Computing says: UK cyber security – time for a new approach

Events this month have demonstrated that the government has got cyber security wrong.

Hackers’ collective Anonymous announced plans to take government websites offline. Just a few days later, it achieved its aim: both the Downing Street and Home Office websites were hit by DDoS attacks over Easter.

Further reading

If nothing else, those attacks proved that Whitehall’s defences against the most common forms of attack are inadequate, especially when given advance warning of the assault.

Anonymous then targeted GCHQ and MI6, and Home Secretary Theresa May’s own site in an ongoing campaign that has also hit government sites in the US, China and beyond, along with the web presences of large corporates.

The attacks have broad political aims, but – like the Occupy movement before it – have garnered support from people who feel disenfranchised from mainstream politics. Anonymous – a group with no democratic mandate – has hit government for many reasons, including proposals to monitor the web activities of every British citizen.

The subtext is clear: if Whitehall cannot defend itself, how can it be trusted with citizens’ – and enterprises’ – private data?

While the attacks were taking place, new government CIO Andy Nelson started work, and his deputy Liam Maxwell was appointed. Nelson’s role is part time, as he remains CIO of the Ministry of Justice. Maxwell retains what the Cabinet office calls a ‘complementary role’ as director of ICT Futures. The message from government, then, is that being a CIO as a part-time activity.

Meanwhile, some of its most forward-looking proponents are getting out of Whitehall: G-Cloud Programme Director Chris Chant leaves at the end of April, for example.

The government must understand that IT and data management are not just about tough procurement policies – while at the same time appearing to regard all private data as potential evidence at a crime scene. It is an approach that is guaranteed to fail, and which is insulting to the British public.

Computing’s exclusive interview with former GCHQ and CESG CIO Nick Hopkinson, which was published on 12 April and made The Independent’s front page on 13 April, revealed the government’s fragmented, chaotic approach to cyber security that has got us to this point.

In that interview, and its exclusive follow-up, he warned that IT and data security needs to be driven from the top with a budget attached, and not left to a loose alliance of private- and public-sector bodies – many of whom, it must be said, have their own vested interests.

Draconian policies affecting everyone’s private data – where they visit, and who they talk to – are no solution to organised criminal activity, such as the massive increase in hostile cyber attacks from China and the US on the UK financial sector, for example.

Such a blanket policy – akin to throwing a net over the entire ocean to catch a minnow – will only make government, and the data it holds, a bigger target for hackers who can evade the government’s security with ease. 

Chris Middleton, Editor