'Lack of cohesion' in UK cyber security, warns former GCHQ/CESG head

'Strategy by committee' is not the answer, says former GCHQ and CESG chief, as UK cyber security lags behind US, Germany and France

The UK lags behind the US, France and Germany in its ability to respond to cyber attack, according to a former head of the government's spy agency, GCHQ.

Nick Hopkinson, now head of cyber security EMEA for US-based IT services firm CSC, spent five years as head of GCHQ, and then a further period heading up Communications Electronic Security Group (CESG).

He says there is a lack of cohesion between the various UK organisations set up to work towards its cyber security - a national strategy that was heavily criticised last year for being fragmented and inefficient.

"There is definitely a need for rationalisation between the organisations. Trying to co-ordinate policy and strategy is hard when dealing with lots of bodies. Attempting to set a strategy by committee delays progress."

Speaking exclusively to Computing, Hopkinson pointed to other members of the EU as examples for the UK to follow.

"When I dealt with German and French colleagues while at GCHQ, I noticed they are much more centralised in the way they develop their cyber security strategy.

"This centralisation of responsibility would be a logical next step and ought to be a priority for the government."

Looking beyond Europe, Hopkinson sees the US as another country leading the UK in cyber security, partly because it started planning its strategy two or more years earlier.

"The US recognised the problem earlier, probably because they're seen as the world's richest target for cyber attack, due to the lead they have in technology IP.

"They considered this to be a strategic problem in 2006, both in terms of national security and their future economic wellbeing."

He added that this understanding prompted early progress, which was driven from the very top.

"The drive to establish coherent policy and strategy came directly from the White House and a significant budget followed quickly."

In 2010, the UK government announced a £650m boost to cyber security. Despite that, some believe it is a fraction of the sums that are really needed. Indeed, David Cameron said last year that cyber crime costs the UK economy £27bn each year.

Ross Anderson, professor of security engineering at the University of Cambridge, points to a lack of significant spending on security as part of the UK's problem.

"[The UK's cyber security strategy is] fragmented, messy, inefficient and hopelessly under-resourced," he said.

The superior budget available to the US has enabled it to develop a better strategic defence capability than the UK. That in itself is not surprising, but it is also the country's superior co-ordination that has led to its position ahead of the UK.

"The US sorted out its accountability and priorities earlier than the UK, and so they have greater clarity of responsibility between agencies," said Hopkinson.

The US has also been faster to implement a system of collaboration between its public and private sectors, something which is happening in the UK only now.

"The US put into place active mechanisms in 2008 to enable near real-time data-sharing on threats and mitigation techniques between industry and government," said Hopkinson.

"CSC is part of that framework, in that we advise the government as soon as we see new threats, and about how best to defend against them."

The UK's version of this - the cyber security hub - is currently in a trial phase, and again suffers from under-funding.

"The hub is currently in its pilot phase. It's a good first step, but it needs investment to drive it forward and give it a greater reach," said Hopkinson.