George Osborne's understanding of cybersecurity is worrying

Chancellor's new cyber measures get an awful lot wrong

George Osborne said the word 'cyber' 134 times in his 45-minute speech to GCHQ earlier this week.

They say that talk is cheap, but in this case it could turn out to be quite expensive. Not only does Osborne plan to double cybersecurity spending to 1.9 billion over the next five years, but the proposals he set out in his speech will be expensive in terms of protecting our data and our critical national infrastructure.

If you include the Snooper's Charter in all this, the government's measures could ultimately cost us our freedom.

Why such a negative reaction to the words of Mr Austerity? Well, reading through the transcript of his speech, it's clear that while Osborne gets some things right, he also gets an awful lot wrong.

I'm not going to argue with Osborne when he says that "citizens need to follow basic rules of keeping themselves safe: installing security software, downloading software updates, using strong passwords".

Nor when he states that "companies need to protect their own networks, and harden themselves against cyber attack": all of this makes perfect sense.

Where things go a little pear-shaped, however, is when Osborne claims that "only government can defend against the most sophisticated threats". 

This is patently nonsense. Governments the world over have proven time after time that they are incapable of defending against the least sophisticated threats, and data breach after data breach is proof of that.

If you want more proof, then Osborne went on to praise GCHQ, saying that "it has an unmatched understanding of the internet and of how to keep information safe", which again I would take some issue with.

This is the organisation whose recent advice includes that "complex passwords do not usually frustrate attackers" and "by simplifying your organisation's approach, you can reduce the workload on users, lessen the support burden on IT department, and combat the false sense of security that unnecessarily complex passwords can encourage".

Ciaran Martin is Director General of Cyber Security at GCHQ, and the man who gave that advice, along with the ripe old chestnut that is "regular password changing harms rather than improves security, so avoid placing this burden on users". 

Of course, this kind of advice isn't for 'high value individuals' like Martin, but for the rest of us plebs. Then there was the occasion a couple of years back when GCHQ was found to be sending passwords by email in plaintext to would-be spies.

As part of his five-step plan to protect the UK from cyber attack, Osborne will introduce a single National Cyber Centre, reporting to GCHQ, to replace the "alphabet soup of agencies involved in protecting Britain in cyberspace".

Apparently this will make it easier for government and industry to share information on cyber threats, though I'm not exactly sure how this new organisation is that much different to when "a unified and integrated response to the threat of cyber attack" was established in 2011 in the shape of the Defence Cyber Security Programme, or the Joint Cyber Reserve in 2013, which promised "a dedicated capability to counter-attack in cyberspace". 

It's these inconsistencies in what he is saying now, and what has been said and done in the recent past, that annoy and worry me in equal measure.

But it doesn't stop there - Osborne went on to claim that the government has built cybersecurity into "every stage of the education process", and that its cyber apprentices will ensure we have enough talent to fill cyber vacancies. 

Erm, excuse me? Isn't there a well-acknowledged skills gap when it comes to cybersecurity? 

Even Osborne himself admits that the cyber workforce gap could hit 1.5 million by 2020. So to claim that efforts over the last five years have led to Britain being regarded as "top or near top in the world" when it comes to cyber defence capability is, frankly, laughable. 

Osborne then backtracked a little, within a few breaths, to add "we are not winning as often as we need to against those who would hurt us in cyberspace". Indeed, anyone who reads the news knows that data breaches are on the up. Many who work within the IT security industry will tell you we are not only losing lots of battles, but the war as well. 

Just throwing money at cybersecurity is not enough, and has never been enough. That the government can find a spare 1.9 billion over the next five years for cybersecurity investment, at a time of austerity measures almost everywhere else, is one thing.

Ensuring the money is well spent is quite another thing. Regular readers will know that I have something of a mantra which goes 'it ain't what you spend, it's the way that you spend it, that's what gets results'.

It remains to be seen just how ambitious, and just how successful, the programme to train young people with cyber talent will be. 

The announcement that things are kicking off with a competitive bidding process to open a new Institute of Coding is a start. But without the education of end users in security smarts, as well as skilling up potential IT security graduates, I fear we will not move on from the situation we find ourselves in, where we are chasing our tails as the bad guys get access to increasingly dumbed down tools to launch increasingly advanced attacks.
