John Suffolk: Cyber security needs international push

Former UK government CIO believes Nato or the UN needs to co-ordinate efforts to protect data...
Written by Tim Ferguson, Contributor

International collaboration would boost cyber security

Former government CIO John Suffolk believes cyber security needs to be discussed at international level. Photo: Cabinet Office

The issue of cyber security needs to be tackled at an international level and global standards set, according to former government CIO John Suffolk.

Speaking to silicon.com, Suffolk, who stepped down as government CIO in November 2010, said an international organisation such as Nato or the UN should co-ordinate efforts on cyber security to establish common frameworks.

"Why don't we all get in a room and say we're all going to have an open kimono and show each other everything we know about cyber and network defence and hacking - and collectively come up with a different model to begin to say we're going to compare the 1,001 malware protection [technologies] with the gold standard of what the very best people in the world know about malware protection," he said.

By creating a universal system of accreditation for security technology - much like the Euro NCAP five-star standard for car safety - Suffolk said businesses and government organisations will be able to prove their security credentials more effectively.

This approach could lead to local legislation for the level of security software that different organisations should use, depending on their role and the sensitivity of the information they hold, against which they could be audited.

Suffolk said the development of accreditation would mean consumers could do business with companies or government departments in the knowledge that the organisations are providing the best possible protection for their data.

"The only way we're going to be able to make progress is by collaborating," he said in an earlier panel discussion at an event organised by Dtex Systems, in which the most important security issues affecting government and business were discussed.

"Governments are doing some things. I just think we need to move it up to the international level. You need something that drives a structural change in the market," Suffolk told silicon.com afterwards.

He added that although some good work is being carried out in cyber security, it needs to become more embedded in organisations.

"There's a lot of fantastic stuff that goes on but it's not endemic in all organisations. If we're going to address this issue in the next 20 years, we have to make this endemic," he said. Security needs to be visible and "built into the DNA" of organisations, he added.

However, Suffolk acknowledged that security professionals in business and government organisations need to work hard to keep security near the top of the agenda. "In essence, some of this stuff is seen as getting in the way of what [businesses] want to do."

Within government, security efforts aren't a vote winner but an insurance policy for something that could potentially be a vote loser, according to Suffolk.

He added that changes taking place in government organisations due to spending cuts create "a fertile breeding ground for increased cyber security risks".

"Things fall between the cracks, people take their eye off the ball. Change always induces the potential for risk," he said.

Suffolk suggested that a simple but effective way to improve security in government is to scan devices belonging to all 5.5 million public sector workers to check they comply with the latest security patches and updates before allowing them to connect to government systems.

This approach would "instantly educate five million people" and be the kind of seismic shift Suffolk believes is needed to improve public sector security in the next 20 years.

The event also covered the use of data by governments and businesses. Suffolk said he is an "utter fan" of the government's transparency agenda which has moved a huge amount of government data into the public domain via data.gov.uk.

But much of this data is presented in a non-structured way, Suffolk said, and the government should make it easier to publish data that is easy to use and link to as systems are replaced in government departments.

"I think it's good what we've done already but we should be encouraging, cajoling, persuading government to keep improving as they change systems over time," he said.
