Cyber agency: Gov't contracts hinder threat response


Summary: Existing long-term government contracts are too unwieldy to allow adequate responses to rapidly evolving cyberthreats, according to the Office of Cyber Security


Long-term, monolithic government technology contracts are hampering cybersecurity efforts, according to a Cabinet Office technology defence body.

Technology contracts build in security from the beginning, but some are not well thought through and can, as a result, become dated and restrictive, Steve Marsh, deputy director of the Office of Cyber Security (OCS), said on Wednesday.

"The threat landscape changes rapidly," Marsh told the Commons Science and Technology Committee. "To react to that as change happens — it's not as good as we'd like it to be, because we're tied into contracts that people haven't thought about. On the other hand, we're very good at building security into systems."


Part of the problem lies in "opportunistic" terms in monolithic contracts, Marsh told the committee. "We could probably be better at procuring large IT systems," he said.

The problem also lies with the length of the contracts, Marsh told ZDNet UK on Wednesday. Security requirements change quickly, while contracts can run for years with the same terms and service agreements.

"Some contracts are quite long term, so when they are replaced the threat landscape is different," Marsh said. "In some cases, the original wording of the contract doesn't allow certain responses that we need."

The problem is not restricted to any particular contract, but applies across government, he added.

Government and UK IT systems in general face a number of different threats, Marsh told the committee. High volume, low-level fraudulent e-crime is the most common type of threat to systems and, along with more sophisticated attacks, has caused widespread economic damage, he said. High-impact attacks on critical national infrastructure, with a low likelihood of success, still bring substantial risks to networks, he added.

Neither Buying Solutions — the organisation that provides frameworks for contracts between the government and suppliers — nor the Cabinet Office had responded to requests for comment at the time of writing.


Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
