The UK's new cybersecurity strategy will make a particular effort to engage small and medium-sized enterprises, according to a government-funded security group involved in introducing the initiative.
The large organisations that make up the critical national infrastructure already have good flows of security information between them, Tony Dyhouse, director of the Cyber Security Knowledge Transfer Network, said on Friday. Now smaller UK businesses need to be taking part in the knowledge transfer, he said.
"Small businesses are just as open to threats, and one of the main things will be teaching small businesses how to mitigate those threats," Dyhouse told ZDNet UK. "Training is one of the things that the Office of Cyber Security will address."
The government launched the Office of Cyber Security (OCS) on Thursday as part of its National Security Strategy. It is charged with protecting Britain's IT infrastructure, and with pulling in expertise from government agencies and from industry to prevent and respond to cyberattacks. A multi-agency Cyber Security Operations Centre (CSOC), based at GCHQ in Cheltenham, has been set up to coordinate the protection of critical IT systems.
Dyhouse suggested that the scope of what should be considered critical has expanded alongside the internet. "In a way, the amount of critical infrastructure has increased due to the interconnections of cyberspace," he said. "All sorts of UK business are now online."
Traditionally, Britain's critical infrastructure includes utility and power companies, transport operators, financial institutions, and telecommunications providers. In its new strategy, the government is seeking to encourage a greater range of private sector businesses to harden their systems, and it has said it will offer training to do this.
The government has not finalised training budgets, a Cabinet Office spokesperson said. "It hasn't been discussed," said the spokesperson, who added that budgets should become clearer in September, when the OCS becomes operational.
Intelligence analysis technology company Detica, whose clients include the UK intelligence services and other government agencies, said that it expected knowledge sharing to be funded by both the public and private sectors. "The intention is that it is a collaborative effort," said Steve Daniels, head of cybersecurity and information assurance propositions for Detica. "Industry is prepared to invest monies on top of government money, as long as there is a business case."
David Porter, Detica's head of security and risk, added that companies like Detica are "pumping money into this".
Daniels said that getting large private providers of government services engaged in the effort is a central feature of the government's Cyber Security Strategy. "Frankly, large organisations have a vested interest in ensuring the supply chain is resilient," Daniels added. "It's a common, good effort."
The Cyber Security Strategy, part of the National Security Strategy, set a series of targets for the public and private sectors in the form of 'workstreams'. These include making systems resilient, working out regulatory issues, raising security awareness in organisations and engaging other organisations internationally. Knowledge transfer will be improved by "breaking down silos" between different security groups working in the UK, Dyhouse said.
Dyhouse said a priority for the Cyber Security Knowledge Transfer Network, which acts as a focal point for the transfer of UK cybersecurity expertise, was to figure out how to implement those workstreams.
"We'll have a formal role in introducing [the strategy], working closely with the Cabinet Office," said Dyhouse. "The first thing we need to do, through the National Security Forum, is to put in place a roadmap for the workstreams proposed by the Cabinet Office."