In a speech at IA15, the government's information assurance event, GCHQ director Robert Hannigan told delegates that the free market is failing to meet business needs in the event of a security breach or hack. He added that the global cyber-security market was “not quite right” and that standards need to improve.
“It is time to take a hard look at whether the international market for cyber-security is working sufficiently well… something is not quite right here. What is also clear is that we cannot, as a country, allow this situation to continue,” he said.
“Standards are not yet as high as they need to be. The global cyber-security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear. The normal drivers of change, from regulation and incentivisation through to insurance cover and legal liability, are still immature,” Hannigan said.
“And what's also clear is that we cannot, as a country, allow this situation to continue. So we need, as a government and industry dialogue, to work out: how to make the market work better; and how to foster a national ecosystem that promotes cyber-security and the skills we need automatically.”
He said that those in government charged with national security “have worried about the top-end threats for some time” and “there is no doubt — significant cyber-attacks will become more common, not less in the coming period.”
Hannigan added that the UK was lucky to have avoided a serious incident, such as the attack on Sony, allegedly carried out on behalf of North Korea. He said that businesses needed to improve their security stance and that it wasn't down to GCHQ to protect private infrastructure.
He also said there were a “number of myths” surrounding the Investigatory Powers Bill, dubbed the Snooper's Charter by its critics.
“There are three myths in particular I want to confront. First is the myth that the Government wants to ban encryption. We don't. We advocate encryption. People and business in the UK should use encryption to protect themselves.”
The second myth was that spy agencies wanted backdoors in encryption. “We have never said this and we do not want this. Products should be secure. We work with companies to help make them secure,” he said.
The third myth was that GCHQ was encouraging a lack of disclosure around vulnerabilities, he said: “In the last two years, GCHQ has disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business.”
Rory Byrne, CEO and co-founder of Security First, told SCMagazineUK.com that cyber-security principles are not really embedded into places where they are needed most.
“For example, young people studying computer science, in many cases, barely touch on the issue of security,” he said. “The end result is that people, such as startups, building the technologies of the future, are often not equipped to build secure tools and/or are too busy focusing on growth to really build in a secure manner. Often they are reinventing the wheel each time they build a new product when there are existing tools which are proven and verified to provide the level of security that they need.”
He added that the government and its industry partners are generally pretty bad at rolling out big IT projects.
“In the UK, for far too long the big industry partners have been aware that a government IT contract is a cash cow which can be milked,” he warned.
“Meanwhile, government has not really had the internal capability to manage such projects. With policies changing, there are too many costly changes mid-flow of the contract, etc. Shifting away from de facto jobs creation or corporate welfare in these organisations towards a more dynamic, test bed and competition type system, with smaller goals, faster response and lower barriers to entry (similar to the US DARPA system for defence innovation) – would probably be more cost effective in the long run.”
Jonathan Sander, VP of product strategy at Lieberman Software, told SC that while putting more laws and regulations into place will likely be ineffective, the government could create safe spaces in which commercial organisations can share and collaborate, reducing the perceived risk of doing so.
“They could act as a clearing house for intelligence and threat data. They could be the only eyes which see the names attached to incidents that need not go public but the revelation of which could aid overall security posture for all. Acting as that arbiter, government could be the place where security data comes to be anonymised and shared for the benefit of all,” he said.
Lewis Henderson, consultant at Glasswall Solutions, told SC that a serious security incident in the UK is possible, but that the question to ask is how easily one could happen.
“Hannigan is in the best position to make a well-informed comment that the UK has been lucky at avoiding a serious incident at a nuclear power station for example, and if we have just been lucky and nothing else is factored in, then we should probably worry a bit more rather than just take for granted the lights come on when we want them to,” he said.
Ian Trump, security lead at Logicnow, told SC that to be effective, cyber-security relies on an integrated system of people, process and technology.
“Recent GCHQ discussions are correct in their assumption that we need to do more, but we need a strong combination of all three to make it work. Process improvements and increased transparency are needed in alignment with continual improvements in technology. Privacy issues have been escalating over the last 35 years, and it would seem that the ball has not moved very far forward in this debate,” he said.