In a speech at IA15, the government's information assurance event, GCHQ director Robert Hannigan told delegates that the free market is failing to meet business needs in the event of a security breach or hack. He added that the global cyber-security market was “not quite right” and that standards need to improve.
“It is time to take a hard look at whether the international market for cyber-security is working sufficiently well… something is not quite right here. What is also clear is that we cannot, as a country, allow this situation to continue,” he said.
“Standards are not yet as high as they need to be. The global cyber-security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear. The normal drivers of change, from regulation and incentivisation through to insurance cover and legal liability, are still immature,” Hannigan said.
“And what's also clear is that we cannot, as a country, allow this situation to continue. So we need, as a government and industry dialogue, to work out: how to make the market work better; and how to foster a national ecosystem that promotes cyber-security and the skills we need automatically.”
He said that those in government charged with national security “have worried about the top-end threats for some time” and “there is no doubt — significant cyber-attacks will become more common, not less in the coming period.”
Hannigan added that the UK was lucky to have avoided a serious incident, such as the attack on Sony, allegedly carried out on behalf of North Korea. He said that businesses needed to improve their security stance and that it wasn't down to GCHQ to protect private infrastructure.
He also said there were a “number of myths” surrounding the Investigatory Powers Bill, more commonly known as the Snooper's Charter.
“There are three myths in particular I want to confront. First is the myth that the Government wants to ban encryption. We don't. We advocate encryption. People and business in the UK should use encryption to protect themselves.”
The second myth was that spy agencies wanted backdoors in encryption. “We have never said this and we do not want this. Products should be secure. We work with companies to help make them secure,” he said.
The third myth was that GCHQ was encouraging a lack of disclosure around vulnerabilities, he said: “In the last two years, GCHQ has disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business.”
Rory Byrne, CEO and co-founder of Security First, told SCMagazineUK.com that cyber-security principles are not really embedded into places where they are needed most.
“For example, young people studying computer science, in many cases, barely touch on the issue of security,” he said. “The end result is that people, such as startups, building the technologies of the future, are often not equipped to build secure tools and/or are too busy focusing on growth to really build in a secure manner. Often they are reinventing the wheel each time they build a new product when there are existing tools which are proven and verified to provide the level of security that they need.”