The UK's ability to defend itself online could be compromised by an ongoing IT security skills shortage that could last for decades.
In a report (PDF) into the UK government's progress in delivering its Cyber Security Strategy, the National Audit Office names "addressing the UK's current and future ICT and cybersecurity skills gap" as a "key challenge".
The strategy, launched in 2011 with a £650m budget, detailed the government's plans to help businesses and individuals use the internet safely, protect organisations doing business online, protect the UK's infrastructure from online attack, and strengthen the UK's cyberdefence capabilities.
However, in order to meet its objectives, the UK will need to address the question of a shortage of workers with relevant skills, both within IT and elsewhere. "According to the government, the number of ICT and cybersecurity professionals in the UK has not increased in line with the growth of the internet. This shortage of ICT skills hampers the UK's ability to protect itself in cyberspace and promote the use of the internet both now and in the future," the report, published on Tuesday, says.
"Interviews with government, academia and business representatives confirmed that the UK lacks technical skills and that the current pipeline of graduates and practitioners would not meet demand," it adds.
The NAO highlights the ongoing drop in IT student numbers — between 2003 and 2010, the number of students taking computer science at university in the UK fell by 27 percent (PDF) — as well as the public sector's difficulties in attracting the best talent in the face of competition from private companies.
"Those we interviewed from academia considered that it could take up to 20 years to address the skills gap at all levels of education," the report said. "The government is working to address this and has said that it intends to overhaul ICT teaching in schools to make it genuinely about computer science rather than office skills. It expects cybersecurity to be a strong strand of the future GCSE computer science syllabus."
As well as IT workers, the report says that the UK is in need of psychologists, law enforcers, corporate strategists and risk managers to help draft cybersecurity policy and "other professionals such as lawyers and accountants" to aid businesses in identifying and tackling the risks posed by online threats.
Other challenges facing the Cyber Security Strategy include making sure end users are not the weakest link in security chain, and the ability for the government to determine the strategy's value for money.
"The NAO recognises, in particular, that there are some challenges in establishing the value for money of the cybersecurity strategy. There is the conceptual problem that, if cyberattacks do not occur, it will be difficult to establish the extent to which that was down to the success of the strategy. There is also the challenge of determining the relative contribution to overall success or otherwise of different components of the strategy. And there is the challenge of assigning a value to the overall outcome, to set against the cost of the strategy. The government has work underway to measure the benefits of the strategy," the NAO said.