in traditional state security measures and invest those resources in cyber-security.

Last week, the government released its first progress report on its 2016-2021 National Cyber Security Strategy. This should have been the third annual report. Given the lack of progress, it’s no surprise that the government hasn’t wanted to be held accountable for it.

The report was an admission of failure by the government. It admits that 11 of its 12 strategic outcomes have not been met and are unlikely to be met by 2021. The Cabinet Office – the government department responsible for the strategy – has admitted that it has “low confidence” in the evidence used to assess progress against six of the strategic outcomes.

Also this week, the Public Accounts Committee has published its report on the cyber-security strategy. The facts speak for themselves:

  • Just nine percent of businesses are aware of the Cyber Essentials programme, the government-backed scheme to protect against cyber-attacks;
  • Only 16% of FTSE 350 boards have a grasp of cyber threats;
  • Only 57% of FTSE 350 companies regularly test their cybersecurity incident response plans;
  • The proportion of UK firms reporting a cyber-attack has risen from 40 per cent to 55 per cent in the last year, and almost three quarters of firms were ranked as “novices” in terms of cyber-readiness;
  • Only 4% of businesses use government sources of information to protect themselves against cyber threats;
  • A third (£169 million) of the Programme’s planned funding for the first two years was either transferred or loaned to support other government spending; £69 million of this funding will not be returned to the Programme.

It’s little wonder that government ministers are divided and all over the place when it comes to making a decision about what, if any, place there should be for the Chinese company H in 5G UK telecoms infrastructure.

This is despite the Huawei Cyber Security Evaluation Centre Oversight Board (HCSEC) finding critical cyber vulnerabilities that are not being adequately addressed and that Huawei’s approach to software development brought significantly increased risk to UK operators.

Does it fill you with confidence? No, me neither.

It’s a cyber-shambles.
