ADS input to National Audit Office report on cyber security

On 10 September, the National Audit Office (NAO) published an Update on the National Cyber Security Programme.

This report assesses the government’s performance in four areas:

  1. Understanding the scale and nature of the threat
  2. Encouraging business to mitigate risks
  3. Opportunities for UK industry, particularly exports
  4. Cyber skills

ADS was the only trade association to be engaged by the NAO in the preparation of this report.

Understanding the threat

ADS briefed the National Audit Office on its work with GCHQ and the Cabinet Office to design the UK’s first ever National Computer Emergency Response Team (CERT-UK).

ADS also briefed the NAO on how its leadership of the Defence Cyber Protection Partnership (DCPP) has helped improve the defence supply chain’s understanding of the unique threats it faces. For example, ADS has encouraged the Ministry of Defence’s CERT (MODCERT) to publish defence sector-specific reports on the Cyber Security Information Sharing Partnership (CISP) portal on a regular basis. Prime contractors have found these reports valuable; ADS is now undertaking work to ensure the product is in the right format for SMEs. ADS also encouraged the Ministry of Defence to provide resource to CERT-UK: it now provides two man-days per week to the CISP Fusion Cell, and there is a formal CERT-UK/MODCERT Liaison Officer working within CERT-UK on detachment from MODCERT.

Future priorities include ensuring that other government departments and critical infrastructure operators develop a better understanding of the risks they face – and how the security sector can help address these risks.

Encouraging business to mitigate risks

ADS has been leading the work to develop cyber standards for the defence supply chain through the Defence Cyber Protection Partnership.

ADS also acted as a “critical friend” to the Department for Business, Innovation and Skills (BIS) when the Department developed the ‘Cyber Essentials’ scheme, which followed the publication of the 10 Steps to Cyber Security.

The NAO report rightly reinforces ADS’ view (and concern) that the plethora of standards and guidance issued by the government is confusing and not well co-ordinated:

Industry stakeholders were of the view that this range of advice risked confusing its intended audiences.  This was especially true of the Small and Medium Enterprises (SME) community, where there is a greater need to scale the guidance to fit these smaller business needs.  SMEs are often too small to employ dedicated IT staff.

Trade and exports

The NAO notes that

While UK cyber exports have increased by 22% between 2012 and 2013, progress in encouraging trade and exports in cyber products and services has been slow and is the area of poorest performance, scoring the lowest rating in our survey.

There is a long-running issue about how the export statistics are generated and how accurate they are. ADS has some concerns about the methodology.

Perhaps even more importantly, at a practical level, there is a question about whether companies are actually experiencing the observed increase in export levels – not least SMEs.

Various initiatives are trying to improve support to companies in relation to cyber exports, most under the rubric of the Cyber Growth Partnership. Some of these initiatives have been rushed and may therefore not have the effect envisaged – for example, the Cyber Suppliers Scheme, which is limited to just a few public bodies and indicates nothing about the quality of a product or service. In other cases, the activity needs to be more focused: UKTI runs a wide range of trade missions, some of which are entirely security-focused and others of which may have a security component, but companies need advice about which missions really matter and are likely to result in real business. The mission calendar is crowded and confusing, and market analysis needs to improve.

Export success also depends on a strong domestic R&D base.  More work needs to be done to understand what cyber capabilities are actually being developed and sustained in the UK itself and the government should consider how to encourage greater levels of inward/domestic investment for this purpose.  That is why ADS is exploring how it can work with the regional Cyber Clusters to support growth, through initiatives such as access to secure sites and facilities, clearance to bid for a greater number of projects, and business-to-business introductions.

Cyber skills

Cyber skills pose significant challenges for the defence and security industry. The lack of adequately trained and practically experienced people, plus the failure to develop proper career paths from apprentice or graduate to more senior levels, means that companies are forced to spend significant amounts of money competing to hire from a small pool of specialists. This is unsustainable; initiatives such as the 5% Club are trying to address this issue.

Future direction of the National Cyber Security Programme – implications for domestic requirements and exports

Finally, the NAO report offers an interesting glimpse into the future direction of the National Cyber Security Programme:

National Cyber Security Programme Year 4

As in previous years, most of the money is being spent on ‘sovereign capability to detect and defeat high end threats’.  However, there is a real issue about whether the UK has adequate sovereign capabilities – or the skills to develop those capabilities.  Cryptography is a case in point.

Countries to which the UK exports (or with which the UK has Government-to-Government programmes) often want capabilities that are developed within the UK and which are used by UK agencies. If the UK lacks sovereign capabilities and has poor domestic R&D, UK companies will have to export products and services that are developed elsewhere (in a sense becoming resellers): so why would the UK be a partner of choice or a top exporter? The government and industry need to do more to understand what key customers expect to be “sovereign UK” – this is unlikely to be everything, but we must identify those areas where the R&D needs to be in the UK.

There is also a paradox.  Most of the Cyber Security Programme’s money goes on maintaining capabilities that are already in service – not new capability development – and most of the money is not geared towards computer network defence.  Yet, through the export agenda, we are encouraging other countries to receive advanced (defensive) capabilities from UK industry.  As a result, we may soon find that other countries are better defended than the UK is.